I am trying to develop a rudimentary licence system to prevent distribution of some software tools.

I want to design an algorithm that will generate the same HWID be it on Windows or a Mac OS system. It should be portable also, i.e. can be implemented in Go/Java/.Net

I am currently thinking of some scheme that involves getting the serial number of all hard drives, CPU serial and installed RAM. Concatenate these and SHA1 or something. That would be the HWID.

My question is can all of these be gathered on similar systems?

Thanks.

jim
  • System HDD s/n seems the most reliable number. Another is the MAC address of the Ethernet card, but it is very unstable. The major problem is the enable/disable wifi/bluetooth button on laptops - it changes the number of MACs and their order. Presence of Ethernet is not guaranteed for every system. Also the MAC address can be changed/cloned. – i486 Dec 14 '15 at 12:58
  • Yes, I forgot to mention MAC above. It could probably do for my current project which relies on internet. That said, I would prefer to rely on things that don't change often i.e. Motherboard, CPU, HDD and RAM. – jim Dec 14 '15 at 13:02
  • The only stable (but expensive) solution is a hardware dongle. If the software is internet oriented (i.e. cannot work without an internet connection) you can implement "licenses" on the server. I.e. each running copy registers itself with a client-ID on the server and gets permission to work every minute. If the client-ID is cloned, only one of the copies will work. The real owner can call to change the ID and reject pirated copies. – i486 Dec 14 '15 at 13:08
  • Yea that's what I plan on doing also. How do you detect that a client id is copied, is it paired with a random session id with each "auth" request or is it linked to the IP address the request came from? Thanks. – jim Dec 14 '15 at 13:13
  • The IP is not stable info because it can be changed frequently for phone clients or be equal for 2+ clients if they are behind a router. You can send the client-ID and current date/time (to avoid replaying) in plain text plus SHA of the same + shared secret. The server knows the shared secret and checks the hash. – i486 Dec 14 '15 at 13:37
  • ... there can be also an incrementing counter which will detect double usage of same client-ID. – i486 Dec 14 '15 at 13:40
  • Yes similar to API auth then. Age old questions of securing secret then I guess. Plenty to go on here for my basic system though. Thanks. – jim Dec 14 '15 at 16:12
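
The check-in scheme sketched in the comments above (client-ID, timestamp, incrementing counter, keyed hash), as an added Go example that is not code from the question or its commenters. It uses HMAC-SHA256 in place of a plain SHA over data plus secret; `Server`, `Sign`, `Verify`, the `id|time|counter` message layout and the sample secret are all hypothetical, and client-IDs are assumed not to contain `|`.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Server keeps per-client state (hypothetical layout, in-memory only).
type Server struct {
	secrets map[string][]byte // client-ID -> shared secret
	lastCtr map[string]uint64 // client-ID -> highest counter accepted so far
	maxSkew time.Duration     // allowed clock difference between client and server
}

var ErrTag, ErrStale, ErrReplay = errors.New("bad tag"), errors.New("stale timestamp"), errors.New("counter reused")

// Sign is the client side: HMAC-SHA256 over "id|unixtime|counter", hex encoded.
func Sign(secret []byte, id string, ts time.Time, ctr uint64) string {
	m := hmac.New(sha256.New, secret)
	fmt.Fprintf(m, "%s|%d|%d", id, ts.Unix(), ctr)
	return hex.EncodeToString(m.Sum(nil))
}

// Verify is the server side: authenticate first, then check freshness and counter.
func (s *Server) Verify(id string, ts time.Time, ctr uint64, tag string, now time.Time) error {
	secret, ok := s.secrets[id]
	if !ok || !hmac.Equal([]byte(Sign(secret, id, ts, ctr)), []byte(tag)) {
		return ErrTag // unknown client or altered fields; constant-time compare
	}
	if d := now.Sub(ts); d > s.maxSkew || d < -s.maxSkew {
		return ErrStale // old capture replayed outside the time window
	}
	if ctr <= s.lastCtr[id] {
		return ErrReplay // same client-ID used twice: replay or cloned copy
	}
	s.lastCtr[id] = ctr
	return nil
}

func main() {
	s := &Server{map[string][]byte{"client-42": []byte("constructed-secret")}, map[string]uint64{}, time.Minute}
	now := time.Unix(1450100000, 0) // constructed sample time
	tag := Sign(s.secrets["client-42"], "client-42", now, 1)
	fmt.Println(s.Verify("client-42", now, 1, tag, now)) // first check-in is accepted
	fmt.Println(s.Verify("client-42", now, 1, tag, now)) // second copy with same counter is rejected
}
```

A cloned copy that keeps counting from the same value collides with the original on the next check-in, which is the signal the server can act on.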

0 Answers