Just taking a few other layers in your idea (of getting the server to validate the licence key).....
 
* Just returning "true" is not "safe" - someone could circumvent your call to the server through a proxy and just return "true" anyway.  You really need to have the server return a reciprocal hash of the GUID that the EXE can validate (but even this could be circumvented if someone could work out your hash algorithm ( e.g. if you just used standard MD5 hashing).
 
* Alternatively, you send them the GUID - this is an activation code.  It is sent to the server - which returns the REAL GUID as part of the process - which they then type into the EXE.  This is simple to do - just generate 2 GUID's and store them together (the first is the key to the other).
 
* Most applications that do a registration like this online ask for some information to be entered into a web page (Name and Company - for example) and then provide a GUID that is hashed from those things.  You type exactly the same thing into the application, along with the GUID/HASH - which uses the same hash algorithm - and compares the result it gets to the one typed in and unlocks if it is OK.
 
BUT - it really depends on how secure you want the application to be.
 
We use a GUID activation method for password resets.  The user is NEVER emailed their login details.  They get a ONE SHOT link with a GUID in it.  This page provides them the login details.  If they try the link again - it dies.  This is done to prevent email hijacking trojans from mailing your login details to everyone on your address book.  The same concept could work as a one shot for the application (but you would have to store the GUID and continue to verify it each time you ran the application).
 
Lots of solutions MIGHT work - but not all will be suitable.
 
 

 
On 2/23/06, darryl lyons <[EMAIL PROTECTED]> wrote:
Well, given that a UUID or GUID is meant to be a "globally" unique value, then it is a pretty good thing to use a hard to guess string. However, depending on what you are using, you may get a sequential GUID, which in theory is able to be guessed.... You could always just hash some values and use that.

Darryl

On 2/23/06, Patrick Branley <[EMAIL PROTECTED] > wrote:
Hi Guys

Just wondering how secure using a CF UUID or SQL GUID as product activation key would be ?

Heres my idea for the scenario

1. user purchases software, write a record to the DB on payment and email them the UUID thats generated.

2. when they launch the application (an EXE) they must enter the UUID to have it activated. I make a web-service call back the to the CF Server to validate the UUID is a paid customer in the DB. if they web service returns true the application becomes active.

3. I store the UUID in either the registry or an XML file in the installation folder and re-check each time they launch the app.

The only other thing i can think of doing is actually storing the hashed version of the UUID in the db and doing a compare to make the db more secure.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "cfaussie" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/cfaussie
-~----------~----~----~----~------~----~------~--~---

Reply via email to