license key validation - encryption/decryption

Gerhard Häring gh_pythonlist at gmx.de
Tue Dec 4 17:21:02 EST 2001


On Tue, Dec 04, 2001 at 10:48:05PM +0100, Irmen de Jong wrote:
> > How do I validate it at the customer site that the
> > "key" installed is valid?
> 
> You're looking for a secure hash of your license file, to protect the
> contents of the file from tampering.  The sha module can do this for
> you.

The next problem is where to store the hash.

> Now somehow you need to encode information about that
> unique customer into your license, so that another customer
> cannot also use that license file.
> 
> Perhaps some sort of public-private key scheme would work?

Which doesn't help at all if both keys are available to the potential
cracker.

> It's quite a task to create a Python application that can't be tricked
> (hacked) to think that the license is valid for *all* features.

Not possible IMO. But one can make it quite hard to crack it.

I'd go with symmetric encryption (might be a simple one, like the rotor
module) in combination with some clever "security thru obscurity". For
the fun of it, you could embed the pickled check routine in a CDATA
section of the XML file. Or encrypt the .pyc files. This would at least
make cracking a matter of days or weeks instead of hours.

Gerhard
-- 
mail:   gerhard <at> bigfoot <dot> de       registered Linux user #64239
web:    http://www.cs.fhm.edu/~ifw00065/    OpenPGP public key id 86AB43C0
public key fingerprint: DEC1 1D02 5743 1159 CD20  A4B6 7B22 6575 86AB 43C0
reduce(lambda x,y:x+y,map(lambda x:chr(ord(x)^42),tuple('zS^BED\nX_FOY\x0b')))
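
Added example, not part of the message above or of any poster's code: it contrasts a plain hash stored beside the license file with a keyed hash (HMAC), to illustrate the "where to store the hash" problem raised in the thread. It assumes the current hashlib and hmac modules with SHA-256 rather than the old sha module, and the license fields and key are constructed placeholders.

```python
import hashlib
import hmac

# Constructed sample license; the field names are assumptions for this example.
LICENSE = b"customer=ACME-0042\nfeatures=basic\n"
# Placeholder key. In the scheme discussed it ships inside the application,
# so it only raises the effort for someone who can read the code.
VENDOR_KEY = b"example-key-not-a-real-secret"


def plain_digest(license_bytes):
    """Unkeyed hash: anyone who edits the file can recompute it."""
    return hashlib.sha256(license_bytes).hexdigest()


def keyed_tag(license_bytes, key=VENDOR_KEY):
    """HMAC-SHA256: producing a matching tag requires the key."""
    return hmac.new(key, license_bytes, hashlib.sha256).hexdigest()


def verify_plain(license_bytes, stored_digest):
    return hmac.compare_digest(plain_digest(license_bytes), stored_digest)


def verify_keyed(license_bytes, stored_tag, key=VENDOR_KEY):
    return hmac.compare_digest(keyed_tag(license_bytes, key), stored_tag)


def demo():
    digest, tag = plain_digest(LICENSE), keyed_tag(LICENSE)
    edited = LICENSE.replace(b"features=basic", b"features=all")
    return {
        # Edited file checked against the original values: both checks fail it.
        "plain_detects_edit": not verify_plain(edited, digest),
        "keyed_detects_edit": not verify_keyed(edited, tag),
        # Digest stored next to the file and recomputed after the edit:
        # the plain check accepts the tampered license.
        "plain_accepts_recomputed": verify_plain(edited, plain_digest(edited)),
        # A tag recomputed without the real key is rejected.
        "keyed_rejects_wrong_key": not verify_keyed(
            edited, keyed_tag(edited, b"guess")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```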



