views: 591 | answers: 4

Hi, I've written an application, and would like to include a licence key system. We do have some requirements, but would like to know what tips you guys have as well.

The main purpose of the system is to make sure we keep track of every customer who has the product, and that we can set the key as invalid if they decide to stop paying.

We want to write it ourselves, not rely on 3rd party libraries.

I realize that a .NET programmer can reflect our app and view the algorithm, but we do not need to secure against those guys. It's not that important.

The licence key must contain an expiration date.

Which algorithms would you use? Any tips?

+2  A: 

I use RSA to sign an XML document with a SHA hash. This will ensure the customer does not alter the license info.

You could then assign each license a unique value that would be stored in the XML file and contact your server to validate the license is still valid.

Something like this for the XML hash and signing:

http://www.codeproject.com/KB/security/xmldsiglic.aspx

Dana Holt
This method requires a file which is slightly more irritating than just typing in a long number.
Jacob
@Jacob - A file is not required. You could simply copy/paste the XML. Personally, I would rather point to a file any day than type in some kind of long code.
Dana Holt
+2  A: 

Brandon Staggs wrote a good article on Implementing a Partial Serial Number Verification System. The examples are written in Delphi, but could be converted to other languages.

Have a look at this related question, where I posted the above answer.

stukelly
A: 

Personally I am a fan of the Steve Gibson licensing algorithm. It's very simple to implement, and creates no burden for your users:

  1. Create a kick-ass product. Build value.
  2. Just let your users download and run it.
  3. Stand behind it. Support it well.

Treat your users like people and not potential criminals and they will compensate you for your work.

(I realize this is heresy for any company that makes software that includes the words "Enterprise", "Edition", or "Professional" in the title. Maybe one day they'll see the light.)

EDIT: Downvote me if you want, I understand that it's not a popular position, and might be considered as "not helping". But I'm of the opinion that any time you sit down to write a licensing algorithm you should take a good hard look at whether or not you really need one.

Bob Somers
I agree, this has worked well for me for years. This is not a donation-ware scheme, it's simply allowing paying customers to download the app without being burdened by licensing. If people like it, and it's priced right, people will pay for it. Usually, if someone pirates your software, it's not a lost sale; they wouldn't buy it anyway (for whatever reason)
Ryan Emerle
A significant percentage of otherwise paying customers will use a stolen code if available. There have been a few studies done that prove this. http://www.windowsusers.org/piracy.html I do agree that the licensing system should not burden the customer, but you are definitely leaving money on the table if you are not using some kind of licensing.
Dana Holt
TwistedAphid, there is absolutely no indication that those users would have paid for it if it wasn't free. Like Ryan noted, most users who pirate your software aren't lost sales, because they wouldn't pay even if it cost a penny. Personally I think time is better spent building value into your software and making your users happy than playing a piracy cat-and-mouse game that you will always lose. Happy users will pay you more than once. Pissed off users will never pay you again.
Bob Somers
@Bob - You are right that the link I provided does not show those people would purchase. I do have data through my own experiments and those of others in private organizations I am a member of that sales significantly increase when licensing is added. A good licensing system should not piss off customers. I am talking something simple, no hardware locking, activation, etc. I do agree you should spend more time on making your software great than on the licensing system but both things are important.
Dana Holt
What the heck is a "Steve Gibson licensing algorithm"?
Jacob
A: 

Take all your license settings, such as username, email, date of expiration, etc., hash them, and then use the RSA algo to sign the hash. During validation, hash the settings again and then verify this hash against the signature. Once this is done, verify the settings, such as the date not being expired, etc.

BTW why waste time developing your own, when a licensing system such as CryptoLicensing does all this and lots more! I would want to devote my resources into my core software instead.

logicnp
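The sign-then-verify flow described in the RSA answers above, as an added C# example that is not code from any of the posters. The `id|email|expiry.signature` key format, the class and method names, and the sample customer values are all assumptions made for illustration; the key pair is generated in-process only so the demo runs stand-alone.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

static class LicenseDemo  // hypothetical names throughout
{
    // Vendor side: the private key never ships with the product.
    static string Issue(RSA privateKey, string id, string email, DateTime expires)
    {
        string payload = $"{id}|{email}|{expires:yyyy-MM-dd}";
        byte[] sig = privateKey.SignData(Encoding.UTF8.GetBytes(payload),
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return payload + "." + Convert.ToBase64String(sig);
    }

    // Client side: only the public key is embedded in the application.
    static bool IsValid(RSA publicKey, string license, DateTime nowUtc)
    {
        int dot = license.LastIndexOf('.');   // Base64 never contains '.'
        if (dot < 0) return false;
        string payload = license.Substring(0, dot);
        byte[] sig;
        try { sig = Convert.FromBase64String(license.Substring(dot + 1)); }
        catch (FormatException) { return false; }

        // Check the signature first; read fields only from authenticated data.
        if (!publicKey.VerifyData(Encoding.UTF8.GetBytes(payload), sig,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
            return false;

        string[] f = payload.Split('|');
        return f.Length == 3
            && DateTime.TryParseExact(f[2], "yyyy-MM-dd", CultureInfo.InvariantCulture,
                   DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal,
                   out DateTime exp)
            && nowUtc.Date <= exp;
    }

    static void Main()
    {
        using RSA vendor = RSA.Create(2048);                           // constructed demo key pair
        using RSA client = RSA.Create(vendor.ExportParameters(false)); // public half only
        DateTime now = new DateTime(2024, 6, 1, 0, 0, 0, DateTimeKind.Utc);
        string lic = Issue(vendor, "CUST-0001", "user@example.com", new DateTime(2024, 12, 31));
        Console.WriteLine(IsValid(client, lic, now));                  // untouched key
        Console.WriteLine(IsValid(client, lic.Replace("2024-12-31", "2034-12-31"), now)); // edited expiry
        Console.WriteLine(IsValid(client, lic, now.AddYears(1)));      // past the expiry date
    }
}
```

The `id` field is the unique value a server-side check could look up to mark a key invalid before its expiry date, as the first answer suggests. Field values must not contain `|` in this format.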