I am trying to receive the user's password from a PDF file. For testing purposes I'm given both, the master's and user's password. Right now I am passing the master's password in a parameter and use it to create a new instance of iTextSharp.text.pdf.PdfReader which works fine. Then I'm entering an if-clause which should return whether the PDF is being opened with full permissions or not. Inside this if-clause I request the user's password by calling iTextSharp.text.pdf.PdfReader.ComputeUserPassword() which returns null.
My entire code looks like this (GetByteAr(string s) returns the password converted to a byte array):
public static bool IsPasswordProtectedOwner(string pdf, string ownerPw)
{
try
{
var reader = new PdfReader(pdf, GetByteAr(ownerPw));
if (reader.IsOpenedWithFullPermissions)
{
Console.WriteLine("opened with full permissions");
string pw = String.Empty;
var computedPassword = reader.ComputeUserPassword();
foreach (byte b in computedPassword)
pw += Char.ConvertFromUtf32(b);
}
else
{
Console.WriteLine("not opened with full permissions");
}
}
catch (Exception e) when (e is NullReferenceException || e is BadPasswordException)
{
Console.WriteLine(e);
}
return true;
}
And my output looks like this:
opened with full permissions
System.NullReferenceException: Object reference not set to an instance of an object.
at PDFsV2.PDFInteractor.IsPasswordProtectedOwner(String pdf, String ownerPw)
in C:\Users\user\source\repos\PDFsV2\PDFsV2\PDFInteractor.cs:line 57
Can you help me understand why computedPassword is null? Why is ComputeUserPassword returning null?
Edit, this is the reason why it returns null:
https://api.itextpdf.com/iText5/5.5.13/
public byte[] computeUserPassword()
Computes user password if standard encryption handler is used with
Standard40, Standard128 or AES128 encryption algorithm.
Returns:
user password, or null if not a standard encryption handler was used, if standard encryption handler was used with AES256 encryption
algorithm, or if ownerPasswordUsed wasn't use to open the document.
https://github.com/kusl/itextsharp/blob/master/tags/iTextSharp_5_4_5/src/core/iTextSharp/text/pdf/PdfReader.cs#L3849 shows the implementation of ComputeUserPassword as:
public byte[] ComputeUserPassword() {
if (!encrypted || !ownerPasswordUsed) return null;
return decrypt.ComputeUserPassword(password);
}
As per that code (second line) it is possible for ComputeUserPassword to be null. As such, you need to cater for that in your code (i.e. check whether it is null before foreaching over it).
In your case, it is likely because:
ownerPasswordUsed = decrypt.ReadKey(enc, password);
is returning false. This may indicate you have the wrong password value.
Similarly, the docs state:
user password, or null if not a standard encryption handler was used
or if ownerPasswordUsed wasn't use to open the document.
Well, I'm trying to generate the same key with this two libraries:
https://github.com/dvsekhvalnov/jose-jwt this is for C#
https://github.com/Spomky-Labs/jose and this is for PHP
I have implemented both:
In C#:
public static string CypherData<T>(T payload)
{
return JWT.Encode(payload, pubkey, JweAlgorithm.RSA_OAEP, JweEncryption.A256GCM, JweCompression.DEF);
}
Console.WriteLine(Api.CypherData("hola"));
This how I load public key PEM string:
private static RSACryptoServiceProvider GetPubKey()
{
ConnPreCheck();
JObject obj = JsonConvert.DeserializeObject<JObject>(getPubKey.HttpGet());
pubkeyStr = obj["data"]["pubKey"].ToString();
return PemKeyUtils.GetRSAProviderFromPemString(pubkeyStr);
}
And this is what it returns:
eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ.L3Teg2RSXXpp4jakLkl2PQgidJ5BIXyP5QZM2B4RaO0vs55aT22D9_dPl6d83KvXezM4YkOnyoF0JA0eLX3k8W4eWkHUhgoYqxgwQSWWhjrpDxcpNdXbDlB6zVb_BKf5upro5qm23nr_SOkkqhKJGrw_sIXvD1LjOburLolDqojrnvK5awGtiFwkPZjRh_wh4z4buEfYsWJCKhTLU6aG_DipmbAXq1o9u1-cqiQJC0JlPJRbh6JJDmVc9YqBv0W0rFEa7W5HA12TO-RtV42tEPApr3hNmD8QwzvxxZYKpMzoBAsSQcvSKk878qeOAcx3pZyoDZ6WzD-LRusWy7nJwOa6AC9NsL91mv8WsZxWar9AnzOsKleSJ7k8I477pXE_H1g7XnFBgmA4egF-721sa7SO2LtS440v1ytA4504sdjVYeOfWmRSU4UljnUqaYTd031fzCevzNEO0Q7mncn-sJACVHiwQB9c703SvYZaFOyzU-vdXUqBRTR6x0JvQd_lFNgSS9pOQC5BQbAKOME9fjdXiwRUKfyHXCUAUj88CJEMqxg3_VYYfUC04GahmoysR9QUpK3l84Z5TLOi47SvO-NkR-2wf7v4ko8bZIR3E6XFHFG9lWwdzR_JPz7fm0OFiYB0HN8XgWE4bQ2tasYsmFhWVfkeRZodnlqFvImSNjA.GIGFv4h_nYkpBiA5.1_66eMEb.BJTezaLucvfluWQ8VEzgCQ
In PHP:
Well, the PHP implementation is the following:
include(__DIR__ . "/../libs/jose/autoload.php");
$file = __DIR__ . '/../keys/public.key';
$contents = file_get_contents($file);
// This is the input we want to load verify.
