I’ve been reading some posts here and articles around the web but I can’t picture a serial keys based system for my application.
I read this one but I can’t turn the code into Java and I’m not very familiar with the terms either.
What possible insight can you give me on this? Ideally my application will be for sale but I don’t expect it to be very popular. I don’t mind much if it gets cracked if I have users that appreciate the product and buy it, but I want to avoid it being easily cracked. Please be as specific as you can, I’m somewhat new to Java.
Thanks in advance.
It’s not that hard, if you’re somewhat flexible in your requirements — perhaps the scheme below would work for you.
You could just produce K = [SN, H([X,SN,Y])] which is the concatenation of an incrementing serial number with a hash, where the hash is a secure hash function of the concatenation of the serial number between unique constants X and Y that are secret “salt” you use to prevent the use of rainbow tables.
Use a well-known secure hash algorithm (e.g. SHA-1 or SHA-2; MD5 is probably also adequate, since the known weaknesses for MD5 are collision attacks, and not preimage attacks) and you should be all set, at least as far as the serial key part goes (you’ll probably want to prevent two people from using the same key).
The other thing you can do which is helpful is use K = [SN, T, H([X, SN, T, Y])] — use both the serial number and a timestamp. This can be used to allow only a narrow use window for the serial key: it’s valid within N seconds of the timestamp, so it would prevent reuse of the key outside that window.
Then encode/decode K to a representation that can be used to easily allow users to enter the key (e.g. base64).
It’s best to have a simple and transparent overall algorithm — obfuscation is not going to help you if someone reverse-engineers your scheme.
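As an added example (not the answer author's code), here is the timestamped variant K = [SN, T, H([X, SN, T, Y])] in Java, using SHA-256, fixed-width big-endian fields and base64; the salt values, the window length N and the sample serial number and timestamp are placeholders I chose, and the check uses a constant-time comparison.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

public class SerialKeys {
    // Secret salt constants X and Y (placeholder values); keep the real ones on the issuing side.
    private static final byte[] X = "X-secret-placeholder".getBytes(StandardCharsets.UTF_8);
    private static final byte[] Y = "Y-secret-placeholder".getBytes(StandardCharsets.UTF_8);
    private static final long WINDOW_SECONDS = 300; // N: how long after T a key is accepted
    private static final int HASH_LEN = 32;         // SHA-256 output size

    // H([X, SN, T, Y]): SN and T as 8-byte big-endian fields so the input is unambiguous.
    // (A keyed hash such as HMAC-SHA256 is the standard construction for this idea.)
    static byte[] tag(long sn, long t) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(X);
        md.update(ByteBuffer.allocate(16).putLong(sn).putLong(t).array());
        md.update(Y);
        return md.digest();
    }

    // K = [SN, T, H(...)] packed as 8 + 8 + 32 bytes, then base64 so the user can type it.
    static String issue(long sn, long t) throws NoSuchAlgorithmException {
        byte[] h = tag(sn, t);
        ByteBuffer buf = ByteBuffer.allocate(16 + h.length);
        buf.putLong(sn).putLong(t).put(h);
        return Base64.getEncoder().encodeToString(buf.array());
    }

    // True only if the key decodes, the hash matches and 'now' is within N seconds of T.
    static boolean verify(String key, long now) {
        byte[] raw;
        try { raw = Base64.getDecoder().decode(key); } catch (IllegalArgumentException e) { return false; }
        if (raw.length != 16 + HASH_LEN) return false;
        ByteBuffer buf = ByteBuffer.wrap(raw);
        long sn = buf.getLong();
        long t = buf.getLong();
        byte[] h = new byte[HASH_LEN];
        buf.get(h);
        if (now < t || now - t > WINDOW_SECONDS) return false;   // outside the use window
        try { return MessageDigest.isEqual(tag(sn, t), h); }     // constant-time compare
        catch (NoSuchAlgorithmException e) { return false; }
    }

    public static void main(String[] args) throws Exception {
        long t = 1_700_000_000L;            // constructed issue timestamp (seconds)
        String k = issue(42, t);            // constructed serial number 42
        System.out.println(k + " in window: " + verify(k, t + 10) + ", expired: " + verify(k, t + 1000));
    }
}
```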