Digitally Signing Licenses using Public Key Technology

Since software license keys contain entitlement information, it makes sense to protect those data from tampering and corruption. It would be tempting for an unscrupulous user to change a license count from 10 to 100 by simply tacking on an extra zero, or to upgrade your v2.0 licenses to v5.0 with a similarly simple edit.

To prevent this, software licenses, especially those that are in a readable plain text form, are “digitally signed.” This means that the data that represent the license entitlement (product, version, expiration date, count, etc.) are input to an algorithm that creates a verifiable “signature” for that data.  If the data is ever modified, then the signature for that new data would no longer match the original, rendering the license invalid.

Early licensing products used common algorithms that were customized with secret “seeds” to ensure that every vendor’s certificate generator could create and validate licenses for its products only.  But, there were problems with this because it was possible for hackers to extract these seeds and build license generators that could create counterfeit licenses that would work with an ISV’s unmodified applications.

Today, software licensing vendors rely on public key / private key schemes to address this counterfeit license problem. With public key encryption, software vendors can create digitally signed licenses with a private key that can be verified by anyone who has access to the vendor’s public key. The important point is that, unlike “seeds” which were exposed in the binary application products, the private key remains private, and is never shipped as part of the software product.

Leave a Reply

Your email address will not be published. Required fields are marked *