  1. #1
    SitePoint Enthusiast
    Join Date
    Sep 2005
    Posts
    99
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Generating beta or application keys

    I will be writing a script in PHP to generate keys which will be used by site members to gain access to game betas, game free trials, etc. Basically it will be a long code that will be unique to them, kind of like an MS Windows key. I haven't done this before and am looking for a bit of advice on how to make it work. My initial idea is to generate a long random string of alphanumeric characters.

    Is this a wise approach and am I missing anything that I should be considering security wise or anything else?

  2. #2
    SitePoint Enthusiast
    Join Date
    Aug 2007
    Location
    edge of nowhere
    Posts
    74
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Are these games online (i.e. flash games) themselves? Or are these regular, or offline games?

    A primitive idea of what I'd do is generate a set of keys which all have a certain checksum, so the game instances can do a primitive check on the validity of the key.
    Then I'd store these in a DB and disable every one, one by one, as they are handed out, in order to prevent distributing duplicates.

    You can then complicate this by "calling home" from each instance of the demo games to report some unique system variable that the current host is using and determine whether the same key was used on radically different systems/areas of the globe/IPs in the past.

    That's just a quick idea, and I'm sure there are far better options than this.
    Programming boils down to three things: fast, good and cheap.
    Please pick two.

  3. #3
    SitePoint Wizard TheRedDevil's Avatar
    Join Date
    Sep 2004
    Location
    Norway
    Posts
    1,198
    Mentioned
    4 Post(s)
    Tagged
    1 Thread(s)
    You have not mentioned how the key will be used.

    As long as the key does not need to be validated against the software, then you can in general create the key any way you want. Just check it against the db to make sure it does not already exist, and make it random enough so people can't increase one number to get another valid key.

  4. #4
    SitePoint Enthusiast
    Join Date
    Sep 2005
    Posts
    99
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I generate a list of say 1000 keys that I store locally and give a copy to a 3rd party website. I make keys available 1 per user and mark them as used as they are taken, the user goes to the 3rd party site and enters it to "get free stuff" which they get as long as the key exists and has not been marked as used by the 3rd party site. It then gets marked as used by the 3rd party.

    Is this kind of thing done purely by obscurity, i.e. there might be 10,000 keys but there are 5 billion combinations, making guessing a key extremely improbable, or should I be using some other more secure method? How obscure would it need to be to safely prevent bruteforce attempts at key generation?

  5. #5
    SitePoint Wizard TheRedDevil's Avatar
    Join Date
    Sep 2004
    Location
    Norway
    Posts
    1,198
    Mentioned
    4 Post(s)
    Tagged
    1 Thread(s)
    Product keys are always based on obscurity; if you are lucky you can randomly type in a correct key to any product. There are a few exceptions where this is not possible, but that is for more expensive products.

    In your case, you have no algorithm that you need to follow. This allows you to freely create the keys, just make sure you're making them random enough.

  6. #6
    SitePoint Enthusiast
    Join Date
    Aug 2007
    Location
    edge of nowhere
    Posts
    74
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    For a pretty-much bullet-proof app I am sure you will have to use some form of keys similar to asymmetric encryption (i.e. public/private key pairs) with the serial being your public-key encrypted message (i.e. an "ok" encrypted with a public key) and letting the other party decrypt the serial to the same "ok" using their private key.

    edit:

    This makes for an explanatory, less ambiguous reading: http://en.wikipedia.org/wiki/RSA
    Programming boils down to three things: fast, good and cheap.
    Please pick two.

  7. #7
    SitePoint Enthusiast
    Join Date
    Sep 2005
    Posts
    99
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I think in my situation, adding additional code checking at the 3rd party site is not an option so it looks like I'll have to go with purely obscure.

    Thanks for all the input.
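
A sketch of the "random enough" key batch discussed in this thread, added here as an example and not code from any of the posters. It assumes PHP 7 or later; the 32-symbol alphabet, the 5x5 key layout and the function names (`generateKey`, `generateBatch`, `guessesPerHit`) are illustrative assumptions.

```php
<?php
declare(strict_types=1);

// Assumed alphabet: 32 symbols (5 bits each), omitting look-alikes 0/O and 1/I.
const KEY_ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';

/** One key of $groups x $groupLen symbols, drawn from the OS CSPRNG. */
function generateKey(int $groups = 5, int $groupLen = 5): string
{
    $max = strlen(KEY_ALPHABET) - 1;
    $parts = [];
    for ($g = 0; $g < $groups; $g++) {
        $part = '';
        for ($i = 0; $i < $groupLen; $i++) {
            // random_int() is cryptographically secure; rand()/mt_rand() are not,
            // and their output can be predicted from a few observed keys.
            $part .= KEY_ALPHABET[random_int(0, $max)];
        }
        $parts[] = $part;
    }
    return implode('-', $parts);
}

/** A batch of $count distinct keys; a duplicate draw is simply re-drawn. */
function generateBatch(int $count, int $groups = 5, int $groupLen = 5): array
{
    $keys = [];
    while (count($keys) < $count) {
        $keys[generateKey($groups, $groupLen)] = true; // array index dedupes
    }
    return array_map('strval', array_keys($keys));
}

/** N such that one random guess hits some issued key with probability 1/N. */
function guessesPerHit(int $issued, int $symbols, int $alphabetSize = 32): float
{
    return ($alphabetSize ** $symbols) / $issued;
}

$batch = generateBatch(1000);
echo $batch[0], PHP_EOL; // sample output is random, e.g. five groups of five symbols

// 1000 keys in a 32^25 (125-bit) space.
printf("5x5 keys: 1 guess in %.3g is valid\n", guessesPerHit(1000, 25));

// The figures from post #4: 10,000 keys among 5 billion combinations.
printf("post #4 figures: 1 guess in %d is valid\n", intdiv(5000000000, 10000));
```

With the figures from post #4, one guess in 500,000 lands on a valid key, so the size of the key space relative to the number of issued keys is what decides whether guessing is practical.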

