How are hardware-specific product keys generated?

I have a piece of software that works only in demo mode unless you have a key. To get a key, I have to click a button in the software, and it spits out an 8 digit number. I send that number to the software vendor and they send me a key. I input the key and the software is happy.

I noticed that the same key does NOT work on another laptop - say, if I wanted to decommission an old laptop and transfer the software over to a new one. The 8 digit number generated on the new machine will be different, meaning the license key will also be different.

Where does the 8 digit number come from? I guess it can’t be coming from the software, otherwise it would be the same no matter which machine I installed it on. That means it’s coming from somewhere in my hardware. How does the software know my 8 digit number + the key = success?

This seems to be a good way to prevent software piracy, so I’m wondering why Microsoft and other large companies don’t use this method. I realize that not everyone who has a computer has internet access, but a user could just as easily call their number in to a validation hotline.

Aw shit, I swear I had an article, a few years ago, describing how this works. (There may be various competing algorithms, of course.)

From what I can remember, the algorithm looks at various characteristics of your machine that are likely to remain constant on your machine, but that are likely to be different on different machines – things like the motherboard serial number, the Ethernet number (the MAC address), maybe the hard disk label or serial number, perhaps certain characteristics of the structure of your root directory – I don’t remember the specific items, but it was stuff like that.

Then, to validate that it’s running on the same machine where the key was generated, it re-computes that and compares with the original – but there’s a certain amount of leeway deliberately built into the algorithm. It ends up generating a score (like 1 through 10 or whatever it was) indicating the likelihood that it’s still the same machine. Any score of, say, 7 through 10 means it’s probably the same machine, then the app will run.
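An added example (my own Go code, not from this thread or any vendor) of the weighted-leeway scheme the post above describes: each hardware identifier is hashed separately when the license is activated, and every later check adds up the weight of the components that still match, then compares the total against a threshold. The component names, the weights (which total 10) and the threshold of 7 are assumptions chosen to mirror the 1-to-10 score mentioned above; the serial numbers and MAC address are constructed sample values, not read from real hardware.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Components holds the hardware identifiers a fingerprint is built from.
// A real product reads these from the OS (SMBIOS, network stack, disk
// controller); here they are constructed sample values.
type Components struct {
	BoardSerial string
	MACAddress  string
	DiskSerial  string
	CPUModel    string
}

// weights say how strongly each component "votes" that this is the same
// machine. Parts that are rarely replaced count for more; the total is 10.
// These values are an assumption for the example.
var weights = map[string]int{
	"board": 4,
	"mac":   2,
	"disk":  2,
	"cpu":   2,
}

// Threshold is the minimum score (out of 10) accepted as "same machine".
const Threshold = 7

// Fingerprint maps component name -> truncated SHA-256 of its normalised
// value, so the stored license record never holds the raw serial numbers.
type Fingerprint map[string]string

func hashComponent(v string) string {
	sum := sha256.Sum256([]byte(strings.ToLower(strings.TrimSpace(v))))
	return hex.EncodeToString(sum[:8])
}

// NewFingerprint hashes every component independently; hashing them
// together would lose the ability to tolerate a single replaced part.
func NewFingerprint(c Components) Fingerprint {
	return Fingerprint{
		"board": hashComponent(c.BoardSerial),
		"mac":   hashComponent(c.MACAddress),
		"disk":  hashComponent(c.DiskSerial),
		"cpu":   hashComponent(c.CPUModel),
	}
}

// Score adds the weight of every component that still matches the
// fingerprint saved at activation time.
func Score(saved, current Fingerprint) int {
	score := 0
	for name, w := range weights {
		if saved[name] != "" && saved[name] == current[name] {
			score += w
		}
	}
	return score
}

// SameMachine applies the leeway: a replaced disk or NIC is tolerated,
// a wholesale change of hardware is not.
func SameMachine(saved, current Fingerprint) bool {
	return Score(saved, current) >= Threshold
}

func main() {
	activated := Components{"MB-0001-ABCD", "00:11:22:33:44:55", "WD-9876", "Example CPU 3.2GHz"}
	saved := NewFingerprint(activated)

	diskSwapped := activated
	diskSwapped.DiskSerial = "SSD-NEW-42"
	cur := NewFingerprint(diskSwapped)
	fmt.Println("after disk swap:", Score(saved, cur), SameMachine(saved, cur))

	other := Components{"MB-0002-ZZZZ", "66:77:88:99:AA:BB", "SSD-NEW-42", "Example CPU 3.2GHz"}
	cur = NewFingerprint(other)
	fmt.Println("other laptop:   ", Score(saved, cur), SameMachine(saved, cur))
}
```

With these weights a swapped disk scores 8 and still passes, a swapped disk plus a swapped network card scores 6 and fails, and a different laptop that happens to share the same CPU model scores 2. Storing per-component hashes rather than the raw identifiers means the license file itself does not leak serial numbers, and using a score rather than an all-or-nothing comparison is exactly the leeway the post describes.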

That’s basically the way that Microsoft ties a Windows installation to a specific computer but that’s not how everyone does it. Microsoft also keeps a copy of the key on their system when you register so that they know what machine it is installed on.

Other software varies, but they use generally the same things that you mentioned. They will tie the software key to things like the CPU, BIOS (motherboard), or Hard Drive serial number or the Ethernet MAC ID. Often though they will only tie it to one thing. It gets to be a royal pain if you have to replace the hardware component that the license is tied to. Then you have to contact the company, explain why you need a new key for the same machine, and re-register. Windows allows you to replace a few items without it triggering the copy protection, which is a bit more user friendly but requires more effort on Microsoft’s part.

There was an attempt by Intel to embed a processor serial number in their chips that could be used for purposes such as this. But opposition forced them to cancel it.

You can use other hardware ID factors to generate a number, but this runs into issues when someone swaps out a component that it is based on such as hard drive.

For simple software ID generation, one can be generated during install simply based on time-date-and some random bits. No two installs would have the same number. Using a public-key crypto system, the code you see can be generated, at the other end they decode it to verify you have a valid install, generate a matching code, encrypt that (also public key), send back the license key, which is verified at your end (but not decoded).

Dedicated people can work their way through all this, find out where the install code is stored, etc. and duplicate this. OTOH, if they’re that good it’s simpler to just modify the program so that the test for valid license always passes.

Of course, people cut corners and full security is frequently not present. In addition, companies like Microsoft actually do use hardware identifiers to protect products due to the huge demand for their products. Never mind the headaches that it causes for upgraders like myself.
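An added example, not from this thread: Go code for the install-code and public-key exchange the post above sketches. The 8 digit install code is derived from the install time plus random bytes; the vendor's reply is an Ed25519 signature over that code (my choice of public-key primitive, an assumption; the post only says "public key"), which the shipped program can verify with the vendor's embedded public key but cannot produce itself, matching "verified at your end (but not decoded)". The product name, the key seed and the install values are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// NewInstallCode derives the 8 digit number the user reads off the screen
// from the install time plus random bytes. With only 10^8 possible values
// two installs can collide, so the vendor side should also record which
// codes it has already licensed rather than rely on uniqueness.
func NewInstallCode(installedAt time.Time, random []byte) string {
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(installedAt.Unix()))
	h := sha256.New()
	h.Write(ts[:])
	h.Write(random)
	sum := h.Sum(nil)
	n := binary.BigEndian.Uint64(sum[:8]) % 100000000
	return fmt.Sprintf("%08d", n)
}

// licenseMessage is what the vendor signs: product name and install code
// bound together, so a key issued for one product or install is not valid
// for another.
func licenseMessage(product, installCode string) []byte {
	return []byte(product + "\x00" + installCode)
}

var keyEncoding = base32.StdEncoding.WithPadding(base32.NoPadding)

// IssueLicense runs on the vendor side. The "matching code" sent back is
// an Ed25519 signature made with the vendor's private key.
func IssueLicense(vendorKey ed25519.PrivateKey, product, installCode string) string {
	sig := ed25519.Sign(vendorKey, licenseMessage(product, installCode))
	return keyEncoding.EncodeToString(sig)
}

// VerifyLicense runs inside the shipped software, which embeds only the
// vendor's public key: it can check a key but cannot mint one.
func VerifyLicense(vendorPub ed25519.PublicKey, product, installCode, licenseKey string) bool {
	sig, err := keyEncoding.DecodeString(strings.ToUpper(strings.TrimSpace(licenseKey)))
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(vendorPub, licenseMessage(product, installCode), sig)
}

func main() {
	// Constructed seed for a reproducible demo; a real vendor generates the
	// key pair once with ed25519.GenerateKey(rand.Reader) and keeps it offline.
	seed := sha256.Sum256([]byte("constructed vendor seed, not a real key"))
	vendorKey := ed25519.NewKeyFromSeed(seed[:])
	vendorPub := vendorKey.Public().(ed25519.PublicKey)

	code := NewInstallCode(time.Now(), []byte{0xde, 0xad, 0xbe, 0xef})
	key := IssueLicense(vendorKey, "DemoApp", code)
	fmt.Println("install code:      ", code)
	fmt.Println("license key:       ", key)
	fmt.Println("valid here:        ", VerifyLicense(vendorPub, "DemoApp", code, key))
	fmt.Println("on another install:", VerifyLicense(vendorPub, "DemoApp", "12345678", key))
}
```

The license key is long (a 64 byte signature is 103 base32 characters) because the strength of the scheme lives in the signature, not in the 8 digit code. It protects the issuing step: nobody without the vendor's private key can turn an install code into a valid key. It does nothing against the second attack the post mentions, patching the program so that VerifyLicense is never consulted, which is why vendors pair schemes like this with online re-checks or accept that determined people will get around it.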

There are lots of ways to make such keys. Computer hardware has all sorts of identifying details that software can look at. The trick is that you want to pick something that’s not likely to change very often, because people are going to get pretty frustrated if their software stops working regularly. For that reason, using something like the motherboard model is good, since people rarely change that, but using, say, the size of installed memory would be pretty bad.

Microsoft does use this kind of system. If you change your computer hardware too much, you have to contact them to get a new key.

The reason that pirates are still able to get around Microsoft’s anti-piracy measures is mostly

  1. They’re very motivated, and will patch/crack the authentication system itself.
  2. There’s a good business case for Microsoft to make it easy to use the same key to install lots of copies of Windows. If you’re a system administrator for a big corporation and you want to roll a new version of Windows out to 10,000 systems, it’s going to be a bitch and a half if each system needs to receive a separate key from Microsoft.

They are way ahead of ya there