I'm looking for a registration method for software developed for PDAs.
 Thought of picking up the serial number of a device, have it pass
through a formula which give two resuts and send off one of them to
the server through the user and via a registration form where a reply
comes with the recond portion for comparison.

The application would be activated if the two match.

Want to make sure the application is not fooled through a tool that
sets the serial number of the device in order to have it falsely
registered, as the case is with some of the fake registration tools
out there.

Any recommendations and formulas to use on both ends of the business transaction? 

Thank you.

/Dusty

---

Request for Question Clarification by joseleon-ga on 20 Dec 2003 05:32 PST

Hello, dustydune:
  Are you looking for software that helps you protect the software you
develop for a PDA? Which language do you use to develop such software?
Palm or Pocket PC?

Regards.

---

Request for Question Clarification by endo-ga on 20 Dec 2003 07:47 PST

Hi,

What you would need to do is develop some kind of hashing algorithm.

The user would send you the registration number, you would calculate
the hash of this number and send it back. The user would input this
number as their registration code, your program would then calculate
the hash of the registration number and compare the two.

If you want I could give you references to popular hashing algorithms,
which could inspire you in creating your own.

What do you think?

Thanks.
endo

---

Clarification of Question by dustydune-ga on 20 Dec 2003 13:17 PST

Hi Endo,

I like the idea, but I would like to get recommendations on how to
make sure this is the same PDA that was authorized to use the
software?

Should the application request the user to trigger the process, the
application would then create the two strings through the algorithm
and then use the date and time of the machine to do so and give the
user 24 hours to get the code processed on the net to complete the
registration process or re-do the process again?

You see, I know very little about the issue, but if I'm assumed that
the method can counter the serial number or other PDA environment
characteristics forging to register other unauthorized PDAs.

You're heading in the right path and if you explain the idea to
address my issues, you've got it covered. :-)

/Dusty

---

Request for Question Clarification by endo-ga on 20 Dec 2003 14:03 PST

Hi,

What you suggest wouldn't prevent anyone from changing the serial
number and the date on their PDA to install the software.

What you could do is derive a hash from the serial number and the
running processes and available memory available at the time. Send
this hash to you as a registration number, you then calculate another
hash from it, and send it back as a registration code. Your program
does the same calculation and compares the two. You will know that it
will only work on one PDA because the original registration number is
derived uniquely at installation time and only the corresponding hash
can be used to complete registration.

I can find you source code in C for a popular hashing algorithm, I
guess you could apply it and then use only certain bytes out of the
hash to make the registration code.

What do you think?

Thanks.
endo

---

Clarification of Question by dustydune-ga on 20 Dec 2003 14:13 PST

Go ahead! :-)

/Dusty

Hi,

Thank you for your question.

Here is a short description of a hashing algorithm:

Hashing algorithms
http://www.networksorcery.com/enp/data/hashing.htm

A very popular hashing algorithm is MD5. It is often used for storing
hashes of passwords for example.

Here is some source code in C:

MD5 Algorithm source in C
http://lists.cs.cornell.edu/pipermail/cyclone-l/2003-May/000288.html
http://www.l2tpd.org/cxref/md5.c.src.html


Source code and executable in C++:

RSA MD5 Message Digest 
http://www.langfine.com/rsa_md5.htm


Example in Java:

How can I store an encrypted password?
http://java.sun.com/developer/qow/archive/28/


Command line utility:

Command Line Message Digest Utility 
http://www.fourmilab.ch/md5/

Crypto++ library
http://www.eskimo.com/~weidai/cryptlib.html


So lets assume you can read the following from a PDA: serial number,
list of processes running and free memory. Your program can calculate
a hash of these elements during installation by concatenating all this
information into one big string. You can then choose to pick out every
third character or so and derive a registration number unique to that
computer. Your application then stores this registration number on the
computer and the user sends it to you as well.

You can then calculate a hash out of this registration number in the
same way you calculated the first hash. You can then send this back to
the user. Your program will do the same calculation and compare the
two for a match.

You will want to diverge slightly from the default algorithm to
prevent users from figuring out what your program is calculating,
which is why I suggest you choose only given characters out of the
hash you obtain. This will remove the characteristic of near unicity
that the algorithm produces, but will reduce a chance of someone
guessing how your program is calculating the strings.

Another possibility would be to use two different algorithms. e.g. you
could send back the SHA hash of the registration number. Crypto++
mentioned above includes lots of algorithms.

I hope this answers your question, if anything is unclear or you
require any clarifications, please do not hesitate to ask.

Thanks.
endo


Search strategy

hashing algorithms
://www.google.com/search?q=hashing%20algorithms

md5 algorithm source
://www.google.com/search?q=md5%20algorithm%20source

Thanks! :-)

/Dusty

Glad to have been of assistance.
Thank you for the great rating.
Regards,
endo