Hi all, there is a question that has bugged me for quite a while right now. Now that I have found this site, it seems to be the best place for asking it. Sorry if somebody has asked this before, I do not know what technology to use, so I do not know what to search for in this case... :stickout:

I'm planning to write a small software, where users would download and have it unlocked to enable full feature set on the software. To unlock it, users will have to provide their user names/passwords from within the software itself, and the software will then connect to a web server, from where it downloads the license file onto the users' machines (this license file is unique for every user, based on some of his/her machine's hardware identification. A license file from one machine will not work on the other).

Having come from a C++ background, I am a total idiot when it comes to web technology. With that in mind, I would hope the solution for this could be kept to the simplest possible way, because I do have the following limitations:

1. I have a Windows 2003 webhost by a webhosting company.
2. All I get is ASP.NET and all those PHP stuff (I guess).


I will appreciate if there is anyone who can advice me on the technology to use, thanks in advance! :)


Regards,
Ben.

You could google for "online licensing system" or "online licensing manager".
I dont know of any free ones:blush:.

Since you have C++ background it would be very simple for you to understand how client-server architecture works.
I can explain you but I need some more information
The first question is what kind of client software is? Is it a web application using php/asp or some exec file?
Do you have any ideas how to tie down unlocked software to the computer HW or its IP address to prevent unauthorized copying?

Ok i've done some research.Its all on how much you want to spent (isn't it always like this?:eek:).
There are some solutions available with a ready to go license server that arent that expensive.
If you want to develop your own you would have (as Anrew_I suggested) to tie down the computer (via ip,mac address,some hardware id) so that the license cant be moved.
Then develop a server side app (in php,asp,perl,ruby or whatever you are familiar with) that you communicate with and it checks the validity of your license.
Pretty straight forward although it can be bypassed.

Ah great, thanks Tix and Andrew. Have not had time since my last post, let me try to answer some of the questions you're having. Okay basically I'm developing a small utility software (.exe) that runs on users' PCs without requiring them to connect to the Internet at all, except at the time of "unlocking" the software.

In the process of unlocking, the software will attempt to read client PC-specific information (some hardware identifiers and the-like). Of course the software must be an administrator process so that it is allowed to perform privileged tasks such as this. Now let us assume for a minute that the hardware ID is "1234. This "1234" value, together with the user log-in/password is sent to the licensing server, where they are used to scramble license key file FILE_X. This FILE is then being downloaded to the user's machine. When the software runs for the next time (after being unlocked), it looks for FILE_X, and then use its own hardware ID "1234" to unscramble the FILE_X back into something meaningful, which the software uses to realize its full feature set.

So that's basically the idea I have as to how to tie the software to a specific machine. The only thing I do not know is, how these log-in/password/hardware ID are being sent to the licensing server in a secure manner, and how the scrambled FILE_X being downloaded back onto the user's machine using an existing technology. :)

I was thinking to write a WinSock server (I am not expecting this to be high volume thing, though that will be a good news to me) where all these are done.

I appreciate the time you all have taken to shed some lights on this issue.:)



Thanks,
Ben.

You can implement a winsock server and communicate with the server.
You can also go the http way.This way you can use curl in your c++ project.
Via curl you can make a request posting your '1234' then the server app will create the licensed file and promt you for its path (lest say it mydomainname/licenses/lisence.dat).
Via curl you download this file and you are ready to go ;).
Of course there are countless possibilities (https against http,.htaccess your files,etc)

Thanks Tix for the quick response! But I do not know what CURL is, perhaps I should do a search later on (still in piles of company emails right now, argh!!).

curl is a command line tool for transferring files with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS and FILE. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+password authentication (Basic, Digest, NTLM, Negotiate, kerberos...), file transfer resume, proxy tunneling

From http://curl.haxx.se/

So that's basically the idea I have as to how to tie the software to a specific machine. The only thing I do not know is, how these log-in/password/hardware ID are being sent to the licensing server in a secure manner, and how the scrambled FILE_X being downloaded back onto the user's machine using an existing technology. :)


We already do this [well, not quite the same, but very similar online licensing].

1. Your requirements server side are very, very simple. You can handle it with just a server side script + Database. In almost any server side scripting language and database version. If you want to go with ease of use, Windows/Apache/MySQL/PHP will do fine. If not, Linux/Apache/MySQL/PHP will do fine too.

2. For security,
(a) Use HTTPS to send the data to the licensing server to prevent packet-capture data loss.
(b) Since HTTPS is just HTTP over SSL, you will be sending HTTP POST requests. Encrypt these POST requests - best way to do so is use PKI - embed the server public key in the client, and encrypt using that. The server would decrypt using its private key. This pretty much cuts out the man-in-the-middle attacks
(c) When sending data to the server, send a unique public key generated at client side as part of the request. Let the server encrypt the license file with this public key and send back, for the client to decrypt with its private key.

These are all low traffic transactions, so CPU usage is irrelevant.

3. Be warned...you are asking to be hit hard by a skilled software cracker when you develop your own licensing mechanisms. There are existing protection mechanisms like Armadillo etc. But if your software is low-profile, it isn't an issue.

