[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Encryption in software licenses...



On Feb 19, 14:25, "David J. Bianco" wrote:
} Subject: Encryption in software licenses...
} Does anyone have a pointer to any good discussions on how to build programs
} with encrypted license keys?  ftp.csua.berkeley.edu used to have such a file
} (/pub/cypherpunks/cryptanalysis/license.asc.gz), but the archive hasn't
} been accessible for a few days.  Although I remember this to be mostly about 
} how to crack such schemes, it has lots of useful information about how they
} are designed in the first place.

license.asc.gz and some other related stuff is available on
ftp://utopia.hacktic.nl/pub/replay/pub/cracking

This all goes back to the familiar lesson for all of us reading this 
newsgroup, the easy way to break most practical applications of 
cryptography is to find a way to "work around" or "subvert" the 
cryptosystem being used. 

Consider two popular UNIX licence managers

FlexLM - uses weak cryptography by default to produce licence keys, 
although vendors can plug in their own 

Elan (V4.1 and above) - can use DES or a 5-rotor enigma. Both of these
are better cryptosystems than that used by FlexLM.

Now, does anyone here think that Elan is significantly harder to 
crack than FlexLM because it uses better cryptography than FlexLM? I 
hope not. 

The Elan marketing literature makes the use of DES sound like a big 
advantage. But, it doesn't make any difference to the cracker. 

There is actually some good content in the marketing goo at
http://www.globetrotter.com
http://www.elan.com
if you're willing to sift through it.

Writing and debugging a floating network licence manager which is 
reliable and multiplatform is hard. For a real challenge, try and put 
in some sort of redundancy (multiple hosts), and keep everything 
sane. The danger for a software vendor is that they end up with a 
good software product, which has a licence manager that makes it 
unreliable and causes problems for customers. I've seen this happen a 
few times. In this senario, customers often abandon the product and 
stop paying for support and upgrades, which are a significant part of 
the income of a software vendor. If word gets around (and it will), 
that your licence manager is buggy will adversely effect new sales. 

I'm a sysadmin, and every time a licence manager craps out and needs 
to be restarted, users can't use their software until they can get a 
hold of me. For some products (I'm not going to mention names), this 
happens on a more or less weekly basis. Licence manager malfunctions 
are relatively rare with products like FlexLM and Elan. The 
home-grown licence managers tend to be a real problem from a systems
administration point of view. 

Here are my free (and worth every penny you paid) recommendations
to a software vendor considering some sort of software based licence 
management scheme.

1. Trust your customers (best choice!!!) and concentrate your efforts 
on producing good quality software. This way you'll get more 
customers, etc. Crackers will be able to get around any sort of 
licence-management scheme anyway (just check out Usenet newsgroups 
devoted to binary mods to unlock applications and distributing keys 
for applications) 

2. Buy an off-the-shelf licence manager which has a good 
track-record. It will already have the worst bugs worked out. Better 
to spend time working on improving the software you are trying to 
licence. 

3. If you must roll-your-own, avoid trying to write a 
network-floating licence scheme. These are harder to write and have a 
lot more potential to turn an otherwise good product into a worthless 
piece of crap. 

4. If you must roll-your-own network-floating licence manager, be 
prepared to expend a lot of time and effort debugging and testing. Be 
sure to build in some sort of redundancy

I mention FlexLM and Elan because I know a fair bit about them. This isn't
an endorsement, etc.

-- 
Mark Henderson -- [email protected], [email protected], [email protected]
PGP 1024/C58015E3 fingerprint=21 F6 AF 2B 6A 8A 0B E1 A1 2A 2A 06 4A D5 92 46
cryptography archive maintainer - ftp://ftp.wimsey.com/pub/crypto/README.html
ftp://ftp.wimsey.com/pub/crypto/sun-stuff/change-sun-hostid-1.6.3.tar.gz