Keygens, Protection, Encryption Panel Registration Key Considerations SIC 2001

1
Keygens, Protection, Encryption
PanelRegistration Key Considerations (SIC 2001)

• Chris Thornton
• Thornsoft Development, Inc.
• chris_at_thornsoft.com
• www.thornsoft.com/sic

2
Why use registration keys at all?

• Theyre so convenient! Both for us, and for the
  customer.
• No special URLS to remember
• Easy to rebuild system after system rebuild.
• Registered Version can be traded anyway. Will
  be increasingly problematic with
  Napster/Wrapster/Gnutella, IRC, etc., technology.
  (OOPS! Last years slide!)

3
Anti-Cracking

• The crackers will still crack you. Thats just
  the way it is.
• But if a user has to sift through 5 old
  non-functional keygens or published crack keys,
  they may decide that 20 isnt so much to ask
  after all!
• Goal Make the crack experience less enjoyable
  for the crack users.

4
Techniques

• Sprinkling
• Spread the checks into various places in the
  program.
• Time Bombs
• Use Message In A Bottle technique
• Compression / Obfuscation
• And.

5
Partial Key Verification

• Dont give the cracker enough information to
  build a complete key.
• They can only build a keygen against what they
  see in the program. So, leave some of the checks
  out, and add them back into future releases.
• Each release only checks part of the key (Details
  on next slide)
• Each release of your software requires crackers
  to make a new keygen.
• Users arent impacted, as their keys have all
  correct digits.

6
Example of obsolete keygen.
7
The Mechanics

• I use If SampleKey UserKey then
  RegisteredTrue algorithm. (standard stuff)
• To generate the SampleKey, first, I generate 10
  decoy digits, from the users name.
• Ex for i 0 to 9 do RegKeyi
  (Ord(CleanStringi) 2) Mod 10
• Then, in the positions that Im actually
  checking, I overwrite the decoys with digits
  generated by the actual algorithm, leaving decoys
  in the unchecked digits.
• Ex RegKey7 ((Ord(CleanString1)3) -
  Ord(CleanString4)) Mod 10

8
Mechanics (cont)

• In the previous example, the middle 5 digits are
  not checked. I dont check the decoys.
• In the next release, Ill add another digit, and
  take one more away. Forged keys can now be
  detected.
• Forged keys generate an error message, and invite
  the user to read more about the error at our web
  site. The target page logs their IP address, the
  name/key that was used, and the date/time.
• Future versions may not ask permission...
• But my customers keys, generated with all
  correct digits, will be just fine.

9
Reality Check

• 3657 visits to my naughty pirate page during
  the past month (June 17-July18 2001), or avg
  121/day.
• Next version wont ask permission after 3rd
  violation - it will just bring up the web page
  automatically.
• Next version will shut down completely after 5th
  illegal use.
• I am considering a more friendly message and
  page. (honey vs. stick)
• I am seriously considering using stronger
  encryption in ClipMate 6.