    Creating an Offline Authentication Method?

    • CasmatC
      Casmat
      last edited by Casmat

      Hey!

      Continuing building my plugin, I am now working on implementing an authentication system to install user products with license keys. I found:

      @orange in Woocommerce linked licensing system for your plugins

      And it is pretty darn perfect in terms of usability. However, this solution can take quite some time to implement and I was thinking that we could do it soon, but for now, have a simpler authentication system that somewhat gives the illusion to the user of licenses, but in reality it's just a simple algorithm. Basically, my question is this: Is my following idea good for my use case (possible flaws? Feel free to suggest another idea) and if so how do I go about implementing it? So here's my thought:

      On the website, the user purchases an expansion, "Instrument1". They then receive a license key to their email or website account page. Then on the player plugin, when they click on the import button and select the hr1 HISE package file, then a JSON is loaded with a value which stands for the library prefix, like “INSTR1” for Instrument1. The license key the user will have will be something like “INSTR1-xxxxx-xxxxx” and if both prefixes match, the importation process will continue to the next step. The original key is created by the website using a hashing algorithm. The plugin will utilize the same hashing algorithm to verify that the username and license key combo was created by the website's algorithm and if they do, import the full expansion. Of course, they’ll be able to share this combo to others and allow unlimited registrations since there’s no device check/limit, but it may be enough.

      That’s what I’m thinking, I don’t know if it has any major flaws I’m not thinking of, but if there aren’t, how do I go about implementing such an algorithm/verification?

      Thanks for your help!

      i make music

      • Dan KorneffD
        Dan Korneff @Casmat
        last edited by

        @Casmat I've been working on a system for 2 years now that is finally in public beta. To put it lightly, it's a real pain.
        If you want something that works right out of the box and is easy to implement, I recommend HISE Activate. https://activate.hise.dev/
        Putting effort into a system that only feels like a proper solution will just add overhead to your designs with little to no benefit.
        Just my opinion.

        Dan Korneff - Producer / Mixer / Audio Nerd

        • LindonL
          Lindon @Casmat
          last edited by

          @Casmat we used to use a simple offline, don't-call-home authorisation system, here's what we found:

          Any simple algorithm (visible in HISE Script) will be easy for the pirates to build a key-gen (your worst case hacked scenario) but...

          if you have a simple algo that is applied to an RSA decrypted key then you at least have a system that forces the hacker to mess-with-your-code to get a pirate version out.

          HISE Development for hire.
          www.channelrobot.com

          • d.healeyD
            d.healey
            last edited by

            @Casmat Because you're using expansions you can lock the expansion to the user's system so they can't share it.

            HISE | Docs (docs.hise.audio)

            Libre Wave - Freedom respecting instruments and effects
            My Patreon - HISE tutorials
            YouTube Channel - Public HISE tutorials

            • CasmatC
              Casmat @Lindon
              last edited by

              @Lindon if the code is closed source, would it still be necessary to have the RSA encoding?

              Best Practices for Storing Consumer Key / Secret in Licensing Script (forum.hise.audio)

              On the topic of licensing, I'm trying to cover all of my bases here so I don't get mega-hacked For those of you who are activating licenses via an online s...

              i make music

              • LindonL
                Lindon @Casmat
                last edited by

                @Casmat said in Creating an Offline Authentication Method?:

                @Lindon if the code is closed source, would it still be necessary to have the RSA encoding?

                Best Practices for Storing Consumer Key / Secret in Licensing Script (forum.hise.audio)

                On the topic of licensing, I'm trying to cover all of my bases here so I don't get mega-hacked For those of you who are activating licenses via an online s...

                the licensing model you use is up to you - but it doesn't make the code inside the compiled plugin any more or any less available to pirates...open source of course offers them the source code anyway.

                HISE Development for hire.
                www.channelrobot.com

                • CasmatC
                  Casmat @Lindon
                  last edited by Casmat

                  @Lindon ahh I see! Could you describe the process further on how I would create the algorithm and apply it to RSA?

                  i make music

                  • LindonL
                    Lindon @Casmat
                    last edited by

                    @Casmat said in Creating an Offline Authentication Method?:

                    @Lindon ahh I see! Could you describe the process further on how I would create the algorithm and apply it to RSA?

                    well you generate a string - and then test it for certain values - anything you like really...

                    say: a 30 character string where:

                    Character 3 = "A"
                    Character 17 = "f"
                    Character 27 = "n"
                    All other characters = some random character

                    now you can have thousands of strings that all comply with these criteria.

                    Generate a private and a public key in HISE - use the private key to RSA encode each string...

                    now you have thousands of encrypted strings... give your customers one of these for each purchase of your product

                    Add an authorisation process in your plugin that accepts one of these encrypted strings, decrypts it with the public key and validates the result matches your criteria.

                    HISE Development for hire.
                    www.channelrobot.com

                    • CasmatC
                      Casmat @Lindon
                      last edited by

                      @Lindon Helpful, thanks a lot!

                      i make music

                      • bendursoB
                        bendurso
                        last edited by

                        @Lindon said in Creating an Offline Authentication Method?:

                        Thank you! I’m working on implementing something similar based on this post.

                        Do I first need to create a set number of licenses (e.g., 4000) and then encrypt them all? Or is there a way to create a pattern that meets specific criteria, as you mentioned, without creating each string?

                        How do I encrypt all the strings? I assume it's with encryptWithRSA, but how should it be done?

                        • LindonL
                          Lindon @bendurso
                          last edited by

                          @bendurso said in Creating an Offline Authentication Method?:

                          @Lindon said in Creating an Offline Authentication Method?:

                          Thank you! I’m working on implementing something similar based on this post.

                          Do I first need to create a set number of licenses (e.g., 4000) and then encrypt them all? Or is there a way to create a pattern that meets specific criteria, as you mentioned, without creating each string?

                          How do I encrypt all the strings? I assume it's with encryptWithRSA, but how should it be done?

                          Well when I use this method I wrote a HISE application that:

                          1. allows me to enter a public and a private key and a project name
                          2. allows me to define my characters and positions
                          3. generates a user entered number of strings that comply with 2 above
                          4. encodes these strings using the private key,
                          5. tests they all decode correctly
                          6. Writes the encoded strings to a text file
                          7. Records the project data into a recallable json file....

                          I suggest you do the same....

                          HISE Development for hire.
                          www.channelrobot.com
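
The generate, encode, self-test and verify steps listed in the post above, as an added example that is not code from the thread or from HISE. Node.js `crypto.privateEncrypt` / `crypto.publicDecrypt` stand in for HISE's RSA functions; the alphabet, the function names and the 2048-bit key size are assumptions.

```javascript
const crypto = require("crypto"); // added example: stands in for HISE's RSA calls

// Pattern from the post: 30 characters, 1-based positions 3, 17 and 27 fixed.
const LENGTH = 30;
const FIXED = { 3: "A", 17: "f", 27: "n" };
const ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789"; // assumed

function matchesPattern(s) {
  return s.length === LENGTH &&
    Object.entries(FIXED).every(([pos, ch]) => s[pos - 1] === ch);
}

// Vendor side: a random string that satisfies the pattern.
function generateString() {
  return Array.from({ length: LENGTH }, (_, i) =>
    FIXED[i + 1] ?? ALPHABET[crypto.randomInt(ALPHABET.length)]).join("");
}

// Plugin side: only the public key ships. Decode, then check the pattern.
function verifyKey(licenseKey, publicKey) {
  try {
    const raw = Buffer.from(String(licenseKey), "base64");
    return matchesPattern(crypto.publicDecrypt(publicKey, raw).toString("latin1"));
  } catch {
    return false; // wrong length or padding: not made with the matching private key
  }
}

// Vendor side: encode each string with the private key and test that it decodes.
function issueKeys(count, privateKey, publicKey) {
  return Array.from({ length: count }, () => {
    const text = crypto.privateEncrypt(privateKey, Buffer.from(generateString())).toString("base64");
    if (!verifyKey(text, publicKey)) throw new Error("self-test failed");
    return text;
  });
}

// Constructed run: an issued key, a pattern-only guess, and another vendor's key.
function demo() {
  const vendor = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const other = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const guess = Buffer.from(generateString()).toString("base64");
  return {
    issued: verifyKey(issueKeys(3, vendor.privateKey, vendor.publicKey)[0], vendor.publicKey),
    patternOnly: verifyKey(guess, vendor.publicKey),
    otherVendor: verifyKey(issueKeys(1, other.privateKey, other.publicKey)[0], vendor.publicKey),
  };
}
```

The private key stays on the issuing machine. Knowing the character pattern alone does not yield a key the plugin accepts, which matches the earlier point in the thread about forcing a change to the plugin code itself.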
