Security improvements to key signing functionality

After that Web API 2.0 was announced, there have been some minor changes.

  1. A new parameter, signMid was added in the Activation method. By setting it to true, you can ensure that the machine id (set by mid) is signed also. (read more about the security advantages under SignMid)
  2. The Valid output parameter is equal to “True”, with a capital “T”, instead of “true”.
  3. The signing functionality (in both Activation and Validation methods) was fixed to make sure that signatures that the server generates can be validated by a client using the public key.

SignMid

The security advantage of using signMid is mostly relevant for applications that perform activation only once or not at all. By setting it to true, the machine code will be added to the signature (in the KeyInformation class) and thus the client app will know that it has not been modified since the last activation was performed.

This opens doors to securer key activation on computers (devices) that do not have direct connection to the Internet, for example, some computers in an enterprise. An enterprise computer does only need to provide a machine code, which is later used to get a signed key information file. If you would like to have something that facilitates the implementation of this logic, please wait several days (approx 1-2 weeks). We are currently working on a possible solution.

Application maintenance 3rd-4th January.

Yesterday, between 11 pm – 1 am Stockholm time, there was a major upgrade of the APIs in the application. This might have caused disturbances that could affect the Web API during that time. I am very sorry for that. The application is now up-to-date!

Serial Key Manager platform is updated continuously, which is very difficult to notice. However, certain times we need to upgrade vital components in order to keep Serial Key Manager secure.

Upgrade of Web API and Support for Java

The Web API that is used to perform tasks like key validation from a client computer (or a web application) has been upgraded. Here’s the description of it from the support page:

Many operations can be performed using web requests. In contrast to the previous version of the Web API, the new version aims to make all methods standardized. All requests in each method follow the same pattern in order to make it easier to go from one operation to another. Input parameters, results, and errors are well documented in the new documentation to make it easier to use the functionality in SKM on all platforms.

The new Web API requires only two methods to be implemented in the client application: one to send a request and another to decide how the result from the server should be interpreted.

In SKGL Extension API (for .NET) there are two new methods to make these operations easy.

The first method (GetParemeters) is used to send an array of parameters (see the required parameters) to the server and then record the result (another array of variables). If you are using Validation, the result will either contain variables such as the creation date or an error with a short description why it went wrong.

The second method (GetKeyInformationFromParemters) is a helper method that will, given that either an Activation or Validation request was sent, put the information into a KeyInformation so that you can continue to use the features like offline key validation (storing the information securely offline).

In order to make sure that it’s easy to implement this logic into Java, a new API is currently being developed. This API is open-source too, and it can be accessed through GitHub. The API documentation can be accessed here. For the time being, the API has one method that works similar to GetParameters.

Interact with server using API

SKGL Extension was upgraded to the new functionality available in SKM since yesterday. Apart from the fact that you can generate/activate/validate keys using web requests, you can from now list all products and also get uid, pid and hsum values without explicitly logging in through the browser.

Here are the methods that were recently added to the API:

The class that stores this information is:

NOTE: You have go through authentication using your username and password associated with your account for these methods to work.

Secure connection with SSL

From now on, all communication between you (the web interface or the client app) is protected with 256 bit encryption (AES 256 and RSA 2048) by default.

If you are using SKGL Extension API, the only thing you have to do is to upgrade to version 1.0.9.1. If you are sending customized requests (from another server or a different platform), you can simply change from http to https.

This change was performed yesterday, and there might have been short disruptions when logging in into SKM, during external key generation, key activation and validation. The secured connection is now working properly, and no more disruptions should occur.

Our goal is to continue improving the security measures in order to ensure that only you are able to access your information. If you want to find out more about the security measures, please see this article:

Access to the notes field

In the last post, there was a questionnaire about whether or not the access to the “notes” field should be given through key validation or key activation. The results of the questionnaire were mixed.

All opinions are very important for us, so, as a result, the notes field access is implemented in such a way to allow those users that want to access it being able to do so, while those users that don’t want the notes field to be exposed will be able to restrict access to it.

So, if you want to get the notes field exposed, please see this article. If you don’t, there is nothing that has to be done. Simply keep using  Serial Key Manager as you’ve always have done!

The recently released version of SKGL Extension API, v. 1.0.8.1, incorporates a new “notes” field in the KeyInformation class. The notes field is saved in the same way as creation date and other serial key features into a file during offline key validation (one time key activation with a digital signature). For those users that decide not to activate notes field access, nothing has to be done either. Serial Key Manager platform will work with 1.0.7.1 as usual.

It would be great if you find this way of implementing the access to the “notes” field is the optimal solution, but it might not be the case. If there is something you don’t like about this change or if you simply want to tell us what you think, you are warmly welcome to contact us!

External key generation and secure offline key validation

Two great features are now implemented and accessible by all users of Serial Key Manager (SKM): External key generation and passive key validation.

External key generation

From now on, you can generate new keys with a simple web request without exposing neither the password of a product nor the log in details to your account. Everything is handled by a private key that you can change at any time. This feature can be activated/deactivated at any time also.

This is particularly good if you want to automatize the entire software distribution cycle (app downloaded, evaluated, purchased, activated).

For more information, please read the following article or see the video embedded in the end of this post.

Passive key validation

One of the greatest advantages of SKM is that you can control all apps that are connected to SKM servers. That is, all your changes on the server will instantly reach the client app.

In some cases, however, there is no need to validate keys each time the application starts. You might, for instance, want to validate a key only once or possibly once in a month (or any other interval of time), and, at the same time,  be sure that the key information has not been altered.

For more information on how this can be accomplished, please read the following article.

Minor changes

Conclusion

Both of these features were suggested by users of SKM. As I’ve mentioned in the previous posts, all your suggestions are very important to make SKM a great product. In contrast to the early version of SKM, there are now so many new functionality available in SKM. Because of this, all users that registered before the 11th of August have received an extended trial period.

I hope everyone enjoys using SKM. If you would have any questions, please feel free to ask me in English, Swedish or Russian!

The video

Additional information using JSON

Serial Key Manager is now entirely platform independent! Not only can validation and activation occur on any platform, but even the additional data like set timefeatures, can be retrieved using a simple web request. This means that no password has to be stored in the application, which drastically improves the security.

If you would still like to allow offline validations, please consider using activation where you restrict the number of machines that can use the same key.

Several weeks ago, trial activation feature was added, which will ensure that the time restriction starts at the moment of activation.

As you can see, many features have been added to Serial Key Manager. Because of this, 3 days premium subscription can now be activated again, to allow you to test the newly added features.

You are always welcome to ask any questions! Contact us here.