Asymmetric-key cryptography can be used to build a simple yet reasonably strong method of licensing enforcement. It can't do much if your users are willing and able to whack the executable to remove the checks, but not many manageable systems can. What it can do very well is make sure that a license key is present and produced by a trusted agent. This is how it works:
- An asymmetric key pair is generated. The public half is burned into the distributed application, and the private half is kept secret with the licensing agents.
- When a copy is bought, some identifying information about the legal owner is recorded, hashed, and signed with the private key. The resulting file is the license key, and is sent to the owner.
- When the application starts, it gathers the same identifying information, hashes it, and verifies the signature in the license file against that hash using the embedded public key.
Note that this does require a persistent, unique piece of data to identify an owner, so it works better for server applications (especially ones bound to a domain) than end-user applications.
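The scheme above as a worked example (added here, not code from the original post): one side holds the private key and issues the license, the other has only the public key and checks it at startup. It assumes Ed25519 signatures and a constructed owner record made of a name and a domain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Owner is the identifying information recorded at purchase (constructed sample fields).
type Owner struct {
	Name   string
	Domain string
}

// canonical gives a fixed serialization so that issuer and application hash identical bytes.
func canonical(o Owner) []byte {
	return []byte(strings.Join([]string{"name=" + o.Name, "domain=" + o.Domain}, "\n"))
}

// IssueLicense runs with the licensing agent's private key: hash the owner
// data, sign the hash, and encode the signature as the license key text.
func IssueLicense(priv ed25519.PrivateKey, o Owner) string {
	digest := sha256.Sum256(canonical(o))
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, digest[:]))
}

// CheckLicense runs inside the shipped application with only the embedded
// public key: rebuild the hash from the data gathered at startup and verify
// the signature carried in the license key. Any decode error is a rejection.
func CheckLicense(pub ed25519.PublicKey, o Owner, license string) bool {
	sig, err := base64.StdEncoding.DecodeString(license)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	digest := sha256.Sum256(canonical(o))
	return ed25519.Verify(pub, digest[:], sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // public half is burned into the app
	owner := Owner{Name: "Example Corp", Domain: "app.example.com"}
	key := IssueLicense(priv, owner)
	fmt.Println("license:", key)
	fmt.Println("valid on licensed host:", CheckLicense(pub, owner, key))
	// Changing the identifying data invalidates the key.
	other := Owner{Name: "Example Corp", Domain: "other.example.com"}
	fmt.Println("valid on other host:", CheckLicense(pub, other, key))
}
```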