My first project is inching ever closer to completion, and I’ve started to brainstorm about the immense topic of product authentication/registration/unlocking. For my use case, I’m not concerned about making my software impossible to crack/pirate, I just want to make it “not easy”.
Now, I would really like to find a solution for this that requires no internet connection on the user’s machine at authentication-time, for several reasons:
- I’m a beginning developer, and I can’t afford to spend money on a server at this time
- I believe that using an internet connection to authenticate is a very large potential source of bugs, and frustration & confusion for paying customers, which is the last thing I want!
- The moral and ethical implications of employing a server to run 24-7… but that’s really outside the scope of this forum post
So, with all of that in mind, I’ve been brainstorming on this question: is it possible to create a reasonably secure authentication system that does not require an internet connection?
I’m familiar with the obvious approach of hard-coding a list of acceptable keys into the binary, and giving each paying customer a key, and the authentication check is to see if the key the user enters is in the list. Personally I think this approach offers barely any security, and isn’t really worth doing at all – might as well just not use authentication.
The other approach I’ve been pondering would be something inspired by RSA-style public/private key cryptography…
If the auth check is putting the key through some kind of mathematical one-way function, then only the public key would need to be hard-coded into the project’s binary. When the user purchases the product, they recieve a private key. At authentication-time, when the user enters their key, the plugin would run both the user-entered private key and its hard-coded public key through the same one-way function, and authentication is only successful if both functions get the same answer.
One major benefit of this approach seems to be that it would allow the developer to generate new keys at will, without having to update the product itself in any way. And, of course, this would also eliminate the overhead cost of an authentication server.
Does this seem like a reasonable approach?
Are there still any obvious glaring security flaws in this basic design?
I’m very new to cryptography, and programming in general, so any insight is appreciated!