Reversing : The Hacker's Guide to Reverse Engineering


Serial Numbers


Employing product serial numbers is one of the most common ways to combat
software piracy. The idea is simple: The software vendor ships each copy of
the software with a unique serial number printed somewhere on the product
package or on the media itself. The installation program then requires that
the user type in this number during the installation process. The
installation program verifies that the typed number is valid (by using a
secret validation algorithm), and if it is, the program is installed and
registered on the end user’s system. The installation process usually adds the
serial number or some derivation of it to the user’s registration information so
that in case the user contacts customer support the software vendor can verify
that the user has a valid installation of the product.

It is easy to see why this approach of relying exclusively on a plain serial
number is flawed. Users can easily share serial numbers, and as long as they
don’t contact the software vendor, the software vendor has no way of knowing
about illegal installations. Additionally, the Internet has greatly increased
the severity of this problem, because one malicious user can post a valid
serial number online, and that enables countless illegal installations by
anyone who finds it.


Challenge Response and Online Activations


One simple improvement to the serial number protection scheme is to have the
program send a challenge response [Tanenbaum1] to the software vendor. A
challenge response is a well-known authentication protocol typically used for
authenticating specific users or computers in computer networks. The idea is
that both parties (I’ll use good old Alice and Bob) share a secret key that is
known only to them. Bob sends a random, unencrypted sequence to Alice,
who then encrypts that message and sends it back to Bob in its encrypted form.
When Bob receives the encrypted message he decrypts it using the secret key,
and confirms that it’s identical to the random sequence he originally sent. If it
is, he knows he’s talking to Alice, because only Alice has access to the secret
encryption key.
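
The Alice and Bob exchange described above, as an added Python example that is not from the book. It assumes HMAC-SHA256 as the keyed transformation in place of the encrypt/decrypt step in the text, and the names `Bob`, `keyed_response` and `run_exchange` are illustrative; it also shows why the challenge must be random and accepted only once.

```python
import hashlib
import hmac
import secrets


def keyed_response(key, challenge):
    # Stand-in for "encrypt the challenge with the shared key" (assumption):
    # an HMAC-SHA256 tag that only a holder of the key can compute.
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Bob:
    """Verifier: issues random challenges and checks the replies."""
    def __init__(self, key):
        self._key = key
        self._outstanding = set()  # challenges issued but not yet answered

    def new_challenge(self):
        challenge = secrets.token_bytes(16)  # random, sent in the clear
        self._outstanding.add(challenge)
        return challenge

    def verify(self, challenge, response):
        # Each challenge is accepted once, so a recorded exchange
        # cannot simply be presented again.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        expected = keyed_response(self._key, challenge)
        return hmac.compare_digest(expected, response)


def run_exchange():
    shared_key = secrets.token_bytes(32)  # constructed key shared by Alice and Bob
    bob = Bob(shared_key)
    c1 = bob.new_challenge()
    alice_reply = keyed_response(shared_key, c1)  # Alice's side of the exchange
    results = {"alice": bob.verify(c1, alice_reply)}
    # The same challenge and reply a second time: already consumed.
    results["replay_same_challenge"] = bob.verify(c1, alice_reply)
    # The old reply against a fresh challenge: the tag no longer matches.
    results["replay_old_reply"] = bob.verify(bob.new_challenge(), alice_reply)
    # A party without the shared key cannot produce a valid reply.
    c3 = bob.new_challenge()
    forged = keyed_response(secrets.token_bytes(32), c3)
    results["wrong_key"] = bob.verify(c3, forged)
    return results


if __name__ == "__main__":
    print(run_exchange())
```
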

In the context of software copy protection mechanisms, a challenge response
can be used to register a user with the software vendor and to ensure that the
software product cannot be used on a given system without the software
vendor’s approval. There are many different ways to do this, but the basic idea is
that during installation the end user types a serial number, just as in the
original scheme. The difference is that instead of performing a simple validation on
the user-supplied number, the installation program retrieves a unique
machine identifier (such as the CPU ID), and generates a unique value from
the combination of the serial number and the machine identifier. This value is


Piracy and Copy Protection 315