Conventional commercial software applications are typically delivered as physical media or as a software download (containing the software code) together with an alphanumeric product key. It is typical for an independent software vendor (ISV) to require its products to complete an “activation” process before the full rights associated with the software are enabled for a specific user and/or computer. The activation process typically involves transmitting the product key, along with some information identifying the user and/or computer, to an activation clearinghouse. The clearinghouse is typically operated by the ISV, but it may also be operated by a third party. The clearinghouse responds with an authorization code enabling access to the rights associated with the software, thereby licensing the software.
Typically, the activation process is performed “online” over a computer network with bandwidth sufficient to transmit digital signatures, which cryptographically prove the validity of the authorization code. For users who cannot or choose not to activate via a computer network, a solution must be provided which supports “offline” media that have dramatically lower bandwidth. The most common example of such media is the telephone.
The strength of a cryptographic proof of validity is determined by the difficulty of fabricating a counterfeit proof. The proof is typically computed over the user's product key and identifying information using a private key which is known only to the authorization authority. As long as the private key is physically secured, the feasible means of generating a counterfeit proof are to create candidate proofs randomly or semi-randomly and check each for authenticity against the client's verification routine (which thereby serves the attacker as an oracle), or to attempt to recover the private key by analysis or brute force. Either attack will ultimately succeed, given sufficient time and processing power. The level of cryptographic security is therefore measured by the time required to complete a successful attack. For digital signatures, this time is far beyond a normal human lifetime, given current processing power and mathematical techniques.
When a user activates over the telephone, however, the amount of data which can be conveyed is extremely limited, because reading and transcribing data (typically numeric and/or alphabetic characters) over the phone is slow and error-prone. Specifically, the cryptographic signatures used to create authorization codes for online activation could require hundreds of such characters, an experience that would be unacceptable to all but the most tolerant customers. Thus, there is a need for a short authorization code which provides protection from attack for a reasonable time but is less cumbersome than the digital signatures employed during online software activation.
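To make the trade-off in the preceding two paragraphs concrete, the following Python is an added illustration and is not code from the patent or from any ISV's activation system. It assumes, hypothetically, that a short authorization code is a keyed hash (HMAC-SHA256) over the product key and machine identifier, reduced to a chosen number of symbols in a phone-friendly alphabet; the secret, product key, machine identifier, alphabets and guess rate are all constructed for the example, and the verifier holds the same secret as the issuer, a simplification made only so that the example runs offline. It computes how many spoken characters a signature of a given bit length costs, the expected work of the candidate-and-check attack for a code of a given length, and runs that attack against a four-digit code to show that the client's own verifier is the attacker's oracle.

```python
import hashlib
import hmac
import math
from typing import Callable, Optional, Tuple

# Constructed alphabets: only their sizes matter for the arithmetic.
DECIMAL = "0123456789"
# 32 symbols with the easily confused I, L, O and U left out.
BASE32_PHONE = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"


def chars_needed(bits: int, alphabet_size: int) -> int:
    """Symbols a person must read aloud to convey `bits` bits in an alphabet of the given size."""
    return math.ceil(bits / math.log2(alphabet_size))


def code_bits(alphabet_size: int, length: int) -> float:
    """Security margin of a `length`-symbol code, in bits, against random guessing."""
    return length * math.log2(alphabet_size)


def expected_attack_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Average time for the candidate-and-check attack to hit a valid code (half the space)."""
    return (alphabet_size ** length / 2) / guesses_per_second


def encode(value: int, alphabet: str, length: int) -> str:
    """Fixed-length, most-significant-symbol-first rendering of an integer below len(alphabet)**length."""
    out = []
    for _ in range(length):
        value, rem = divmod(value, len(alphabet))
        out.append(alphabet[rem])
    return "".join(reversed(out))


def short_code(secret: bytes, product_key: str, machine_id: str, alphabet: str, length: int) -> str:
    """Hypothetical short authorization code: HMAC over the identifying data, reduced to `length` symbols."""
    tag = hmac.new(secret, f"{product_key}|{machine_id}".encode(), hashlib.sha256).digest()
    value = int.from_bytes(tag, "big") % (len(alphabet) ** length)
    return encode(value, alphabet, length)


def verify(secret: bytes, product_key: str, machine_id: str, code: str, alphabet: str, length: int) -> bool:
    """Client-side check (constant-time compare). Simplification: the client holds the issuer's secret."""
    expected = short_code(secret, product_key, machine_id, alphabet, length)
    return hmac.compare_digest(expected, code)


def candidate_and_check(oracle: Callable[[str], bool], alphabet: str, length: int) -> Tuple[Optional[str], int]:
    """The attack from the text: enumerate candidate codes and ask the client's verifier about each.
    Returns (code found or None, number of oracle calls made)."""
    calls = 0
    for i in range(len(alphabet) ** length):
        calls += 1
        candidate = encode(i, alphabet, length)
        if oracle(candidate):
            return candidate, calls
    return None, calls


# Constructed sample inputs (hypothetical, not real keys or identifiers).
SECRET = b"constructed-issuer-secret-do-not-reuse"
PRODUCT_KEY = "ABCDE-12345-FGHIJ-67890-KLMNO"
MACHINE_ID = "machine-0001"


def demo_lengths() -> dict:
    """Spoken-character cost of common signature sizes versus the margin of short codes."""
    return {
        "rsa2048_sig_decimal": chars_needed(2048, len(DECIMAL)),      # 617 digits
        "rsa2048_sig_base32": chars_needed(2048, len(BASE32_PHONE)),  # 410 symbols
        "p256_sig_decimal": chars_needed(512, len(DECIMAL)),          # 155 digits (64-byte signature)
        "code25_base32_bits": code_bits(len(BASE32_PHONE), 25),       # 125.0 bits
        "code6_decimal_bits": code_bits(len(DECIMAL), 6),             # about 19.9 bits
    }


def demo_attack() -> Tuple[str, int, bool]:
    """Brute-force a 4-digit decimal code through the verifier; succeeds within 10**4 oracle calls."""
    length = 4
    oracle = lambda c: verify(SECRET, PRODUCT_KEY, MACHINE_ID, c, DECIMAL, length)
    found, calls = candidate_and_check(oracle, DECIMAL, length)
    genuine = short_code(SECRET, PRODUCT_KEY, MACHINE_ID, DECIMAL, length)
    return found, calls, found == genuine


if __name__ == "__main__":
    print(demo_lengths())
    print(demo_attack())
    # A 25-symbol base32 code at a constructed rate of one million guesses per second:
    print(expected_attack_seconds(len(BASE32_PHONE), 25, 1e6) / (3600 * 24 * 365.25), "years")
```

The guess rate is the parameter a deployment actually controls: the arithmetic in `expected_attack_seconds` assumes the attacker can query the verifier freely, which is true when the check runs entirely on the client, so the code length must be chosen for that case rather than for a rate-limited server.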