我是否应该将许可证密钥输出从纯 md5 输出更改为常见的“XXXX-YYYY-ZZZZ”?输入代码?

发布于 2024-10-11 13:31:25 字数 546 浏览 11 评论 0原文

我正在创建一个简单的许可证密钥系统,以“让诚实的人保持诚实”。我不关心特别严格的密码学。

如果他们对演示限制感到恼火,他们会访问我的注册网站,付款并给我他们的电子邮件。我给他们一个许可证密钥。

我让事情变得非常简单,因此:

license_key = md5(email + "Salt_String");

我让 PHP 和 C# 函数运行相同的算法并获得相同的密钥。

问题是这些函数的输出是一个 32 个字符的字符串,例如:

A69761CF99316358D04771C5ECFCCDC5

Which 可能很难记住/键入。是的,我了解复制/粘贴,但我想让所有付费客户真正轻松地解锁软件。

我应该以某种方式将这个长字符串转换为更短的字符串吗?

假设我只使用前 6 位数字,因此: A69761

其中显然存在更多的加密冲突,但在实际使用中这有什么关系吗?

还有其他想法可以使该内容更易于阅读/可输入吗?

I'm creating a simple license key system to "keep honest people honest". I don't care about especially stringent cryptography.

If they get to annoyed with the demo limitations, they go to my registration website, pay, and give me their email. I give them a license key.

I'm keeping things really simple, so:

license_key = md5(email + "Salt_String");

I have PHP and C# functions run that same algorithm and get the same key.

The problem is that the output of these functions is a 32-character string like:

A69761CF99316358D04771C5ECFCCDC5

Which is potentially hard to remember/type. Yes, I know about copy/paste, but I want to make it REALLY easy for all paying customers to unlock the software.

Should I somehow convert this long string into something shorter?

Lets say I use only the first 6 digits, so: A69761

There are obviously way more cryptographic collisions in that, but will it matter at all in practical use?

Any other ideas to make the thing more human readable/typeable?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

寂寞花火° 2024-10-18 13:31:25

剩下 6-10 个符号就足够了 - 用户无论如何都无法猜出代码,并且很容易输入。
另外一个好主意是在您的服务器上注册每个许可证,以便您能够检查该用户是否真的诚实,并且没有将许可证密钥提供给其他人。

To left 6-10 symbols will be enough - the user anyway will not be able to guess the code, and it would be easy to type in.
Also good idea would be to register each license on your server, so that you will be able to check that user is really honest, and didn't give a license key to another person.

渔村楼浪 2024-10-18 13:31:25

根据我的经验,要求用户输入或复制/粘贴 30 个字符的代码确实会让客户感到沮丧。并不是说有那么困难。这只是人们不关心的一个障碍。

我用于我的业务的解决方案是单独试用和购买下载。要获取许可副本,客户需要在下载表单中输入电子邮件地址和简短的用户 ID。仅输入电子邮件会自动重新发送用户 ID。您没有询问这一点,但是自动查找客户需要的任何代码的系统比拥有一个简单的系统更重要。下载系统在数据库中查找用户的详细信息,并提供嵌入了用户许可证的SetupSomeProductCustomerName.exe。此设置将安装客户的许可副本,无需任何进一步的身份验证或服务器连接。

这个系统对我们来说非常有效。客户只需备份一个文件,并且不会丢失序列号,以确保他们将来可以重新安装该软件。

也就是说,如果您更喜欢使用使用单向哈希的系统,只需使用生成较小哈希的算法即可。例如,CRC-32 结果为 8 个十六进制数字。

哈希值的加密安全是没有意义的。破解者只需遍历您的代码,复制将电子邮件地址突变为许可证密钥的整个代码块,然后将其粘贴到他们的注册机中。然后他们可以为任何电子邮件地址生成许可证密钥。无论您的哈希算法有多复杂,他们都可以做到这一点。

如果你想防止这种情况发生,你需要使用公钥加密,这会导致密钥太长而无法输入。如果你走这条路,你要么需要用长密钥粘贴来惹恼你的客户,要么单独的密钥文件,或使用我上面描述的个性化下载系统。

In my experience, asking the user to type or copy/paste a 30-character code indeed leads to frustrated customers. It's not that it's so difficult. It's simply a hurdle that people don't care for.

The solution I've used for my business is to have separate trial and purchased downloads. To get their licensed copy, the customer types in their email address and a short user ID on the download form. Entering only the email automatically resends the user ID. You didn't ask about this, but a system to automatically look up whatever code the customer needs is even more important than having a simple system. The download system looks up the user's details in the database and serves a SetupSomeProductCustomerName.exe that has the user's license embedded in it. This setup installs the customer's licensed copy without requiring any further identification or server connections.

This system has worked really well for us. The customer has only one file to back up and no serial numbers to lose to make sure they can reinstall the software in the future.

That said, if you prefer to use a system using a one-way hash, simply use an algorithm that generates a smaller hash. E.g. CRC-32 results in 8 hexadecimal digits.

There's no point in the hash being cryptographically secure. A cracker will simply walk through your code, copy the entire block of code that mutates the email address into the license key, and paste that into their keygen. Then they can generate license keys for any email address. They can do that regardless of how complex your hashing algorithm is.

If you want to prevent this, you need to use public key encryption, which results in keys that are far too long to type in. If you go that route, you'll either need to annoy your customers with long keys to paste in or separate key files, or use the personalized download system I described above.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文