Software License Key - Protect Digital Products?

[minik]

Hey guys. Haven't been here for a while. Anyway, I'm creating a commercial PHP software and I don't know how I'd go about protecting it using license keys.For example,User purchases yearly/monthly lease of my product -> A license key is generated -> When they install, they are asked for license key -> Check with my server whether it is valid and whether it is installed on another site -> Proceed with installation -> When license expires, show message on user's site.Does anybody know how I would go about doing this?Thankyou,Ryan

[The Sea King]

Maybe use SQL database to store the data?

[boen_robot]

Unfortunatly, PHP doesn't work this way, and it won't. Publish such an application, and I'll crack it on the same day you release it. It's a matter of finding the code that connects to your server, and telling it to always assume the key is there and is OK. This can be done easily by just emulating a response from your server. And that can be done in numerous ways.What you need to do is buy Zend Guard and require from your customers to install Zend Optimizer on their servers. There's no other good way to protect your application.

[justsomeguy]

You can still include licensing code, just encrypting the source code isn't going to protect against people moving it all over the place. When someone buys your application they will need to tell you what domain they are using it on. You store the domain and give them a license key. When the application contacts your server and sends it the license key then you need to do a reverse DNS lookup on the IP address and make sure that it matches the domain, or do an IP lookup on the domain and make sure it matches the IP from the server making the request. You will also need to encrypt your source code so that they can't stop the code from doing that. But, again, it will be easy enough to get around this. You can tighten it up and make it so that they use your server's IP address instead of hostname to contact it, that would make it a little more difficult to get around, but then if your server moves all of your existing applications break.

[boen_robot]

Sure. Both server authentication and source obfuscation should both be in place.As for authenticating by IP, you can buy your own IP with an "IP transit" service, and keep this IP of yours regardless of your ISP. ISPs can hook up this IP and give you traffic on it. At least so I've heard from (reliable?) sources. I've never really seen it in action though.If you use a domain name, a cracking would be somehow possible. I think I can make an executable program that will crack it with some effort and reserve engineering... for a day or two, maybe week, depending on the complexity involved in your authentication process.At least on this level, before I can try to crack your system, I'll have to actually buy a licensed copy, as I'd need to know how an "OK" response looks like, and I can't do that without seeing the source or spying the HTTP traffic on a successful response. The latter can be achieved only by buying a license.(Note: I'm not a real cracker by nature, but if give it to me as a challenge, and I'll see what can be done. Others do it for money. I do it for the thrill.)

[justsomeguy]

That's pretty trivial, other then knowing what response the server needs to send back, all you need to do is modify the hosts file to point that DNS entry to your local machine and then have a page that just sits there and sends the correct response back.

[boen_robot]

That's pretty trivial, other then knowing what response the server needs to send back, all you need to do is modify the hosts file to point that DNS entry to your local machine and then have a page that just sits there and sends the correct response back.

That's exactly the kind of executable I was thinking about . A loopback to the originating web server, possibly creating a virtual host on another port, and adjust the system to nat HTTP requests on that other port. The received virtual host would return the "OK" message under all cirtumstances.

[justsomeguy]

You don't even need to go that far. Windows uses a hosts file for DNS lookups. You can just make an entry there to route whatever the domain they are checking to 127.0.0.1 and then make sure you have a page with the same path structure set up to send out the correct response. It can even be a static page.

[jeffman]

boen_robot, justsomeguy: you should know that I have forwarded this entire thread to Homeland Security. The next time you hear a knock on the door . . .

[Synook]

Isn't HS national? I doubt they will be going to Bulgaria...

[boen_robot]

boen_robot, justsomeguy: you should know that I have forwarded this entire thread to Homeland Security. The next time you hear a knock on the door . . .

Isn't HS national? I doubt they will be going to Bulgaria...

I know you're both just joking, but seriously - the guy is looking for an advise to protect himself against crackers. What better way of showing "how to" than to ask yourself "How would I crack it?" and "How it should be made so that even I can't crack it?"? And BTW, I don't think we have an agency like HS. We instead have НСБОП or NOFOC (National Office for Fighing the Organized Criminality), but they only protect the Bulgarian desktop software developers. All foreigners are expected to look for their rights at their own country's agencies, and I don't know about any existing laws regarding web work.

That's pretty trivial, other then knowing what response the server needs to send back, all you need to do is modify the hosts file to point that DNS entry to your local machine and then have a page that just sits there and sends the correct response back.

Yes, but if he uses an IP instead of a DNS entry, I think there was another file that needs to be tweaked. Still, that only makes it "slightly" more complicated. And yeah, I was thinking about a static page too. There's no point in dynamics if you're going to send "OK" in all cases.

[justsomeguy]

Yes, but if he uses an IP instead of a DNS entry, I think there was another file that needs to be tweaked.

Yeah that's why I was saying an IP would be more secure (at the risk of breaking everything). I'm sure there's some routing table or something you can modify that would route an IP to a specific machine, but I haven't done anything like that. I can think of the hosts file off the top of my head though (and if that's a security crime then we're all in trouble; might as well be 1984 already anyway though).

[Skemcin]

Encrypting and protecting an application is possible, but if I told you would be able to crack it - so I'd rather not mention it here in an open discussion. I'm not sure about ASP and PHP, but ColdFusion can work with a couple of different tools that would allow you to compile an application (in part or entirely) that could conduct a secure licensing check through the internet that isn't vulnerable to the cracks mentioned in this thread.