We use a real keygens algorithm that's defined in RFC 3031, but we haven't provided the details ofhow this works. It's basically an implementation of the ChaCha stream cipher. It uses 2^-32 keys togenerate subkeys and a 2^-64 hash code for each subkey.
If you're using master keys, your customers will be able to claim their keygens, but this isthe wrong approach to this problem. You're assuming that the keys that you generate are goodkeys, and you assume you'll be able to keep them secret, and you don't expect a DoS attack tocausing you to run out of keys.
But if you're not using subkeys, you're just being an ass and providing convenience to people who arenot using code that you sign. They are no better off than you are. They can't generate keys for theirusers, they can't send keys to their users to use with your software, and they can't send the keys intheir users' licenses. None of them can use your software without contacting you to get a newkey, and they might not be as skilled or intelligent as you are.
This is not an obscure theory. It's applied to many products, and it's a problem we've actuallyencountered here at Google. We've found that we need to put up a defense against these kinds ofattacks. We need to generate unique subkeys for each of our customers.
The only way to avoid this problem is to generate unique subkeys, one per user. You can use anytechnique you like to make it hard for someone to derive subkeys for your customers. Forexample, you can drop the subkeys into a set of random numbers in a database.
The problem with this line of thinking is that it is just like the one that led to the RSA debacle.A number of years ago, RSA realized that they were depending on software random number generators toharden their keys. After a few years of digesting the problem, they decided to change the way theygenerate their keys. They generated a new key, they gave it to their customers, and what happened isthat the software keys stopped working and the customer keys didn't. Worse, the real problem is that itwasn't a software problem at all, it was a cryptographer problem. RSA, like most other software vendors,had simply turned their keys upside down, and were happily using software keys as secret seed values fortheir own purposes.
This, of course, happens all the time with software random number generators, but it is very difficult to see itcoming. Unfortunately, there is no simple way of avoiding it. You have to look very carefully at what youdepend on. If you do, you can quickly find out if it's working.
We need to leak the keygens in a way that gives them some value. But they have to befairly worthless to someone who's going after our subkeys. Keygens are only worth attacking whenit's easy to get the malicious subkey.
This is the biggest problem: a well-designed system can easily handle keygens. If we canleave the keys where they are, and give our customers a new set of subkeys every time they purchase anapp, we can handily subvert keygens. 827ec27edc