RE: Licensing applications with custom assemblies
From: Shawn Farkas (shawnfa_at_online.microsoft.com)
Date: 04/29/04
- In reply to: Tim Wragg: "Licensing applications with custom assemblies"
Date: Thu, 29 Apr 2004 01:20:23 GMT
I think I saw some code on CodeProject that implemented this. One solution would be to use public key cryptography to implement this. You
could create a license file that contains a machine name, expiration date, and any other identifying information you want. Then use an RSA private
key to sign this data.
This file could then be distributed to clients. Embed the public key into your application. Before starting up, verify the signature on the license file
using this public key. If the signature validates, you know that you have a valid license file.
Of course, your application is on the user's machine; if they want to circumvent your system they will. IL is easier to disassemble than standard
machine code, using programs such as ILDasm or Reflector (which can actually decompile into C# as well). An obfuscator will help with this
problem.
In a debugger I could follow the logic of your program as it steps through the signature verification steps. If you haven't signed the application, I
could modify the IL to make the "jump if this is valid" statement into a "jump if invalid". If you have signed your application, I could in theory replace
the CLR with a custom CLR that doesn't do strong name checking.
Without even modifying the IL, I can watch where the "jump if valid" instruction points to, and find the real entry point to your application. Then I
could use reflection to load up your assemblies and start at that point.
Think of a physical analogy. If you have something that you don't want me to have, but I need to hold onto it, all you can do is slow me down.
1. If you just hand it to me (no protection on your app), I can just take it.
2. If you put a combination lock on it, I can use bolt cutters.
3. If you put it in a safe, I can get a blowtorch, and break in.
and on and on .... basically, if you're giving a user a copy of something to put on their hard drive, all you can do is raise the bar. If the user is
determined enough, they'll be able to bypass your system. What you need to do is figure out how high to raise the bar, and implement some
system that will do this for you.
-Shawn
http://blogs.msdn.com/shawnfa
-- This posting is provided "AS IS" with no warranties, and confers no rights.
Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated.
--------------------
>From: timmywragg@hotmail.com (Tim Wragg)
>Newsgroups: microsoft.public.dotnet.security
>Subject: Licensing applications with custom assemblies
>Date: 27 Apr 2004 20:09:16 -0700
>Organization: http://groups.google.com
>Lines: 20
>Message-ID: <923d1359.0404271909.58b3e459@posting.google.com>
>NNTP-Posting-Host: 202.44.174.233
>Content-Type: text/plain; charset=ISO-8859-1
>Content-Transfer-Encoding: 8bit
>X-Trace: posting.google.com 1083121756 9771 127.0.0.1 (28 Apr 2004 03:09:16 GMT)
>X-Complaints-To: groups-abuse@google.com
>NNTP-Posting-Date: Wed, 28 Apr 2004 03:09:16 +0000 (UTC)
>Path: cpmsftngxa10.phx.gbl!TK2MSFTFEED01.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.sul.t-online.de!t-online.de!news.glorb.com!postnews1.google.com!not-for-mail
>Xref: cpmsftngxa10.phx.gbl microsoft.public.dotnet.security:5873
>X-Tomcat-NG: microsoft.public.dotnet.security
>
>Hi All,
>
>I've been looking around the net for a good .net example of how to
>lock applications through custom assemblies.
>
>Basically I'm trying to come up with a registration class that
>requires activation to make whatever .net class that's calling it to
>run.
>
>Something that generates a key on the install date, machine name that
>kind of basic lock down. It doesn't have to be too complex but still
>act as a deterrent.
>This would be a good generic solution for any .net program security
>needs.
>
>Any examples, books or tutorials would be greatly appreciated as it's
>been difficult to find anything in the .net space.
>
>Thank you,
>Tim Wragg
>
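The signed license file scheme described in the reply above, as an added example that is not part of the original thread and not the CodeProject code it mentions. The `machine|expiry` payload format, the `LicenseDemo` class and the sample values are assumptions made for illustration, and it uses the current .NET `RSA` API rather than what shipped in 2004.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

static class LicenseDemo
{
    // Hypothetical license format: "machine|yyyy-MM-dd" as UTF-8, signed with RSA/SHA-256.
    static byte[] Sign(RSA privateKey, string payload) =>
        privateKey.SignData(Encoding.UTF8.GetBytes(payload),
                            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

    // Client side: verify the signature BEFORE trusting any field in the payload.
    static string Check(RSAParameters publicKey, string payload, byte[] sig,
                        string machine, DateTime todayUtc)
    {
        using (RSA rsa = RSA.Create())
        {
            rsa.ImportParameters(publicKey);
            if (!rsa.VerifyData(Encoding.UTF8.GetBytes(payload), sig,
                                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
                return "bad signature";
        }
        string[] f = payload.Split('|');
        if (f.Length != 2) return "malformed";
        if (!DateTime.TryParseExact(f[1], "yyyy-MM-dd", CultureInfo.InvariantCulture,
                DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal,
                out DateTime expiry))
            return "malformed";
        if (!string.Equals(f[0], machine, StringComparison.OrdinalIgnoreCase))
            return "wrong machine";
        return todayUtc.Date > expiry ? "expired" : "valid";
    }

    static void Main()
    {
        using (RSA vendorKey = RSA.Create(2048))  // constructed key pair; private half stays with the vendor
        {
            RSAParameters pub = vendorKey.ExportParameters(false);  // public half, embedded in the app
            string payload = "WORKSTATION-01|2030-12-31";           // constructed sample license
            byte[] sig = Sign(vendorKey, payload);
            DateTime today = new DateTime(2025, 1, 15, 0, 0, 0, DateTimeKind.Utc);
            DateTime later = new DateTime(2031, 1, 1, 0, 0, 0, DateTimeKind.Utc);

            Console.WriteLine(Check(pub, payload, sig, "WORKSTATION-01", today));   // untouched license
            Console.WriteLine(Check(pub, "WORKSTATION-01|2099-12-31", sig, "WORKSTATION-01", today)); // edited expiry
            Console.WriteLine(Check(pub, payload, sig, "OTHER-PC", today));         // copied to another machine
            Console.WriteLine(Check(pub, payload, sig, "WORKSTATION-01", later));   // past expiry
        }
    }
}
```

The signature only stops the license file from being edited or forged; as the reply notes, the check itself still runs on the user's machine and can be patched out or bypassed.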