
How to program a super simple software activation system?

I have a piece of shareware that I wrote that I'd like to distribute on the internet. I have a serial number type thing set up, but there is still a ton of key sharing :(. I'd like to add a system where once the user enters the serial, it is checked with my server to make sure that it is valid. Simplicity is key.

- Client sends MD5 of serial number to web page using php type thing "www.mywebsite.com?key=3434343"

- Php script takes MD5 and checks it against simple database. If MD5 key exists in database, it increments a counter associated with that key, and generates a webpage that displays a 1. If no entry in the database, the script generates a webpage that displays 0.

- Client reads webpage and checks for 0 or 1 and acts accordingly.

I will manually enter in valid keys (md5'd) in the database and monitor active keys for too many activations. I don't know anything about php, so I don't know if this will work. Does this seem good enough? Are there blatant security holes? I will be using a shared host. Is there a better way? Thanks

There are actually several blatant security holes in your scheme.

The first is that users can redirect their local internet traffic to a site that pretends to be you, but always displays a "1".

The second is that each key would only be good for X "activations", but if the message is lost in transit, too bad - the counter is still incremented. You need some way to validate that everything is OK; viewing the page is not enough.

The third is that hacking the program to think it got a "1" from your site would be the easiest thing in the world.

Don't implement your own copy protection. It will just annoy legitimate users, while not even slowing down real pirates. Either use a sophisticated commercial system, or (better yet!) try to strike at whatever motive is leading users to steal your program. This might be that your price is too high, or perhaps they don't feel you respect them. People do things for a reason.

You're lacking a vital understanding of the key... the key is in the form of an MD5 hash, which will contain both alpha and numeric characters; consider this as an example:

3c102d6b53a7a8723e694f1417c2abfe

How are you going to generate the key? On what basis do you generate the key?

I also see that the key is passed to the website using a parameter like this:

www.mywebsite.com?key=3434343

It will take a while for the hacker to find a key... what with the advent of processor speed and key generation... it will be cracked in no time. Furthermore, you will be exposing your script... do not underestimate what hackers/crackers can do to break the scripts... which is something you did not mention in your posting: no security defences of any kind!

Also, there's no mention of using security certificates to authenticate and not to scare off the end user, or even worse, an antivirus scanner may flag the site as suspicious, thus the end user is locked out of the application.....

BOTTOM LINE: Do not try security schemes like this as they are a false economy. Either way, it would be the equivalent of a moth attracted to a flame: when an application "is protected", hackers/crackers will attempt to bypass it regardless of what you think... and you would be kidding yourself into thinking and deluding yourself that you're a brilliant programmer and that your dreamt-up scheme is foolproof - DON'T... Stay away from these kinds of schemes....

I would echo the points that have been raised in the comments about why you should consider not doing this, or at least not doing it yourself. But if you really want to (and/or for educational purposes), for a system like this I'd go for asymmetric encryption.

Basically, the idea is that you generate a public/private key pair, embed the public key in your application, and keep the private key on your server. In order to get registered, a copy of your application would send the serial number to your server. The PHP script on the server would check its database for that serial number, decide whether the registration is valid, and if it is, the server sends back the serial number encrypted with its private key. Your program can then use the public key to decrypt the message received, compare the decrypted version against the serial number, and if it matches, it can activate itself. Of course, this won't foil a (semi-)determined hacker, but it does eliminate the easiest way to get around the scheme you gave in your question, namely redirecting the request to a site which always returns a 1.

If you're worried about serial numbers traveling over the internet unencrypted, you could use the public key to encrypt the serial number before the program sends it to the server. And when the server responds, instead of sending back the encrypted serial number, it would send back (1) a random number generated on the server and (2) an encrypted hash of the random number and the serial number. Or use HTTPS, which does something similar. But if you're trying to protect against someone who has the means and motivation to intercept communications between your program and the server, you'll need more than just this simple scheme, because that person almost certainly has more sophisticated tools at his/her disposal. In that case you would need a reputable commercial DRM system to have the best chance of protecting your program. And at that point, I'd ask yourself whether it's really worth it.
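The signed-response scheme from the last answer, written out as an added example (not code from the question or any of the answers). The answer describes a PHP server and an unspecified client; this sketch puts both halves in Go so the exchange can be run end to end, and substitutes Ed25519 signatures for "encrypt with the private key" and SHA-256 for the question's MD5. The server stores only hashed serials with an activation counter, as the question proposed, and answers with a random nonce plus a signature over SHA-256(nonce || serial); the client recomputes that digest and verifies it with the embedded public key, so a redirected request to an impostor server (the first hole listed above) cannot produce a valid "1". The serial, quota and all names are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// ActivationResponse replaces the bare "1": a fresh nonce plus a signature
// over SHA-256(nonce || serial), made with the server's private key.
type ActivationResponse struct {
	Nonce     []byte
	Signature []byte
}

// ActivationServer stands in for the PHP script: it holds the private key and
// a table of hashed serials with the number of activations each has left.
type ActivationServer struct {
	priv   ed25519.PrivateKey
	mu     sync.Mutex
	quotas map[string]int // hex(SHA-256(serial)) -> activations remaining
}

// GenerateKeyPair: the public key is embedded in the application, the
// private key never leaves the server.
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // crypto/rand failing is not recoverable here
	}
	return pub, priv
}

// hashSerial keeps only a digest of each serial in the database.
func hashSerial(serial string) string {
	sum := sha256.Sum256([]byte(serial))
	return hex.EncodeToString(sum[:])
}

// activationDigest is the value both sides sign and verify.
func activationDigest(nonce []byte, serial string) []byte {
	h := sha256.New()
	h.Write(nonce)
	h.Write([]byte(serial))
	return h.Sum(nil)
}

// NewActivationServer loads a serial -> allowed-activations table.
func NewActivationServer(priv ed25519.PrivateKey, serials map[string]int) *ActivationServer {
	s := &ActivationServer{priv: priv, quotas: make(map[string]int)}
	for serial, n := range serials {
		s.quotas[hashSerial(serial)] = n
	}
	return s
}

// Activate is the server side of one request. The counter is decremented
// before the reply is sent, so a response lost in transit still costs an
// activation (the second hole the first answer points out remains).
func (s *ActivationServer) Activate(serial string) (ActivationResponse, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	key := hashSerial(serial)
	left, ok := s.quotas[key]
	if !ok {
		return ActivationResponse{}, errors.New("unknown serial")
	}
	if left <= 0 {
		return ActivationResponse{}, errors.New("activation limit reached")
	}
	s.quotas[key] = left - 1
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return ActivationResponse{}, err
	}
	sig := ed25519.Sign(s.priv, activationDigest(nonce, serial))
	return ActivationResponse{Nonce: nonce, Signature: sig}, nil
}

// VerifyActivation is the client side: rebuild the digest from the serial the
// user typed and the nonce received, then check the signature with the
// embedded public key. Only the holder of the private key can satisfy it.
func VerifyActivation(pub ed25519.PublicKey, serial string, resp ActivationResponse) bool {
	if len(resp.Nonce) == 0 || len(resp.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, activationDigest(resp.Nonce, serial), resp.Signature)
}

func main() {
	pub, priv := GenerateKeyPair()
	// Constructed licence table: one serial, two activations allowed.
	srv := NewActivationServer(priv, map[string]int{"ABCD-1234-EFGH": 2})
	resp, err := srv.Activate("ABCD-1234-EFGH")
	if err != nil {
		fmt.Println("server refused:", err)
		return
	}
	fmt.Println("genuine response verifies:", VerifyActivation(pub, "ABCD-1234-EFGH", resp))

	// An impostor server with its own key pair cannot satisfy the client.
	_, fakePriv := GenerateKeyPair()
	fakeResp, _ := NewActivationServer(fakePriv, map[string]int{"ABCD-1234-EFGH": 9}).Activate("ABCD-1234-EFGH")
	fmt.Println("impostor response verifies:", VerifyActivation(pub, "ABCD-1234-EFGH", fakeResp))
}
```

What the signature buys is exactly what the answer claims and no more: a fake server or a tampered response fails verification, but someone who patches the client to skip `VerifyActivation`, or who shares a valid serial, is untouched, and the per-key counter still burns an activation when the reply never arrives.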
