I’m wanting to generate a unique serial number for someone who just bought my audio software on my website.
I am advised that UUID is a good way to go.
Ideally I would like to generate a UUID based on the user’s email address. But if it’s easier and just as effective to generate it not based on that, then that’s OK.
My question is, what’s the way of validating that UUID-generated code in my audio software? How does my audio software know that this UUID code is made for my audio software and not just a general UUID (if you know what I mean)?
edit: I have offline activation
AFAIK UUID is a general thing, like a random number generator that’s pretty much guaranteed to be unique.
If you want something based on an email address you would need something different, like a hash based on a secret key.
Thanks… a complication is that the audio software will be offline activation. So, I cannot store a UUID in a database and validate it.
It has to be an algorithm I generate (I guess) and then decode it in my audio software.
I have an algorithm based on the user’s email address, in my mind.
An activation would work by the server creating a key that only unlocks on the users machine. For that you create during installation a challenge.
That could be a UUID that you create and store at first run. Or a hardware ID of your choice.
For obfuscation you could mix the UUID with a salt that only you know, like appending a secret word.
When you send the challenge to the server, it will create a key by encrypting (keeping a private key).
Your software has the public key built in so it can decrypt the license and compare the UUID and the secret.
The drawback is that if the user shares the UUID with another user, they could both use the license in conjunction with the UUID. So if you can find a kind of hardware ID instead that would make it safer.
Hope that makes sense
Thanks, that’s helpful. I’m looking at an offline activation.
What I’d like to do is have the user enter his email address straight after purchase on my website, then I have my own algorithm to create a serial # from that.
Then in my plugin I can check it with the same algorithm.
The only trouble is me getting to grips with (probably) PHP and contact forms to implement that. This is what I’m surmising as I take my first steps into this.
A commonly used technique is a JSON Web Token (JWT). Here is some reference.
You can encode arbitrary data in the “claims” of the token (username, email, device identifier, etc). The final section of the token is a cryptographic signature that you can check client side (your plugin).
The bigger problem with this kind of strategy is that you can’t cycle keys in binaries that you distribute, and you can’t really make the keys configurable without making it trivial to crack.
Here is a nice C++ library for dealing with JWTs and most web server frameworks (or languages for them) will have a JWT creation API.
I have only come across a handful of instances where offline activation is truly necessary. In my opinion it’s not worth implementing unless you’re selling to enterprise customers.
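
The signed-license idea from the replies above (the server signs, the plugin verifies offline with a built-in public key), as an added example that is not part of the original posts. It uses Node.js's built-in Ed25519 signatures rather than a JWT library; the product id, the `payload.signature` license format and the demo key pair are assumptions made for illustration.

```javascript
// Added example: a license signed on the server and verified offline in the client.
const crypto = require('node:crypto');

const PRODUCT = 'example-audio-plugin'; // hypothetical product id

// Constructed key pair for the demo. In practice the private key stays on the
// vendor's server and only the public key is compiled into the plugin.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

const normalizeEmail = (email) => String(email).trim().toLowerCase();

// Server side: bind the license to the buyer's email and to this product.
function issueLicense(email, signingKey) {
  const claims = { email: normalizeEmail(email), product: PRODUCT };
  const payload = Buffer.from(JSON.stringify(claims), 'utf8');
  const signature = crypto.sign(null, payload, signingKey); // Ed25519 takes no digest name
  return `${payload.toString('base64url')}.${signature.toString('base64url')}`;
}

// Client side: needs only the public key, so it works without a network.
function verifyLicense(license, email, verifyKey) {
  const parts = String(license).split('.');
  if (parts.length !== 2) return false; // e.g. a plain UUID is rejected here
  const payload = Buffer.from(parts[0], 'base64url');
  const signature = Buffer.from(parts[1], 'base64url');
  try {
    // Check the signature before trusting anything inside the payload.
    if (!crypto.verify(null, payload, verifyKey, signature)) return false;
    const claims = JSON.parse(payload.toString('utf8'));
    return claims.product === PRODUCT && claims.email === normalizeEmail(email);
  } catch {
    return false; // malformed signature or payload
  }
}
```

Because the plugin holds only the public key, extracting it from the binary does not let anyone issue new licenses, unlike a shared secret or a home-made serial algorithm embedded in the client.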