Ideally, don't sell this to a corporate who is going to build a big product and sell it to hundreds of thousands of users.

Need more info / clarifications, let me know

Edit: By the way, I forgot the client side. Just go good old WinInet + CryptoAPI if you are on windows. Else just use libcurl as suggested above [if on Linux/MacOSX/similar]

You can use public/private key combos to implement this. You need to be able to do two things:

1. Verify that the license file is from you
2. Decrypt information in that license file, parse and use its contents

For the first point in question, you need to use digital signatures. Then you need to verify them in the client. For example, you sign your license using a private key. The public key is present with the client. It then verifies if the license is from you. Then you decrypt it and parse the contents, using them in any way you see fit. A license file can be a simple text file in its unencrypted form.

This is what most guys do. One more thing I'd like to add is that finding something unique to identify a machine with is tricky. System serial numbers may not be available in low-end systems and the way in which you obtain them differs. If you plan to use MAC IDs, please bear in mind that these can be faked by running configuration commands or by running inside a virtual machine.

Oh wow, thanks everyone! It never surprises me how little I know about things.

ZeroPing, very in-depth explanation there, thanks. While my server side can be simple, it does not only do database look-up for user names/passwords. It should be able to access the server file system, get the original "FILE" and scramble it with client PC's hardware ID into "FILE_X", and send this "FILE_X" back to the client PC. The "FILE_X" can only be reverted/consumed by the software only with that PC's hardware ID (so the "FILE_X" can only be used on one machine). Would you think PHP can do that kind of thing (forgive my ignorance of PHP, I'm a C++ guy)?

I will use CryptoAPI and WinSock/libcurl at the client (Windows) side though. And oh, my software is a small time stuff, so I doubt anyone would even consider hacking it. :)

Binarykarma, that's some good idea. I will try to understand public/private key encryption mechanism from my colleague. Thanks also for the tips on fake MAC IDs, I will likely retrieve the harddisk identifier (if there is such thing) since an installed software will always be residing on the same harddisk, no matter how user upgrades his system (well if he chooses to buy a new harddisk, he will be given up to three opportunities to unlock the software on a new harddisk). Does that make sense or am I fooling myself?


Tix, good thing to know, cURL seems to be a neat library to use for my case, thanks!



Regards,
Ben.

Yeah,
You can get the real hard disk serial number if you want, but like you said, it is a headache when the user needs to change his disk.

Hi guys, your responds put me in a much better position right now, but there is one pending question I would like to get answers for:

Pending Question:
The server-side application which listens to incoming client requests would need to access a file on the server, do some scrambling operations to it (with the client hardware ID) to produce FILE_X, and then sends it back to the client. Is there any existing (Microsoft) technology that allows me to implement this server application (not about the scrambling part, I will know how to do that when I know what language/technology to use)? Or do I have to use C++ for this? Say if I were to use C++, what's the best way of doing it?


Thanks in advance for your help :)


Regards,
Ben.

Missed your earlier post.

You can use either PHP, or ASP.NET or any similar server-side technology to do this.

All you need to do is use the hardware identifier [from the client] and derive an encryption key from it. That encryption key can be used to encrypt the file using standard php/asp.net/asp/anything functions. The client can then decrypt it.

Now what encryption system does one use for this? PKI - public key crypto - is the best way to go. Use the hardware identifier to generate public+private key at both client/server - RSA 1024 bit is reasonably good. Let server encrypt with public key; client decrypt with private key. Ensure the file has 2-3 header bytes so that the client knows that the decryption is successful.


As for hardware-identifier generation, you can use WMI, or you can use actual physical disk-ID checking. For the latter, do a google for diskid32. WMI is more prone to interference.

There is a big problem using non physical disk-id checking. If you use volume serial numbers, they are non-unique [assigned on format]. And if you use WMI, then the # of disks varies when the user inserts/removes USB hard drives.

I would suggest just using physical disk id checking on the windows drive. If the user changes their hardware, they can contact you for a reset/update - should be rare.

Oh my, that is exactly what I needed to know! Thanks a lot ZeroPing!

Being able to use ASP.NET means I do not need to have any web hosting package that allows me to run my own EXE on the server (most plans I see do not allow that; and the ones that do, are too expensive). Great news there!

One other thing is, I will only use PKI in the process of sending FILE_X (scrambled) to client machine. After the client decrypts it (with its private key), it remains as scrambled FILE_X (this FILE_X can only be unscrambled by client hardware ID, so it will not work on another machine if copied). PKI is only used to secure the file transfer.

During runtime, my software will unscramble FILE_X in bits and pieces into a usable form in memory, depending on its needs. There is not a time where the entire FILE_X is unscrambled into the memory so it will be harder for the hacker to get hold of the entire unscrambled FILE.

Hope I am making sense here, and thanks again for the help you have given me!

Regards,
Ben.

Yes, that makes sense. Just make sure your public/private key pair is generated from a relevant seed / source.

Let us know how it goes :)

Sure ZeroPing, will do! But this will probably take three months' time as I'm still in the development phase. At the same time of developing my software, I will be sourcing out for a good web host company and will need to see if I really need SSL for any reasons (my guess is I will need one, as online payment is involved).

Thanks again for your help!