I have been working on a huge project for work for a while now, and it is almost done. However, in an effort to prevent the program from being pirated (I already know there is pretty much no method that can't be cracked), the software needs to be able to validate. I'm not exactly sure how to do this. Could some sort of software validation server be written in Python? How would the software communicate with the server? Would the software check each time it is launched to see if it is valid? The program requires internet access to run anyway, so checking for validation at each launch might not be so bad.

I am programming in Python 2.6 on Windows 7. Any help would be great!

A: 

I would really urge you not to do this. As you said, whatever you do will be broken, and you may actually cause more copies of your software to be pirated by including this barrier. Asking your users nicely not to steal may do better...

That said, implementing this in a way that discourages the most casual piracy is easy: just have the program send a serial number encrypted with the server's public key to your validation script, and have the server return a version of the number encrypted using its private key. Instant validation. Yes, this server could be written in Python easily.

Borealid
+2  A: 

The software, when starting, should launch an https (so it can't just be sniffed easily;-) request to your server, identifying itself (however it is that you choose to identify, e.g. a serial number or whatever), and the server's response will tell it what to do (run normally, or terminate, or ask the user to register -- whatever).

Of course, any competent hacker will find and disable the part of your code where you're sending the request and dispatching on the answer, but then you already do know that everything can easily be cracked;-).

A less-easily crackable approach would be to keep some crucial part of the functionality on your server, so that the client's basically useless (or at least less useful) if it hasn't checked in with your server and obtained a token to be used in other "functionality requests" during a session.

Hard to tell, without knowing a lot more about your app, if there are bits and pieces of functionality in your app that lend themselves well to this treatment, but for example you could delegate in this way any kind of cryptographic functionality (encrypting, decrypting, signing, ...) -- if only your server knows the secret/private keys to be used for such purposes, and only performs the functionality for application sessions that have properly registered and been authorized, suddenly it's become very hard for even a good hacker to work around your registration and authorization system.

Alex Martelli
I like the way you are going with this. I'm just not sure how to get the software to identify itself to the server, then have the server return a response depending on the status of the activation for that copy. Each copy of the program will have a serial number that is calculated based on the HDD serial number; this way it can't easily be changed. I guess my question is, how would I write a server that can do this? How does my program communicate with this server?
Zachary Brown
@Zachary Brown: SOAP, a REST API, or even pickled Python objects would work...
Borealid
@Zachary, @Borealid has listed several possibilities -- I'd recommend simple HTTPS posts (which can be seen as a simple subset of REST;-). PS, basing the serial number on the HDD's identification gives obvious problems if the HDD ever breaks and gets replaced, or ever gets upgraded -- I hope you're set up with a good and fast service department for reissuing serial numbers to customers in any such circumstances!-)
Alex Martelli
Ok, I am having some trouble here. I wrote an HTTP server (no need for HTTPS as the info will be encrypted?). Now, to do a POST, I will send the serial and other activation information as headers, right? I wrote the server, and have code to make the post, but I'm just not sure how to "connect the dots" to make it work. Any ideas? Is there something special for the server that needs to be done?
Zachary Brown
@Zachary, no, the info should be in the post's body -- why hide it in headers? And the server must check that info and reply, as the response, with either a "validated token" or an error message. Plus, you really should use HTTPS -- otherwise you're open to e.g. a variety of "man in the middle" and "replay" attacks. With HTTPS your traffic isn't effectively sniffable nor replayable and that saves you a lot of heartache, no matter how cleverly you'd rather be reinventing your own encryption wheel;-).
Alex Martelli
Ok, I think I'll have to agree with you. How would I implement an HTTPS server that can do this sort of thing? I have done some research and was able to create a simple HTTP server that accepted SSL connections (HTTPS), but I don't know how, and couldn't find anything that could teach me how to do the activation.
Zachary Brown
@Zachary, https vs http is just a question of avoiding sniffing and replay and has nothing to do with "how to do the activation". For the latter, as I already said: the client POSTs a form with all the relevant values for identification, the server analyzes this and replies with either a validation token (which the client can use for further server interactions in that session, if any -- or, just accept as it being validated for that session) or an error message. No deep difference with any other web POST and response!
Alex Martelli
Ok, I understand what you are saying. Use HTTPS POST! What I don't know how to do is write an HTTPS server that will know what to do with the post. How do I get and analyze the body of the POST, which I think is the params, right? I have code for making the post, but the server doesn't know what to do with it, how do I "teach it"?
Zachary Brown
@Zachary, what underlying framework are you using? If `BaseHTTPServer` from the standard library, for example, see a tutorial at http://blog.doughellmann.com/2007/12/pymotw-basehttpserver.html (shows how to use `cgi.FieldStorage` to parse the posted data). Each web framework has a proper way to parse posted data, and of course they differ among them.
Alex Martelli
OK, cool! I will check it out!! Thanks.
Zachary Brown
@Zachary, you're welcome!
Alex Martelli
Thanks everyone who helped! I finally got the server built and working! Cheers to Stackoverflow and its members!
Zachary Brown
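Putting the accepted answer's protocol and the comment thread together (the client POSTs the serial in the request body, the server parses it and replies with either a session token or an error, and later requests present that token), here is an added Python 3 example that is not code from the question or either answer. The HMAC-signed token format, the constructed licence registry and the placeholder server secret are assumptions of this example.

```python
import hmac, hashlib, json, time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Assumed/constructed values: in practice load the secret from config and the registry from a database.
SERVER_SECRET = b"constructed-demo-secret-replace-me"
TOKEN_TTL = 3600  # seconds a validation token stays good for one session
LICENSES = {"ABC-123": "active", "DEF-456": "revoked"}  # constructed sample registry

def _mac(payload):
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()

def issue_token(serial, now=None):
    """Return a signed session token 'serial|expiry|mac', or None if the serial is not active."""
    if LICENSES.get(serial) != "active":
        return None
    now = int(time.time() if now is None else now)
    payload = "%s|%d" % (serial, now + TOKEN_TTL)
    return payload + "|" + _mac(payload)

def verify_token(token, now=None):
    """Check the MAC, expiry and current licence status of a token sent with a later request."""
    try:
        serial, expiry, mac = token.split("|")
        payload = "%s|%d" % (serial, int(expiry))
    except ValueError:
        return False
    now = int(time.time() if now is None else now)
    return (hmac.compare_digest(mac, _mac(payload)) and now < int(expiry)
            and LICENSES.get(serial) == "active")

def handle_activation(body):
    """Parse the urlencoded POST body (not headers) and return (http_status, reply_dict)."""
    serial = parse_qs(body).get("serial", [""])[0]
    token = issue_token(serial)
    if token is None:
        return 403, {"error": "serial not active"}
    return 200, {"token": token}

class ActivationHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        status, reply = handle_activation(self.rfile.read(length).decode())
        data = json.dumps(reply).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
```

Serve it with `HTTPServer(("127.0.0.1", 8443), ActivationHandler).serve_forever()`, wrapping the server socket with `ssl.SSLContext.wrap_socket` so the exchange is HTTPS as the answer advises.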