Securing A Database - License Key

gemma-the-husky

Here's a general idea for securing a database.

You need:

- an encryption/decryption technique
- a utility to change an encrypted byte string into a (longer) hex string (for presentation purposes)
- an MD5 (say) one-way hashing algorithm
- a utility to get a "secret" from your machine - say the HDD number

All of these things are available for download.


First - you need to put this into an mde/accde, as obviously it's no good if users can see your code.

Now you need some "secret" you want to protect. Say you want an expiry date for your application. You also may want to read something unique to the machine - maybe the HDD code.

put the date and HDD code together into a string - you could interleave or process these in any way you want

Now, encrypt this again using your encryption technique. A simple xor system may be sufficient, although there are more complex methods.

Turn the resultant string into a Hex String - it's better to get printable chars than strange non-printable chars.

In order to do this all remotely, your client/installation presents this string to you.

now take a MD5 hash of the HEX string

take a few characters from selected positions in the MD5 hash, and insert them into your hex string to make a longer HEX string

this is the license key you issue to your users, which does not now need to be hidden from users - they need to see this one

encrypt it all again, if you want, and turn it into another Hex string.

send this string back to your users

--------

so - to use the licence key

-decrypt the licence key, if you encrypted it again

- take out the MD5 characters you inserted into the string in the first place, and store them in a variable

- this leaves you with the original encrypted string, and the characters you just stripped out. Now do an MD5 of the encrypted string, and make sure it gives you the same check characters. If it doesn't, reject the string.

The likelihood of someone working out which characters you added to the string from the MD5 hash to produce the final string is negligible, I would think, but if you obfuscated further by re-encrypting the entire string, it becomes pretty random.

- this now leaves you with the original encrypted stuff, which you can reverse to recover the original license date, and machine HDD, which you test to make sure the license date has not expired, and the HDD is correct.

----
the main thing here is the MD5 hash. MD5's are one way functions. Knowing the final MD5 hash does not help you recover the original string that produced it. There are databases to test MD5's - which is why you need to start with a pretty random string in the first place.

If you just took an MD5 of a date, I suspect the databases would have this stored in their records.

HDD's are not unique, but are random enough for your database to not automatically be able to be run on any other random machine - but there are other secrets you could lift off your machine, if you want something else. HDD is quicker to get at than some things though.

This whole validation process is very fast, and produces no noticeable delay.


-----
obviously your database has to include all the code necessary to reverse all these processes - so reverse engineering code could identify all the steps you took to encrypt everything. The only way round this I suppose is to require an active online connection - to do some of this checking away from the client's machine, but I suspect this would be taking it all too far.


I hope this helps.
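
The steps in the post above, carried through end to end as an added example (not code from the thread or from any poster). Python is used for brevity; the XOR key, the `|` separator, the four check positions and the sample HDD serial in the usage are assumptions made for illustration.

```python
import hashlib
from datetime import date

XOR_KEY = b"demo-xor-key"     # constructed value; it ships inside the client
CHECK_POS = (3, 11, 19, 27)   # assumed: MD5 hex digits to lift, and where to splice them

def _xor(data: bytes) -> bytes:
    return bytes(b ^ XOR_KEY[i % len(XOR_KEY)] for i, b in enumerate(data))

def _check_chars(hex_body: str) -> str:
    # MD5 of the hex string, then a few digits from selected positions
    digest = hashlib.md5(hex_body.encode()).hexdigest().upper()
    return "".join(digest[p] for p in CHECK_POS)

def issue_key(expiry: date, hdd_serial: str) -> str:
    # date + HDD -> XOR -> hex string -> splice in the MD5 check digits
    body = _xor(f"{expiry.isoformat()}|{hdd_serial}".encode()).hex().upper()
    chars = list(body)
    for pos, ch in zip(CHECK_POS, _check_chars(body)):
        chars.insert(pos, ch)  # ascending order, so earlier inserts never move
    return "".join(chars)

def validate_key(key: str, local_hdd: str, today: date) -> str:
    chars = list(key.strip().upper())
    if len(chars) <= max(CHECK_POS):
        return "malformed"
    # take the check digits back out, highest position first
    lifted = [chars.pop(pos) for pos in reversed(CHECK_POS)][::-1]
    body = "".join(chars)
    if "".join(lifted) != _check_chars(body):
        return "bad check characters"
    try:
        expiry_text, hdd = _xor(bytes.fromhex(body)).decode().split("|", 1)
        expiry = date.fromisoformat(expiry_text)
    except ValueError:         # non-hex body, undecodable bytes, no separator, bad date
        return "malformed"
    if hdd != local_hdd:
        return "wrong machine"
    return "expired" if today > expiry else "ok"
```

The check digits catch mistyped or casually edited keys; as the post itself says, everything needed to recompute them sits in the client.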
 
Maybe it's not relevant, but what happens if the final user changes his machine's date to one prior to the expiry? Will the database resume working?
 
I believe AJ Trumpet posted a working sample of a license key system.
 
Maybe it's not relevant, but what happens if the final user changes his machine's date to one prior to the expiry? Will the database resume working?


yes - one way is to build in something that sets an expired flag on expiry - and test that in case the date was reset. so then you have to find a way of obfuscating that flag, too!

The idea was more about the general principle of how to protect a database
 
Hi GTH, Peter's Software say that resetting the computer date doesn't fool Keyed Access. They call the feature "bullet proofing". I haven't tested it.

Thank you for this Post
 
Maybe it's not relevant, but what happens if the final user changes his machine's date to one prior to the expiry? Will the database resume working?:cool:



_________________
Johni Imtiaz..!!

yes - see #4

but if you build it yourself, you can add whatever features you like, and it's free.
 
Hi

GTH - I need to do exactly what you said in your OP but haven't got the faintest idea what most of what you said is....is there any free to use code that could do this for me?
 
How are Software License Keys generated?
License Keys are the de facto standard as an anti-piracy measure. To be honest this strikes me as (in)Security Through Obscurity, although I really have no idea how License Keys are generated. What is a good (secure) example of License Key generation? What cryptographic primitive (if any) are they using? Is it a message digest? If so what data would they be hashing? What methods do developers employ to make it difficult for crackers to build their own key generators? How are key generators made?
 
How are Software License Keys generated?
License Keys are the de facto standard as an anti-piracy measure. To be honest this strikes me as (in)Security Through Obscurity, although I really have no idea how License Keys are generated. What is a good (secure) example of License Key generation? What cryptographic primitive (if any) are they using? Is it a message digest? If so what data would they be hashing? What methods do developers employ to make it difficult for crackers to build their own key generators? How are key generators made?

The idea is that your programme knows a value that the user needs to have available in order to use the programme.

Let's say your programme looks for a "licence key" value of 123 to be stored in a certain field, or to be kept in a file, or to be kept in the registry somewhere.

If a user can determine which value your programme is checking, he can use copies of your programme without authorisation.

So instead of using a specific value of 123, instead look for, say, the HDD number of the client machine. This is generally different on all machines - well sufficiently different that any 2 PC's are likely to have different HDD numbers.

If a user determines that the number required IS the HDD number, then the system is defeated. Moreover, you most likely do not know the user's HDD number, anyway. You aren't likely to personally install your program on a user's PC.

So instead, if you get the user to send you his HDD number, and you process this in a way that is hard for the user to determine, and then send him back the result as his "licence key" - your programme can do the same thing. Read the HDD, process it, and see if the result is what you expected. If it is, the user can continue. If not, terminate the application.

so the licence key you issue to your user works on his machine, but probably doesn't work on another machine, and he most likely can't work out what you did to produce the licence key from his HDD.

Now you can do this either by encryption, or by hashing. Encryption is producing an encoded result, which can then be reversed to recover the original. This cannot be done with hashing. Instead with hashing the same steps have to be taken, and the hashed result compared with the expected hashed result.

It becomes a bit trickier if you want to build in an expiry date. With encryption, such as Vigenère (basically this is a complex alphabetic Caesar shift cipher), you can include in the plaintext a licence expiry date as well as the HDD. After decrypting the result you recover the original data, the HDD and the expiry date.

Now, you can't manage an expiry date so easily with hashing alone. With hashing, you cannot recover the original string that produced the final hash result, so you can't determine the expiry date directly from the hash key. You can use a combination of encryption techniques and hashing.

You can download code to implement either of these methods. (MD5 hash, or a Vigenère cipher)

Whatever you do, your programme needs to include code either to duplicate the steps that you take to transform a message from the user into a licence key, or to reverse the encryption of the licence key back to the original data - most likely a combination of both.
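
The hashing route described in this answer, as an added example (not code from the thread): the expiry date cannot be recovered from a hash, so it travels in the key in clear and is bound to the HDD number by the hash. A keyed hash (HMAC-SHA-256) is swapped in here for the plain MD5 the thread mentions; the secret, the key layout and the function names are assumptions.

```python
import hashlib
import hmac
from datetime import date

VENDOR_SECRET = b"constructed-demo-secret"  # assumption: also embedded in the client
TAG_LEN = 16                                # hex digits of the keyed hash kept in the key

def _tag(hdd_serial: str, expiry_text: str) -> str:
    msg = f"{hdd_serial}|{expiry_text}".encode()
    return hmac.new(VENDOR_SECRET, msg, hashlib.sha256).hexdigest()[:TAG_LEN].upper()

def issue_hashed_key(hdd_serial: str, expiry: date) -> str:
    # vendor side: the user sends the HDD number, the vendor returns DATE-TAG
    expiry_text = expiry.strftime("%Y%m%d")
    return f"{expiry_text}-{_tag(hdd_serial, expiry_text)}"

def check_hashed_key(key: str, local_hdd: str, today: date) -> str:
    expiry_text, sep, tag = key.strip().upper().partition("-")
    if not sep or len(expiry_text) != 8 or not expiry_text.isdigit():
        return "malformed"
    # client side repeats the same steps with the HDD number it reads locally;
    # a different machine and an edited date are indistinguishable: both just fail
    expected = _tag(local_hdd, expiry_text)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return "rejected"
    try:
        expiry = date(int(expiry_text[:4]), int(expiry_text[4:6]), int(expiry_text[6:]))
    except ValueError:
        return "malformed"
    return "expired" if today > expiry else "ok"
```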
 
You will send to me your Email. Mine will be available when my post count comes to 10.
I shall send to you Access 2003 LockFileMaker.mdb, MainFile.mdb, LockFileTemplate.mdb. The LockFileMaker shall be able to generate LockFile.mde and MainFile.mde. The LockFile shall carry the limitations in number of days for MainFile.mde to remain working. The user is given LockFile.mde and MainFile.mde and these should be in the same installation folder. For a full license you have to generate another LockFile.mde with open limitations and you send it to the user to replace the old LockFile.mde. However try to guess what could happen if the MainFile.mde is copied to another folder and double-clicked! You shall take it from there.
 
I have designed something for you. Hope it works. Create two blank forms; "Startup" and "Main Form". Attach this code to Startup - On Load. Secure the code by right clicking on the project in the VBA Editor, select protection and enable this. Go ahead and set the password. Call me on +256-772-459848 for help.

__________________________________________________________________-
Private Sub Form_Load()
    ' Ask for the license key and check the trial period before opening the main form.
    Dim DateNow As Date
    Dim ExpiryDate As Date
    Dim License As String
    Dim DaysLeft As Long
    Dim Msg As String

    DateNow = Now()
    ExpiryDate = DateAdd("m", 1, "1-oct-16")   ' trial ends one month after 1 Oct 2016
    License = InputBox("Enter License key", "Permission to use Program - Mega Data Systems")
    DaysLeft = DateDiff("d", DateNow, ExpiryDate, vbSunday, vbFirstJan1)

    ' Accept only while days remain; a negative difference means the trial has expired.
    If (License = "1234") And DaysLeft > 0 Then
        Msg = "Your Trial period has: " & DaysLeft & " days remaining"
        MsgBox Msg, vbInformation, "Remaining period for program to crash - Mega Data Systems"
        DoCmd.Close acForm, "Startup"
        DoCmd.OpenForm "Main Form", acNormal, "", "", , acNormal
    Else
        Msg = "You have entered wrong License key or Your trial period has expired"
        Beep
        MsgBox Msg, vbInformation, "Program License Key - Mega Data Systems"
        DoCmd.Quit
    End If
End Sub
 
Dave
HDD's are not unique, but are random enough for your database to not automatically be able to be run on any other random machine - but there are other secrets you could lift off your machine, if you want something else. HDD is quicker to get at than some things though.
Can you tell us more about the other secrets that can be lifted and how one might get that value?
 
MAC address would be another, transmutable but not easy to do.
 
Whilst looking at securing a database you might want to think hard about un-securing it again. Most people do this for the value of the database and to stop people copying it and normally don't think of the customer.

If somebody has paid a lot of money for a database and then has a hard drive failure, they change the hard drive to a new one with a different number, restore a back-up and expect to be working again.

If you are going to charge good money you need to be in a position to fix things a bit quick or you will have a very disgruntled customer.
 
I use a Vigenère cipher to generate passwords.

I have always been fascinated by ciphers, I even wrote a password generator which created unbreakable passwords, well that's what I think anyway! I'm not going to tell you why they're unbreakable! I just happened upon this YouTube video by Professor Edward Brumgnach and it's absolutely fascinating! A nice watch while you're trapped at home... You can watch YouTube videos at double speed, and this one is quite watchable at double speed...

"The Lost Symbol" - Magic Squares and the Masonic Cipher

 
