A safe license System

Question

So I'm trying to think of a good way to check if the license key a user supplies for a program is legit or not.

Let's suppose this is the way they get there license

1. They make some type of purchase.
2. A server generates a license based on their username
3. Server gives license to user
4. When user tries to use program for the first time, they use said license key
5. Server checks to see if the license is legit.

The parts I have a question of is what's a good way to generate a "secure" license with just a username.

Currently I have something similar to this on a Java server.

username += "a long random string literal here";
        username = username.toUpperCase();
        md = MessageDigest.getInstance("SHA-256");
           md.update(username.getBytes());
            byte[] mdbytes = md.digest();

So as you can see, I'm adding a long random string to the username, and then making it case insensitive by changing it to uppercase.

I'm using SHA on the edited username.

So what exactly are the weak points in this? Is their a better way to check licenses?

Obviously the client would never see the generation method, so I don't see how they could generate their own licenses unless they obtained the string I'm adding to the username.

Answer 1

The license generation method isn't really that important, as long as it's non-trivial. The trick is how your client verifies that the license is correct.

Let's say you do something like this:

BOOL verifyLicense (char* licenseKey)
{
    BOOL result = false;

    if(strlen(licenseKey) > 128)
        return false;

    char* url = (char*)malloc(1024);
    sprintf(url, "%s%s", LicenseServerBaseURL, licenseKey);

    char* response = http_get(url);

    if (strcmp(response, "OK") == 0)
        result = true;

    free(result);
    free(url);
}

This is pretty simple - we do some basic checks on the license key, create a URL that contains the license key, then do a HTTP GET to the server to check the license. If it returns "OK" we accept it.

The problem with this is that anyone can disassemble the client:

 ...
 push 06f2011c        ; address of url string
 call http_get        ; http_get(url)
 mov ebx, eax         ; store a copy of the result address
 push 04830040        ; ASCII "OK"
 push eax             ; address of response string
 call msvcrt.strcmp   ; strcmp(response, "OK")
 test eax, eax        ; if( ^ == 0 )
 jnz exit             ; skip if branch if non-zero
 mov eax, 1           ; result = true
exit:
 push ebx
 call msvcrt.free     ; free(result)
 push 06f2011c
 call msvcrt.free     ; free(url)
 ret

All I have to do is alter the jnz exit to a series of nop instructions, so the jump is never taken and the result is always true. That way, any license key is accepted. Even better, I could simply modify the start of the method to immediately set eax to 1 and return, so it never even bothers to ask your server for license validation.

So, how do we solve this problem? Unfortunately for you, we can't. You're running into the DRM problem, which essentially states that if you hand someone some data, they can always change it. No matter how much you obfuscate your code, it's possible for the user to eventually reverse engineer it and work out how to make changes, or extract data. If you encrypt content, you eventually have to have the key on the system in order to decrypt it, so there's always a way for the user to extract that key and decrypt the content permanently.

The best you can do is make it difficult, which involves a lot of time and effort. Eventually your software will be cracked and end up on a torrent site somewhere. It sucks for developers using this kind of business model, but it's the world we live in. My suggestion is that you go down one of two routes:

1. Create a basic licensing system that works, and accept the fact that some people will pirate it. Serve your real customers by spending your development time actually making improvements to the software, rather than implementing and maintaining draconian DRM systems.

2. Alter your entire development and business paradigm, so that your product is a service rather than a software application. SaaS has been very successful, since it's (practically) impossible to pirate services, and the model allows you to make real-time changes to your codebase, and perform analytics on usage.

If you go for option 1, don't involve a server for validation. It adds complexity, provides no added security, brings some privacy concerns, and makes it impossible for your users to use your software if your licensing server is down. Just stick with something simple, e.g. a hash of the username and a secret value on the client side. It's trivial to break, but it gives a minimum barrier to piracy.

Answer 2

If all you are trying to do is generate a license key that is hard to replicate then by using the username as part of the input to the hash you are actually going to make the license key weaker, and therefore easier to guess. The username is non-random and therefore decreases the entropy of the resulting license key, and the username can be guessed by the attacker who could then, making some assumptions about your method, brute-force your key much easier.

If you are adding a random string to the username then there's no good reason to use the username at all, just use all random data. The only reason you'd use the username to generate the license key would be to make it reversible.

Answer 3

Or you could send the user an email with a verification link. once they click the link your server knows that the software is legit. the app periodically 'phones home' to see if its been verified, and becomes feature-limited if it receives a negative response.

This also may protect against excessive multiple activations, as the server would know how many licenses a user has, and how many have been used.. Obviously all communication between the app and server is via ssl.