What are the current "Best Practices" for the following Software Key Generation scenario?<p>I am a small independent software vendor. When a vendor sells my software to a customers, I want them to visit my web page (PHP/MySQL) to generate a new "Software License Key" that they provide to the customer.<p>When the customer first starts the application, they enter their Name and Key, and the application "phones home" to validate the key.<p>I am very interested in recommendations for precisely how to generate they keys, and any common errors or security risks. Obviously, we want to avoid crackers being able to generate fake keys. We also need to prevent crackers getting into the key-generation web site and gaining access to the database, or tricking it into generating new keys (without being an authorized vendor). It would also be nice if there was a way to check (without phoning home) that a key is "probably" valid (such as, it has the right checksum, and is not on a blacklist hard-coded into the latest version).<p>Any tips and references in this area would be appreciated.
Create a public/private key pair. Have the client encrypt some relevant information such as the MAC address, IP Address, and software serial number, and phone home occasionally for authorization. This takes care of the problem of moving to a new machine or fail-over, but allows you to identify stolen keys or someone putting copies on multiple servers.
1. Get machine fingerprint based on hardware id of the devices. Use your judgment on which one you want to include.
2. Create a one way hash, with a salt. Store it locally.
3. Call home with this key to activate the product.
4. Every once in a while check the finger print again to see if it has changed if it has redirect to the activation page. This would happen only if the hardware changed.<p>I am assuming that the people won't direct access to this logic in your PHP application. I don't use PHP so don't know if you can pre compile your app.