Design a secure challenge response license key system for software

Cancelled Posted Feb 2, 2011 Paid on delivery

We have some software that we wish to protect from piracy. We are looking for someone with experience with encryption and digital signatures to create a solution for us with some sample code.

## Deliverables

The license key will probably be of the form

XXXX-YYYY-ZZZZ-AAAA

This will probably, in part, resolve to a serial number (0001, 0002, etc.). What we want to do is create a secure model around this license key so that a user can only authenticate one machine for use with our software. We plan to use the MAC address of the target machine as its unique identifier, and original authentication will be over the internet; although normal use of the target machine will be online, for authentication, the machine will be required to be online. There will therefore be two sets of data sent to our authentication server; this information can either be hashed first or sent in raw form.

(License Key) + (MAC Address) → Server

The server will then register that this MAC address **only** can be used with this license key (or serial number, as the license key contains the serial number). After the license key has been registered with the server, the server will present the user with a response, which the user will probably enter by hand into the target machine. The target machine recognises this as authentic using some digital signature check and continues, placing software checks at various places, possibly decrypting its program partially using some of the response code.

So

1. Possible Function (License Key + MAC Address) → Server

2. Server stores License key and MAC address in a MySQL-DB (We will write this code)

3. Server creates Authentication signature

4. Server sends this digital signature back.

5. Signature is entered into Client (possibly manually)

6. Client authenticates that this response is for the correct license key and MAC.

7. Client stores this response for future checks and continues

Important points are:

1. The Response cannot be too long as the user needs to enter this data manually, so 20-30 characters would be ideal.

2. For obvious reasons we would prefer a non-symmetric system. Ideally the server will have a private key, the response will have some kind of public key.

3. The target system does not run an OS such as Windows or Linux, therefore we will need any libraries used by the client as C source so we can compile onto our target machine.

4. The server will be a standard -nix architecture, so the private signing can be in any appropriate language using available libraries; only the client machine needs code to check that the response is authentic.
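As an added illustration (not code from this posting), the sketch below shows the client-side step of turning a hand-typed response into the bytes a signature check would consume. It assumes the Crockford base32 alphabet, which is a choice made here and not stated in the brief, and the function names are hypothetical. At 5 bits per character, a 20-30 character response carries 100-150 bits, which is the size the chosen signature has to fit.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Map one typed character to its 5-bit value, or -1 if it is not valid.
   Assumed alphabet: Crockford base32 (no I, L, O, U), case-insensitive,
   with the look-alikes O->0 and I/L->1 folded so typing slips still decode. */
static int b32_value(char c)
{
    static const char alphabet[] = "0123456789ABCDEFGHJKMNPQRSTVWXYZ";
    const char *p;
    if (c >= 'a' && c <= 'z') c = (char)(c - 'a' + 'A');
    if (c == 'O') c = '0';
    if (c == 'I' || c == 'L') c = '1';
    p = strchr(alphabet, c);
    return (c != '\0' && p != NULL) ? (int)(p - alphabet) : -1;
}

/* Decode a hand-entered response such as "XXXX-YYYY-..." into raw bytes.
   Hyphens and spaces are ignored. Returns the number of bytes written,
   or -1 on an invalid character, a full output buffer, or non-zero
   trailing bits (so each byte string has exactly one accepted spelling
   apart from case and look-alike folding). */
int response_decode(const char *text, uint8_t *out, size_t out_cap)
{
    uint32_t acc = 0;   /* bit accumulator, never holds more than 12 bits */
    int bits = 0;       /* number of valid bits currently in acc */
    size_t n = 0;

    for (; *text != '\0'; text++) {
        int v;
        if (*text == '-' || *text == ' ') continue;
        v = b32_value(*text);
        if (v < 0) return -1;
        acc = (acc << 5) | (uint32_t)v;
        bits += 5;
        if (bits >= 8) {
            if (n == out_cap) return -1;
            bits -= 8;
            out[n++] = (uint8_t)(acc >> bits);
            acc &= (1u << bits) - 1u;
        }
    }
    if (acc != 0) return -1;   /* leftover padding bits must be zero */
    return (int)n;
}
```

The decoded bytes are only the input to the signature check; the verification itself, over the license key and MAC address, is a separate step that this sketch does not implement.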

C Programming Linux Script Install Shell Script

Project ID: #3073372

About the project

3 proposals Remote project Active Feb 8, 2011

3 freelancers are bidding on average $326 for this job
