How Lazarus Registration Works
If you're trying to protect your software, it's somewhat important to understand exactly how Lazarus Registration actually works. If you don't know what you're getting, you may be under the impression that you have more protection than you actually do, and that can be bad.
First, let's talk about what Lazarus Registration isn't. It isn't an encryption method. When you protect your software with Lazarus Registration, nothing in your software or your distribution package is encrypted. That means that if the person who goes after your software is a smart fellow, it's fairly trivial for them to extract your executable from the distribution package and install it. That's why it's important to protect your program with the Lazarus Registration Component, in addition to protecting your installer.
The registration key is actually a digital signature of your serial number, combined with a secret key that is specific to the application. If the registration key provided by the user matches what the registration component says it should be, the installation is considered valid. The signature is based on the MD5 algorithm, which has been in use for a number of years. It has been shown to have some flaws when signing very large messages, but serial numbers are generally very short and not subject to any flaws I am aware of with the MD5 signature algorithm.
Internally an MD5 signature is represented as a series of 16 numbers, all between 0 and 256 (one byte each). For ease of typing, Lazarus Registration maps those 256 values onto a smaller series of characters that aren't easily confused with one another. For instance, the characters for the number one, the letter L, zero and the letter O do not appear. This convenience does have certain implications. Because several byte values share one character, the mapping is many-to-one, which means, for instance, that two different serial numbers can have the same registration key. While this isn't good, in the design of the component the greatly increased convenience for the customer and the reduced technical support issues were considered important enough to make the tradeoff acceptable.
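The scheme described above, as an added illustration that is not the component's own code: the 32-symbol alphabet (digits and capitals without 0, 1, O and L), the sample serial and the application secret are all assumptions made for this example, and `byte_values_sharing` shows why the byte-to-character mapping lets distinct digests collapse onto the same key.

```python
import hashlib
import hmac

# Constructed alphabet for this illustration: digits and capital letters with
# the easily confused 0, 1, O and L removed. The real component's character
# set and per-application secret are not given on the page; both are assumed.
ALPHABET = "23456789ABCDEFGHIJKMNPQRSTUVWXYZ"   # 32 symbols


def digest_bytes(serial: str, secret: str) -> bytes:
    """MD5 of the serial combined with the app-specific secret: 16 bytes, 0..255."""
    return hashlib.md5((serial + secret).encode("utf-8")).digest()


def encode_key(digest: bytes) -> str:
    """Map each byte onto the reduced alphabet (256 -> 32 is many-to-one)."""
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest)


def registration_key(serial: str, secret: str) -> str:
    """The 16-character key the registration check would expect for a serial."""
    return encode_key(digest_bytes(serial, secret))


def key_is_valid(serial: str, secret: str, supplied: str) -> bool:
    """Validation check; constant-time compare so timing reveals nothing."""
    expected = registration_key(serial, secret)
    return hmac.compare_digest(expected, supplied.strip().upper())


def byte_values_sharing(symbol: str) -> list:
    """Every byte value (0..255) that encodes to the same key character.
    The mapping drops 3 bits per byte, which is why distinct serials can
    share a key: 32**16 possible keys instead of 256**16 distinct digests."""
    return [b for b in range(256) if ALPHABET[b % len(ALPHABET)] == symbol]


if __name__ == "__main__":
    # Constructed sample serial and secret, not real product values.
    serial, secret = "MYAPP-000123", "example-application-secret"
    key = registration_key(serial, secret)
    print("serial", serial, "-> key", key)
    print("valid (case-insensitive):", key_is_valid(serial, secret, key.lower()))
    print("byte values behind", key[0], ":", byte_values_sharing(key[0]))
```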
So how do you make your programs more secure? The first step is to have more than one means of protection. As I mentioned above, don't just check your program at installation time, but also at runtime. If your program requires any external data files, you can also encrypt those files. The files only get decrypted if the serial number passes validation, either on each run of the program or the first time that the program is run with the correct serial number. You might also consider shipping your main application as an encrypted file, so that the program that is run first exists only to check the serial number and decrypt the main executable.
- Lazarus Registration
- Encryption using OpenSSL's crypto libraries
- A Working 30 Day Trial Example
- Patrick McKenzie's excellent article, Everything You Need to Know About Registration Systems