One of my company’s products needs to implement a license mechanism. I’m planning to generate a key based on the user’s PC MAC address. But I’m a bit worried that this method could get confused by some advanced hardware configurations, such as:
- Multiple network cards.
- Virtualization.
- MAC address change possibilities(?)
- Working with VPNs.
Is it a good idea to generate a license key with the MAC address? Any ideas?
7
Implementing a license mechanism has always been a bit of a challenge for developers. But if you use the MAC address, IMO virtualization and multiple network cards would pose a challenge.
There are other options which can be considered (that I’m aware of):
- Based on hardware IDs (replacing hardware is also a challenge)
- Other license development kits (CryptoLicensing, SafeNetSolutions, MS-SLPservices and so many others)
- Based on hardware devices (dongles, SD cards, etc.)
Obviously none of the above options are hack-proof. Considering the product and company needs, evaluate them carefully.
Don’t spend too much time complicating it; do think of those loyal customers (the paying ones).
If it’s for web servers, just use the IP address and domain name. Those are some of the pieces of information used to create an SSL certificate for HTTPS.
In fact, you can use the HTTPS method for validation. In your case your application would be like a web browser trying to validate the server by contacting the Certificate Authority, in your case, your license server.
This will reduce the maintenance issue to slightly more than updating an SSL certificate, which is an acceptable pain when changing the IP address or domain name.
That’s actually pretty easy for the web.
1) Have your license server expire the keys every 24/72 hours
2) When it’s due to expire, your license server gives domains a new key by looking up the domain name and executing a script that comes with your installation:
https://www.somecustomer.com/yoursoftware/license.php?somekey=hash
You can get fancy here by having private keys that only the installation and the server have, then decrypting the hash with that private key. Obviously, if one of your customers gets hacked you’re going to need to change the private keys, but that’s simply a matter of building in an update mechanism.
When receiving a new key, the endpoint immediately checks with the server that it’s actually a genuine update request; this will stop people bricking installations by submitting bogus key updates.
3) During the normal course of operation, the software will check if it has a valid key by contacting the server.
That way the only way it can go wrong is if the domain gets hijacked, which to be fair isn’t your problem.
I’ve used MAC-based licensing (as a user and a bit as a developer), and it was fine.
BUT
You must have a customer support person readily available, who can quickly handle all those cases where a user buys a new laptop, their IT department changes stuff, etc. And said support person must be both technically qualified, and bureaucratically qualified, to promptly create and email out a new license. If they have to consult much with a “real” programmer or the official sales rep you are doomed because one of them will be on vacation. And your customers will get pissed and look elsewhere.
Yes, you’ll probably lose a tiny bit of money to cheaters. Live with it.
1
Generating a licence key using the MAC address sounds good, but you will need a user login area where the user can generate a new licence key if he/she changes their computer or network interface. Obviously you can automate this process.
What you need is just to obtain the user’s MAC and encrypt it using a hash. Something like this:
Here the licence key is generated by converting the MAC to hash64.
Remember, it works fine on all PCs including VPSs, but it is a bit challenging for VPNs. You need to tune a lot over the internet for it.
1
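One way to build the MAC-bound key discussed in the answers above, added here as an example and not code from any of the posts: it uses HMAC-SHA256 with a vendor secret instead of a bare hash of the MAC (which anyone could recompute), registers several NICs so one surviving adapter is enough, and carries an expiry as in the 24/72-hour scheme. `VENDOR_SECRET`, the function names and the key layout are assumptions made for the illustration, and the caller is assumed to supply the list of local MAC addresses.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret (assumption): shared by the license server and the installation.
VENDOR_SECRET = b"constructed-demo-secret"

def normalize_mac(mac: str) -> str:
    """Canonical form (12 lowercase hex digits) so '00-1A-...' and '00:1a:...' compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def issue_license(customer: str, macs: list[str], expires: int) -> str:
    """Server side: bind the license to every NIC the customer registered."""
    claims = {"customer": customer, "exp": expires,
              "macs": sorted(normalize_mac(m) for m in macs)}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(VENDOR_SECRET, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())

def check_license(key: str, local_macs: list[str], now: int) -> str:
    """Client side: returns 'ok', 'bad-signature', 'expired' or 'wrong-machine'."""
    try:
        p64, t64 = key.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
    except ValueError:  # wrong number of parts or broken base64
        return "bad-signature"
    expected = hmac.new(VENDOR_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return "bad-signature"
    claims = json.loads(payload)  # parsed only after the tag has been verified
    if now >= claims["exp"]:
        return "expired"
    # Any one registered NIC still present is enough: a replaced Wi-Fi card or an
    # extra virtual/VPN adapter on the machine does not invalidate the license.
    present = {normalize_mac(m) for m in local_macs}
    return "ok" if present & set(claims["macs"]) else "wrong-machine"
```

Because HMAC verification needs the same secret that issues keys, the secret ships inside the client; an asymmetric signature would leave only a verification key there.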