How do I age a license file?

  • Question

  • Hi All

    I'm looking for a read only method to tell whether a certain pre-defined time has passed. Let me be more specific ...

    A program I have written which I am selling uses a hardware specific license file for authentication. Users have asked "but what if I want to change pc or I have a serious hardware problem?" Well of course I want to provide these people with a new license for the new pc but I want to avoid having people abuse the system by saying they have a new pc while really they just gave a copy of the program to a friend.

    So I came up with the idea of using an online server for authentication every time the program is run, but then people say they wouldn't be able to run the program if for instance they were travelling for a couple of days without internet connection or just out in the park with their laptop.

    So I would like a cross between the two - an online verification which I can somehow cache locally for a couple of days before the verification then dies. I can't just use the time of the verification, as people could obviously just reset their system clocks to an earlier time. So I am wondering if there is a read-only counter somewhere which I could use - i.e. when a login is authenticated, store the value of this counter in an encrypted form, and the program will then work until that counter exceeds a certain level.

    Thanks for any help!

    Wednesday, March 3, 2010 2:31 PM

Answers

  • Hi,

    Contacting the server is a very good idea; you can build an expiry date into the license so that the software will run for 30 days without needing to contact the server. So if the server is available, update the license; if it's not available, then has 30 days passed since the last request? No, then run; yes, then don't.

    I've worked on something like this before and it always comes down to recognising changes to the system clock. I came up with this idea maybe it will help with your own software.

            //the token uses an expiry date to determine when a new license is required
            //  the problem with that is the user may turn the clock back
            //  to prevent this a file is stored containing the dates that have passed since the ticket was downloaded
            //      so on the 20th Sept 2008 the date 19th Sept 2008 is stored
            //  if the user moves their clock back to the 19th then license is invalid.
            //      if the user moves their clock forward to 25th Sept 2008 from the 20th then
            //          all dates that span that time are stored meaning the license is invalid even if the user
            //          moves the clock back.
            //  this list of dates is removed when a ticket is renewed

    By that I mean the date prior to the software being previously run is stored. Ran on 20th Sept 2008, then 19th Sept 2008 is stored. If the system date is earlier than this then the software won't run. If they change the clock forward and run the software then it will run, and changing the clock back again will not fix that. The server can also help here too, as it could return the last date with the license. Perhaps a combination of the two will help.


    I have no idea if this is any help... good luck.
    Wednesday, March 3, 2010 5:13 PM
  • Hey Rich,
      Build your own clock using the timing pulses from the system clock. Make a predefined amount of program operational time before validating. Attach this as encrypted data to the end of another operational data file. This way if they tamper with it the program would stop functioning. Load this and add the run time and save time together at shutdown. This could be a small check that could be checked at various points during the run. This would allow them time when they're not connected to the internet and you would have control over that time period. You could use this in conjunction with the way that was described above and it would give you a double check system. Such as allowing them 24 or 48 hours of run time without internet connection. Also you could tell them you x number of hours before shutdown.

    There is no such thing as a secure application. There is always someone out there that can find a way to bypass your protections.

    Curtis
    Always Lost in Code,
    Saturday, March 6, 2010 10:35 PM
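
The two answers above (a stored "last seen" date that only moves forward, plus a run-time allowance counted by the program itself) can be combined in one check. The sketch below is an added example, not code from anyone in this thread; `Lease`, `seal`, `unseal`, `check` and `DEMO_KEY` are hypothetical names, and the HMAC key is a constructed stand-in for whatever protects the file on the client.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict

# Constructed demo key (assumption): a real client would protect its state
# with an OS facility rather than a value embedded in the program.
DEMO_KEY = b"constructed-demo-key"
DAY = 86400

@dataclass
class Lease:
    expires_at: int    # wall-clock expiry set at the last online check (epoch s)
    last_seen: int     # highest wall-clock time observed so far
    runtime_left: int  # seconds of offline run time still allowed

def seal(lease: Lease, key: bytes = DEMO_KEY) -> bytes:
    """Serialise the lease and append an HMAC-SHA256 tag so edits are detected."""
    body = json.dumps(asdict(lease), sort_keys=True).encode()
    return body + b"." + hmac.new(key, body, hashlib.sha256).hexdigest().encode()

def unseal(blob: bytes, key: bytes = DEMO_KEY) -> Lease:
    """Verify the tag in constant time, then parse; raise if the file was edited."""
    body, _, tag = blob.rpartition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("lease file modified")
    return Lease(**json.loads(body))

def check(blob: bytes, now: int, ran_for: int) -> tuple[str, bytes]:
    """Validate a sealed lease at wall-clock `now` after `ran_for` seconds of use.

    Returns (verdict, sealed lease to write back). `ran_for` should be measured
    with a monotonic timer such as time.monotonic(), which ignores clock changes.
    """
    lease = unseal(blob)
    if now < lease.last_seen:
        return "clock-rollback", blob        # clock is behind a date already seen
    lease.last_seen = now                    # ratchet: only ever moves forward
    lease.runtime_left -= ran_for            # spend the offline allowance
    if now > lease.expires_at:
        return "expired", seal(lease)        # the later date is saved, so moving
                                             # the clock back afterwards is caught
    if lease.runtime_left <= 0:
        return "runtime-exhausted", seal(lease)
    return "ok", seal(lease)
```

This logic does not detect an older copy of the sealed file being put back, which is the second objection raised later in the thread; that needs state the user cannot restore, such as the periodic server check.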

All replies

  • Thanks for trying Derek!

    Two potential problems with that:

    1) The user could just turn the clock back before the first use each day.
    2) How do I store the file in such a way that the user can't just copy it, and after a day's use just delete the file and replace with the one they copied earlier?

    I was hoping there would be a read only counter somewhere, like the total run time of the CPU since manufacture or something like that. Such a number could be stored in encrypted form as a non-changeable expiry. Any takers???

    Thanks
    Wednesday, March 3, 2010 8:23 PM
  • Hi again,

    1) yeah it's not perfect :(
    2) have a look at something called Isolated Storage; this is a 'special' more 'secure' storage location that an application can use to store and share data. You still need to encrypt the data and for that I'd recommend DPAPI (no need for key management done automatically by the system and based on user account/machine password).

    I don't think what you're looking for exists; don't quote me on it though but all the timings of a computer rely on the system clock (the BIOS clock - I don't know if changing the time in Windows changes the time in the BIOS); basically if there was such a thing then checking a date change would be real easy and far as I found it's not... ergo such a thing doesn't exist. :)

    I'd love to be proved wrong so my eye is firmly on this post.
    Thursday, March 4, 2010 11:21 AM
  • OK, I had a look at Isolated Storage and while this might be an idea if you had lots of settings files it is a total waste of time for security.

    I can't find any way to read the BIOS clock, and it looks like you can change it anyway, so again no way to prevent that. And even if you could I can't see any way to write a file that a user couldn't find and edit/delete.

    So I thought I would be stuck here, but I have now worked out how to do this! The idea I've had is a pretty good one I think and to be honest I don't want to make it public because that would make it less secure, however I'm happy to share it with you Derek as you have tried to help me, so I set up a temporary email where you can contact me if you wish - emaildereks@aol.com - post here when you've sent it so I know it's you!

    Thanks

    Thursday, March 4, 2010 3:36 PM