No offence intended, but let's not discuss that licensing schemes can be cracked (I know that) and that recourse to the law is usually a better deterrent (maybe in your country, but no in all).
Not my choice - I have been told to implement licensing, just good enough to keep casual hackers away.
What might make this slightly different is that the PCs which will run the software won't always have internet access privileges.
When someone buys the product, I can build licensing info into it & deliver an install CD. But, what happens if they want to buy more licenses? I don't want to have to go on site to update the licensing data, but they may not be able to access my server, nor I theirs.
I was thinking of having licenses in external (encrypted) files, each containing a number of licenses and an expiration date. If the user buys more licenses, then I can email out an additional file & their security cleared IT guys can burn it to CD or USB stick and then copy it to the applications data directory.
Does that seem ok? Can you think of something better? Can you see problems? I don't have too much time to implement this.
I use asymmetric cryptography with elliptic curves. To generate a new license key, hash user name (or email, possibly with some app ID appended), sign the hash with your private key and encode with base-32 to get a nice key like
HQYRV-OZFNZ-M3L7B-WA644-CXLG4-D7IRD-QZ6FY-GJGTO-MEXEG
.To validate the license, hash the user name as above and verify signature of the hash with your public key.
This has numerous advantages: the key is relatively short (thanks to using EC instead of RSA/DSA), the key is “random” in that a different one is generated every time for the same user name, and, crucially, there’s no keygen code in the application and a cracker cannot write a keygen without getting hold of your private key.
I have a library for doing this on GitHub: https://github.com/vslavik/ellipticlicense (it’s a fork of now-dead Objective-C project, I added portable C API and made some other improvements).
That would be fine if the license contains a lot of info. Typically they don't so they can be encrypted complete with some protections in 30-50 chars or so. These can then be emailed out, cut&pasted, or even typed.
As for protection schemes, PKV or Partial Key Verification is popular. There are a number of questions here on SO about it, and a Google search will provide a number of different language implementations.
If you don't particularly care about cracking attempts how about this:
Pre-generate a certain number of completely random keys (I don't, know... say 10,000 for the sake of this example). Hash each of those keys with SHA-1.
In your program, include an array that contains the SHA-1 hashes, e.g:
When the user buys a new license (or pack of licenses) give them the appropriate number of keys, scratch the keys from the list, and that's that.
When a user enters a key in the app, hash it and iterate the list. If you find the hash, you're good to go. If you don't, the key is wrong/unauthorized.
Advantages:
Disadvantages:
The scheme can be enhanced in many different ways. But it's a starting point for you.