$input = #$_GET["input"];
$key = new \Jose\KeyConverter\RSAKey($contents);
$jwe = \Jose\Factory\JWEFactory::createJWEToCompactJSON(
$input, // The message to encrypt
new \Jose\Object\JWK($key->toArray()), // The key of the recipient
[
'alg' => 'RSA-OAEP',
'enc' => 'A256GCM',
'zip' => 'DEF',
]
);
They are similar codes no?
But the output is different:
eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00iLCJ6aXAiOiJERUYifQ.jbNHUCuXYcXZWrHsJrPclV-fjYmFWwwPj4t3kAOt7PahQfsz0a1GaRrODcwKce4yRtLyjv2U7CtFMxt9ah3XTwIqm1mzzPMhO4LnFIRqMRgsxEgIijRqNOOpE85M3UPBRqjYw0wdjaqfJToLVLwaHgUPCkOqsHrdOOWkxN20fZYy4Z1PQAC0rk2WqLD0x7Za1jdV6LvVtd18iFIaRqf2uNYcRePdyInRxwHGp9JfRkVCQILTfwHlxQBKrwJxhZOzdHrjjNjxNsjAsHGMix6MAbUR0YT4hlrE59eriDVxix4uQrrChuzWVz_kY9-zvB9SDZnYDdfgONYUgTMpbkMTVWsF40JmWJ6wvGs3HaaIxN17UjQLemKgrS4-bqvbnschhZTIGi5-f8Cr_SwGo411VNYhNpD4P1H2dEjmAFpn3SdW3Oi6pPgK2tvIpEwGUS-Gi29-aCCNeuyE2m5dbFW28G9HMmvZHAky4KHE4NlNJTrH0aBxQX_Gc7eTf9q00gJtKQ5CinXaUYAB0xSEbsNACZuFLPawuxj_3FGn6dHYFOkSsatCTcqV5tiGJXG6ns-wDc682-G9Mj8HCIzYzakp-yZLIaY00fg5xQdgKJrk0QbCtvbwiQGoupyMV9f3RpEBJznPrq4STypxskdh6jksB6T_1fhPqZMVt2BHR4phCBg.9380DJUDH4TQnnr7.zEuMQwRr.BfdStBMcVnVR-2ujTLjuaA
You can see the differences here:
Left is for C# and right for PHP. You can see it there: http://qbz28b-user.freehosting.host/html/Result.html
Obviously, when I try to decrypt with PHP the text generated with C#...
... the implementation of decrypting in PHP:
include(__DIR__ . "/../libs/jose/autoload.php");
$file = __DIR__ . '/../keys/private.key';
$contents = file_get_contents($file);
// This is the input we want to load verify.
$input = #$_GET["input"];
$jwk = new \Jose\KeyConverter\RSAKey($contents);
// We create our loader.
$loader = new Jose\Loader();
$loader->load($input);
// The payload is decrypted using our key.
