Indigo Rose Software

  1. #1
    Join Date
    Aug 2004
    Posts
    98

    Serial numbers - two questions

    Hello experts ...

    I have two questions regarding the built-in serial number generator:

    1.) How random are the generated serials? Is there a 'true' random number generator built into Setup Factory 7, or just a 'pseudo' random number generator?

    2.) In the helpfile I read:

    Since the MD5 hash calculation is irreversible, there is no way for a hacker to retrieve the original serial numbers from the installer. The hacker is reduced to using brute force tactics, i.e. trying a series of serial numbers at random until one works…which, if your serial numbers are sufficiently complex, would be highly prohibitive.

    What exactly does 'sufficiently complex' mean? When is a serial number complex enough to withstand brute force attacks?

    Thanks for your help!

    Steve

  2. #2
    Join Date
    Oct 2003
    Location
    Richmond, VA
    Posts
    143
    IR will have to answer #1.

    As far as the brute force attack ability goes, I generally follow MS' Active Directory strong password requirements. Alphanumeric, at least 9 characters long, and including at least one letter, number and special character is enough for us.

    I usually use a format similar to the following: A20-????-????-???? where the A20 portion is a fixed string per application so I know what application the serial list is for (if I'm outside SF7).

    I suppose you could thwart hackers that could manage to get a valid serial and then attempt to figure out others by generating 10 or 20 times the number of passwords you really need and then running a script outside of SF7 against the list and pulling every 10th serial for the final list...

    Also, if you have a script already created to generate your serials, you can simply import those instead of using the built in generator.

    In our case it really doesn't matter if a cracker guesses a serial as we architect most of our applications to require authorization from our servers at startup...I think it is the number of layers of protection that makes a piece of software more or less prone to be cracked. We just want to give a cracker a hard enough time for it not to be worth the effort...

  3. #3
    Join Date
    Aug 2004
    Posts
    98
    Quote Originally Posted by bnkrazy
    As far as the brute force attack ability goes, I generally follow MS' Active Directory strong password requirements. Alphanumeric, at least 9 characters long, and includes at least one letter, number and special character is enough for us.

    I usually use a format similar to the following: A20-????-????-???? where the A20 portion is a fixed string per application so I know what application the serial list is for (if I'm outside SF7).
    Yep - had the same thoughts. My plans were to use serials with the first character fixed, plus ????-?????-?????-?????-?????. Similar to the Microsoft CD Keys. I assume that a 25 character serial (letters, and numbers) should be safe when it comes to brute force attacks.

    Quote Originally Posted by bnkrazy
    In our case it really doesn't matter if a cracker guesses a serial as we architect most of our applications to require authorization from our servers at startup...
    Have also coded a PHP script connecting to a database storing all serials, and the setup calls the script, where the entered serial is checked whether it is valid at all, marked as 'bad', or anything else. Works fine.

    Thanks for your thoughts.

    Steve

  4. #4
    Join Date
    Aug 2004
    Posts
    98
    Could someone from IR answer my question #1, please?

    TIA,

    Steve

  5. #5
    Join Date
    Jan 2000
    Posts
    2,002
    Quote Originally Posted by Steve_K
    Could someone of IR answer my question #1, please?

    TIA,

    Steve
    Well, it's as good as srand() and rand() from the C runtime library provide. Does that answer your question?

  6. #6
    Join Date
    Jul 2001
    Location
    Sunshine Coast, Queensland, Australia
    Posts
    139
    In follow-up to Brett's comments.

    The C runtime (although I believe it is implementation dependent and hence will change for each compiler; this is according to Borland's help, which should be pretty close):

    rand uses a multiplicative congruential random number generator with period 2 to the 32nd power to return successive pseudo-random numbers in the range from 0 to RAND_MAX. The symbolic constant RAND_MAX is defined in stdlib.h.
    RAND_MAX is equal to 32767.

    So there is a point where serial numbers will start to duplicate, and a lot quicker than expected - and even if you have a serial number similar to Microsoft's with 20 alpha and numeric characters (a possible 13x10^30 combinations), because of the use of rand() it works out that there could still only be a possible 32767 - quite possible for a brute force attack.

    Brett might be able to confirm if the Microsoft implementation of rand() is similar to Borland's.

    To be sure you would want to implement, as suggested, additional forms of protection regardless.
    Last edited by Steven Carr; 03-09-2006 at 01:27 AM.

  7. #7
    Join Date
    Aug 2004
    Posts
    98
    Thanks for your answers! Much appreciated!

    Steve
