I am researching software authentication methods that are easy yet secure to implement in my own projects.
IDEAS: Steps to authenticate apps
The application is running from a USB drive as it is never installed on any one computer.
- Upon each run, the software starts up. Information such as the USB hardware ID and perhaps an ID unique to the app is gathered and somehow securely hashed into an activation-key-like string.
- This string is then passed as a parameter into a PHP function where it is reversed (server-side) and its content checked against a database to verify that the application was run from an 'authorized' USB key and not copied from one to another (as the H/W ID would change and not match the one in the database). Effectively this would minimise the chance that a client gets two working 'software licenses'.
Questions
The idea is to be able to retrieve the columns for the row in the database which matches that particular HW ID; the HW ID and the unique app secret together will locate the correct row. The PHP is used to check if further entries in that row also match other values, such as whether the HW key has expired or not. However, to prevent the user from using that same string parameter every time, it should be random and near impossible to calculate/guess, yet link to the same location in the database.
I am now considering encryption instead of hashing (for the benefit of maintaining the data), as it can be decrypted using a master key at the server. I understand that hashing only converts in one direction, and perhaps I wasn't expressing the scenario correctly before this edit, so I hope things have become a little clearer. Could someone guide me in the right direction? How is this done?
I'd really appreciate any feedback and ideas on how to make this happen properly.
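Added example, not code from the original post: one way to get a per-run string that is different every time but still maps to the same database row is a keyed hash (HMAC) over the hardware ID, app ID, a fresh random nonce and a timestamp, sent together with a non-secret row locator. The server never has to reverse anything: it finds the row, recomputes the HMAC with the per-device key it stored at licence creation, and rejects replays, stale timestamps and expired licences. The hardware IDs, app ID, key and the in-memory "database" below are all constructed for the example; a real deployment would keep the rows in the PHP server's database, generate the key with a CSPRNG at provisioning time, and send the request over TLS.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data (assumption: the server provisions one random secret
# key per authorised USB drive and stores it next to the drive's hardware ID,
# the app ID and an expiry time). The hardware ID is NOT a secret; the
# per-device key is what the token proves possession of. Both can be read off
# the drive, so this scheme only deters casual copying, not a determined attacker.
HW_ID_AUTHORISED = "USB\\VID_0781&PID_5583\\4C530001230119101122"  # constructed
HW_ID_CLONE = "USB\\VID_0781&PID_5583\\4C530009876543210000"       # constructed: files copied to another drive
APP_ID = "myapp-v1"                                                 # constructed
DEVICE_KEY = bytes.fromhex("3f" * 32)                               # constructed; use secrets.token_bytes(32) for real


def row_locator(hw_id: str, app_id: str) -> str:
    """Stable, non-secret value used to find the licence row (same inputs -> same row)."""
    return hashlib.sha256(f"{app_id}:{hw_id}".encode()).hexdigest()


def client_make_token(hw_id: str, app_id: str, device_key: bytes, now: int) -> dict:
    """Client side, run on every start. The fresh nonce makes each token differ;
    the HMAC (a keyed hash) lets the server check it without reversing anything."""
    nonce = secrets.token_hex(16)
    msg = f"{app_id}|{hw_id}|{nonce}|{now}".encode()
    mac = hmac.new(device_key, msg, hashlib.sha256).hexdigest()
    return {"locator": row_locator(hw_id, app_id), "nonce": nonce, "ts": now, "mac": mac}


class LicenceServer:
    """Server side (what the PHP endpoint would do) with an in-memory 'database'."""

    def __init__(self, rows: dict, window_seconds: int = 300):
        self.rows = rows              # locator -> {"hw_id", "app_id", "key", "expires"}
        self.window = window_seconds  # tolerated clock skew / token age
        self.seen = set()             # (locator, nonce) pairs already accepted

    def verify(self, token: dict, now: int):
        row = self.rows.get(token["locator"])
        if row is None:
            return False, "unknown device"   # different HW ID -> no row -> copied drive
        msg = f"{row['app_id']}|{row['hw_id']}|{token['nonce']}|{token['ts']}".encode()
        expected = hmac.new(row["key"], msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["mac"]):
            return False, "bad mac"          # forged or tampered token
        if abs(now - token["ts"]) > self.window:
            return False, "stale"            # old token being reused
        nonce_key = (token["locator"], token["nonce"])
        if nonce_key in self.seen:
            return False, "replay"           # same string parameter sent twice
        self.seen.add(nonce_key)
        if now > row["expires"]:
            return False, "expired"          # the "further entries in that row" check
        return True, "ok"


def build_server(now: int) -> LicenceServer:
    rows = {row_locator(HW_ID_AUTHORISED, APP_ID): {
        "hw_id": HW_ID_AUTHORISED, "app_id": APP_ID, "key": DEVICE_KEY,
        "expires": now + 30 * 86400}}
    return LicenceServer(rows)


def demo(now: int = None) -> list:
    """Runs the six cases a licence check has to handle; returns the server's verdicts."""
    now = int(time.time()) if now is None else now
    server = build_server(now)
    results = []
    good = client_make_token(HW_ID_AUTHORISED, APP_ID, DEVICE_KEY, now)
    results.append(server.verify(good, now)[1])                    # ok
    results.append(server.verify(good, now)[1])                    # replay of the same string
    clone = client_make_token(HW_ID_CLONE, APP_ID, DEVICE_KEY, now)
    results.append(server.verify(clone, now)[1])                   # unknown device
    tampered = dict(client_make_token(HW_ID_AUTHORISED, APP_ID, DEVICE_KEY, now), ts=now + 1)
    results.append(server.verify(tampered, now)[1])                # bad mac
    old = client_make_token(HW_ID_AUTHORISED, APP_ID, DEVICE_KEY, now - 3600)
    results.append(server.verify(old, now)[1])                     # stale
    later = now + 31 * 86400
    late = client_make_token(HW_ID_AUTHORISED, APP_ID, DEVICE_KEY, later)
    results.append(server.verify(late, later)[1])                  # expired
    return results


if __name__ == "__main__":
    print(demo())
```

This answers the hashing-versus-encryption question the post raises: the server does not need a master key to decrypt the parameter, because a MAC is a hash with a key that the server can simply recompute, while the locator (a plain hash of the hardware ID and app ID) points at the same row on every run. The nonce and timestamp are what stop the user from resending yesterday's parameter. The limit of the approach is the one the post already hints at: anyone who reads the hardware ID and the key off the drive and patches the client can forge tokens, so it raises the bar for copying a licence rather than preventing it.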