
Recently I have been tasked with rewriting a login system for a WinForms app to only use a key as auth. The customer is imagining a flow like:

  1. download the exe file
  2. get a key (GUID look-alike, by mail)
  3. activate your exe and run the app.

Not that hard: just send the key to the server, validate it, and boom, you've got a login.

But is this really secure? I mean, with a login using password and username I can look the user up by his name and validate a hashed edition of his password. That way I only pass the username and a hashed version of the password.

With only the key, how do I pass that from the client to the server securely, and still be able to validate against the user database?

I have HTTPS and some SSH certificates available on the auth server.

Thanks in advance

pumpin
  • What's the problem? If your customer wants validation with a key only, there is not much you can do. Of course it is not as safe as a registered user name with a password. Perhaps you can speak with your customer about these concerns. – user1567896 Jul 15 '14 at 10:41

1 Answer

If you want to use a serial-like activation system, the most common way to implement it is:

  • You generate the serial (GUID) on the server side and associate it with the data provided to you by the user (name, address, etc.)
  • You send the serial to the user (by email, etc.)
  • The user enters your serial into the installed app and this serial is stored in the OS (for example, the registry)
  • Each time the app starts it connects to the server and supplies the stored serial + some user info (optionally). Then on the server side you decide: allow or disallow the user to use the app (based on some counters, machine key checks, etc.)

The main security problem that you're asking about is: how are you supposed to validate a concrete user by serial?

  • You can generate a unique code based on the user's hardware and store it on the server in association with the serial key. On the server side you monitor the client activities for each serial, such as the number of connections per time interval, different machines/IPs, number of activations, etc., so you can decide whether this serial has leaked to the public or not. That approach commonly raises problems when the user's hardware is changed.
  • You can use certificates to secure the negotiation between server and client and authenticate using them too. This approach can work well if you have specific clients, as if you try to implement such an approach for open-sale software it will definitely lead to client-side problems with app and certificate installation.

For additional security you may want to encrypt/decrypt the serial key when storing it in the registry or sending it to the server. Also you can use an SSL connection to the server to secure communications. Look at: Encrypt and decrypt a string

PS: One of the best dev-friendly approaches to security and licensing is to use USB hardware keys, which can be wrapped around almost every app :)

This question is tightly connected to a security problem. For example, read this question: How to generate and validate a software license key?

Alexander Smirnov
  • You hit it right on, Alexander. So what you say is that I'll make a hash of the user when he signs up to get a serial, based on email and GUID, and send that as the key; I then save the key in the database and when the user logs in I just send that "key / hash" to the server and look it up. Right? Basically my concern is: is it safe to send a key like that over HTTPS? – pumpin Jul 15 '14 at 11:21
  • Or should I perform some magic before sending the key to the server and validating it on the server? – pumpin Jul 15 '14 at 11:22
  • As I've already said, you can encrypt the serial before sending it to the server. I've updated the answer with the additional link. Also you can use an SSL connection to further secure the transaction. – Alexander Smirnov Jul 15 '14 at 11:45
  • Basically there is no such thing on that matter that can be called "safe" :) But you can do everything you can to secure your serial: in most cases encryption and SSL is enough. – Alexander Smirnov Jul 15 '14 at 11:49
  • Thanks a lot Alexander, you really helped a lot with understanding the flow, which is just what I needed. – pumpin Jul 15 '14 at 12:01
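As an added example, not code from the question or the answer: the server-side half of the flow Alexander describes (mint a GUID-looking serial, bind it to the user's email, accept it from the app on every start and track which machines it shows up on), written in Python with an in-memory dict standing in for the user database. The serial is a bearer secret, so here it is generated from the OS random source rather than derived from the email, and only its SHA-256 is stored. The MAX_MACHINES leak threshold, the machine_fingerprint helper and the "denied: ..." result strings are assumptions of this example, not the answer's. Transport is still the HTTPS the question mentions, and client-side storage of the serial (the registry, per the answer) is not shown.

```python
import hashlib
import secrets
import uuid
from dataclasses import dataclass, field
from typing import Dict, Set

# Assumed policy, not from the answer: a serial that checks in from more
# distinct machines than this is treated as leaked and revoked.
MAX_MACHINES = 3


@dataclass
class Licence:
    email: str                                       # data the user supplied at sign-up
    machines: Set[str] = field(default_factory=set)  # fingerprints seen so far
    checkins: int = 0
    revoked: bool = False


def key_hash(serial: str) -> bytes:
    """Normalise a pasted serial and hash it; the database stores only this.

    Looking the record up by hash means a stolen database contains no working
    serials, and the secret itself is never compared byte by byte.
    """
    return hashlib.sha256(serial.strip().lower().encode()).digest()


def machine_fingerprint(identifiers) -> str:
    """Client-side helper (assumed design): hash whatever stable identifiers the
    client picks (e.g. the Windows MachineGuid registry value) into one opaque
    string so the server never sees the raw hardware details."""
    return hashlib.sha256("|".join(identifiers).encode()).hexdigest()


class LicenceServer:
    def __init__(self) -> None:
        self._licences: Dict[bytes, Licence] = {}  # stand-in for the user database

    def issue(self, email: str) -> str:
        """Answer's steps 1-2: mint a GUID-looking serial and bind it to the user."""
        # 128 bits from the OS CSPRNG formatted as a GUID. uuid1() would embed the
        # MAC address and time; a serial must be unguessable, so it is a random
        # token, not something derived from the email or a counter.
        serial = str(uuid.UUID(bytes=secrets.token_bytes(16)))
        self._licences[key_hash(serial)] = Licence(email=email)
        return serial  # goes to the user by email; the server keeps no clear copy

    def check_in(self, serial: str, fingerprint: str) -> str:
        """Answer's step 4: run on every app start, over TLS, with the stored serial."""
        lic = self._licences.get(key_hash(serial))
        if lic is None:
            return "denied: unknown serial"
        if lic.revoked:
            return "denied: revoked"
        lic.checkins += 1
        lic.machines.add(fingerprint)
        if len(lic.machines) > MAX_MACHINES:
            lic.revoked = True  # the "has this serial leaked?" decision
            return "denied: serial used on too many machines"
        return "ok: " + lic.email


if __name__ == "__main__":
    # Constructed walk-through of the whole flow.
    server = LicenceServer()
    serial = server.issue("user@example.com")  # would be mailed to the user
    fp = machine_fingerprint(["{constructed-machine-guid}", "00-11-22-33-44-55"])
    print(serial, server.check_in(serial, fp))       # ok: user@example.com
    print(server.check_in("not-a-real-serial", fp))  # denied: unknown serial
```

Because the lookup key is the hash and not the serial, the whole security of the scheme rests on the serial being unguessable and on TLS protecting it in transit; the per-serial machine set is what lets the server act on a key that has been passed around, which is the "is this serial leaked" check the answer describes.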