1

I have a requirement to distribute software on an SD card, and this application should work without internet. I can share the installation key through SMS.

Since the application and installation key are distributed offline (without internet), is there any way to track application installation and restrict users from sharing the software package themselves?

I would expect that the software should not be installable, or should be inaccessible, even if they share the SD card and SMS.

Please suggest the right direction on this.

  • If people can read data, they can copy data - doesn't matter if it's an executable or a bunch of secret information. In this case, you can't prove that software hasn't been installed reliably, and you can't prove that a given key hasn't been used before (no internet connection, so no central store). You could potentially have a dongle requirement, but that adds a lot of complexity and cost, so it may not be economically sound. There are a few questions about similar situations around on the site. – Matthew Nov 01 '16 at 16:06
  • @Matthew Can you please explain more about dongle-based protection, or any other cost-effective method? The goal is that everything should work offline. – HILARUDEEN ALLAUDEEN Nov 01 '16 at 16:17
  • Basically, you need some kind of active device which can determine when a single installation has happened. This can't rely on the host computer (which can be tampered with) and has to respond in a way which can't be faked, such as by signing a value sent by the application. Might be viable if your application is really expensive (e.g. $10ks+), otherwise, it's likely to wipe out any profit margin... – Matthew Nov 01 '16 at 16:22
  • @Matthew Is there any possibility in customised device level software? – HILARUDEEN ALLAUDEEN Nov 01 '16 at 17:00

2 Answers

1

Here is an approach that partially solves the problem: Probabilistic encryption to generate installation keys.

When a user wants to install the software, they call you and give you their MAC address. You append the MAC address with the current UTC timestamp, encrypt it with a probabilistic encryption scheme (PCBC or something similar) and send the installation key using SMS.

The computer decrypts the installation key and verifies the MAC and timestamp. If the timestamp is within a tolerable time before the current time (you need to factor in slow typing), then the software installs; otherwise it does not.

Please keep in mind that this is not a completely foolproof mechanism. There can be multiple machines installing the software together and doing a MAC spoof. Also, you will have a challenge in keeping the generated installation key to human readable characters.

Limit
  • MAC addresses can be spoofed ... you can also install on a VM and set the physical MAC address to whatever you want. – CaffeineAddiction Nov 01 '16 at 16:25
  • That is what I wrote in my answer... "Please keep in mind that this is not a completely foolproof mechanism. There can be multiple machines installing the software together and doing a MAC spoof. Also, you will have a challenge in keeping the generated installation key to human readable characters." – Limit Nov 01 '16 at 16:27
  • @Limit Makes sense. If I understand clearly, it is like an OTP. The end user is a novice or normal user; is there any other way to improve transactions? – HILARUDEEN ALLAUDEEN Nov 01 '16 at 16:28
  • Your ultimate purpose is to avoid the same key being used twice. Since the machine cannot talk to others, the onus of generating a fresh token is on you. And in order to make sure that the token is not replayed, the machine has to know the timestamp of the token. That is why you encrypt the timestamp along with the token. – Limit Nov 01 '16 at 16:31
  • Which part of this do you want to avoid? The human interaction or the cryptography? – Limit Nov 01 '16 at 16:35
  • @Limit I would prefer less or no human interaction, and I can't compromise on security either. I cracked my head a lot, but I couldn't find a better solution for my requirement. – HILARUDEEN ALLAUDEEN Nov 01 '16 at 16:50
  • @hilarudeens Well, your question says you are ready to send the installation key using SMS, so instead of calling you, the customer can send an SMS with what they have and your server can parse it, verify that payment is done, generate a key and you're done. – Limit Nov 01 '16 at 17:00
  • @Limit If I understand correctly, the flow would be as follows: 1. Send SD card to user. 2. Generate unique key on first-time boot. 3. Collect unique key and purchase identification (may be username and password) through SMS. 4. Parse all the information from SMS and validate purchase. 5. Send time-based installation key to user through SMS. – HILARUDEEN ALLAUDEEN Nov 01 '16 at 17:32
  • @hilarudeens yes. – Limit Nov 01 '16 at 17:38
  • Along with MAC spoofing, I don't see why you couldn't change the clock on your computer as well. So as @Limit mentioned, this is easy to work around if the user knows how the local installer checks the key. – Steve Nov 01 '16 at 20:45
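The key check described in the answer above, as an added sketch that is not the answerer's code: it swaps the encryption step for a truncated HMAC (Python's standard library has no block cipher, and the installer only needs to confirm the key was issued for this MAC and time) and Base32-encodes the result so the key stays typeable. `SECRET`, `MAX_AGE`, `TAG_LEN` and the function names are assumptions.

```python
import base64, hashlib, hmac, struct

# Constructed demo secret (assumption). In this scheme it ships inside the
# installer, so the check is only as strong as the secret is hard to extract.
SECRET = b"demo-secret-not-for-production"
MAX_AGE = 15 * 60   # assumed tolerance window in seconds (allows slow typing)
TAG_LEN = 6         # truncated HMAC keeps the key short enough for an SMS

def _norm_mac(mac):
    """Canonicalise 'AA-BB-..' or 'aa:bb:..' to 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return raw

def _tag(mac, ts):
    msg = _norm_mac(mac) + struct.pack(">I", ts)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:TAG_LEN]

def issue_key(mac, now):
    """Vendor side: bind the key to one MAC and the issue time (UTC epoch)."""
    blob = struct.pack(">I", now) + _tag(mac, now)   # 4 + 6 = 10 bytes
    text = base64.b32encode(blob).decode()           # exactly 16 characters
    return "-".join(text[i:i + 4] for i in range(0, 16, 4))

def verify_key(key, local_mac, now):
    """Installer side: returns (ok, reason)."""
    try:
        blob = base64.b32decode(key.replace("-", "").replace(" ", "").upper())
    except ValueError:                               # bad alphabet or length
        return False, "malformed"
    if len(blob) != 4 + TAG_LEN:
        return False, "malformed"
    ts = struct.unpack(">I", blob[:4])[0]
    if not hmac.compare_digest(blob[4:], _tag(local_mac, ts)):
        return False, "bad-mac-or-tampered"
    if not 0 <= now - ts <= MAX_AGE:
        return False, "outside-time-window"
    return True, "ok"
```

Both `local_mac` and `now` are read from the host, so the check holds only as far as those values can be trusted, which is the limit the comments above raise.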
0

If the SD card is just a standard SD card then there is no way to accomplish your end goal. The person installing could just make a backup of the SD card as many times as they want and use the same key.

CaffeineAddiction