Many software manufacturers in the market today require a purchaser and end user to obtain a license to use a software program or product. Some products contain a dialog box that appears during installation of the product with the license information. When an end user accepts the terms and conditions of the license, usually by clicking an “ACCEPT” button, the product is then installed on the computer and the product is authenticated or authorized.
An example of authorizing a product is disclosed in U.S. Pat. No. 5,490,216 to Richardson, entitled System for Software Registration (“the '216 patent”). Products are authorized by sending some type of Computer ID to a licensing authority, and/or customer or end user specific information such as name and/or credit card number. The licensing authority and end user then use an identical algorithm at each end to transform the Computer ID into an authorization key. According to the '216 patent, both algorithms will always process the same Computer ID exactly the same way. If the authorization key generated by the licensing authority and received by the end user's computer is identical to the one created on the end user's computer, the product is available to use. The uniqueness of each authorization key is based on aspects of the end user's computer, aspects of the program (such as a checksum), and/or end user specific information such as name, address, credit card number, etc.
A unique Computer ID (and/or purchaser ID) is necessary for this technology to produce massively different activation keys for each end user. Without the unique Computer ID, one activation key would work on all of the computers. Problems with this technique include that it limits how products are activated. Additionally, the system and methods of the '216 patent utilizes very long alphanumeric numbers that are difficult for human beings to manage, communicate, or manually enter.
Still further, the system and methods of the '216 patent opens up the activation process to serious security flaws. More particularly, one popular method for using illegal copies of products is by unlocking them with rogue activation key generators. The process described in the '216 patent makes this easy. For instance, once any key generator is copied, the copies can be used to generate activation keys for all products using that system, or if end users can get a copy they can use the copy to generate activation keys for products the end users are not entitled to use. This happens frequently as can be shown by doing a quick web search for popular products and the term “keygen.” Processes known in the prior art make it possible to produce a key generator by copying a section of the protected product (or protection DLL), since both the key generator and the protection produce the identical hash of the input data.
In the case of a company that sells copy protection, unless that company creates a new algorithm for each customer or end user, the same key generator can be used to generate activation keys for all customers or end users and all products. This is a serious weakness in the copy protection system. Reverse engineering a single product will result in a rogue activation key generator for multiple products.
If a publisher or licensing authority desires to lease or license a product, that product must be reactivated continuously on the same computer. Using existing technology, reactivation is either impossible or very difficult because the unique Computer ID will always be the same and the customer or end user information will be the same. As a result, the activation keys will always be the same and the end user can continuously reuse the same activation key, defeating the purpose of enforcing the lease or license.
Unique Computer IDs and activation keys are typically of the type: VY13V-249B5-A25BC-PBC43-648DG. Computer IDs and activation keys of this type are difficult to verbally transmit from end user to licensing authority as the letters B, C, P, G, and V sound very much the same and the differences can be lost over a telephone connection unless both parties are well versed in using phonetics such as are used by the military.