Tech Off Thread

11 posts

Forum Read Only

This forum has been made read only by the site admins. No new threads or comments can be added.

Copy protection

Back to Forum: Tech Off
  • User profile image
    brussell

    Hey, I have a product that I want to protect from being copied.
    I want to make sure that if they buy and return the product, they can't continue using it. Also, if they make a copy for a friend, the friend can't use it.

    The customer will have an internet connection.
    I'll have a server with account information for the user and this is preferable to use somehow in this check.

    What is the best way to do this?

  • User profile image
    W3bbo

    I'd recommend "Product activation" but make the hardware check less tolerant, don't produce any "volume license" keys, and keep a look out on the internet for serials.

  • User profile image
    brussell

    I'm thinking of something like this:

    Have it check the server for permissions. If the product has been returned, then it doesn’t open.

    This would prevent people from using it after it is returned.

    Have it send in a key created from the various parts of hardware in the computer and have it check against that on open.

    If it doesn’t match at all (allow for a piece or two of hardware to be changed out), then it doesn’t open.

    That would protect it from being installed on more than one computer.


    Any ideas or comments

  • User profile image
    Maurits

    Here's my comment -

    At installation time, generate a GUID for the installation.  Combine this with the user-entered registration key (or they can enter their email address.)  Include the computer name, the MAC of the first network card (if there is one,) the IP address...

    Connect to your license server and log the installation.  Every time.

    Periodically have your app send "hello" messages to your license server.
    Log these.  Every time.

    If something is suspicious, disable the license, send the customer an email, and wait for them to get in touch with you.

  • User profile image
    eddwo

    You must allow the purchaser to change/upgrade their hardware, so don't be too strict with the checks. Only disable it if you get sent "hello" messages from two installations on different machines at the same time. Like MS product activation allow a few of the factors to change a few times before requesting reauthentication.

  • User profile image
    Deactivated User

    Comment removed at user's request.

  • User profile image
    kriskdf

    There are some details that people seem to be leaving out that could prevent this from being a good solution.  Whatever solution you choose, make sure that someone can't use netmon, some simple code, and a host file to break it.  If the response from the server is predictable in any way (like having the server send back "OK" after your app sends the key), it can be easily spoofed (and just encrypting it isn't any better).

    Personally, if this is something that is very important to the app, I would sit down and spend a lot of time coming up with a good solution.  Make sure you evaluate all the ways to break the solution you choose. 

    Some of the solutions mentioned are ok at a high level, but the devil is in the details.

  • User profile image
    Maurits

    kriskdf wrote:
    it can be easily spoofed (and just encrypting it isn't any better)


    Predictability isn't bad if you do it right...

    You could sign it... something like

    Client: Hello this is installation <their unique number> checking in
    Here's a random string <random string> which is different at every "hello"

    Server (sign this whole packet)
    I, the license server for <your app name>, do find that your software installation with unique number <their unique number> is perfectly acceptable to run as of this moment <date and time>
    And here's your same random string back: <random string>

    The client would immediately shut down the application if the server response has anything even remotely fishy about it, with a nice friendly message like "Sorry, there was a problem verifying your license - please contact Customer Service (contact info)"

  • User profile image
    W3bbo

    The returned random string would have to be predicted by the client.

    ...or is that what the signing is for?

  • User profile image
    Maurits

    W3bbo wrote:
    The returned random string would have to be predicted by the client.


    The random string is to prevent hard-disk cloning.

    The client comes up with a random string: AJCHSJH
    The server just echos it in its response.

    Without the random string you get this duplication technique:

    (as black hat)
    Install a legitimate workstation A
    Secretly clone it as workstation B

    A will send out a "hello" packet, expecting a server response
    The server will send a confirmation packet back to "A", keeping A happy.

    What about B?

    B will send out a "hello" packet.  Because the installation key is the same, the time is the same, ..., the packet will be the same as A's packet.

    The black hat can then copy the response packet that A received, and send a duplicate of it to B, keeping B happy in violation of the license.

    Adding the random string makes A's and B's packets different... and the expected server responses different.

    Signing the packet makes it impossible to just hex-edit the packet to contain the "correct" random string, because then the signature would be invalid.

  • User profile image
    brussell

    Lots of great stuff. Thank you very much for all the thoughts and suggestions.

Conversation locked

This conversation has been locked by the site admins. No new comments can be made.