$jws = $loader->loadAndDecryptUsingKey(
$input, // The input to load and decrypt
new \Jose\Object\JWK($jwk->toArray()), // The symmetric or private key
['RSA-OAEP'], // A list of allowed key encryption algorithms
['A256GCM'], // A list of allowed content encryption algorithms
$recipient_index // If decrypted, this variable will be set with the recipient index used to decrypt
);
$coreData["content"] = $jws->getPayload();
The following exception occurs:
Fatal error: Uncaught InvalidArgumentException: Unable to decrypt the
JWE. in C:\xampp\htdocs\z3nth10n-PHP\libs\jose\Decrypter.php:80 Stack
trace: #0 C:\xampp\htdocs\z3nth10n-PHP\libs\jose\Loader.php(95):
Jose\Decrypter->decryptUsingKeySet(Object(Jose\Object\JWE),
Object(Jose\Object\JWKSet), NULL) #1
C:\xampp\htdocs\z3nth10n-PHP\libs\jose\Loader.php(30):
Jose\Loader->loadAndDecrypt('eyJhbGciOiJSU0E...',
Object(Jose\Object\JWKSet), Array, Array, NULL) #2
C:\xampp\htdocs\z3nth10n-PHP\includes\actions.php(321):
Jose\Loader->loadAndDecryptUsingKey('eyJhbGciOiJSU0E...',
Object(Jose\Object\JWK), Array, Array, NULL) #3
C:\xampp\htdocs\z3nth10n-PHP\api.php(9):
include('C:\xampp\htdocs...') #4 {main} thrown in
C:\xampp\htdocs\z3nth10n-PHP\libs\jose\Decrypter.php on line 80
I have been looking in the code for so much time, and I have realized that the problem isn't in the code, the problem is in the token generated. And I don't know what can I do, you can test it here.
Encoding a word...
... and then, decrypting it.
Any suggestions to look at?
I need all the text in the body for incoming email.
I tried:
var mesage = GetMessage(service, "me", 1);
Console.WriteLine(mesage.Snippet);
public static Message GetMessage(GmailService service, String userId, String messageId)
{
try
{
return service.Users.Messages.Get(userId, messageId).Execute();
}
catch (Exception e)
{
Console.WriteLine("An error occurred: " + e.Message);
}
return null;
}
But I am getting just snippet as shown in the screenshot.
Incoming mail to me:
Result:
Looking at the documentation, Message.Snippet only returns a short part of the message text. You should instead use Message.Raw, or more appropriately, Message.Payload.Body?
var message = GetMessage(service, "me", 1);
Console.WriteLine(message.Raw);
Console.WriteLine(message.Payload.Body.Data);
You should try both out and see what works best for what you're trying to do.
To get message.Raw you need to pass a parameter, as stated in the docs:
Returned in messages.get and drafts.get responses when the format=RAW parameter is supplied.
If none of those things work, you could try iterating over the parts of the message to find your data:
foreach (var part in message.Payload.Parts)
{
byte[] data = Convert.FromBase64String(part.Body.Data);
string decodedString = Encoding.UTF8.GetString(data);
Console.WriteLine(decodedString);
}
I have some data I wish to protect, so I am using ProtectedData to encrypt it onto a file.
When I am attempting to read and decrypt the data I am getting the strangest exception:
CryptographicException - Unable to update the password. The value provided for the new password does not not meet the length, complexity, or history requirements of the domain.
This is where it is thrown:
byte[] decryptedData = ProtectedData.Unprotect(Encoding.UTF8.GetBytes(fileContent),
Encoding.UTF8.GetBytes(entropy),
DataProtectionScope.LocalMachine);
It also happens when using DataProtectionScope.CurrentUser.
I haven't found any information about this exception online so I'm pretty much clueless.
Some generic errors won't generate an exception and that last error is thrown.
From inside System.Security.Cryptography.ProtectedDate.Unprotect:
throw new CryptographicException(Marshal.GetLastWin32Error());
More specifically it is most like failing because of on of the default flags using the System.Security.Cryptography implementing crypt32.dll:CryptUnprotectData - CRYPTPROTECT_UI_FORBIDDEN - "This flag is used for remote situations where presenting a user interface (UI) is not an option. When this flag is set and a UI is specified for either protection or unprotection, the call fails and GetLastError() returns the ERROR_PASSWORD_RESTRICTION status code." Windows Data Protection
I found a workaround that works for me is to not use the Base64 converter, I use the same script that PowerShell uses:
static byte[] ByteArrayFromString(string s)
{
int length = s.Length / 2;
byte[] numArray = new byte[length];
if (s.Length > 0)
{
for (int i = 0; i < length; i++)
{
numArray[i] = byte.Parse(s.Substring(2 * i, 2), NumberStyles.AllowHexSpecifier, CultureInfo.InvariantCulture);
}
}
return numArray;
}
I have devices with unique serial number (string incremetation) ex : AS1002 and AS1003.
