views:

225

answers:

3

I have an application (C#) and I am tasked with putting some simple licensing scheme in it. While doing that I need to save that information somewhere in computer to limit the usage.

I need to save a date and a counter.

How and where I should save the information which, on Windows Vista, doesnt require administrative privileges to run? (Which means saving it in System32, Program Files, HKEY_LOCAL_MACHINE is not an option.)

Please do not flood the answers with "don't do it" or "it will be cracked anyway". I do understand those logics. I just need to do anything best that can be done for this purpose.

+3  A: 

Consider using a third-party licensing component, such as XHEO - there's no need to reinvent the wheel.

If you are still required to write your own license system, consider using the user's profile directories or the HKEY_CURRENT_USER branch.

ASk
The one advantage to a "roll your own" is security through obscurity. If it doesn't take too long, and meets the requirements, it might be fine.
John Christman
Such things starts out seemingly simple, but more often than not, it starts sucking lots of time. I would instead want to focus on my core functionality instead and use third party system instead. One such system which you should consider is CryptoLicensing.
logicnp
A: 

for enterprise we always use the app_root/LICENSE directory.

we also use an own custom solution, but it is rather trivial encrypting this data and verifying the license log for manipulation.

b0x0rz
+3  A: 

we use a signed XML license file. It's a simple XML file, that displays what the user has purchased.

The nice thing about this is that it's future compat. You can easily add a product feature, or product line, expiration dates, and feature attributes.

It's easy for our commerce site to create and package licenses on demand, just be sure your private keys never get out. The pros outway the cons here for us, and the biggest problem we can't circumvent, is simply coping the license file.

here is a sample xml file

<?xml version="1.0" encoding="utf-8"?>
<ProductName>
  <License>
    <LicenseId>20025fb9-5349-46d4-a530-55b0295beaaa</LicenseId>
    <CustomerName>[email protected]</CustomerName>
    <MajorVersion>2008</MajorVersion>
    <Product>Friendly Display Name</Product>
    <ProductType>Enterprise</ProductType>
    <Features>
      <!--Add features here-->
    </Features>
    <Expires>0001-01-01T00:00:00</Expires>
  </License>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"&gt;
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>u3{..........}U2jo=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>QFg1kI{...............}DwDIE=</SignatureValue>
  </Signature>
</ProductName>

And we use simple .NET built in API's to do the XML signing, and confirmation that it is singed and valid.

Things I like ...

.. It's easy to read. (for tech support) .. It's easy to replace .. Easy to store, in the files system, or in our case, the database, for easy access into and out of the UI. (we have an in place update/upgrade system) .. it's easy to upgrade. We have a service that takes your old license, and after validation, offers upgrade pricing based on what's already been purchased. Then the commerce system logs the old and new license files for reference.

Things I don't like ...

.. Could be copied, stolen easily

ScottCate
One possible way to improve it is to store a hardware-derived ID in the license and sign that.
ASk