 

Software protection by encryption

For our software we use hardware dongles to protect the software. No protection is perfect but this commercial solution is affordable and keeps honest people honest (as mentioned in another thread). The advantage is the 128 bit key that is stored 'unreadable' on the hardware dongle.

We want to remove this hardware dongle and start using software protection. Basically we could use a commercial product, but on the other hand that won't be unbreakable either. I don't know much about encryption, and that's why I am posting this. How do I store a key on a Windows computer so that it cannot be read by using Reflector or something else? However, I should still be able to access the key for testing the license code.

I would just like a simple solution that can't be hacked by simply using Reflector.

Or am I asking a very stupid question?


Thank you all for your very fast and useful replies. I don't want to use licensing over the internet, since the application does not always run on computers that are connected. I would then probably create more problems than I solve. We will now most probably go for a commercial solution. It seems that protection is not that trivial.

Thanks a lot!!

Enrico asked Oct 22 '08 20:10


4 Answers

I read through an interesting presentation about how Skype approaches the task of protecting software by encryption.

codeinthehole answered Sep 29 '22 09:09


I run a software company that has dealt with this issue for nearly 20 years. As both a developer and a business owner, I'd like to first encourage you to broaden your goals a bit. For example, it is simply a mistake to define your problem as "preventing piracy." Your goal should be to maximize revenue.

With that being said, there are some people who simply will never buy your software but who may make fairly significant efforts to get it for free. It isn't "fair" that they get a free copy, but placing a lot of resources into the effort to prevent it is largely a waste of time. Indeed, these folks often end up "going legit" simply to get on our update list, to get support, or because their business evolves to the point where they can now afford our license. In these cases, the original piracy ends up enhancing our revenue.

So, how do we license?

We generate a random license number with each new install (a number between 10K and 99K does nicely). We then have an algorithm for generating a matching number (anything non-trivial will do). We use a random number, by the way, so that any attempt to reinstall on another computer results in different license/match numbers.

Next, we ask users to call us on the phone to get the matching number for their license (this is important). The software looks at the matching number they enter and compares it to the matching value generated on the user's side. If there is a match, the software is fully activated.

I say that having them phone us is important because we use that as an opportunity to talk with them about their setup, answer any questions, and let them know they are dealing with real people. Very few people have the nerve to try calling and impersonating another company (we look them up and compare their information to our purchase database). Note that our package runs nearly $2K so phone calls are reasonable. If your package costs less and has higher volume, you could do this via email. Finally, we use the call-in to tell users how to get upgrades and technical support with their new license.

Finally, we store the key in the application's database (a locally-installed MSDE/SQL Express database) so that any attempt to copy the app will A) be non-trivial and B) bring over a lot of data specific to the organization that first bought the legitimate version (making them less likely to share). The licensing key is encrypted and "split" into two different keys that are kept in two different tables. Thus, a simple "find the key and enter it in the pirated version" will not work.

The bottom line? When you make the entire package more than just the software, build in a few basic protective mechanisms, and introduce the human element, you should see that you don't need the expense and trouble of a dongle to maximize revenue.

Mark Brittingham answered Nov 18 '22 13:11
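The scheme this answer describes (a random per-install license number, a vendor-side algorithm that derives the matching number, and the activated key stored encrypted and split across two tables of the application's own database), written out as an added example for this page. This is illustrative code, not the answer author's product: the HMAC-SHA256 derivation folded into five digits, the SQLite tables and their names, and the XOR split are all assumptions, since the answer only says "anything non-trivial will do" and that the key is "encrypted and split". The `VENDOR_SECRET` is a constructed value; note that the client has to embed the same derivation and secret in order to compare numbers, which is exactly what a decompiler such as Reflector would recover.

```python
"""Phone-activation licensing with a split key in the local database.

Added example, not the answer author's code. The derivation below is an
assumption (the answer says only "anything non-trivial will do").
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import sqlite3

# Constructed secret for this example. In the scheme as described the client
# must contain the same derivation to compare numbers, so this secret (or the
# equivalent code) ships inside the binary and can be read back out with a
# decompiler; that is the limitation the thread is about.
VENDOR_SECRET = b"example-vendor-secret-do-not-reuse"

LOW, SPAN = 10_000, 90_000  # license and match numbers lie in 10000..99999


def new_license_number() -> int:
    """Fresh random license number per install, so a reinstall on another
    machine produces a different license/match pair (as the answer wants)."""
    return LOW + secrets.randbelow(SPAN)


def match_number(license_number: int) -> int:
    """Vendor-side derivation that is read out to the customer on the phone.
    Assumption: HMAC-SHA256 over the license number, reduced to 5 digits."""
    mac = hmac.new(VENDOR_SECRET, str(license_number).encode(), hashlib.sha256).digest()
    return LOW + int.from_bytes(mac[:8], "big") % SPAN


def activate(license_number: int, entered: int) -> bool:
    """Client-side comparison of the number the user typed in with the
    locally computed match. The client therefore embeds match_number()."""
    return entered == match_number(license_number)


def _split(key: bytes) -> tuple[bytes, bytes]:
    """Two-way split: a random pad and key XOR pad. Either half on its own is
    uniformly random, so neither table alone reveals the key."""
    pad = secrets.token_bytes(len(key))
    return pad, bytes(a ^ b for a, b in zip(key, pad))


def fresh_db() -> sqlite3.Connection:
    """In-memory stand-in for the app's locally installed database."""
    return sqlite3.connect(":memory:")


def store_license(conn: sqlite3.Connection, license_number: int, match: int) -> None:
    """Persist the activated pair as two halves in two unrelated-looking tables."""
    pad, share = _split(f"{license_number}:{match}".encode())
    conn.execute("CREATE TABLE IF NOT EXISTS settings (name TEXT PRIMARY KEY, value BLOB)")
    conn.execute("CREATE TABLE IF NOT EXISTS audit_log (id INTEGER PRIMARY KEY, payload BLOB)")
    conn.execute("INSERT OR REPLACE INTO settings VALUES ('theme_seed', ?)", (pad,))
    conn.execute("INSERT OR REPLACE INTO audit_log VALUES (1, ?)", (share,))
    conn.commit()


def load_license(conn: sqlite3.Connection) -> tuple[int, int] | None:
    """Recombine the two halves; None if either is missing or was tampered with."""
    try:
        a = conn.execute("SELECT value FROM settings WHERE name = 'theme_seed'").fetchone()
        b = conn.execute("SELECT payload FROM audit_log WHERE id = 1").fetchone()
        if a is None or b is None or len(a[0]) != len(b[0]):
            return None
        lic, match = bytes(x ^ y for x, y in zip(a[0], b[0])).decode().split(":")
        return int(lic), int(match)
    except (ValueError, sqlite3.OperationalError):  # undecodable bytes or no tables yet
        return None


def is_licensed(conn: sqlite3.Connection) -> bool:
    """Startup check: both halves present and still consistent with the derivation."""
    pair = load_license(conn)
    return pair is not None and activate(*pair)


def demo() -> bool:
    """Whole flow: install, phone call, activation, later restart."""
    conn = fresh_db()
    lic = new_license_number()       # shown to the customer on first run
    phoned_back = match_number(lic)  # vendor looks the customer up, reads this out
    assert activate(lic, phoned_back)
    store_license(conn, lic, phoned_back)
    return is_licensed(conn)
```

The split defeats a casual "find the key blob and paste it into a pirated copy" search, and copying only one of the two tables yields random bytes. It does not defeat someone who decompiles `load_license` or `match_number`: the derivation and `VENDOR_SECRET` are in the client, which is the point the next answer makes. Removing the secret from the client entirely would require a design where the client holds only a public key and verifies a signature the vendor produces, rather than recomputing a shared secret function.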


There is no way to completely secure the key. If it can be read by your program, then it can be read by another program.

Ignacio Vazquez-Abrams answered Nov 18 '22 14:11


The absolute answer is, of course, that a determined and skillful attacker can break any protection, but, especially for software which is not in a high level of demand or fame, skillful and determined attackers are rare, so taking protective measures makes sense.

To validate a license, sending the key to a central location is the safest way, because they'd have to crack your server (or protocol, watch out) to be able to validate. That'd require connectivity to use the software, which may or may not be feasible. You could also distribute a 'license server' along with your software for big installs that'd require only local network access. If you can't and have to validate locally only, you could write a DLL in native code that'd make it harder to reverse engineer.

To protect the code itself, and make its protection harder to bypass, obfuscate:

  • .NET obfuscation tools/strategy
  • (Why) should I use obfuscation?
  • Should I be worried about obfuscating my .NET code?
  • What's the best value for money c# code protection for a single developer

All in all, you might get a better value out of a packaged solution.

Vinko Vrsalovic answered Nov 18 '22 15:11