Click here to Skip to main content
Rate this: bad
good
Please Sign up or sign in to vote.
Hi there,
 
I have an issue regarding developing a secure way of doing licensing for a software application. This application would allow the user the possibility to use some how of "offline licenses" for consuming, stored in an encrypted file.
The problem is that the main vulnerability is when the user decides to hack the licensing system, by cloning at first the entire usb flash contents (cloning byte by byte) and after consuming all of it's x licenses, he would restore the clone to the same usb stick and re-consume the same licenses.
 
So, the question to you would be:
Is there a way to somehow know if a usb flash has been cloned ? Maybe with some sort of specific generic usb flash hardware feature including some counters or something like that?
Or do you have another idea on doing the "offline licenses" mechanism safe (without requiring internet connection and server sync) ?

 
Thank you !
Posted 9-May-13 5:59am
Comments
Ron Beyer at 9-May-13 13:55pm
   
Why not just use a dongle that is designed specifically to do this? These are the ones that I use: http://esecutech.com/ and are relatively cheap and work well. As far as I know, there isn't a fool-proof way to detect if a drive has been cloned. Some WMI queries can give you the drive serial number (not the same as disk serial number) but from my experimentation not all disks will return this information, especially removable ones.

1 solution

Rate this: bad
good
Please Sign up or sign in to vote.

Solution 1

Don't use a flash drive for delivering licenses. Open source tools and proprietary apps like Ghost will eat you alive. It is too easy to image a thumb drive and post the image to BitTorrent or, God forbid, put it into a thumb drive duplicator and create 50 copies at once.
 
Either look for an on-line solution that supports operating in an off-line mode after the initial validation (never using a dongle) or get USB license key dongles... which are NOT thumb drives. They are devices with a processor and encryption that will usually require some sort of library to be added into your application. You make a simple call within your code to the library and it handles the rest. A lot of times these will be used in a two-part license scheme where you deliver the USB dongle to the customer and the first time they run the app with the key present, a thumbprint of the system is made and that license is activated on that system. The thumbprint ties the license to the hardware. The customer can't move the license from machine to machine (unless you choose to let them) and since these are secure license hardware keys, they can't be cloned.
 
If you are trying to develop a solution on your own, you should seriously consider abandoning that idea and just buy something off the shelf. Since you are asking this question I'll assume you aren't versed in license key management so you are likely to make a serious mistake in trying to roll your own implementation. Same reason people don't write their own encryption... you will fail miserably.
 
If you value your app enough to protect it with a hardware key, then spend the money on a real licensing system.
  Permalink  

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
0 George Jonsson 215
1 Kornfeld Eliyahu Peter 169
2 OriginalGriff 120
3 PIEBALDconsult 110
4 BillWoodruff 85
0 OriginalGriff 6,165
1 DamithSL 4,658
2 Maciej Los 4,087
3 Kornfeld Eliyahu Peter 3,649
4 Sergey Alexandrovich Kryukov 3,294


Advertise | Privacy | Mobile
Web01 | 2.8.141220.1 | Last Updated 9 May 2013
Copyright © CodeProject, 1999-2014
All Rights Reserved. Terms of Service
Layout: fixed | fluid

CodeProject, 503-250 Ferrand Drive Toronto Ontario, M3C 3G8 Canada +1 416-849-8900 x 100