There is no standard. Each company does it one way, with higher or lower level of sophistication/quality. Rarely is the algorithm published, since ignorance of it is the main factor that seeks (but rarely succeeds) to ensure protection against misuse (see "security for obscurantism"). The techniques employed evolve over time, while the techniques of "breaking" or evasion* also do so.
However, some patterns can be observed in these techniques, depending on the particular scenario they apply (online or offline software, which "calls home" or which does not).
*Note: I refer to "break" when one discovers a means of generating valid codes that were not issued by the producer/distributor, without change ("crack") in the program, and "escape" when the program is modified to simply not do more key checking (so that it works without a valid key) or to "trick" it in any other way by simulating a validation server, blocking the application in the firewall, etc.
Offline, without "call home"
In this scenario it is sought to prevent a user who does not have the key - any key - from running the program. It is the simplest but most limited scenario - as it is enough that a single key is disclosed so that anyone with a copy of the program can use it.
The general technique is to embed a checker algorithm into the software, which receives a code and says "valid" or "invalid", and separately deliver a unique key to the client that the validator will accept. The format must be such that a third party cannot easily create valid codes from scratch.
Rather ineffective algorithms have been used in older systems (a response to a similar question in Soen [indicated by rubStackOverflow in the comments] cites a case where only 10 attempts were enough to guess a valid key! ), but someone who wanted to implement it today could do so unbreakably (but not unavoidably) through public key cryptography:
- Create a key pair by embedding the public key into the installation media;
- Each license would have a serial number, and the CD-Key would be that serial number signed by the private key (which only the distributor has);
- When the user enters with the key, the system only has to check whether the signature is valid or not.
Without the private key, it’s impossible to create a keygen that generates (with high probability) valid keys, no matter how many other keys the attacker knows. So the only way to copy the software without changing it would be to reuse an already used key (and if the supplier has the means to track a key to its owner - via registration at the time of purchase, for example - this increases the exposure of those who share a key, and consequently the risk of being caught).
Offline, "Calling home"
If product activation involves the intervention of the producer/distributor, this allows a somewhat more sophisticated protection. For example, you can make the software work only on the first machine it was installed on, and the code is useless on any other*. In addition it is clear to try to authenticate who uses the CD-Key so as to prevent the same key from being used twice by different people.
* Disclaimer: at least in Brazil and the US this is illegal (for different reasons), unless the supplier guarantees the consumer the right to reinstall the system in another machine (after uninstalling the first one, or if the first one is unusable), whatever the technical means used for this. In Brazil it is even allowed cracking a system legally to guarantee their consumer rights, provided that this crack does not simultaneously incur a violation of the copyright of the supplier.
This intervention does not need to involve an internet connection, as I have already observed (I recently downloaded my copy of Windows 7 by phone). Again, the techniques vary in quality, but here is an example of how this could be done:
- Again, asymmetric keys are created, but in this case two pairs are required, one to sign and one to encrypt;
- A CD-Key is created as in the previous case, signed by the manufacturer;
- The software, once installed, collects some hard-to-forge user system information (such as your mac address) and asks for the CD-Key pro user (checking the subscription);
- It then encrypts ("encrypts") both data generating a new code, which needs to be sent back to the manufacturer (whether via internet, phone, or any other means);
- The manufacturer then decrypts this data, registers it into his database (as said, "a huge database containing all valid Keys and for whom they were assigned") - if they have not already been used, of course - effectively linking (Locking) that serial number to that user and that specific machine;
- A serial release code is then created and signed by the manufacturer; this code is then inserted into the software (automatically or manually) and the signature is verified, freeing the access.
Again the attacker can’t generate a CD-Key out of the blue (because he doesn’t have the private signature key), but in this case you can’t even reuse a previous key - because the final code, the one returned at the end of the process, is only valid for the computer with that specific MAC address.
Online
If the software requires internet connection, then none of this is necessary - just use a random and unique value like CD-Key (one UUID is enough, provided that safely generated), store it in your database a priori (necessary, otherwise one could not distinguish valid keys from invalid ones) and when validating check if the code is in the bank and associate it to the logged in user (if this has not already been done), rejecting if it is sent by a different user. And of course taking appropriate steps to prevent multiple people from logging in with the same user account.
I cannot say with certainty what is used in practice, since they are proprietary systems and I do not know their operation. But I can safely say it’s based on cryptography. The scheme can be from simple - the software contains a public key, and the CD-KEY is a private key or something signed with that key - to something much more complex. I have studied for example a technique that allows to "disable" a cracked device simply by generating a code that works in all others except that. I can also infer a few things based on personal experience with Windows.
– mgibsonbr
By the way, I find the question interesting, I just don’t know if it’s "responsive". You say there must be some algorithm or pattern, but hardly that pattern would be public - because otherwise it would make the work of the "pirates" much easier.
– mgibsonbr
in English: http://stackoverflow.com/questions/3002067/how-are-software-license-keys-generated
– rubStackOverflow