Thread: [GD-General] serial numbers
Brought to you by:
vexxed72
Menu
▾
▴
gamedevlists-general
|
From: <cas...@ya...> - 2003-05-26 16:02:26
|
Hi, I'm looking for information about how to generate and validate serial numers for a product that I want to sell. Could somebody point me any references on the subject? Thanks in advance, Ignacio Castaño cas...@ya... |
|
From: Jeff T. <myt...@ma...> - 2003-05-26 19:15:53
|
There was a good post on this subject on the Unsanity.org blog site. It=20= has some Mac OS X specific comments in it, but is still a generally=20 useful thread. You can read the thread here:=20 http://www.unsanity.org/archives/000101.php Enjoy, Jeff Jeff Thompson CTO, CodeTek Studios, Inc. On Monday, May 26, 2003, at 11:07 AM, Ignacio Casta=F1o wrote: > Hi, > I'm looking for information about how to generate and validate serial=20= > numers > for a product that I want to sell. Could somebody point me any=20 > references on > the subject? > > Thanks in advance, > > > Ignacio Casta=F1o > cas...@ya... > > > > ------------------------------------------------------- > This SF.net email is sponsored by: ObjectStore. > If flattening out C++ or Java code to make your application fit in a > relational database is painful, don't do it! Check out ObjectStore. > Now part of Progress Software. http://www.objectstore.net/sourceforge > _______________________________________________ > Gamedevlists-general mailing list > Gam...@li... > https://lists.sourceforge.net/lists/listinfo/gamedevlists-general > Archives: > http://sourceforge.net/mailarchive/forum.php?forum_id=3D557 |
|
From: <cas...@ya...> - 2003-05-26 23:20:36
|
Thanks Jeff, That link contains some useful points, but I'm looking for more technical info. I'd like to know which algoritms are usually used to generate and validate the keys. They keys should look like random, and I would like to include the product and user name in a non-obvious way. So that, given the product and the user, I should be able to validate the given key. I'm sure there is a lot of information about this, and I know that this is probably related with encryption and checksum algorithms, but I cannot see the exact relation between the two. Any hints would be appreciated. Ignacio Castaño cas...@ya... Jeff Thompson wrote: > There was a good post on this subject on the Unsanity.org blog site. It > has some Mac OS X specific comments in it, but is still a generally > useful thread. You can read the thread here: > http://www.unsanity.org/archives/000101.php > > Enjoy, |
|
From: Ben C. <be...@gu...> - 2003-05-26 23:43:47
|
On Tuesday, May 27, 2003, 12:25:20 AM, someone wrote: [snip] > I'm sure there is a lot of information about this, and I know that this is > probably related with encryption and checksum algorithms, but I cannot see > the exact relation between the two. You want to generate a sequence (probably trivially obfuscated) containing the username/registration number (as in order number, not unlocking code) or whatever, and then sign it using one of the various public-key crypto algorithms. That way, you use the private key to generate the signature, and the application can *verify* the signature is valid using the public key, but it is "very hard" (in a provable, mathematical sense) to generate a new valid signature without the private key. Pick a big enough key-size (for an app like this, where generation/verification time isn't a big issue, go for a large number >=512 bit or so, say), and it becomes basically impossible to break the system without acquiring the private key "directly" (ie breaking into your office or whatever) or devoting totally unrealistic amounts of computation time to it. Er... or inventing a quantum computer, of course, but if someone manages that I imagine cracking shareware registration schemes will be well down their list of "things to do"... <grin> I'd look up the various open-source crypto libraries that are available - it's possible to "roll your own" cryptography code, but it's very easy to make subtle mistakes that can leave you open to vulnerabilities. -- Ben Carter - Neko Technologies - be...@gu... http://www.neko-tech.com/ - http://www.absoluteterror.com/ ---------------------------------PGP Key available on request--- "Broken mirror, a million shades of light, the old echo fades away. But just you and I can find the answer, and then we can run to the end of the world." - Small of two pieces, Xenogears |
|
From: J C L. <cl...@ka...> - 2003-05-27 00:31:12
|
On Tue, 27 May 2003 01:25:20 +0200 iso <iso-8859-1> wrote: > I'd like to know which algoritms are usually used to generate and > validate the keys. They keys should look like random, and I would like > to include the product and user name in a non-obvious way. So that, > given the product and the user, I should be able to validate the given > key. Typical forms I've seen are a one-way hash ala MD5 of the public data, along with a secret. The resultant string (often with another secret) is then digitally signed with the resultant string, sometimes with a CRC or other padding data appended.. The application then verifies the signature to check that the key is of valid form, and the central site can check that the key is legit. Other variants have (some of) the public data encoded in easily reversible fashion in the string so that entering the key in the app "magically" causes other fields to be populated. -- J C Lawrence ---------(*) Satan, oscillate my metallic sonatas. cl...@ka... He lived as a devil, eh? http://www.kanga.nu/~claw/ Evil is a name of a foeman, as I live. |
