I need to add a license to my application to limit the time and the devices on which my app can be used.
So I thought to store HDD and/or NIC serial numbers and the expiry date in my license file.
Now how can I protect my license in a way that:

  • My application is able to decrypt it and read and check the expiry date and serials
  • The user shouldn't be able to create a license file for himself.

Can I use public/private key encryption to achieve this?

If I can use public/private key encryption, can the user who has the private key (for decryption) use that private key for encryption (making a license manually with the private key, which can then be decrypted using that private key), or can only the public key encrypt in a way that the private key decrypts it?

Is there a better solution?

Ariyan
  • Sounds OK, but what stops a knowledgeable user from editing the application binary and changing the license check code into a bunch of `NOP`s? – Marc B Jan 06 '14 at 19:17
  • @MarcB: I'm using some obscuration & packing techniques on my application, but of course nothing provides 100% security; I just want to protect my licenses from a user changing the expiration date or device IDs – Ariyan Jan 06 '14 at 19:32
  • PK encryption would do, but you're getting the terms reversed. You'd use YOUR private key to encrypt the license file. The users would all have the same PUBLIC key which they use to decrypt the file. If they use any other key, they get garbage instead of a license. Of course, you could always set up a P-K pair for every user, but that's a lot of work. – Marc B Jan 06 '14 at 19:37
  • No no no, you would use the private key to *sign* the license file. Signing and encryption are two different concepts. Of course if the user can access or alter the runtime code then nothing hinders him from skipping the licensing altogether, adjusting the clock etc. In the end this is trying to make DRM work - and that is not possible without having full control over the runtime. As for the time, it may be better to use a licensing server. Note that even that is not foolproof, and you would require a network connection during runtime. – Maarten Bodewes Jan 07 '14 at 01:10

1 Answer

Usually a license contains this kind of information (count, dates, etc.) in human-readable format so your customer can verify it. You then add a signature using your private key so licenses cannot be forged / changed.

Your app can now use the public key (that is built into it) to verify the license; even if someone can read that key, they cannot produce valid licenses. [until they replace the public key in your app with their own]

Stephan B
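
The sign-then-verify scheme described in this answer, as an added example that is not code from the original post. It uses Ed25519 from Go's standard library; the license fields, the serial value and the function names `Sign` and `Check` are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// License is the human-readable payload (field names assumed for this example).
type License struct {
	HDDSerial string    `json:"hdd_serial"`
	Expires   time.Time `json:"expires"`
}

// Sign runs on the vendor side only; the private key never ships with the app.
func Sign(priv ed25519.PrivateKey, lic License) (payload, sig []byte, err error) {
	if payload, err = json.Marshal(lic); err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(priv, payload), nil
}

// Check runs in the app: verify with the embedded public key, then trust fields.
func Check(pub ed25519.PublicKey, payload, sig []byte, hddSerial string, now time.Time) error {
	if !ed25519.Verify(pub, payload, sig) {
		return errors.New("bad signature")
	}
	var lic License
	if err := json.Unmarshal(payload, &lic); err != nil {
		return err
	}
	if lic.HDDSerial != hddSerial {
		return errors.New("wrong device")
	}
	if now.After(lic.Expires) {
		return errors.New("expired")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	lic := License{HDDSerial: "WD-CONSTRUCTED-0001", Expires: time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC)}
	payload, sig, _ := Sign(priv, lic) // constructed sample license
	fmt.Println(Check(pub, payload, sig, lic.HDDSerial, time.Now()))
	payload[len(payload)-5] ^= 1 // a user edits one byte of the signed text
	fmt.Println(Check(pub, payload, sig, lic.HDDSerial, time.Now()))
}
```

The payload stays readable by the customer, and only the holder of the private key can produce a signature that `Check` accepts; the check is still only as trustworthy as the public key and binary it runs from, which is the caveat in the answer's bracketed remark.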