Subscription based licensing your software - Offline validation

Question

I am trying to create a subscription based licensing system, where if you buy a software for 1 year 1 user, you can use it only for a year in the machine you used to activate the software, after which you will have to renew your license key. This is pretty basic but implementing the same of your own is a total different scenario.

So let me discuss what I did so far: (Code not included let me know if you want me to paste them)

First I have a hosted MySQL DB, in which I have a database which stores all the license related information (Products , serial_keys, Plans etc.)

So, when you start the software for a the first time it checks for a few values in the registry (multiple locations) , if not found it shall ask you for a serial key.

Once you have entered the serial key, the software shall connect to the DB and validate your key and compute the following

1. Validate the serial key
2. Compute a Unique machine ID - Fetch BIOS_SL , MB_SL , HDD_SL , add them into one string and MD5 it.
3. Compute License Validity - Get Internet Current time , Increment the year with the plan duration
4. Store the following information in the registry (Multiple Locations) - license_id , machine_id, valid_till, activation_date, last_updated & license_status

A few Logical steps skipped here like if the license is already activated, check and match the registered machine_id

So the software is registered. Now, I every time the software starts it will again look for those values in the registry and make a decision based on it, here is where I am stuck and need your expert advice.

1. Software starts
2. Checks Registry values
3. Generates machine_id and matches it with the one stored
4. Reads valid_till value (expiry date) and matches it with the current time.

Considering that the user has no internet and used it for one time activation or his internet plan expired, How can I make a legitimate check for the date? Can't use system time they are very much vulnerable.

At this moment I think of creating a service which will have a call back function to act whenever the user tries to change the system date. But this is tedious and I suppose not the best solution.

Or Record the system time at boot and depend on that, but then the user can change it via BIOS even before the system boots.

Sorry for such a long question, but had to explain the entire scenario.

In a nutshell, user doesn't have internet connection how to maintain or fetch a legitimate source for date/time calls?

Answer 1

You could make the following procedure:

1. when the program starts, you have to store the current time and save it in an encrypted file. At the first time t0 (first sw execution) this file must contain a null time value. Note this file must be mandatory. If the current time is minor of the last stored time (anomalous situation) increment your elapsed time as follow: last_time += last_time - current_time;
2. during program execution, trace the time elapsed adding the time stored in the encrypted file (you could use the "time()" function). Do some checks during the program execution: the elapsed time must be minor of the license time. This is useful if the program is always in running for a period superior to the license time
3. Before closing program, you have to update time info in the encrypted file (1)

Although this method is not accurate, it can protect you from a improper use of your program.

Note that: if the program will be conected to internet you can restore all info about the correct elapsed time in the encryped file.

Sorry for my english!

Answer 2

You can do a few things though you will never get something 100% fool proof.

The easiest would probably be just require an internet connection. But we've seen how well that was received with the XBox and other game companies.

If you can't count on an internet connection to perform a check you could watch for "suspicious" activity. For instance, keep a record of the last run time of the application. If for some reason the system clock reports a time before the last recorded run time then prompt the user to establish an internet connection and validate.

Keep in mind there may be legitimate reasons for a user setting their clock back. Daylight savings time being one. Perhaps use a threshold like ignore the clock being set back an hour or day or whatever.

Answer 3

We have already list algorithm I won't repeat that, It does solve problem now BIOS check we just need to make sure that it's not going back. That each time program starts we record current time, if user has to bi-pass license he needs to set his which if he does post installation program could detect that

Now if user change bios time before installation we are still ok, because program will treat that as correct time and will calculate year from that time.