I have an application that creates a serial key as follows:
Take customername
Sign customername using privatekey and sha/dsa algorithm
Then license can be checked by decoding with public key, and checking cuastomername matches
This works okay except that the generated serial is rather long. So it is not really practical for customer to type in the serial key instead they have to provide a serial with in a file, which is rather different to how mist applications and work and is confusing.
Many other applications just provide the user with a Guid when they make a purchase
i.e 5bd1060b-8608-4817-93ca-207f7c828e2f
and the user has to enter their email address and guid to license their application.
This looks like a neater solution for the user but I don't understand how such an application verifies a valid guid from an invalid guid unless its done all online by checking emailaddress/guid pairs on a database. But I really would like some kind of verification to be done without requiring an online check otherwise:
a>The application will not work if internet connection/my server down or b>they can circumvent check by disabling internet access
EDIT:
My understanding solution as proposed by answer below:
User makes purchase
Take emailaddress + salt
Encrypt with SHA1 gives 160bit hash
Convert to hex notation gives 20 hex values, i.e 40 characters
Lop of last 8 characters to give a Guid
Email User Gui and Email address which they enter into program
Program verifies this pairing by taking the email address, adding salt, encrypting ectera
and checking generates a valid guid.
My main problem with this is that I need to store the salt in the program somewhere, therefore if the hacker finds the salt and works out what Im doing they can create a valid license key generator for any email address.
My current method for another program:
I have generated a public key/private key pair
User makes purchase
I generate a license by signing the emailaddress
BaseEncode the generated license
Send license to user
Program verifies license by basedecoding and decrypting with public key
My problem has been that when I sign the emailaddress is too long so I end up putting it in a file instead of the user entering it into a field, but maybe the problem is that I am base64encoding rather than converting to Hex.
How long can the output of signing be, does it depend on the length of the input or is it always the same ?
Because I decrypt the key with the public key I canot lop some chars of the license key, but if the generate key is only 40 characters I guess that is okay
I think the advantage of this method is that even if hacker works out how I'm doing things, they cannot create a license generator because they do not, and cannot get the private key because it is only stored on my server. They could only generate licenses if they created a new private/public key pairing and then if my application had the public key encoded in itself the application could reject the license anyway.
Of course they could hack the application, but if the application was updated regularly this would become alot of effort.
So in summary: Have I understood this correctly, which method is best, and how much data is generated for second approach.