
Digitally Signing Licenses using Public Key Technology


Digitally Signed Licenses

Since software license keys contain entitlement information, it makes sense to protect that data from tampering and corruption. It would be tempting for an unscrupulous user to change a license count from 10 to 100 by simply tacking on an extra zero, or to upgrade your v2.0 licenses to v5.0 with a similarly simple edit.

Software licenses, especially those readable in plain text format, are digitally signed to prevent this. This means that the data that represents the license entitlement (product, version, expiration date, count, etc.) is input to an algorithm that creates a verifiable signature for that data. If the data is ever modified, the signature for the new data no longer matches the original, rendering the license invalid.

Early licensing products used common algorithms that were customized with secret “seeds” to ensure that every vendor’s certificate generator could create and validate licenses for its products only. This approach had a problem: hackers could extract these seeds and build license generators that created counterfeit licenses that would work with an ISV’s unmodified applications.

Today, software licensing vendors rely on public key/private key schemes to address this counterfeit license problem. With public key cryptography, software vendors can create digitally signed licenses with a private key, and anyone who has access to the vendor’s public key can verify them. The important point is that, unlike seeds, which were exposed in the binary application products, the private key remains private and is never shipped as part of the software product.
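
The sign-then-verify flow described above, as an added example that is not from the original article or from any licensing product. It assumes Ed25519 as the signature algorithm (the article names none) and a constructed plain-text license whose field names are illustrative.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample entitlement; product name and field names are illustrative.
const sampleLicense = "product=ExampleApp\nversion=2.0\nexpires=2030-12-31\ncount=10\n"

// SignLicense runs on the vendor side, the only place the private key exists.
func SignLicense(priv ed25519.PrivateKey, entitlement string) string {
	sig := ed25519.Sign(priv, []byte(entitlement))
	return entitlement + "signature=" + base64.StdEncoding.EncodeToString(sig) + "\n"
}

// VerifyLicense runs in the shipped application, which embeds only the public key.
func VerifyLicense(pub ed25519.PublicKey, license string) (string, error) {
	i := strings.LastIndex(license, "signature=")
	if i < 0 {
		return "", errors.New("license has no signature line")
	}
	sig, err := base64.StdEncoding.DecodeString(strings.TrimSpace(license[i+len("signature="):]))
	if err != nil || !ed25519.Verify(pub, []byte(license[:i]), sig) {
		return "", errors.New("signature is malformed or does not match the entitlement data")
	}
	return license[:i], nil // entitlement text, safe to parse only after this point
}

// Demo verifies a signed license and a copy edited from count=10 to count=100.
func Demo() (originalOK, tamperedOK bool) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	license := SignLicense(priv, sampleLicense)
	_, errOrig := VerifyLicense(pub, license)
	tampered := strings.Replace(license, "count=10", "count=100", 1)
	_, errTamp := VerifyLicense(pub, tampered)
	return errOrig == nil, errTamp == nil
}

func main() {
	orig, tamp := Demo()
	fmt.Println("original accepted:", orig, "| tampered accepted:", tamp)
}
```

The application should read entitlement fields only from the text that `VerifyLicense` returns, so that nothing outside the signed bytes is ever trusted.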