
This question is related to my first question: How secure is this schema for Online Licensing System?

I'm trying to sell a subscription based software and I can't find a good way to generate a serial key for this case.

What is this key for?

When the user buys the program, he will be asked to open it for the first time on the computer he is going to use. When the program is first opened, some of the computer's information is sent to the server, where a key is made based on this information and then stored in a DB, so each time the user logs in the server can check whether it's the same computer.

That program is designed to work ONLY when online and ONLY on 1 computer.

What's the main goal?

The main goal is to make each license work ONLY on 1 computer without giving the user a bad experience (like resetting the key every day).

What I tried

I already read a lot about hardware information, but as a beginner in all this I don't know what information can be easily changed, or what information should NOT be used for this.

What if the user changes his/her computer

In that case, they have a button to reset the key; this button can be used only once every 3 days (in order to prevent the user from sharing his license).

What I need

I need to design a key that is enough to check whether it's the same computer and, at the same time, doesn't change every time the user turns on the PC or after an update (it's okay if it changes when the user upgrades his/her hardware).

What kind of answers I need

  • ANY information that is related to this that I can read.
  • ANY example, pseudo-code, code, etc.
  • ANY method to achieve the main goal.
  • Anything you think is helpful.

About DRM effectiveness and faked information

My software is not expensive and I think it won't have more than 50-100 users. I need a way to protect it from people who share the .exe or share their account. At the same time, I want to protect it from common things like MITM, MAC address spoofing, etc. So, to make it short: I need a licensing system (or something else) that protects my software so people can't easily pirate it. I know you can't protect something 100% and that it will be hacked at any time, but I want to make it as hard as possible by finding the best way to protect it. I don't mind if I have to work 6 months for that. I don't want to use a simple protection like "checking a unique serial inside the .exe" because that's easy to bypass even for a beginner.

Why I posted it here

Because, after all, it's more a matter of security than of code or programming language. It's about helping me find a way to achieve my goal, which is a secure method to make licenses tied to 1 computer.

I already read about how I should ask a question, but in case this question doesn't belong here or is wrongly formatted, please tell me ASAP so I can change/delete it. Thanks in advance.
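One way to build the server-side part of the key described above (per-component hardware digests bound to the account, plus a tolerant "same machine" check so a single replaced part does not force a reset). This is added example code, not from the question's author; the hardware values, secret and user ids are constructed placeholders, and the client-side reading of the real values (e.g. via WMI on Windows) is assumed to happen elsewhere.

```python
import hashlib
import hmac

# Hypothetical server-side secret (constructed placeholder); in a real
# deployment load a random 32-byte value from configuration, never ship it in the .exe.
SERVER_SECRET = b"constructed-placeholder-secret-do-not-use"

# Constructed sample values standing in for what the client would read on the
# user's PC (e.g. via WMI on Windows), ordered from most to least stable.
SAMPLE_COMPONENTS = {
    "cpu_id": "BFEBFBFF000906EA",
    "board_serial": "MB-SN-0001-CONSTRUCTED",
    "disk_serial": "WD-WX11A2B3C4D5",
    "mac": "00:11:22:33:44:55",
}


def component_digests(components, user_id):
    """HMAC each hardware component separately, keyed to the account, so the DB
    never holds raw serials and the same hardware yields different digests for
    different accounts (a shared .exe cannot carry another user's key)."""
    digests = {}
    for name, value in components.items():
        msg = f"{user_id}|{name}|{value.strip().upper()}".encode()
        digests[name] = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return digests


def license_key(digests):
    """Single opaque key to store next to the account: a hash over the
    per-component digests in a fixed order."""
    joined = "|".join(digests[name] for name in sorted(digests))
    return hashlib.sha256(joined.encode()).hexdigest()


def same_machine(stored, presented, required=3):
    """Tolerant check run at every login: treat the PC as the same one when at
    least `required` of the stored components still match. A replaced NIC or
    disk does not lock the user out, but a different PC (everything changes)
    fails and must go through the 3-day reset button."""
    agree = sum(
        1 for name, digest in stored.items()
        if name in presented and hmac.compare_digest(digest, presented[name])
    )
    return agree >= required
```

Since every value the client reports can be faked, the digests only raise the cost of casual sharing; the server-side check and the reset rate limit are what actually enforce the one-computer rule.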

  • I assume this is related to your other question? https://security.stackexchange.com/questions/201659/how-secure-is-this-schema-for-online-licensing-system – schroeder Jan 24 '19 at 15:45
  • Thanks for commenting. Yes, it's going to be used on that schema. Instead of making a question with a lot of "mini questions" inside, I think this is a better approach. BTW I'm still testing that schema because I don't know how safe it is. At the same time, this question is something I will apply to every software I will sell with this kind of licensing. – Roberto Carlos Jan 24 '19 at 15:52
  • Providing a link to the other question in this question would be helpful. – schroeder Jan 24 '19 at 15:53
  • Related: https://security.stackexchange.com/questions/4637/are-there-drm-techniques-to-effectively-prevent-pirating – Josef Jan 24 '19 at 15:55
  • 1
    Any information about the system that you can read can be faked by the user. – Josef Jan 24 '19 at 16:01
  • @Josef Copy protection systems can still be useful to protect against casual copying: "Oh, I'll get round to putting the PO in tomorrow." For protecting against a determined hacker, you have to use lawyers. – Martin Bonner supports Monica Jan 24 '19 at 16:28
  • What kind of subscription based software? If it's always supposed to be online, why not run it in the cloud - Azure (and presumably AWS) provide packaged applications (so, you provide the application, your clients rent/buy the app, plus pay for cloud hosting, and the cloud provider bills based on deployments for you). Also, why only one computer? I have at least two here at work, what if I want to move between them? If it has to be always-online, why isn't this handled via login functionality - only one connection at a time - rather than trying to fingerprint the machine? – Clockwork-Muse Jan 24 '19 at 17:16
  • Hi, thanks for all the comments. I will update the question with what's provided here. I can't run it in the cloud because it has to interact with other applications and simulate some input that is impossible to make if the software is in the cloud. About login/sessions: because I couldn't find a good way to make sessions and disable multi-login (2 clients using the same username and password) without it being easy to bypass. – Roberto Carlos Jan 24 '19 at 17:23
  • I'm going to edit my question now describing more in detail what I need and I will talk about the "how effective is DRM and faked information" thing. – Roberto Carlos Jan 24 '19 at 17:55
