Trial version
-
Am I reading this right? A virtual machine just to manage application rights? How does it affect the program? I mean, it seems like it'd be effective, but not necessarily efficient.
Reminiscent of my younger years...
10 LOAD "SCISSORS" 20 RUN
-
They would have to resubmit the license request file (basically, the unsigned XML file) and have it re-signed and reissued. This is, however, similar to current public key cryptography. If you change your key, you must redistribute it and your old public key won't work anymore with the new private key. The computer's SID 1) isn't supposed to change unless you change domains, and 2) uniquely identifies the computer, just like your private key identifies you. Speaking of domains, if you change the domain name in Active Directory, the server certificates and everything the CA has signed are invalid. In public key cryptography, uniqueness is required somewhere so that you can verify signatures (basically, the encrypted hash).

I guess one could say that no content / application protection scheme is 100% effective and versatile. This one just uses standard cryptography practices that have been proven time and time again. It still isn't the best because of problems like you pointed out, but it'll work in most cases - a large most. Besides, think of it like Microsoft activation thingy. If you change something major, you have to reactivate and probably will end up calling Microsoft. Your customers could have the same option where they explain the situation, so you can verify their credentials (perhaps a business ID or passphrase) and re-sign the file however you see fit.
-
The virtual machine thing is mostly fluff. What they basically do is embed a piece of code within your .exe. I believe someone posted a related article on CP about doing such things. Then, anytime you start the .exe it checks a license key somehow and, depending on the result, starts an internet-driven activation process. This process is meant to let/force users to buy the software.
-
What about using the MAC address of the computer instead of the SID? -Nick Parker
-
That's a possibility, but if memory serves me correctly, that can be changed, too. Besides, isn't this on the NIC and not the computer as a whole? Swapping out the NIC - which happens much, much more often than changing the computer's SID - would render the license invalid.
-
Heath Stewart wrote: "Besides, isn't this on the NIC and not the computer as a whole? Swapping out the NIC - which happens much, much more often than changing the computer's SID - would render the license invalid."
Good point, good conversation though. :-O -Nick Parker
-
One thing I did with our software was to use an XML file with the computer's SID (unique to every computer) along with a timestamp and then sign the XML with our private key (kept secure, of course). The application can verify the XML signature (uses standard WS-Signatures from the Microsoft.Web.Security assembly since the ones in the .NET class library don't work in some cases) and compare the SID stored in the file with that of the computer's. If the signature is invalid, the user changed it and the app doesn't run. If the SIDs are different the computers are different and the app doesn't run. The timestamp tells you when it was installed and you can diff from the time from this. If the user modifies it, the app doesn't run.

You could further extend this by making that file the actual license so that you don't have multiple builds of your application. When the user purchases the license, they send you a raw XML file (timestamp and computer SID) that you add a value to which signifies that they bought it, then sign the XML and email it back to them (or use some sort of online system, which wouldn't be hard to develop). Either way, if the file is modified, it is invalid.

Now, here's the trick. It's better to use an enveloped signature (the signature is part of the XML document) because it keeps your schema valid. You also shouldn't include the public key in the signature because if your app uses the public key provided, then someone else could change the values and re-sign the XML document with their information. If your app trusts the public key included, the user just pirated your software! So, make sure your app uses its own public key stored in its code (or uses the one that is part of its manifest if you sign the XML document and your assembly with the same key pair) and you're good to go!
Is it worth posting an article to cover this topic (which you seem to know a lot about)? Myself and seemingly many other CPians would be interested to read the full story. Derek Lakin. Try the Code Store for instant integrated access to an online repository of .NET components. I wish I was what I thought I was when I wished I was what I am. Salamander Software Ltd.
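The signed-license check described in the post above (enveloped signature, verified against a public key the application carries itself, then a SID comparison), as an added example that is not the poster's code and not part of the original thread. Assumptions: the element names `license`, `sid` and `issued`, the constructed SID values, the machine SID being passed in as a parameter, and the use of `System.Security.Cryptography.Xml` (a separate NuGet package on .NET Core and later) instead of the WS-Signatures assembly the post mentions.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

static class LicenseDemo
{
    // Vendor side: add an enveloped signature over the whole license document.
    public static XmlDocument Sign(string xml, RSA vendorPrivateKey)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(xml);
        var signed = new SignedXml(doc) { SigningKey = vendorPrivateKey };
        var reference = new Reference("");   // empty URI = the entire document
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signed.AddReference(reference);
        signed.ComputeSignature();           // no KeyInfo (public key) is embedded
        doc.DocumentElement.AppendChild(doc.ImportNode(signed.GetXml(), true));
        return doc;
    }

    // Application side: accept only a signature made by the vendor key.
    public static bool IsValid(XmlDocument doc, RSA pinnedPublicKey, string machineSid)
    {
        var sigs = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (sigs.Count != 1) return false;   // missing or ambiguous signature
        var signed = new SignedXml(doc);
        signed.LoadXml((XmlElement)sigs[0]);
        // The parameterless CheckSignature() would use a key found in KeyInfo,
        // i.e. whatever key the file's author chose to embed. Pass our own key.
        if (!signed.CheckSignature(pinnedPublicKey)) return false;
        var sid = doc.SelectSingleNode("/license/sid")?.InnerText;
        return string.Equals(sid, machineSid, StringComparison.OrdinalIgnoreCase);
    }

    static void Main()
    {
        using var vendor = RSA.Create(2048); // stands in for the vendor's key pair
        using var pinned = RSA.Create();     // stands in for the key compiled into the app
        pinned.ImportParameters(vendor.ExportParameters(false));
        const string sid = "S-1-5-21-1111111111-2222222222-3333333333"; // constructed
        var lic = Sign("<license><sid>" + sid + "</sid><issued>2024-01-01T00:00:00Z</issued></license>", vendor);
        Console.WriteLine(IsValid(lic, pinned, sid));              // licensed machine
        Console.WriteLine(IsValid(lic, pinned, "S-1-5-21-0-0-0")); // different machine
        lic.SelectSingleNode("/license/sid").InnerText = "S-1-5-21-0-0-0";
        Console.WriteLine(IsValid(lic, pinned, "S-1-5-21-0-0-0")); // file edited after signing
    }
}
```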
-
Yeah, I could probably do that. It shouldn't take too much time and I've already got the code ready. In case I don't remember to post when I finish here, just keep an eye out for it. Probably'll be about a week since I'm pretty swamped at work.
-
Great! I'll keep an eye out for it :) Derek Lakin.
-
Hi, I was wondering if you ever got to write the article about this? I am very interested and it sounds exactly like what I want. Even some sample code would be great. --Adam Turner
-
No, not yet unfortunately. I just finished moving (though not unpacking) and have a deadline at work coming up soon. I do plan on writing bits of the article within the next couple of weeks, though, so stay tuned.
-----BEGIN GEEK CODE BLOCK----- Version: 3.21 GCS/G/MU d- s: a- C++++ UL@ P++(+++) L+(--) E--- W+++ N++ o+ K? w++++ O- M(+) V? PS-- PE Y++ PGP++ t++@ 5 X+++ R+@ tv+ b(-)>b++ DI++++ D+ G e++>+++ h---* r+++ y+++ -----END GEEK CODE BLOCK-----
-
I finally found some time to write the article: http://www.codeproject.com/dotnet/xmldsiglic.asp I hope this helps.