I need to figure out an algorithm to produce a unique activation key for each serial number.
What would be the best approach for this ?
Thanks !
(This has to be done offline)
You have two things to consider here:
- Whatever key you generate must be able to be entered easily, so this eliminates some weird hash which may produce characters which will be cumbersome to type, although this can be overcome, it’s something you should consider.
- The operation as you stated must be done online
Firstly, there will be no way to say with absolute certainty that someone will not be able to decipher your key generation routine, no matter how much you attempt to obfuscate. Just do a search engine query for “Crack for Xyz software”.
This has been a long battle that will never end, hence the move to deliver software as services, i.e. online where the producer has more control over their content and can explicitly authorize and authenticate a user. In your case you want to do this offline. So in your scenario someone will attach your device to some system, and the accompanying software that you intend to write this routine on will make a check against the serial number of the device v/s user input.
Based on #sll’s answer, given the offline nature of your request. Your best, unfortunately would be to generate a set of random codes, and validate them when user’s call in.
Here is a method borrowed from another SO answer, I've added digits as well
private readonly Random _rng = new Random();
private const string _chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ123456789"; //Added 1-9
private string RandomString(int size)
{
char[] buffer = new char[size];
for (int i = 0; i < size; i++)
{
buffer[i] = _chars[_rng.Next(_chars.Length)];
}
return new string(buffer);
}
So, generating one for each of your devices and storing them somewhere might be your only option because of the offline considerations.
This routine will produce strings like this when set to create a 10 digit string, which is reasonably random.
3477KXFBDQ
ROT6GRA39O
40HTLJPFCL
5M2F44M5CH
CAVAO780NR
8XBQ44WNUA
IA02WEWOCM
EG11L4OGFO
LP2UOGKKLA
H0JB0BA4NJ
KT8AN18KFA
Activation Key
Here is a simple structure of the activation key:
Part
Description
Data
A part of the key encrypted with a password. Contains the key expiration date and application options.
Hash
Checksum of the key expiration date, password, options and environment parameters.
Tail
The initialization vector that used to decode the data (so-called "salt").
class ActivationKey
{
public byte[] Data { get; set; } // Encrypted part.
public byte[] Hash { get; set; } // Hashed part.
public byte[] Tail { get; set; } // Initialization vector.
}
The key could represent as text format: DATA-HASH-TAIL.
For example:
KCATBZ14Y-VGDM2ZQ-ATSVYMI.
The folowing tool will use cryptographic transformations to generate and verify the key.
Generating
The algorithm for obtaining a unique activation key for a data set consists of several steps:
data collection,
getting the hash and data encryption,
converting activation key to string.
Data collection
At this step, you need to get an array of data such as serial number, device ID, expiration date, etc. This purpose can be achieved using the following
method:
unsafe byte[] Serialize(params object[] objects)
{
using (MemoryStream memory = new MemoryStream())
using (BinaryWriter writer = new BinaryWriter(memory))
{
foreach (object obj in objects)
{
if (obj == null) continue;
switch (obj)
{
case string str:
if (str.Length > 0)
writer.Write(str.ToCharArray());
continue;
case DateTime date:
writer.Write(date.Ticks);
continue;
case bool #bool:
writer.Write(#bool);
continue;
case short #short:
writer.Write(#short);
continue;
case ushort #ushort:
writer.Write(#ushort);
continue;
case int #int:
writer.Write(#int);
continue;
case uint #uint:
writer.Write(#uint);
continue;
case long #long:
writer.Write(#long);
continue;
case ulong #ulong:
writer.Write(#ulong);
continue;
case float #float:
writer.Write(#float);
continue;
case double #double:
writer.Write(#double);
continue;
case decimal #decimal:
writer.Write(#decimal);
continue;
case byte[] buffer:
if (buffer.Length > 0)
writer.Write(buffer);
continue;
case Array array:
if (array.Length > 0)
foreach (var a in array) writer.Write(Serialize(a));
continue;
case IConvertible conv:
writer.Write(conv.ToString(CultureInfo.InvariantCulture));
continue;
case IFormattable frm:
writer.Write(frm.ToString(null, CultureInfo.InvariantCulture));
continue;
case Stream stream:
stream.CopyTo(stream);
continue;
default:
try
{
int rawsize = Marshal.SizeOf(obj);
byte[] rawdata = new byte[rawsize];
GCHandle handle = GCHandle.Alloc(rawdata, GCHandleType.Pinned);
Marshal.StructureToPtr(obj, handle.AddrOfPinnedObject(), false);
writer.Write(rawdata);
handle.Free();
}
catch(Exception e)
{
// Place debugging tools here.
