On CD-Keys as DRM

[pneuma08]

So, let's say the purpose of CD-Keys is to provide a viable method in which to restrict illegal copies of the game from being used. Now, for this to be the case, there must be a viable but limited number of them. From what I understand, this is typically done with an algorithm which determines if a key is valid or not. However, this creates some excess; if the algorithm generates 3 million keys but only 400 thousand copies of a game are sold, that leaves a 2.6 million gap. Even if a key is specifically generated for each copy of the game, for every retail box that sits in the store, unsold, that is a potential key for use by an illegal copy.

That said, working in retail I'm more than aware of relatively new tech where a specific key is generated on demand and printed on the receipt, typically used in gaming retail when buying DLC. What if that technology were to be used with retail boxes as well?

That is to say, consider the following system:

* Keys are generated individually and uniquely upon sale (either digitally or physically).
* A list of keys is kept, such that it would be easy to determine if a key is inactive or active but in use.
* The system checks for validity once, upon installation. (Or possibly once every time the game boots or even just occasionally, when it also checks for updates.)

Possible drawbacks include the need for an internet connection (which is unfortunately becoming standard in PC retail releases these days), the need to construct and maintain a very large database whose value diminishes over time (although some structures of which may already be in place by companies like Microsoft), the need for access to Point of Sale Activation (for retail), increased components increase the possibility of failure for any one which may cause grief and inefficiency, and the window between sale and installation in which keys may be "stolen".

Still, this system does cut down on a great deal of excess and is a lot less intrusive than other DRM (cough, cough). The system may even allow for a bit of flexibility; one or two conflicts may only be red flagged but otherwise ignored, but a hundred conflicts means it's time to crack down. With sufficient monitoring data, it may even be possible to track down where the offending key came from.

Thoughts?

(For full disclosure, I'm no fan of DRM but I don't care as long as it's unintrusive.)

 

[More Fun To Compute]

Key generators are a fairly old sort of piracy scheme. They used to be a big problem for Counter Strike before Steam came along, along side game shop employees using keys themselves then selling the game box. I don't think that making a key generator is necessarily any easier than writing a crack though as it requires someone to work out the algorithm for validating keys, which might be server side, and then writing code that can generate random keys. That can be some Alan Turing level computer hacking. To crack a game a cracker just has to be able to read the game code and add some "nop" instructions in machine code in the right places. Which also isn't always easy.

 

[Woodsey]

I'm a little confused on how they're going to know if keys are valid if you're just generating random ones from scratch on the receipt.

 

[the_pleasure_is_mine]

Is it just me, or does typing in the CD key to a game you just purchased with your own hard earned money make you feel good?

Dunno why.

Totally does a bit...

Always feels good to activate Battlefield 2142 on a new computer.

 

[the_pleasure_is_mine]

people still play that?!

Damn it! That was my all time favourite game! I thought it was dead T^T

The community is nowhere near as lively as BF2 but I can still get into a damn good game whenever I play it and I only got a chance to reinstall it about a week ago ^.^

 

[ThriKreen]

Retailer generated keys? No publisher will trust that the reported sale numbers are true.

 

[pneuma08]

Retailer generated keys? No publisher will trust that the reported sale numbers are true.

Generated through retail, not by retail. I'm not exactly sure how it works, but I think the publisher sends the keys on checkout.

They're doing it right now for some DLC, pre-order bonuses, Windows Anytime Upgrade, and a couple other things. Actually, now that I think about it it's mostly Microsoft.

They could also force the key to authenticate a la console serial numbers (or Korean flavor-of-the-month paid-premium game cards). That might be better.

 

[pneuma08]

Key generators are a fairly old sort of piracy scheme. They used to be a big problem for Counter Strike before Steam came along, along side game shop employees using keys themselves then selling the game box. I don't think that making a key generator is necessarily any easier than writing a crack though as it requires someone to work out the algorithm for validating keys, which might be server side, and then writing code that can generate random keys. That can be some Alan Turing level computer hacking. To crack a game a cracker just has to be able to read the game code and add some "nop" instructions in machine code in the right places. Which also isn't always easy.

Yeah, I think the Achilles' Heel of this design would be an installer crack. It would be possible to go the more obnoxious route of having it authenticate every once in a while (say, during loading screens) but that is getting dangerously close to always-online activation. Maybe make those optional (i.e. do nothing on failure to authenticate mid-game - well, it may extend the "loading" downtime a bit but I think that sounds acceptable) - which would make it really hard to track down - but throw up a serious red flag for action later.

Anyway, I think it would be entirely possible to set up this system using mostly established structures without any extra effort for the consumers but have it be complicated enough that the cracks don't start popping up within 24 hours.

 

[Veylon]

It goes back to the same issue with DRM as always: where is it verified?

1) On the PC. Solution: Either determine the key generation method and generate new keys or else disable the verifier code.

2) Online: Create a dummy program that pretends to be the server and just say yes. Or, again, disable the part of the code that asks.

There can be some hoopla associated with this, like using the verifier to download some key files that the game requires to operate. Assassin's Creed 2 did this. Any pirated copy would have to include those files.