I need to implement run-time licensing in an embedded protocol stack.

I already have an idea about how to achieve this but I am interested in hearing any alternative approaches, or any pitfalls to watch out for. You can assume that each device running the stack will have a unique hard-coded identifier (MAC address equivalent) and access to some non-volatile storage.

My planned approach is to provide a licence key generated via a hash function from the device identifier which the manufacturer should store in the non-volatile store. The stack will hash the identifier using the same hashing function and verify that it matches the stored key before it will run.

+1  A: 

You have to make sure that the license cannot be recomputed easily by an attacker. The most obvious way of doing so is to have the license be a signature of the device identifier using your private key, and have the application verify it using your public key which will be embedded in the software.

You also need to make sure that the software is not tampered with, but this is another story altogether.

Guss
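
The signature scheme from the answer, next to the hash scheme from the question, as an added example that is not part of the original posts. It assumes Ed25519 as the signature algorithm (the answer does not name one); the function names and device identifiers are hypothetical, and Go is used only because its standard library ships Ed25519.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// HashLicence is the scheme from the question: key = H(deviceID).
// Anyone who extracts the function from the firmware can compute a key
// for any device, because no secret is involved.
func HashLicence(deviceID []byte) []byte {
	sum := sha256.Sum256(deviceID)
	return sum[:]
}

// NewVendorKey creates the vendor key pair. The private half never leaves
// the vendor; only the public half is compiled into the stack.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// IssueLicence runs at the vendor: the licence is a signature over the ID.
func IssueLicence(priv ed25519.PrivateKey, deviceID []byte) []byte {
	return ed25519.Sign(priv, deviceID)
}

// CheckLicence runs on the device at start-up with the embedded public key
// and the licence read from non-volatile storage.
func CheckLicence(pub ed25519.PublicKey, deviceID, licence []byte) bool {
	return ed25519.Verify(pub, deviceID, licence)
}

func main() {
	pub, priv := NewVendorKey()
	devA := []byte("00:11:22:33:44:55") // constructed sample identifiers
	devB := []byte("00:11:22:33:44:56")
	lic := IssueLicence(priv, devA)
	fmt.Println("licensed device accepts its key:", CheckLicence(pub, devA, lic))
	fmt.Println("same key copied to another device:", CheckLicence(pub, devB, lic))
	fmt.Println("hash-derived key accepted:", CheckLicence(pub, devB, HashLicence(devB)))
}
```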