CDKeys, how?

by CdnGater · in Torque Game Engine · 06/08/2004 (11:25 am) · 3 replies

This post was talking about WON and CdKeys
www.garagegames.com/mg/forums/result.thread.php?qt=820

I was wondering, if we wanted to implement our own version of CDKeys and validation, how would we go about it?

Are there any resources out in the world that hint at how to do this? Any searches I have done always bring up lots of crack sites, in which I am not interested.

I don't want to tie into an existing central system, I would prefer my own.

I was thinking random a-z,0-9 with a CRC, but that would be easy to break.

Anyone else doing CDKeys, and if so, can you point me to where I can get more info? Thanks

#1
06/08/2004 (11:53 am)
Greetings!

If you just wanted to hand out CD Keys, then you could use a modified MD5 algorithm on a string only you know. So, for each key you want, run your modified MD5 algorithm on something such as:

"My dog's name is Hermy 00001"
"My dog's name is Hermy 00002"

Then just store the resultant MD5 values (your CD key) for lookup on a central server for when the user connects.

The reason I mention a modified MD5 algorithm (different 'T values' than the standard) is so someone would not only need to discover the text string you're using, but also your unique 'T values' to come up with the final key.

Just an idea.

- LightWave Dave
#2
06/09/2004 (6:20 pm)
I think it's a bad idea to generate CD-Keys with any mathematical model. There are plenty that will work well ("Applied Cryptography" is a good introduction), but it still leaves open the possibility of creating a key-gen. The Valve src code theft illustrates that this is a problem to be taken seriously.

If I were to do this, I would use a truly random source. There are plenty of ways to do this, using input devices such as a microphone in a noisy setting (radio static), a webcam and a lava lamp [(c) sgi], or there are "good enough" heuristics such as using CPU load on a busy machine. Come up with some random source you can measure continuously, and concatenate the least significant bit of the input for several hours/days until you have a few million CD keys, and then store them somewhere safe. You probably want to add some kind of checksum so that something like an installer can check the validity of them.

You are still open to the possibility of the codes being stolen, but an attacker would have to transfer the whole thing and not just the generation function, and any keygen would have to be a very large download.

There are things you can do to reduce the risk further: have the server check against a list of one-way hashes of the keys, so you don't have to store the keys anywhere near the server.

I'm really not this paranoid, it's more just an interesting problem. Some of this is probably overkill, but nowadays with online distribution and play, the CD key is the "commodity" more often than the CD itself.

Joel
#3
06/16/2004 (7:34 am)
The question is then, how do you deal with offline PCs? If you use a random model, each needs to be verified against a central DB, which leaves 2 options:
A) Mathematical formula which can "verify" a CD key + online database
B) 2 exes, single player doesn't do a key check, and preferably not a CD (it will get cracked so doing it is pointless) + strict online checking.
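
The scheme from replies #2 and #3 (random keys, a checksum the installer can verify offline, and a server that holds only one-way hashes), as an added example that is not code from any poster in this thread. Assumptions: the key format, CRC32 as the checksum, SHA-256 as the one-way hash, all function names, and Python's `secrets` module (the OS CSPRNG) standing in for the physical noise source described in #2.

```python
import hashlib
import secrets
import zlib

# 32 symbols (5 bits each); I, O, 0 and 1 are left out to avoid typing errors.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
PAYLOAD_LEN = 20  # 20 symbols * 5 bits = 100 random bits per key
CHECK_LEN = 4     # 20-bit checksum written as 4 symbols

def checksum(payload: str) -> str:
    """CRC32 of the payload, truncated to 20 bits. Public, so not a secret."""
    crc = zlib.crc32(payload.encode("ascii")) & 0xFFFFF
    return "".join(ALPHABET[(crc >> s) & 0x1F] for s in (15, 10, 5, 0))

def normalize(key: str) -> str:
    return key.replace("-", "").replace(" ", "").upper()

def generate_key() -> str:
    """Random payload plus checksum, shown in dash-separated groups of four."""
    payload = "".join(secrets.choice(ALPHABET) for _ in range(PAYLOAD_LEN))
    raw = payload + checksum(payload)
    return "-".join(raw[i:i + 4] for i in range(0, len(raw), 4))

def offline_check(key: str) -> bool:
    """Installer-side check: catches typos, proves nothing about issuance."""
    raw = normalize(key)
    if len(raw) != PAYLOAD_LEN + CHECK_LEN or any(c not in ALPHABET for c in raw):
        return False
    return checksum(raw[:PAYLOAD_LEN]) == raw[PAYLOAD_LEN:]

def key_hash(key: str) -> str:
    """One-way hash the server stores instead of the key itself."""
    return hashlib.sha256(normalize(key).encode("ascii")).hexdigest()

def server_check(key: str, issued_hashes: set) -> bool:
    """Online check: the key must be well-formed AND among the issued hashes."""
    return offline_check(key) and key_hash(key) in issued_hashes

if __name__ == "__main__":
    keys = [generate_key() for _ in range(3)]      # constructed sample batch
    hashes = {key_hash(k) for k in keys}           # all the server ever sees
    forged = "A" * PAYLOAD_LEN + checksum("A" * PAYLOAD_LEN)  # keygen-style key
    print(keys[0], offline_check(keys[0]), server_check(keys[0], hashes))
    print(forged, offline_check(forged), server_check(forged, hashes))
```

The forged key passes the offline checksum but fails the server lookup, which is the gap reply #3 points at: only the online check ties a key to the issued list.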