MS to intro product key check in WinXP SP1 WPA

And uncrack cracked systems

  • alert
  • submit to reddit

Security for virtualized datacentres

Microsoft has released details of the changes being made in Windows Product Activation (WPA) with WinXP Service Pack 1. As expected, SP1 will fail to install if either of "two well-known pirated product keys" has previously been used to activate the system, and such systems will also be denied access to Windows Update. But the changes will have a far wider impact than this, as Microsoft appears to be trying to cover all currently known holes in WPA security.

Activations taking place after SP1 has been applied (largely on new systems, one presumes) will include the product key in the installation ID. According to Allen Nieman, lead technical product manager i/c WPA, the full key will be sent to Microsoft in an internet activation, while telephone activations will include a hash value of the key, " in order to limit the increase in size of the telephone Installation ID." Nieman says "we should have included this in the Installation ID from the beginning," and now they have.

This installation ID previously consisted of product ID and hardware hash, so the addition of the product key takes the components to three. The major impact of this change is that Microsoft can now check a product key "to determine its validity," which perhaps means that Microsoft does have a list of valid keys of some sort, and that key generation software will cease to function. If however Microsoft does not have such a list for products already shipped, it most certainly will have in the future. Failing that, the change at least gives Microsoft a mechanism for swiftly cracking down on new leaked keys.

As Windows Update will also now be checking keys, Microsoft can deny access to updates even if SP1 has been successfully applied on a system whose key is subsequently determined to be compromised. No bombs vaping systems as yet though - it still seems to be the intention simply to freeze systems by denying them updates. Apart from...

"Service Pack 1 for Windows XP will contain fixes to cracks used by software pirates to circumvent activation. Installations of Windows XP patched by a crack will require activation after SP1 has been installed." So, although as far as leaked product keys are concerned, Microsoft is sticking to its promise of just freezing the system state at pre-SP1, users of patched versions applying SP1 will be bombed.

Why the differentiation? People using cracks are badder than people using dodgy corporate keys? Market research? Possibly, Microsoft recognises that users of leaked keys stand a greater chance of being genuine customers using the keys either deliberately or obliviously, and that it stands some chance of shooting its friends by mistake.

Windows Update, by the way, will not be validating product keys until 2nd October, according to Nieman, which means until then the product key data is simply discarded. After that date it will be used for validation and then discarded, he says. But, um, hang on a moment there Mr Nieman. If Microsoft has a list of valid keys, and if it checks my key against that list, then must it not place some form of tick on the list, in order to cater for my known propensity to pass on my product key to my neighbours, pets and passing tradespeople? (I jest, please stop trying to break down that door.)

Anyway, the nature of 'discarded' here seems to us to warrant further investigation, and the importance of the 2nd October switchover is probably that Microsoft wants to avoid the possibility of two sets of changes going horribly wrong at the same time.

There is one small relaxation in the new model, in that users forced to reactivate after making hardware changes will now have three days in which to do so, rather than having their system break instantly, and being forced to fix it then. From the user's perspective this probably does not amount to a particularly large hill of beans, but it will likely make them less cross when they phone up, and it does look like a concession.

As regards corporate customers, an encryption feature has been added, "to allow the encryption of the VLK for unattended setups of Windows XP with Service Pack 1. Customers who place their VLK in an unattended setup file (unattend.txt) will be able to encrypt the VLK such that it will be time limited and hidden from plain text. This means that the VLK could be encrypted in the unattend.txt on a network share install point, RIS, CD-based install, etc."

The implications of this aren't immediately clear to us, and rather depend on what that "time limited and hidden from plain text" means. It should not mean that corporate customers will need to be issued with new keys for existing installations (as Nieman hotly denied when we suggested this might be the case), but it does seem to suggest new 'disposable' keys are envisaged for new slipstreamed installations. Limited time keys would certainly make sense, considering what techies are like.

Microsoft puts all of this in its very own way. The changes are "ensuring licensed customers receive full benefits" and "raising the bar on pirates" who "have been busy engineering circumventions to digital rights technologies including Microsoft's own product activation." So there you have it - WPA is a digital rights technology. Which may remind you of something. ®

Website security in corporate America

More from The Register

next story
New 'Cosmos' browser surfs the net by TXT alone
No data plan? No WiFi? No worries ... except sluggish download speed
'Windows 9' LEAK: Microsoft's playing catchup with Linux
Multiple desktops and live tiles in restored Start button star in new vids
iOS 8 release: WebGL now runs everywhere. Hurrah for 3D graphics!
HTML 5's pretty neat ... when your browser supports it
'People have forgotten just how late the first iPhone arrived ...'
Plus: 'Google's IDEALISM is an injudicious justification for inappropriate biz practices'
Mathematica hits the Web
Wolfram embraces the cloud, promies private cloud cut of its number-cruncher
Mozilla shutters Labs, tells nobody it's been dead for five months
Staffer's blog reveals all as projects languish on GitHub
SUSE Linux owner Attachmate gobbled by Micro Focus for $2.3bn
Merger will lead to mainframe and COBOL powerhouse
iOS 8 Healthkit gets a bug SO Apple KILLS it. That's real healthcare!
Not fit for purpose on day of launch, says Cupertino
Not appy with your Chromebook? Well now it can run Android apps
Google offers beta of tricky OS-inside-OS tech
prev story


Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.