|
From: Ken P. <ke...@dr...> - 2003-05-28 21:28:57
|
At 11:36 AM 5/27/2003, you wrote: >MD5 is not trivially reversible, so this seems to work. However, if two >users have the same name, the keys will also be the same, and some products >don't requiere an username, so in that case I would have a single key! If you're generating keys over the net, then you're likely going to have their email address, so use that instead of their name. It's guaranteed to be unique. |
|
From: Brian H. <ho...@py...> - 2003-05-28 22:11:19
|
>If you're generating keys over the net, then you're likely going= to >have their email address, so use that instead of their name. = It's >guaranteed to be unique. It's also guaranteed to change. Brian |
|
From: Ken P. <ke...@dr...> - 2003-05-29 02:33:55
|
At 05:11 PM 5/28/2003, Brian Hook wrote: > >If you're generating keys over the net, then you're likely going to > >have their email address, so use that instead of their name. It's > >guaranteed to be unique. > >It's also guaranteed to change. G'day! Sure, it's pretty likely. But how important is that? If you're mainly using it to generate a unique key for a customer, then it really doesn't matter. He can change his address 1 million times. The address is still in your database with his real name and whatever other info you captured with the sale. The only way I see it being an issue, is if he changes email accounts and contacts you for a new key (re-install or whatever). In that case you'd require that he give you sufficient proof that he is who he says he is, then you just give him the key (or generate a new one off of his new address). Is there another issue I'm missing? Assuming Candy Cruncher uses a key to unlock, you would probably have a fair bit of experience with this by now. Stay Casual, Ken |
|
From: Brian H. <ho...@py...> - 2003-05-29 03:12:22
|
>The only way I see it being an issue, is if he changes email >accounts and contacts you for a new key (re-install or= whatever). >In that case you'd require that he give you sufficient proof= that he >is who he says he is, then you just give him the key (or= generate a >new one off of his new address). Support hassles are far more prevalent than you'd expect. People= often can't remember who purchased a game (dad, mom, wife,= husband) and what e-mail was used. Relying on e-mail addresses,= especially in this day of ISP (comcast.net, bellsouth.net, rr.com, cox.net,= etc.) and Web mail (Hotmail, Yahoo mail, etc.), seems to be a bad= idea. >Is there another issue I'm missing? Assuming Candy Cruncher= uses a >key to unlock, you would probably have a fair bit of experience= with >this by now. Anyone could trivially backwards engineer our key generator,= because frankly, this isn't an area that is worth pursuing. No matter how good your generator, someone will crack it if they= want to. But in all honesty, they'll just look for a crack at any of= the numerous crack/codes sites. Google will get you serial #s for= just about any game you can imagine. Or CD-keys. So the only reason to do this is to stop the casual users who are= scared or not knowledgeable enough to do this, and thankfully= (for us) that's the vast, vast majority of our audience. All we do is generate a value from a combination of custom= product code and the user's name that they enter on the order form. We= take that and generate a 16 (?) alphanum code, replacing often misinterpreted characters (e.g. no 'I' or 'O'). That's it. Simple and easy. Brian |
|
From: Colin F. <cp...@ea...> - 2003-05-30 13:31:47
|
>>> From: "Brian Hook" <xxxxxxxxxx> >>> >>> No matter how good your generator, someone will crack it if they want >>> to. But in all honesty, they'll just look for a crack at any of the >>> numerous crack/codes sites. Google will get you serial #s for just >>> about any game you can imagine. Or CD-keys. [1] First, put a unique code in each build of the game before the official release date, then do a Google search for any cracked versions, and then embarrass the reviewer who leaked the game to the public before it was even on sale! Demand his head on a platter from the game magazine editor, or threaten to reduce your bribes for A+/100%/5-star ratings. Won't those punks change their tunes when you cut off their supply of cocaine, outcall escorts, and Japanese anime DVDs! [2] Later, when the game is in general release, do the Google search again, and send "Cease and Desist" e-mail to the punks offering cracks to your game, from fake law firms or from Yakuza assassins with an inexplicable desire to optimize "market efficiency" for your product. Or invoke the Patriot Act and TIA or whatever and have the crackers tried by a secret military tribunal and summarily executed -- or at least brainwashed and cryogenically frozen to be revived later as Universal Soldiers, defending the government against freedom and democracy. [3] Then, do what Madonna does! Flood Kazaa and Direct Connect with *fake* cracks to your game -- and put in some profane message to infuriate pirates! Releasing your most unimaginative game yet, just to get more cash out of your fan base, would complete the analogy, but that would simply be icing on the cake! That will teach them to rage against the machine! The freakin' machine is X-treme raging right back at 'em! You da "Man"! --- Colin cp...@ea... http://www.welovetheiraqiinformationminister.com/mss_readers.html |