}
continue;
}
}
writer.Flush();
byte[] bytes = memory.ToArray();
return bytes;
}
}
Getting the hash and data encryption
This step contains the following substeps:
create an encryption engine using a password and stores the initialization vector in the Tail property.
next step, expiration date and options are encrypted and the encrypted data is saved into the Data property.
finally, the hashing engine calculates a hash based on the expiration date, password, options and environment and puts it in the Hash property.
ActivationKey Create<TAlg, THash>(DateTime expirationDate,
object password,
object options = null,
params object[] environment)
where TAlg : SymmetricAlgorithm
where THash : HashAlgorithm
{
ActivationKey activationKey = new ActivationKey();
using (SymmetricAlgorithm cryptoAlg = Activator.CreateInstance<TAlg>())
{
if (password == null)
{
password = new byte[0];
}
activationKey.Tail = cryptoAlg.IV;
using (DeriveBytes deriveBytes =
new PasswordDeriveBytes(Serialize(password), activationKey.Tail))
{
cryptoAlg.Key = deriveBytes.GetBytes(cryptoAlg.KeySize / 8);
}
expirationDate = expirationDate.Date;
long expirationDateStamp = expirationDate.ToBinary();
using (ICryptoTransform transform = cryptoAlg.CreateEncryptor())
{
byte[] data = Serialize(expirationDateStamp, options);
activationKey.Data = transform.TransformFinalBlock(data, 0, data.Length);
}
using (HashAlgorithm hashAlg = Activator.CreateInstance<THash>())
{
byte[] data = Serialize(expirationDateStamp,
cryptoAlg.Key,
options,
environment,
activationKey.Tail);
activationKey.Hash = hashAlg.ComputeHash(data);
}
}
return activationKey;
}
Converting to string
Use the ToString method to get a string containing the key text, ready to be transfering to the end user.
N-based encoding (where N is the base of the number system) was often used to convert binary data into a human-readable text. The most commonly used in
activation key is base32. The advantage of this encoding is a large alphabet consisting of numbers and letters that case insensitive. The downside is that this encoding is not implemented in the .NET standard library and you should implement it yourself. You can also use the hex encoding and base64 built into mscorlib. In my example base32 is used, but I will not give its source code here. There are many examples of base32 implementation on this site.
string ToString(ActivationKey activationKey)
{
if (activationKey.Data == null
|| activationKey.Hash == null
|| activationKey.Tail == null)
{
return string.Empty;
}
using (Base32 base32 = new Base32())
{
return base32.Encode(activationKey.Data)
+ "-" + base32.Encode(activationKey.Hash)
+ "-" + base32.Encode(activationKey.Tail);
}
}
To restore use the folowing method:
ActivationKey Parse(string text)
{
ActivationKey activationKey;
string[] items = text.Split('-');
if (items.Length >= 3)
{
using (Base32 base32 = new Base32())
{
activationKey.Data = base32.Decode(items[0]);
activationKey.Hash = base32.Decode(items[1]);
activationKey.Tail = base32.Decode(items[2]);
}
}
return activationKey;
}
Checking
Key verification is carried out using methodes GetOptions an Verify.
GetOptions checks the key and restores embeded data as byte array or null if key is not valid.
Verify just checks the key.
byte[] GetOptions<TAlg, THash>(object password = null, params object[] environment)
where TAlg : SymmetricAlgorithm
where THash : HashAlgorithm
{
if (Data == null || Hash == null || Tail == null)
{
return null;
}
try
{
using (SymmetricAlgorithm cryptoAlg = Activator.CreateInstance<TAlg>())
{
cryptoAlg.IV = Tail;
using (DeriveBytes deriveBytes =
new PasswordDeriveBytes(Serialize(password), Tail))
{
cryptoAlg.Key = deriveBytes.GetBytes(cryptoAlg.KeySize / 8);
}
using (ICryptoTransform transform = cryptoAlg.CreateDecryptor())
{
byte[] data = transform.TransformFinalBlock(Data, 0, Data.Length);
int optionsLength = data.Length - 8;
if (optionsLength < 0)
{
return null;
}
byte[] options;
if (optionsLength > 0)
{
options = new byte[optionsLength];
Buffer.BlockCopy(data, 8, options, 0, optionsLength);
}
else
{
options = new byte[0];
}
long expirationDateStamp = BitConverter.ToInt64(data, 0);
DateTime expirationDate = DateTime.FromBinary(expirationDateStamp);
if (expirationDate < DateTime.Today)
{
return null;
}
using (HashAlgorithm hashAlg =
Activator.CreateInstance<THash>())
{
byte[] hash =
hashAlg.ComputeHash(
Serialize(expirationDateStamp,
cryptoAlg.Key,
options,
environment,
Tail));
return ByteArrayEquals(Hash, hash) ? options : null;
}
}
}
}
catch
{
return null;
}
}
bool Verify<TAlg, THash>(object password = null, params object[] environment)
where TAlg : SymmetricAlgorithm
where THash : HashAlgorithm
{
try
{
byte[] key = Serialize(password);
return Verify<TAlg, THash>(key, environment);
}
catch
{
return false;
}
}
Example
Here is a full example of generating the activation key using your own combination of any amount of data - text, strings, numbers, bytes, etc.
