On 29.12.2009, at 17:10, Rafael Bugajewski wrote:
> On 12/29/2009, at 04:54 PM, Uli Kusterer wrote:
>
>> *never* ship the code that generates a key in any way, especially if it is
>> part of your SN check.
>
> So what alternatives do you propose? (Probably I just misunderstood this
> sentence)
>
> I mean, you have to check the serial in some way, in most cases it’s the
> reverse of your key generation code.

I won't go into encryption theory here (not that I'm the right person to ask), but in short, there are two kinds of encryption (and really, a serial number is just a form of encryption at its heart), symmetric and asymmetric:

1) Symmetric means that you need the same password to decrypt as you need to encrypt it. This is bad for serial numbers, because you need to be able to decrypt the number to verify it. Anyone who can validate a serial number can also generate new ones.

2) Asymmetric means that you have one password for encryption, and another one for decryption. The advantage of this is that you can hand the decryption password (the "public key") out to anyone, while you keep the encryption password to yourself (the "private key"). Being able to read the encrypted "message" doesn't mean you can generate one.

For a secure serial number scheme, you always want an algorithm of type 2. Otherwise, it's too easy to crack, because you're shipping a serial number generator with your application.

--
Uli Kusterer
Sole Janitor
http://www.the-void-software.com
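
The type 2 scheme described in the message above, as an added example that is not part of the original e-mail and not the author's code: it uses a digital signature (Ed25519 from Go's standard library), the signing form of the public/private key split, so the shipped checker holds only the public key. The function names, the licensee strings and the fixed demo seed are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base32"
	"fmt"
	"strings"
)

// Serial text encoding: base32 without padding (assumed format for this example).
var enc = base32.StdEncoding.WithPadding(base32.NoPadding)

// IssueSerial runs only on the vendor's machine: it needs the private key.
// The serial is a signature over the licensee name, so it is bound to it.
func IssueSerial(priv ed25519.PrivateKey, licensee string) string {
	return enc.EncodeToString(ed25519.Sign(priv, []byte(licensee)))
}

// VerifySerial is the only part shipped in the application. It holds the
// public key, which can check a signature but cannot produce one.
func VerifySerial(pub ed25519.PublicKey, licensee, serial string) bool {
	sig, err := enc.DecodeString(strings.ToUpper(strings.TrimSpace(serial)))
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false // malformed input is rejected before any crypto runs
	}
	return ed25519.Verify(pub, []byte(licensee), sig)
}

// DemoKeys derives a key pair from a constructed, fixed seed so the example
// is reproducible. A real vendor key comes from ed25519.GenerateKey with
// crypto/rand, and the private half never leaves the vendor.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte("constructed demo seed, not a real key"))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := DemoKeys()
	serial := IssueSerial(priv, "alice@example.com")
	fmt.Println("serial:", serial)
	fmt.Println("valid for alice:", VerifySerial(pub, "alice@example.com", serial))
	fmt.Println("valid for bob:  ", VerifySerial(pub, "bob@example.com", serial))
}
```

An Ed25519 signature is 64 bytes, so the resulting serial is about 100 characters long; it suits a pasted or file-based license better than one typed by hand.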
