Contributor: KANDA'JALEN EIRSIE

{
> I'm trying to come up with a registration keying routine for my
> software, but am at kind of a loss on how to do it and make it somewhat
> secure or a pain to crack.
> Here's a program that supposedly uses RSA encryption, but it must be for
> an older pascal because I couldn't get it to compile with version 7.0
> since it tries to use a declaration of Integer[36]. I tried it with
> just a regular Integer declaration and I couldn't get it to work (I
> think).

 OKay...  As I recall, that Integer[36] thingy was implemented on DEC
 VMS systems (possibly others) as kind of a work around for, faster than
 real, large (greater than maxint) integer math applications.  You might
 try declaring the variables as longint to test out the algorithm..
 It's 32 bit, but then it may be a hair too small even for the math
 tricks that your rsa is doing...  Making such large numbers that it
 needs 36 bit integers to avoid overflows..

   Anyway.  I was really wondering why you didn't want to implement an
 XOR type of encryption method..  It's really so much faster than any
 math trick type of implementation...As there is really no math
 involved..

 Encryption security has three basic concerns:

 It has to be secure when the enemy knows or has in possesion the method
 that you encrypted your target,
 It has to be secure when the enemy has in his possesion, your target,
 And it has to be secure if the enemy has in possesion, your method,
 your target and your key.

 Whatever the method you use, all you are really doing is changing the
 value of a byte (the simplest item) to some other value.  Or you are
 restructuring the method of access.

   Or in plain english, you compress your file, then mess it up with
 some encryption algorithm that uses a key to decrypt it.
 How you compress, and how you encrypt doesn't really matter.

   What matters, is the possible number of ways that you COULD have
 used.  If that number (of ways) is computable, then your encryption
 method is crackable.

   This number (of possible methods) is called the domain of solutions.
 If the domain of solutions can be written into a program then any
 method and combinations of methods is crackable.

   To be uncrackable, the domain of solutions must be uncomputable.
 Actually, it may very well BE crackable, but so long as it is
 uncomputable, the cracker has no way to determine where to begin
 cracking!  Thus the defence or security lies not in remaining
 uncrackable, but in remaining encrypted.  Making it take too long to
 crack.  In other words just how much time will it take to solve the
 puzzle and for how long does the puzzle have to remain unsolved before
 it is no longer relevant.

   The perfect encryption engine, would be something that has too vast
 of a number of methods to be computable, yet very simple to operate and
 use.  The answer to this seemingly paradoxical question is simple.  You
 have to introduce a non machine element into the engine.  The human
 element.  A human determined key sequence.  In other words, your key is
 defined not by position or elements, but in steps.  Or instructions on
 what to do that is not machine or engine readable.  Or in other words,
 it can't be automatic (one step) and secure.

 There are many methods, including weird math methods.  However, it has
 been shown that ALL weird math methods are no more secure than simply
 adding 1 to the value of any byte.  The proof of this was published in
 a mathamatical journal some years ago, sorry, I don't remember what it
 was..  But it basicly stated that any weird math method could be broken
 by a simple brute force program that shifted the values of varying
 lengths of bits of a small portion of the target until it found
 recognizable text or data.

 Practical concerns:
   You want a Keyed registration system.  You want to be able to send
 the registered user a post card with some instructions on it on how to
 make his program registered.  This instruction card must be unique to
 his copy of the program.  I assume that the unregistered version of the
 program will be massively distributed I.E. Shareware concept.  Simple.
 You have two maybe three steps involved.
 1 :  A uniqueness must be made in the program, something that
 identifies and connects that particular copy of the program to that
 particular registered user.  A name...
 2:  You need some method of securing the program to that particular
 registered user.  A number or code that interacts with the name to
 produce a file, or key that must then be present during operation for
 the program to work in the registered mode.
 3:  The program must be made aware that it has been registered and if
 the registration code is found to be missing, it will revert to an
 unregistered mode.

    What may happen: If the name and code is given out or stolen,
 it must not work with any other copy of the software.   This is the
 most difficult effect to produce and is not possible to implement
 without your direct involvement in the proccess.  Don't expect to be
 able to produce this effect without direct involvment.   In effect, you
 have to make a unique modification to the program unknown to the user.

 I once worked on a project that had to be totally secured in this
 manner.  The software had to be registered not only to a specific
 individual or company, but also had to be registered to a single
 machine.  We had to be absolutely sure that there were not multiple
 copies of the software executing on different machines, or indeed on
 the same machine or that there were multiple copies of the software
 that could be installed/deinstalled on the same machine.  It was a
 financial system and the possibility of using it to produce multiple
 books existed which we had to avoid at all costs.  It took a while but
 we solved the problem, unfortunately the software was never produced or
 used, as the company I created this system for went belly up before the
 project was installed and the project was cancelled.

   What we used was a regestration key file, that was modified by the
 software, so that it couldn't be used again, it couldn't be used by any
 other copy of the program.  However, if something adverse happened, the
 program knew that it was modified and the same copy of the software
 (that had been origionally registered) could use the key again.  Also,
 the key was time stamped, it was only good for a certain range of
 dates, it couldn't be used to register a copy of the program outside a
 3 day limit.   Also, the software wouldn't operate, even if it was
 registered, if it detected that the date was 30 days since it last
 operated.  It had to be in continuous use at least every 29 days for it
 to remain registered.  Remember that this was a financial package, and
 it had to remain updated to be relevant.  We also had planned to link
 to and download it's data every 30 days and provide a new key to
 operate for the next  30 days.  Thus if the software was installed, and
 the phone lines went down, or we went out of business, the software
 would refuse to operate ( in fact it would self destruct and encrypt
 all work in progress) after 30 days of no contact with home office.
 Also note that at no time did the end user ever have the key file
 before the program saw it first and got a chance to modify it.  Once
 that happened, it couldn't be used by some other copy.  Also, we
 planned on not telling the end users that the software would only work
 on one machine ( the machine it was installed on) We wanted them to
 attempt to pirate the software..
 Why?
   So that we could test their honesty as partners in the business...

   I suppose that this was somewhat mercenary on our part, but then, I
 didn't make those kinds of decisions, I just wrote the software....
}