How to make my licensing system better?

polaris · · 470 views
This is a resource that was shared earlier; the information in it may have since developed or changed.
https://github.com/SaturnsVoid/SimpleLicensing

It's a simple project I am doing, making an application licensing system in/for Go.

So far I have a basic setup; the major flaw is that it will always need the client to have internet access to the licensing server...

Any ideas on how to make this better?

---

**Comments:**

**php_questions:**

I haven't really looked through all of your code, but there are already a couple of things that seem to be bad for security..

Here:

https://github.com/SaturnsVoid/SimpleLicensing/blob/master/SimpleLicensing/Licensing.go#L51

This seems to be pretty bad for security.. you should be using

> cipher.NewGCM

Because it gives you AEAD (https://en.wikipedia.org/wiki/Authenticated_encryption)

Also, I see that you are using math/rand to generate random strings:

https://github.com/SaturnsVoid/SimpleLicensing/blob/master/Server.go#L8

https://github.com/SaturnsVoid/SimpleLicensing/blob/master/Server.go#L87

You should be using crypto/rand instead.. math/rand is not suitable for "security-sensitive work".

This is what it says in the math/rand overview:

> For random numbers suitable for security-sensitive work, see the crypto/rand package.

**dmke:**

I'd go with public-key cryptography:

- on the server, generate a private/public key pair
- distribute the public key with your software
- when generating a license, simply list some data (recipient, expiry date and such) and sign it with the private key
- the client then validates the license with the public key

(Come to think of it, this seems like a prime target for JWT.)

This largely eliminates the need for an active internet connection. On the server side, you also won't need a DBMS; simply store the license on disk.

The obvious revocation problem can be mitigated either by periodically connecting to the server (say, once every month), or by issuing only short-lived licenses + auto-generating new ones before the current one expires (similar to Let's Encrypt).

**robvdl:**

Unrelated, but I thought I'd mention it anyway: there is a typo here:

https://github.com/SaturnsVoid/SimpleLicensing/blob/master/SimpleLicensing/Licensing.go#L145

It says "connot" instead of "cannot".

Also I am pretty sure "License is expired" should be "License has expired".

