Software protection by encryption

Question

Hello,

For our software we use hardware dongles to protect the software. No protection is perfect but this commercial solution is affordable and keeps honest people honest (as mentioned in another thread). The advantage is the 128 bit key that is stored 'unreadable' on the hardware dongle.

We want to remove this hardware dongle and start using software protection. Basically we can use a commercial product, but on the other hand that won't be unbreakable either. I don't know much about encryption and that's why I am posting this. How do I store a key on a windows computer that will not be possible to read by using reflector or something else? However I should be able to access the key for testing the license code.

I would just like a simple solution that can't be hacked by simply using reflector.

Or am I asking a very stupid question?

Erik

Answer 1

There is no way to completely secure the key. If it can be read by your program, then it can be read by another program.

Answer 2

Whilst nothing is going to be perfect, check out the CryptProtectData API if you want to do it yourself.

To be honest though, you are likely in for less headaches just buying a solution.

Answer 3

And this is why Copy Protection and 'keeping honest users honest' is a losing battle. You don't need to keep honest users honest, they already are.

The majority of effective Copy Protection schemes these days center around doing occasional key-checks against a central server. Have the application check it's key against the central server every so often, and you can determine if the software is licensed correctly. I'm over simplifying things a lot, obviously, but that is one approach.

Answer 4

Basically, you will need to use a commercial solution. The approach here is different from a dongle, and you cannot expect to simply replicate a dongle.

Instead, the main solution is to use some kind of key that is calculated in part from things about the computer that is running the software. Keygens that do the same thing can be made by crackers, but so it goes. They could have simply patched your software to not look for a dongle.

Answer 5

My recommendation is, if it's livable, stick with the dongle. Those tend to be the most viable approaches.

If it's not an option, then definitely go to an outside provider. You'll be looking for, among other things, a few key features (no pun intended):

• Secure storage of the key
• License checking
• Compile-time obfuscation (to make it harder to disassemble your app)

None of this is sure-fire. The bottom line is that developers have been fighting piracy for a long time, and we always lose when the pirates are determined enough. If your main goal is to keep honest people honest, then a decent commercial software protection package will probably do so for you.

Answer 6

The absolute answer is, of course, that a determined and skillful attacker can break any protection, but, especially for software which is not in a high level of demand or fame, skillful and determined attackers are rare, so taking protective measures makes sense.

To validate a license, sending the key to a central location is the safest way, because they'd have to crack your server (or protocol, watch out) to be able to validate. That'd require connectivity to use the software which may or may not be feasible. You could also distribute a 'license server' along with your software for big installs that'd require only local network access. If you can't and have to validate locally only, you could write a dll in native code that'd make it harder to reverse engineer.

To protect the code itself, and make its protection harder to bypass, obfuscate: http://stackoverflow.com/questions/2525/best-net-obfuscation-toolsstrategy http://stackoverflow.com/questions/31882/why-should-i-use-obfuscation http://stackoverflow.com/questions/12075/should-i-be-worried-about-obfuscating-my-net-code http://stackoverflow.com/questions/71146/whats-the-best-value-for-money-c-code-protection-for-a-single-developer

All in all, you might get a better value out of a packaged solution

Answer 7

Is this data simply commerical stuff or things you share with workers and so fort?

If it is the latter, perhaps you can write a quick c++ program to xor it. Basically if the key length is equal to the length of the document, it should be "unbreakable." What I do in c++ is create a buffer of random chars of the size of the document, then xor it, then simply send the document and key file seperately and then the other person xor them together to get back the document.

Don't know if that'll help you though.

Answer 8

If you store the key on the users local computer a cracker will be able to acess it no matter how hard you try to prevent this.

Why not store either the key or a crucial part of the copy protection code remotely and maybe process it remotely?

Answer 9

Generate the hash (SHA1, MD5, etc) for a key and hardcode the hash in your application. Distribute the key to your users. In your executable can check the hash of the user specified key against the hardcoded hash:

bool CheckKey(string keyFromUser) 
   return SHA1(key) == "ABC2983CF293892CD298392FG";
}

This means that anyone that can get hold of the key from your organization (or another user) can run the application, It will practically difficult to determine the key by inspecting the executable.

This is obviously not a very strong protection.

