Simple licensing for my software

#18728
Posted: 01/15/2012 17:55:25
by Leonardo Herrera (Standard support level)
Joined: 02/14/2011
Posts: 66

Hello,

I want to implement some simple licensing for my software to deter casual hacking, and thought of using the components of this suite.

I'm thinking of two things:

  • Since I obtain the identity data from my customer when they sign a contract, I can use it to generate a license file. This license file contains the customer details (company name and tax id, which cannot be changed) so the application reads them from this file.
  • Use Authenticode for the executable.


Since Tax Ids here in my country are basically public information, I think I can get away with this schema. My questions:

1) For encrypting the customer information I'm thinking of using a public key contained in the executable, and I will generate license files on my side and send them via email or other means (I may implement an automated method in the future.) I'm not concerned with a hacker removing or changing the key, because I know I cannot avoid that. As I said, I want to prevent casual hacking. Is this schema reasonable? What EldoS objects should I use? (PKI?)

2) For Authenticode, can I use it to make the application self-verify? Should I be able to include some of my company details in the executable to verify that the certificate used to sign the application seems valid? Can I verify a running application?

I'm just getting into this part, so any hints will be most welcome.
#18730
Posted: 01/16/2012 02:05:41
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

Quote
1) For encrypting the customer information I'm thinking of using a public key contained in the executable, and I will generate license files on my side and send them via email or other means (I may implement an automated method in the future.) I'm not concerned with a hacker removing or changing the key, because I know I cannot avoid that. As I said, I want to prevent casual hacking. Is this schema reasonable? What EldoS objects should I use? (PKI?)


For such a scheme you should use your private key to sign the identity data and a public key stored in the executable to verify this signature. If the signature is valid then the license key is also valid. You can use TElPublicKeyCrypto and its descendants to implement public key encryption algorithms.

Quote
2) For Authenticode, can I use it to make the application self-verify? Should I be able to include some of my company details in the executable to verify that the certificate used to sign the application seems valid? Can I verify a running application?

Yes, you can use Authenticode to "self-verify" an application and you can include your company details in the signature. You can also avoid the use of Authenticode and just implement public key integrity checks in a few places of your code.
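
The sign-then-verify scheme from the reply above, as an added example that is not part of the thread and is not EldoS code: it uses Ed25519 from Go's standard library in place of TElPublicKeyCrypto. The "payload.signature" file layout, the field names and the sample customer are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// License holds the identity data named in the thread (company name and tax id).
type License struct {
	Company string `json:"company"`
	TaxID   string `json:"tax_id"`
}

var b64 = base64.RawURLEncoding

// IssueLicense runs on the vendor side only: it signs the serialized identity
// data with the private key and returns "payload.signature" as the license file.
func IssueLicense(priv ed25519.PrivateKey, lic License) string {
	payload, _ := json.Marshal(lic) // cannot fail for this plain struct
	return b64.EncodeToString(payload) + "." + b64.EncodeToString(ed25519.Sign(priv, payload))
}

// VerifyLicense runs inside the application with the embedded public key. It
// checks the signature over the exact payload bytes before parsing them.
func VerifyLicense(pub ed25519.PublicKey, file string) (License, error) {
	var lic License
	parts := strings.Split(strings.TrimSpace(file), ".")
	if len(parts) != 2 {
		return lic, errors.New("malformed license file")
	}
	payload, err1 := b64.DecodeString(parts[0])
	sig, err2 := b64.DecodeString(parts[1])
	if err1 != nil || err2 != nil || !ed25519.Verify(pub, payload, sig) {
		return lic, errors.New("invalid license signature")
	}
	err := json.Unmarshal(payload, &lic)
	return lic, err
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key pair
	file := IssueLicense(priv, License{Company: "Example Ltda.", TaxID: "00.000.000-0"}) // constructed customer
	fmt.Println(VerifyLicense(pub, file))
}
```

Only the public key is compiled into the application; the private key stays with the vendor, so editing the company name or tax id in a license file invalidates the signature.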