|
From: Javier A. <ja...@py...> - 2003-05-30 15:50:00
|
What kind of drugs are you on, man? :) I assume most games are uniquely signed to identify the receiver of betas. We certainly did that on Praetorians (nice batch-mode signature tool for those 85+ magazines!). Leaked versions may still appear, and despite the fact that the leak can be traced back to one of the magazines, you will have a hard time getting any compensation, the most you can hope for is their promise that "they will be more careful in the future". The point of digital signatures is "prevention": make sure the mag gets the point that their copy is uniquely signed, that the signature is prominently displayed on the title screen, that it can be hacked to not appear there but can't be removed entirely, etc etc. and hope that, if they screw up, it will be with someone else's title. Flooding will not stop most p2p systems, they have learned to cope with that: "trusted link sites", statistics for files, and pretty soon they will have built-in ratings and "quality" estimators, just like they don't have central servers anymore. The ones that don't adapt will simply stop being used. I wonder what the future is for mandatory online registration / verification systems. These do create much more trouble for pirated versions, but have tons of usability and privacy issues. Javier Arevalo Pyro Studios Colin Fahey wrote: > > [1] First, put a unique code in each build of the game before the > official release date, then do a Google search for any cracked > versions, and then embarrass the reviewer who leaked the game to the > public before it was > even on sale! Demand his head on a platter from the game magazine > editor, or threaten to reduce your bribes for A+/100%/5-star ratings. > Won't those punks change their tunes when you cut off their supply of > cocaine, outcall escorts, and Japanese anime DVDs! > > [2] Later, when the game is in general release, do the Google search > again, and send "Cease and Desist" e-mail to the punks offering > cracks to your game, from fake law firms or from Yakuza assassins > with an inexplicable desire to optimize "market efficiency" for your > product. Or invoke the Patriot Act and TIA or whatever and have the > crackers tried by a secret military tribunal and summarily executed > -- or at least brainwashed and cryogenically frozen to be revived > later as Universal Soldiers, defending the government against freedom > and democracy. > > [3] Then, do what Madonna does! Flood Kazaa and Direct Connect with > *fake* cracks to your game -- and put in some profane message to > infuriate pirates! Releasing your most unimaginative game yet, just > to get more cash out of your fan base, would complete the analogy, > but that would simply be icing on the cake! That will teach them to > rage against the machine! The freakin' machine is X-treme raging > right back at 'em! You da "Man"! |
|
From: <cas...@ya...> - 2003-05-28 23:33:42
|
Ken Paulson wrote: > If you're generating keys over the net, then you're likely going to have > their email address, so use that instead of their name. It's guaranteed to > be unique. Yeah, that's a good point. Ignacio Castaño cas...@ya... |
|
From: <cas...@ya...> - 2003-05-27 16:31:59
|
J C Lawrence wrote: > Typical forms I've seen are a one-way hash ala MD5 of the public data, > along with a secret. The resultant string (often with another secret) > is then digitally signed with the resultant string, sometimes with a CRC > or other padding data appended.. The application then verifies the > signature to check that the key is of valid form, and the central site > can check that the key is legit. Thanks, I was looking for something like that so, but I still have a problem. I create a message using the secret and the public data, and generate the key aplying MD5 to it, so when the user logs in, he provides the previous key and the public data. I know the secret, so I can recompute the key and validate the key that the user provided. MD5 is not trivially reversible, so this seems to work. However, if two users have the same name, the keys will also be the same, and some products don't requiere an username, so in that case I would have a single key! How can I solve that? I'd like to add a random part to the encoded message, but then I don't know how to validate it... Thanks in advance, Ignacio Castaño cas...@ya... |
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X