Answer 10

Gentlemen,

Thank you all for your very fast and usefull replies. I don't want to use licensing over the internet, since the application is running not always on computers that are connected. I will then get probably more problems then solving them. We will now most probably go for a commercial solution. It seems that protection is not that trivial.

Thanks a lot!!

Erik

Answer 11

In general, software on a non-networked machine can be cracked. If your application is non-niche enough that pirates can sell cracked copies of it, you are going to see that out there. One solution I've heard of that apparently was successful is self-modifying code.

Answer 12

You could try standard methods usually used in PC Games such as: SafeDisc,StarForce,SecuROM or any other copy protection software. These systems are among the most developed software systems to protected your application.

Nonetheless the experience tells that no only-software protection system is unbreakable and the time taken to hackers to break them is directly proportional to the worth of the protected content. No matter how advanced a protection system has ben used to prevent pirated copies of a popular game, the crack awaits a few months ahead.

You have stated that license server is a trouble for your system, but I wouldn't drop it right away. I think a license server, that issues a license at least the first program run (say a decrypt key different per installation) is the best deterrent measure to reduce piracy. Not only by the the strength of the encryption method but also and mainly because of the automatic registration system. If you let your customers know that the software activation key is unique per installation/user and that it is stored and matched to user's profile they would think twice about giving away the key+software.

Answer 13

I run a software company that has dealt with this issue for nearly 20 years. As both a developer and a business owner, I'd like to first encourage you to broaden your goals a bit. For example, it is simply a mistake to define your problem as "preventing piracy." Your goal should be to maximize revenue.

With that being said, there are some people who simply will never buy your software but who may make fairly significant efforts to get it for free. It isn't "fair" that they get a free copy but placing a lot of resources into the effort to prevent it is largely a waste of time. Indeed, these folks often end up "going legit" simply to get on our update list, to get support or because their business evolves to the point where they can now afford our license. In these cases, the original piracy ends up enhancing our revenue.

So, how do we license?

We generate a random license number with each new install (a number between 10K and 99K does nicely). We then have an algorithm for generating a matching number (anything non-trivial will do). We use a random number, by the way, so that any attempt reinstall on another computer results in different license/match numbers.

Next, we ask users to call us on the phone to get the matching number for their license (this is important). The software looks at the matching number they enter and compares it to the matching value generated on the user's side. If there is a match, the software is fully activated.

I say that having them phone us is important because we use that as an opportunity to talk with them about their setup, answer any questions, and let them know they are dealing with real people. Very few people have the nerve to try calling and impersonating another company (we look them up and compare their information to our purchase database). Note that our package runs nearly $2K so phone calls are reasonable. If your package costs less and has higher volume, you could do this via email. Finally, we use the call-in to tell users how to get upgrades and technical support with their new license.

Finally, we store the key in the application's database (a locally-installed MSDE/SQL Express database) so that any attempt to copy the app will A) be non-trivial and B) bring over a lot of data specific to the organization that first bought the legitimate version (making them less likely to share). The licensing key is encrypted and "split" into two different keys that are kept in two different tables. Thus, a simple "find the key and enter it in the pirated version" will not work.

The bottom line? When you make the entire package more than just the software, build in a few basic protective mechanisms, and introduce the human element, you should see that you don't need the expense and trouble of a dongle to maximize revenue.

Answer 14

Please let me add some thoughts to Your question:

• Does Your software require any kind of internet connectivity?
  • If the answer is "yes", You can monitor the usage. (Do tell the customer about this functionality!)
  • If the answer is "no", You still can monitor the usage in most cases, but You cannot enforce a connection to Your servers for the product to work.
• Do You want to add copy-protection to Your software? This is no rhetorical question, because
  • some software has to be customized by the software company or its partners. If anyone makes a copy of software, that has to be customized by experts, it just won't be of any use for him.
  • e.g. if an employee of Your customer wants to use Your high-end circuit-design software for his private projects at home and You give him the permission to do so, then You have someone at Your customers site, who will vote for Your product on every purchase decision.
  • the effort for a working copy protection could be higher than the loss created by unauthorized copies. (Remember, You can still include it in the next version.)

Answer 15

I read an through an interesting presentation about how skype approaches the task of protecting software by encryption.