license key validation - encryption/decryption
Gerhard Häring
gh_pythonlist at gmx.de
Tue Dec 4 17:21:02 EST 2001
On Tue, Dec 04, 2001 at 10:48:05PM +0100, Irmen de Jong wrote:
> > How do I validate it at the customer site that the
> > "key" installed is valid?
>
> You're looking for a secure hash of your license file, to protect the
> contents of the file from tampering. The sha module can do this for
> you.

The next problem is where to store the hash.

> Now somehow you need to encode information about that
> unique customer into your license, so that another customer
> cannot also use that license file.
>
> Perhaps some sort of public-private key scheme would work?

Which doesn't help at all if both keys are available to the potential
cracker.

> It's quite a task to create a Python application that can't be tricked
> (hacked) to think that the license is valid for *all* features.

Not possible IMO. But one can make it quite hard to crack it.

I'd go with symmetric encryption (might be a simple one, like the rotor
module) in combination with some clever "security thru obscurity". For
the fun of it, you could embed the pickled check routine in a CDATA
section of the XML file. Or encrypt the .pyc files. This would at least
make cracking a matter of days or weeks instead of hours.

Gerhard
--
mail: gerhard <at> bigfoot <dot> de registered Linux user #64239
web: http://www.cs.fhm.edu/~ifw00065/ OpenPGP public key id 86AB43C0
public key fingerprint: DEC1 1D02 5743 1159 CD20 A4B6 7B22 6575 86AB 43C0
reduce(lambda x,y:x+y,map(lambda x:chr(ord(x)^42),tuple('zS^BED\nX_FOY\x0b')))
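
The tamper check and customer binding discussed in this message, as an added example that is not part of the original post or any participant's code: a keyed hash (HMAC-SHA256 from `hashlib`/`hmac`, used here in place of the `sha` module named in the thread) is stored inside the license itself and covers the customer id and feature list. The names `VENDOR_KEY`, `issue_license`, `validate_license` and the JSON layout are assumptions made for the illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption). A key shipped inside the application can
# be extracted by whoever holds the program, so this detects edits to the
# license file but does not stop someone who patches the check itself.
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"


def _canonical(fields):
    """Serialize the license fields deterministically so the MAC is stable."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")


def issue_license(customer_id, features, key=VENDOR_KEY):
    """Vendor side: bind the feature list to one customer and attach a MAC."""
    fields = {"customer": customer_id, "features": sorted(features)}
    tag = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return json.dumps({"fields": fields, "mac": tag})


def validate_license(text, local_customer_id, key=VENDOR_KEY):
    """Customer side: return the licensed features, or an empty set if invalid."""
    try:
        doc = json.loads(text)
        fields, tag = doc["fields"], doc["mac"]
        expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
        # Constant-time comparison; any edit to the fields changes the MAC.
        if not isinstance(tag, str) or not hmac.compare_digest(expected, tag):
            return set()
        # A license copied from another customer has a valid MAC but the wrong id.
        if fields["customer"] != local_customer_id:
            return set()
        return set(fields["features"])
    except (ValueError, KeyError, TypeError):
        return set()  # malformed file: grant nothing


if __name__ == "__main__":
    lic = issue_license("ACME-0042", ["reports", "export"])  # constructed sample
    print("own license:    ", validate_license(lic, "ACME-0042"))
    print("copied license: ", validate_license(lic, "OTHER-0001"))
    edited = lic.replace('"reports"', '"reports","admin"')
    print("edited license: ", validate_license(edited, "ACME-0042"))
```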