Tuesday, May 23, 2017

Software Licensing

The purpose of a software licence is to allow a person to use a feature for a period of time.

In this discussion, I'm assuming the software is a desktop application in an offline lab, so there is no ability to coordinate with a central system.

An attacker can decompile the software to discover its secrets and change its behaviour. From this they can produce a version that opens all features to everyone forever. However, this process is expensive and has to be repeated on each new release of the software. We accept this loss but ensure that the software contains no secret that would allow the attacker easy access to future versions of the software.

In asymmetric cryptography the private key that is used to establish a fact is physically separate from the public key that is used to verify that fact. Simple access to asymmetric crypto algorithms is available on all operating systems, so there is no need to pay for third-party licensing schemes. All you need to do is write a license generator that uses a private key to sign blobs, and embed the matching public key in your software to verify those blobs.

Having done this, two challenges remain:
1. Keep the private key safe. Since it never leaves your office this is a matter of physical security and trust in your personnel. Anyone who copies your private key can issue unlimited licenses forever.
2. Decide what to put in the blob. This must identify the person, the feature, and the period of time.

Defining the feature is easy because it is internal to your application.

Defining the time is essentially hopeless because the attacker controls the clock. You can pay attention to past clock values, but with the ubiquity of VMs, it is very easy for the attacker to defeat any such scheme. Without a secure hardware dongle that provides a trusted time, your license duration is essentially unenforceable.

Defining the person boils down to machine binding, i.e. which device should be allowed to run these features?

The best solution here is a simple device that is able to perform asymmetric crypto. It should support a simple API where the caller provides a random number and the device replies with a signature over that number plus the current time. Then the "person" identified by the license would be the public key of the device. Your software could then be sure that your office permitted certain features to that dongle. I believe the current cost of such a dongle is approximately $60 USD.
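The signed blob and the dongle challenge described above fit together as follows. This is an added example, not code from the original post: it uses Node's built-in `crypto` module with Ed25519, the function names and blob layout are assumptions, and the dongle is simulated in software.

```javascript
const { generateKeyPairSync, createPublicKey, randomBytes, sign, verify } = require('crypto');

// Office only: sign the blob (device, feature, period) with the vendor private key.
function issueLicense(vendorPrivateKey, devicePublicKey, feature, expires) {
  const device = devicePublicKey.export({ type: 'spki', format: 'der' }).toString('base64');
  const blob = Buffer.from(JSON.stringify({ device, feature, expires }));
  return { blob, sig: sign(null, blob, vendorPrivateKey) }; // null digest: Ed25519 hashes internally
}

// Bytes the dongle signs: the caller's nonce followed by the dongle clock (Unix seconds).
function challenge(nonce, time) {
  const clock = Buffer.alloc(8);
  clock.writeBigUInt64BE(BigInt(time));
  return Buffer.concat([nonce, clock]);
}

// Software stand-in for the dongle; a real device keeps privateKey in hardware.
function makeDongle(now) {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  const ask = (nonce) => ({ time: now, sig: sign(null, challenge(nonce, now), privateKey) });
  return { publicKey, ask };
}

// Shipped application: holds only the vendor public key, no secret.
function checkLicense(vendorPublicKey, license, feature, dongle) {
  // Nothing in the blob is trusted until the vendor signature verifies.
  if (!verify(null, license.blob, vendorPublicKey, license.sig)) return false;
  const lic = JSON.parse(license.blob.toString('utf8'));
  const deviceKey = createPublicKey({ key: Buffer.from(lic.device, 'base64'), format: 'der', type: 'spki' });
  const nonce = randomBytes(16); // fresh per check, so a recorded reply cannot be replayed
  const reply = dongle.ask(nonce);
  return lic.feature === feature && reply.time < lic.expires &&
    verify(null, challenge(nonce, reply.time), deviceKey, reply.sig);
}

// Constructed demo: license "export" to one dongle until t=2000 (dongle clock reads 1000).
const vendor = generateKeyPairSync('ed25519');
const dongle = makeDongle(1000);
const license = issueLicense(vendor.privateKey, dongle.publicKey, 'export', 2000);
console.log(checkLicense(vendor.publicKey, license, 'export', dongle)); // true
```

The expiry is compared against the time the dongle signs, never the PC clock, and a device with a different key fails the check even if it answers the same API.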

Any other scheme is fraught with errors. Any hardware you attempt to identify on the PC is either likely to change (hard drive) or easily forged or both.

Additionally, your customer is now bound to that PC. They can't change their mind and install it on a better one. Also you can't pre-sell units of software to re-sellers to be stocked on a shelf because you need to know the target PC in advance.

What concessions can be made? Without a secure dongle shipped from your office, you can provide passable machine binding via identifiers such as MAC address. However, this requires customers or vendors to send you machine info from which to generate the license, which introduces delay to software delivery.

Although the lab in which the software will be used is presumed to be offline, the customer or vendor could have internet access elsewhere. Instead of delivering the info to your staff, the customer or vendor could deliver it to an automated central system which has a pre-authorization for a customer identifier to be delivered along with the machine binding info.

What about writing your own secure dongle? Ideally it would have program memory that is write-once, read-never (without difficult physical tampering). Also it would be USB capable and have sufficient processor capacity to run an open source crypto library. Even better would be a battery and internal clock.

If we're currently binding to just MAC or HD or BIOS, isn't any dongle an improvement? Maybe so, but I imagine it is relatively easy to write a virtual USB device. So if your only machine binding is an insecure USB device then there is incentive to write an emulator. Once created, all your software is free forever.
