tags:

views:

42

answers:

2
Q: 

Software Validation Server in Python?

I have been working on a huge project for work for a while now, and it is almost done. However, in an effort to prevent the program was being pirated (I already know there is pretty much no method that can't be cracked ), the software needs to be able to validate. I'm not exactly sure how to do this. Could some sort of software validation server be written in Python? How would the software communicate with the server? Would the softwre check each time it is launched to see if it is valid? The program requires internet access to run anyway, so checking for validation at each launch might not be so bad.

I am programming in Python 2.6 on Windows 7. Any help would be great!

A: 

I would really urge you not to do this. As you said, whatever you do will be broken, and you may actually cause more copies of your software to be pirated by including this barrier. Asking your users nicely not to steal may do better...

That said, implementing this in a way that discourages the most casual piracy is easy: just have the program send a serial number encrypted with the server's public key to your validation script, and have the server return a version of the number encrypted using its private key. Instant validation. Yes, this server could be written in Python easily.

Borealid  2010-08-17 02:33:11
+2  A: 

The software, when starting, should launch an https (so it can't just be sniffed easily;-) request to your server, identifying itself (however it is that you choose to identify, e.g. a serial number or whatever), and the server's response will tell it what to do (run normally, or terminate, or ask the user to register -- whatever).

Of course, any competent hacker will find and disable the part of your code where you're sending the request and dispatching on the answer, but then you already do know that everything can easily be cracked;-).

A less-easily crackable approach would be to keep some crucial part of the functionality on your server, so that the client's basically useless (or at least less useful) if it hasn't checked in with your server and obtained a token to be used in other "functionality requests" during a session.

Hard to tell, without knowing a lot more about your app, if there are bits and pieces of functionality in your app that lend themselves well to this treatment, but for example you could delegate in this way any kind of cryptographic functionality (encrypting, decrypting, signing, ...) -- if only your server knows the secret/private keys to be used for such purposes, and only performs the functionality for application sessions that have properly registered and been authorized, suddenly it's become very hard for even a good hacker to work around your registration and authorization system.

Alex Martelli  2010-08-17 02:38:19
I like the way you are going with this. I'm just not sure how to get the software to identitfy itself to the server, then the server return a response, depending on the status of the activation for that copy. Each copy of the program will have a serial number, that is calculated based on the HDD serial number, this way it can't easily be changed. I gues my question is, how would I write a server that can do this? How does my program communicate with this server?
Zachary Brown  2010-08-17 03:47:18
@Zachary Brown: SOAP, a REST API, or even pickled Python objects would work...
Borealid  2010-08-17 04:03:51
@Zachary, @Borealid has listed several possibilities -- I'd recommend simple HTTPS posts (which can be seen as a simple subset of REST;-). PS, basing the serial number on the HDD's identification gives obvious problems if the HDD ever breaks and gets replaced, or ever gets upgraded -- I hope you're set up with a good and fast service department for reissuing serial numbers to customers in any such circumstances!-)
Alex Martelli  2010-08-17 04:22:16
Ok, I am having some trouble here. I wrote an HTTP server ( no need for HTTPS as the info will be encrypted? ). Now, to do a POST, I will send the serial and other activation information as headers, right? I wrote the server, and have code to make the post, but I'm just not sure how to "conect the dots" to make it work. Any ideas? Is there something special for the server that needs to be done?
Zachary Brown  2010-08-17 19:24:25
@Zachary, no, the info should be in the post's body -- why hide it in headers? And the server must check that info and reply, as the response, with either a "validated token" or an error message. Plus, you really should use HTTPS -- otherwise you're open to e.g. a variety of "man in the middle" and "replay" attacks. With HTTPS your traffic isn't effectively sniffable nor replayable and that saves you a lot of heartache, no matter how cleverly you'd rather be reinventing your own encryption wheel;-).
Alex Martelli  2010-08-17 23:44:21
Ok, I think I'll have to agree with you. How would I implement an HTTPS server that can do this sort of thing? I have done some research and was able to create a simple HTTP srver that accepted SSL connection, (HTTPS), but I don't know how, and couldn't find anything that could teach me how to do the activation.
Zachary Brown  2010-08-18 00:37:18
@Zachary, https vs http is just a question of avoiding sniffing and replay and has nothing to do with "how to do the activation". For the latter, as I already said: the client POSTs a form with all the relevant values for identification, the server analyzes this and replies with either a validation token (which the client can use for further server interactions in that session, if any -- or, just accept as it being validated for that session) or an error message. No deep difference with any other web POST and response!
Alex Martelli  2010-08-18 01:40:32
Ok, I understand what you are saying. Use HTTPS POST! What I don't know how to do is write an HTTPS server that will know what to do with the post. How do I get and analyze the body of the POST, which I think is the params, right? I have code for making the post, but the server doesn't know what to do with it, how do I "teach it"?
Zachary Brown  2010-08-18 02:23:17
@Zachary, what underlying framework are you using? If `BaseHTTPServer` from the standard library, for example, see a tutorial at http://blog.doughellmann.com/2007/12/pymotw-basehttpserver.html (shows how to use `cgi.FieldStorage` to parse the posted data). Each web framework has a proper way to parse posted data, and of course they differ among them.
Alex Martelli  2010-08-18 02:43:18
OK, cool! I will check it out!! Thanks.
Zachary Brown  2010-08-18 02:49:10
@Zachary, you're welcome!
Alex Martelli  2010-08-18 03:09:10
Thanks everyone who helped! I finally got the server built and working! Cheers to Stackoverflow and it's members!
Zachary Brown  2010-08-18 06:24:10

related questions

Verifying files for testing
How do you create your own moniker (URL Protocol) on Windows systems?
Windows Equivalent of 'nice'
Is this a good way to determine OS Architecture?
Dual vs. Quadcore on a Webserver
Is there a WMI Redistributable Package?
PHP Error - Uploading a file
Ruby On Rails with Windows Vista - Best Setup?
OpenVPN Config file to prevent timeout
How can I create Debian install packages in Windows for a Visual Studio project?
How do I configure and communicate with a serial port?
What's the best setup for Mono development on Windows?
Appropriate pagefile size for SQL Server
XML Editing/Viewing Software
Linux shell equivalent on IIS
What is a better file copy alternative than the Windows default?
Windows Help files - what are the options?
Heap corruption under Win32; how to locate?
Best way to access Exchange using PHP?
Get a preview jpeg of a pdf on windows?
WinForms ComboBox data binding gotcha
How do you schedule tasks in Windows?
Register Windows program with the mailto protocol programmatically
Embedding Windows Media Player for all Browsers
Best Subversion clients for Windows Vista (64bit)