生成许可密钥的方法有很多，但真正安全的方法很少。这很遗憾，因为对于公司来说，许可证密钥的价值几乎与真正的现金相同。

理想情况下，您希望您的许可密钥具有以下属性:

Only your company should be able to generate license keys for your products, even if someone completely reverse engineers your products (which WILL happen, I speak from experience). Obfuscating the algorithm or hiding an encryption key within your software is really out of the question if you are serious about controlling licensing. If your product is successful, someone will make a key generator in a matter of days from release. A license key should be useable on only one computer (or at least you should be able to control this very tightly) A license key should be short and easy to type or dictate over the phone. You don't want every customer calling the technical support because they don't understand if the key contains a "l" or a "1". Your support department would thank you for this, and you will have lower costs in this area.

那么如何解决这些挑战呢?

The answer is simple but technically challenging: digital signatures using public key cryptography. Your license keys should be in fact signed "documents", containing some useful data, signed with your company's private key. The signatures should be part of the license key. The product should validate the license keys with the corresponding public key. This way, even if someone has full access to your product's logic, they cannot generate license keys because they don't have the private key. A license key would look like this: BASE32(CONCAT(DATA, PRIVATE_KEY_ENCRYPTED(HASH(DATA)))) The biggest challenge here is that the classical public key algorithms have large signature sizes. RSA512 has an 1024-bit signature. You don't want your license keys to have hundreds of characters. One of the most powerful approaches is to use elliptic curve cryptography (with careful implementations to avoid the existing patents). ECC keys are like 6 times shorter than RSA keys, for the same strength. You can further reduce the signature sizes using algorithms like the Schnorr digital signature algorithm (patent expired in 2008 - good :) ) This is achievable by product activation (Windows is a good example). Basically, for a customer with a valid license key, you need to generate some "activation data" which is a signed message embedding the computer's hardware id as the signed data. This is usually done over the internet, but only ONCE: the product sends the license key and the computer hardware id to an activation server, and the activation server sends back the signed message (which can also be made short and easy to dictate over the phone). From that moment on, the product does not check the license key at startup, but the activation data, which needs the computer to be the same in order to validate (otherwise, the DATA would be different and the digital signature would not validate). Note that the activation data checking do not require verification over the Internet: it is sufficient to verify the digital signature of the activation data with the public key already embedded in the product. Well, just eliminate redundant characters like "1", "l", "0", "o" from your keys. Split the license key string into groups of characters.

我以前用过Crypkey。这是许多可用的之一。

使用任何许可方案，您只能在一定程度上保护软件。

我坚信，只有基于公钥密码学的许可系统才是正确的方法，因为您不必将许可证生成所需的基本信息包含到源代码中。

在过去，我曾多次使用Treek的授权库，因为它满足了这一要求，并提供了非常好的价格。它对终端用户和自身使用相同的许可证保护，直到现在还没有人破解它。你也可以在网站上找到避免盗版和破解的好建议。

你可以使用免费的第三方解决方案来解决这个问题，比如Quantum-Key。Net它是免费的，通过paypal为你创建的网络销售页面处理支付，通过电子邮件发放钥匙，并将钥匙锁定到特定的计算机以防止盗版。

你还应该注意混淆/加密你的代码，或者它可以很容易地使用De4dot和. netreflector等软件进行逆向工程。ConfuserEx是一个很好的免费代码混淆器，它使用起来快速简单，比昂贵的替代品更有效。

你应该通过De4Dot和. netreflector运行你完成的软件来逆向工程它，看看黑客会看到什么，如果他们做同样的事情，并确保你没有留下任何重要的代码暴露或未伪装。

你的软件仍然是可以被破解的，但对于那些偶然的破解者来说，这可能足以让他们望而却步，这些简单的步骤也可以防止你的代码被提取和重用。

https://quantum-key.net

如何使用ConfuserEx?

https://github.com/0xd4d/de4dot

https://www.red-gate.com/dynamic/products/dotnet-development/reflector/download

我们用来生成许可证密钥的c# / .NET引擎现在是开源的:

https://github.com/appsoftware/.NET-Licence-Key-Generator。

它基于“部分密钥验证”系统，这意味着只有用于生成密钥的密钥子集必须编译到您的分布式文件中。您自己创建密钥，因此许可证实现对于您的软件是惟一的。

如上所述，如果您的代码可以反编译，那么绕过大多数许可系统就相对容易。

生成许可密钥的方法有很多，但真正安全的方法很少。这很遗憾，因为对于公司来说，许可证密钥的价值几乎与真正的现金相同。

理想情况下，您希望您的许可密钥具有以下属性:

Only your company should be able to generate license keys for your products, even if someone completely reverse engineers your products (which WILL happen, I speak from experience). Obfuscating the algorithm or hiding an encryption key within your software is really out of the question if you are serious about controlling licensing. If your product is successful, someone will make a key generator in a matter of days from release. A license key should be useable on only one computer (or at least you should be able to control this very tightly) A license key should be short and easy to type or dictate over the phone. You don't want every customer calling the technical support because they don't understand if the key contains a "l" or a "1". Your support department would thank you for this, and you will have lower costs in this area.

那么如何解决这些挑战呢?

The answer is simple but technically challenging: digital signatures using public key cryptography. Your license keys should be in fact signed "documents", containing some useful data, signed with your company's private key. The signatures should be part of the license key. The product should validate the license keys with the corresponding public key. This way, even if someone has full access to your product's logic, they cannot generate license keys because they don't have the private key. A license key would look like this: BASE32(CONCAT(DATA, PRIVATE_KEY_ENCRYPTED(HASH(DATA)))) The biggest challenge here is that the classical public key algorithms have large signature sizes. RSA512 has an 1024-bit signature. You don't want your license keys to have hundreds of characters. One of the most powerful approaches is to use elliptic curve cryptography (with careful implementations to avoid the existing patents). ECC keys are like 6 times shorter than RSA keys, for the same strength. You can further reduce the signature sizes using algorithms like the Schnorr digital signature algorithm (patent expired in 2008 - good :) ) This is achievable by product activation (Windows is a good example). Basically, for a customer with a valid license key, you need to generate some "activation data" which is a signed message embedding the computer's hardware id as the signed data. This is usually done over the internet, but only ONCE: the product sends the license key and the computer hardware id to an activation server, and the activation server sends back the signed message (which can also be made short and easy to dictate over the phone). From that moment on, the product does not check the license key at startup, but the activation data, which needs the computer to be the same in order to validate (otherwise, the DATA would be different and the digital signature would not validate). Note that the activation data checking do not require verification over the Internet: it is sufficient to verify the digital signature of the activation data with the public key already embedded in the product. Well, just eliminate redundant characters like "1", "l", "0", "o" from your keys. Split the license key string into groups of characters.