Geek Answers Handbook

Licensed scheme, protection against fraud and recall

This is my first question, so please be careful ...

I am working on software that I would like to protect using some kind of licensing scheme. The basic scheme would be to create some “unique” key for the user. The user sends this key and registration code when he wants to register the software and receives an activation code.

When the application starts, it checks the activation code by comparing the “unique” key and the data block obtained by decrypting the activation code.

This is fair and quite simple to implement, you can choose different cryptographic algorithms, etc. However, this scheme does not have two properties:

  • If a user manages to fake a hardware signature, etc., to create the same “unique” key on another computer, he can use the same license data.
  • If the user decides to remove the application and wants to transfer it to another computer, nothing prevents him from reusing the old license data on the old computer and still getting new license data for a new installation.

Do you have any suggestions for resolving these issues?

One of my ideas was to add some “random” data to the “unique” key, this random data will be stored in an obscure way, if the user uninstalls the application, this random data will be deleted, and some previous random data will be created with a hash license data and data that can be sent to me to make sure that he really uninstalled the application, and made sure that he would not be able to use the previous license data again, because the random data was changed.

Again and again, for the moment ...

EDIT: I currently have a circuit that works, I should mention that the most common product is installed in an embedded environment, where hardware changes are very rare, and if there is a hardware failure, it is most likely that the machine is broken. But I could change the hardware key scheme to take into account and allow some changes.

In addition, because of this, the software most likely will not run inside the virtual machine, but I did not think about it.

The application is not called regularly if a network connection is available, the user gets the opportunity to do more automatic registration, otherwise he receives a registration key, enters it into the software and receives the installation ID, which is provided to me, the registration code + installation ID generates an activation key that the user receives from me, which then unlocks the software.

What I'm looking for is good / possible solutions for 2 points. Hardware spoofing, cancellation of license keys, that is, to ensure that the user can not use the same regcode + activation code.

Thank you for all your feedback.

Not necessary

+6
security cryptography hash license-key
source share
5 answers

First, you must clearly indicate what you are trying to protect. Apparently, you want to make sure that for each purchase of your application there will be only one computer on which the application is installed and can be launched.

You suggest using a hardware signature as part of each user's unique key. What happens if my equipment fails (for example, a break on the hard drive)? I am not going to buy your application if I cannot use it after a hardware problem, so at least you should be prepared to handle key change requests. You better respond quickly because if your application is important, I want to minimize downtime. And I do not invite you to verify that my equipment has failed, so you have to take my word for it. This means that any user can get free licenses from time to time, anticipating a hardware failure.

What about virtual machines? It is probably possible to detect all existing existing virtual machine configurations, risking several false positives from time to time. If you deny virtual machines, how do you justify it for users? If you allow virtual machines, how do you prevent the user from creating multiple copies of the entire virtual machine? (This can happen even with hibernate physical machines).

Will the application contact you every time it starts? I think so from your uninstallation scheme. This bandwidth and availability, as well as disabling some users - not everything on the network, especially in sensitive environments. But then you don’t need such a complicated scheme: your server can track how many copies of the application are running, although you need to handle the case when the application does not stop for any reason (application crash, OS crash, power failure, connection loss ...) .

You do not discuss this in your question, but you need to protect the application executable so that someone cannot bypass the license check using the debugger.

+3
source share

Put your software on the hardware and put a padlock on the hardware. Ship the device to the client.

If you think that the client will open the device to get your code, think about encrypting the drive ... Then they must open the box and find the keys. A TPM chip or a secure USB token can help with the latter.

+1
source share

As an author of conditional code and a longtime member of ASP , I think you are going in the wrong direction with your decision. The only way to make this doable is with a hardware device, as has already been suggested. This or permanent online activation is the only way if you want to be sure and your product is so good and without competitors that your customers will still use it.

But what we (organized small ISVs) learned from the practice is that you should not do what you are trying to do. Do not associate it with equipment. Sell ​​one license per person, not one computer license. As a result, you will get more sales due to a free license.

Just do enough to keep honest people honest. Therefore, limit the version of the trail (I decided to close the application in an hour for me) and leave the final version free of everything. Give a separate download for paid customers and that’s it. Be a good company, not a greedy profit maximized by the legal restrictions of the company.

At first I used some of the best window protection programs, but they all had serious problems with my code. And they call hack sooner or later. Therefore, I refused all.

PS: I use the hardware scheme of the fingerprint on the windows, where I do not limit the program, but simply so that people do not receive new trial keys every 30 days. It seems to work along with the nag screen. A fingerprint is a username, a Windows installation time, a change in the time stamp of system files, and a serial number identifier for the hard disk.

+1
source share

Let the registration code also be an activation code.

You generate a unique registration code at the point of sale or is packaged with the product. The client registers / activates / deactivates you (or your server) in one step using this single code. Client hardware should not generate any keys.

Re-registration / re-activation still requires contact with you, so you are aware of the re-installation of attempts.

0
source share

I think the only solution to your problem is dongle cryptographic hardware. Usually it will be an unauthorized access protected USB-security key-responder, which is easily transferred between computers.

These devices cost less than $ 1 in large quantities and no more than $ 10 for very small quantities. Good ones are very difficult to fake, very easy to implement in your application and usually come with a free EXE encoder that also contains debugging and anti-reverse engineering functions.

0
source share

More articles:


All Articles