Example of usage:
string serialNumber = "0123456789"; // The serial number.
const string appName = "myAppName"; // The application name.
// Generating the key. All the parameters passed to the costructor can be omitted.
ActivationKey activationKey = new ActivationKey(
//expirationDate:
DateTime.Now.AddMonths(1), // Expiration date 1 month later.
// Pass DateTime.Max for unlimited use.
//password:
null, // Password protection;
// this parameter can be null.
//options:
null // Pass here numbers, flags, text or other
// that you want to restore
// or null if no necessary.
//environment:
appName, serialNumber // Application name and serial number.
);
// Thus, a simple check of the key for validity is carried out.
bool checkKey = activationKey.Verify((byte[])null, appName, serialNumber);
if (!checkKey)
{
MessageBox.Show("Your copy is not activated! Please get a valid activation key.");
Application.Exit();
}
By far the most secure way to do it is to have a centralized database of (serial number, activation key) pairs and have the user activate over the internet so you can check the key locally (on the server).
In this implementation, the activation key can be completely random since it doesn't need to depend on the serial number.
You want it to be easy to check, and hard to "go backwards". You'll see a lot of suggestions for using hashing functions, those functions are easy to go one way, but hard to go backwards. Previously, I phrased that as "it is easy to turn a cow into a hamburger, but hard to turn a hamburger into a cow". In this case, a device should know its own serial number and be able to "add" (or append) some secret (usually called "salt") to the serial and then hash or encrypt it.
If you are using reversible encryption, you want to add some sort of "check digit" to the serial numbers so that if someone does figure your encryption scheme out, there is another layer for them to figure out.
An example of a function that is easy enough to "go backwards" was one I solved with Excel while trying to avoid homework.
And you probably want to make things easier for your customers by making the encoding less likely to be messed up when the activation codes are handwritten (such as you write it down from the email then walk over to where the device is and punch the letters/digits in). In many fonts, I and 1, and 0 and O are similar enough that many encodings, such as your car's VIN do not use the letters i and o (and I remember older typewriters that lacked a key for the digit 1 because you were expected to use lowercase L). In such cases, Y, 4 and 7 can appear the same depending on some handwriting. So know your audience and what are their limits.
If your device has some secured memory which can not be read by connecting an programmator or an other device -you can store some key-code and then use any hashing algorithm like MD5 or SHA-1/2 to generate hash by:
HASH(PUBLIC_SERIALNUMBER + PRIVATE_KEYCODE)
And pairs of SERIALNUMBER + KEYCODE should be stored in local DB.
In this way: (offline)
Client calling you and asking for the Activation Code
You asking for a SERIALNUMBER of particular device
Then you search for a KEYCODE by a given SERIALNUMBER in your local DB and generate Activation Code (even using MD5 this will be sacure as long KEYCODE is privately stored in your DB)
Client enter Activation Code into the device, device able to generate hash
by own SERIALNUMBER and KEYCODE and then compare to Activation Code entered by user
This could be simplified by storing activation code itself if device has a secured memory onboard (like SmartCards has). In this way you can just keep own database of SerialCode - ActivationCode pairs.
How about: Invent a password that is not revealed to the user. Then concatenate this password with the serial number and hash the combination.
Anything you do can be broken by a dedicated enough hacker. The question is not, "Can I create absolutely unbreakable security?" but "Can I create security good enough to protect against unskilled hackers and to make it not worth the effort for the skilled hackers?" If you reasonably expect to sell 10 million copies of your product, you'll be a big target and there may be lots of hackers out there who will try to break it. If you expect to sell a few hundred or maybe a few thousand copies, not so much.