An encrypted license key is hard to forge. But it still needs to be relatively easy to use.
For complex licensing mechanisms, the standard text-based license (.lic) file available in VC++'s AppWizard is too simple to be effective. If your application requires a complex licensing mechanism, consider the MD5 message digest. MD5 is a message-digest (one-way hash) algorithm described in RFC 1321 (The MD5 Message-Digest Algorithm) [1]. It was created by RSA Data Security, Inc. The algorithm takes a string of any length as input and produces a 128-bit fingerprint, or message digest, as output. Theoretically, it is computationally infeasible to produce more than one message with the same message digest using MD5. For ease of use, I wrapped the MD5 algorithm in a small reusable C++ class that can be added to any MFC or ATL COM/ActiveX project. [2]
MFC uses the first line of the AppWizard-created .lic file as the license key. For license verification, this key is compared to the same hard-coded key embedded in the control. A better method would be to put an encrypted key or message digest that was created by MD5 into the license file. Then, for license verification, the control would run the same algorithm and compare the resultant message digest with the license file's digest. If they matched, the control would be created. If they did not match, you could either deny the request or display a "nag" screen that prompts the user to pay for the control.
You can use MD5 as a tool to implement licensing mechanisms of varying degrees of sophistication. For instance, you could use a secret key that is embedded in the control. This key would be concatenated to a string read out of a registry entry that was set during installation. You could then use MD5 to create a message digest from the concatenated string. For license verification, compare this digest to another digest that you had set in a second registry entry during installation. That registry entry would have been created using the same concatenation method.
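The registry-based scheme described above, sketched in Python as an added example (not the article's MD5 class or its source code). A dict stands in for the two registry entries; the secret, the entry names and the install string are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed values: the article names neither the secret nor the registry entries.
EMBEDDED_SECRET = b"example-embedded-secret"   # hypothetical key compiled into the control
HEX_DIGEST = re.compile(r"[0-9a-f]{32}")       # a 128-bit digest written as hex

def license_digest(install_string: str) -> str:
    """MD5 hex digest of the embedded secret concatenated with the install string."""
    return hashlib.md5(EMBEDDED_SECRET + install_string.encode("utf-8")).hexdigest()

def install(registry: dict, install_string: str) -> None:
    """Installer side: write both entries (the dict stands in for the registry)."""
    registry["InstallString"] = install_string
    registry["LicenseDigest"] = license_digest(install_string)

def verify(registry: dict) -> bool:
    """Control side: recompute the digest and compare it with the stored one."""
    install_string = registry.get("InstallString")
    stored = registry.get("LicenseDigest")
    if not isinstance(install_string, str) or not isinstance(stored, str):
        return False                       # missing entry: treat as unlicensed
    stored = stored.strip().lower()        # tolerate case and stray whitespace
    if not HEX_DIGEST.fullmatch(stored):
        return False                       # malformed or truncated digest
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(license_digest(install_string), stored)

def demo() -> dict:
    """Run the check over a valid install and three broken ones."""
    reg = {}
    install(reg, "ACME-WORKSTATION-0042")  # constructed install string
    return {
        "fresh install": verify(reg),
        "digest copied to another install string":
            verify(dict(reg, InstallString="OTHER-MACHINE-0001")),
        "digest entry deleted":
            verify({"InstallString": "ACME-WORKSTATION-0042"}),
        "digest truncated":
            verify(dict(reg, LicenseDigest=reg["LicenseDigest"][:16])),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'licensed' if ok else 'unlicensed'}")
```

Only the first case verifies. The other three fall through to the unlicensed path, which is where the control would deny creation or show the "nag" screen.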
For this article I created a generic AppWizard-generated MFC ActiveX control that supports licensing and uses my MD5 class. As a simple demonstration, I changed the license key (the first line of the license file) to be

ae05741a93699a5c4d7bb1744aa9a1b0

which is the message digest produced by MD5 when fed the string "TESTMD5". Remember, anyone can see the message digest, but they won't know the string used to create it. Next, I hard-coded the string "TESTMD5" into my control. For license verification, I send this string through MD5 to create a message digest.
You can create a message digest for your .lic file using the Digest utility included in the source code for this article. (See p. 3 for downloading instructions.) Choose any string as input, and Digest will create the associated message digest. In MFC, you can use AfxVerifyLicFile to read and verify the .lic file. Figure 1 shows the VerifyUserLicense method using MD5 to create the digest and pass it to AfxVerifyLicFile for license verification. Note that if license verification fails, the control's ClassFactory still creates the control, but the control will display a "nag" screen. This allows a developer to try out the control but not use it with any software product intended for resale. If you don't want the control to be created at all when license verification fails, have VerifyUserLicense return FALSE.
Figure 2 shows the GetLicenseKey method. This method invokes MD5 so development tools such as VB or VC++ can get the license key from the control at design time and include it in the compiled program. At run-time, the GetLicenseKey method will be called again. For license verification, its return value will be compared to the key that was embedded at design time.
This is a simple example for demonstration purposes only. No licensing scheme is foolproof, but using a message-digest algorithm like MD5 as part of your licensing mechanism will make hacking the license key much more difficult. To use the MD5 class, just add the MD5Encrypt.cpp and MD5Encrypt.h files (available on the CUJ FTP site) to your project and recompile.
Information Sources
[1] http://www.cenacle.se/~jorgen/CIE/RFC/1321/index.htm.
[2] My source code is a wrapper around RSA's code. RSA grants license to copy and use this software provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function.
[3] http://www.rsa.com/rsalabs/newfaq/q99.html.
Michael Parent is a software developer at ViewLogic Systems, Inc., a Massachusetts-based company specializing in electronic design automation software. He can be reached via email at mparent@ici.net.