The serial number lists are well protected?


Superbank
06-06-2009, 04:54 AM
The serial number lists are encrypted once your setup is built. During your installation, you can prompt the user for a serial number using a Verify Serial Number screen or by creating your own custom screen. If the provided serial number is not found on any of your serial number lists, the installation will not continue.


I am concerned about the security of the serial number lists stored in the installation package.

There are two possible ways to validate the entered serial number against the stored list.

The straightforward way is to decrypt the whole serial number list (and store it in memory) before validation. Obviously this way is not so safe: a hacker can easily copy the whole serial number list from memory.

The other approach is to encrypt the entered serial number with the same algorithm and key and validate this encrypted string against the encrypted serial number list strings. This is safer.

How is this done in Setup Factory 8.0?

Superbank
06-06-2009, 05:30 AM
I have already found the answer (http://www.indigorose.com/webhelp/suf80/Users_Guide/Chapter_8_Security_and_Expiration.htm)

Serial Number Lists Are Secure
In Setup Factory 8.0, your actual serial number lists are not stored in the installation. Rather, an MD5 hash (or "digest") is calculated for each serial number within each of your lists. These MD5 hashes are then stored in the installer instead of the original values. This ensures that your list of serial numbers is not vulnerable.

When the user enters a serial number, the installer calculates the MD5 hash for that value and then compares it to the list of MD5 hashes that were created from the original serial numbers. If a matching MD5 hash is found, the installer knows that the user's serial number is valid. (Since every MD5 hash is unique, the only way that the MD5 hashes for two serial numbers can match is if the serial numbers are the same.)

This allows the installer to detect a valid serial number without actually knowing what the original serial number was. Since the MD5 hash calculation is irreversible, there is no way for a hacker to retrieve the original serial numbers from the installer. The hacker is reduced to using brute force tactics, i.e. trying a series of serial numbers at random until one works…which, if your serial numbers are sufficiently complex, would be highly prohibitive.

Winsteps
06-20-2009, 03:22 AM
MD5 is good enough for our purposes, but not as strong as that quote suggests. See http://en.wikipedia.org/wiki/MD5
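The mechanism quoted from the Setup Factory documentation above (store only MD5 digests, hash the user's entry and look it up), together with the brute-force point Winsteps raises, as an added example that is not part of the thread and not Indigo Rose's code. It assumes the digests are kept as lowercase hex strings and compared byte-for-byte against the entered value with no normalization; the actual on-disk format of Setup Factory is not described on this page. The serial lists are constructed for the example. The `brute_force` function shows why the "highly prohibitive" claim depends entirely on serial length and alphabet: anyone holding the installer can hash guesses offline at full CPU speed, so a short or low-entropy serial falls in well under a second regardless of how the installer behaves.

```python
import hashlib
import itertools
import string

# Constructed sample data (not from the original thread or product).
SERIALS = ["ABCD-1234-EFGH-5678", "ZZZZ-9999-YYYY-0000"]   # realistic length
WEAK_SERIALS = ["0420", "7731"]                             # four digits only


def md5_hex(value: str) -> str:
    """MD5 digest of an ASCII string as lowercase hex (assumed storage format)."""
    return hashlib.md5(value.encode("ascii")).hexdigest()


def build_hash_list(serials):
    """Build step: the installer ships these digests, never the serials themselves."""
    return sorted({md5_hex(s) for s in serials})


def verify_serial(entered: str, hash_list) -> bool:
    """Install-time check: hash the user's entry and look it up in the stored list.
    The comparison is exact; case or whitespace differences fail the check."""
    return md5_hex(entered) in set(hash_list)


def keyspace_size(alphabet: str, length: int) -> int:
    """Number of MD5 evaluations an exhaustive offline attack needs at worst."""
    return len(alphabet) ** length


def brute_force(hash_list, alphabet: str, length: int):
    """Offline guessing attack against the shipped digests.

    Enumerates every string of the given length over the alphabet, hashes it,
    and records any hit. Nothing in the installer can rate-limit this, because
    the attacker runs it against the extracted digest list, not the installer.
    Returns {digest: recovered_serial}."""
    targets = set(hash_list)
    found = {}
    for combo in itertools.product(alphabet, repeat=length):
        candidate = "".join(combo)
        digest = md5_hex(candidate)
        if digest in targets:
            found[digest] = candidate
            if len(found) == len(targets):
                break
    return found


if __name__ == "__main__":
    stored = build_hash_list(SERIALS)
    print("valid serial accepted:", verify_serial("ABCD-1234-EFGH-5678", stored))
    print("one-digit typo rejected:", verify_serial("ABCD-1234-EFGH-5679", stored))

    weak_stored = build_hash_list(WEAK_SERIALS)
    print("4-digit keyspace:", keyspace_size(string.digits, 4))
    print("recovered weak serials:", brute_force(weak_stored, string.digits, 4))

    # Realistic 16 alphanumeric characters (dashes are fixed): the same attack
    # would need this many hashes at worst, which is what "sufficiently complex" means.
    print("16-char alnum keyspace:", keyspace_size(string.ascii_uppercase + string.digits, 16))
```

The takeaway matches the thread: hashing does keep the plaintext list out of the installer, but it turns a list-extraction problem into a guessing problem, and the only thing standing between the attacker and a working serial is the size of the keyspace the serials were drawn from.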