mv Routine or methods for license key validation, activating features and timed activations

157 views
Skip to first unread message

David Knight

unread,
Aug 28, 2015, 2:58:37 AM8/28/15
to Pick and MultiValue Databases
Hi,
We all have seen these things in software we use. The need for a "product Key' or somesuch which when valid will do a number of things...

Perhaps
  1. Activate a series of additional features in your software
  2. Ensure the software 'belongs' to a specific site; and finally
  3. Provides a timed activation. That is, after a certain period; it needs a new key to continue operating.
My question is: if one wants to implement such a method in deliverable mv software; how is that best done? I know little/nothing about cryptography/hashing algorithms etc

My goal is to [perhaps] have a core application which includes all the functions/extra features etc; so as to make distribution/new releases easy; but:

A given site may get:

  1. Core functionality 'free'
  2. Optional features can be turned on or off by altering their license key which would need to be requested; AND
  3. Those features are also time-dependant; ie: require a renewal of some kind of license fee on a monthly/annual/whatever basis
Ideally, I'd like this system to not have to 'ping' a web service to work, although that is not out of the question.

What is experience of developing this? What ideas have people used? Is this done entirely in mv? Are there generic routines available to do this, or at least point in the right direction?

Thank you, folks.

David

Simon Verona

unread,
Aug 28, 2015, 3:20:16 AM8/28/15
to Pick and MultiValue Databases
This can be as simple or as complex as you need...

You can simply encode the information you need in a single long key - we do this by converting the internal date to alpha chars by adding 64 to each digit - eg 12345 becomes ABCDE.  We encode no of users licenced in the same way - eg 5 licences becomes AAD (A being a zero, D being 5).   We encode product feature licencing as a long binary key with each bit being a feature - I then convert the final no to decimal and then to alpha in the same way.  finally I jumble the code up and add a CRC checksum to the end (add up the ascii value of all the individual chars and take the MOD when divided by 26, add 65 to convert to an ascii char)....     It's not perfect, but will beat most attempts to break.

Another way commonly used is to use a plain text file with your key in readable format   eg :

Customer : Fred bloggs
Licenced Users : 5
Features: Feat1 Feat3 Feat4
Checksum: 876556

The key to this is to have the method of calculating the checksum secret - one simpy example is to have a long (1000+ char) random string hardcoded in the software and then multiple the value of each character in the key by the value of each corresponding char in your secret string and adding it all together.  then take the last 7 digits as your checksum.  Again, it's breakable but you need to see a number of the licence codes to be able to break it!

there are many different ways of doing it.   another way is to store licences on a server somewhere using a guid as the id key.  Issue the GUID to the customer and then have the software download the key - this can be done from within databasic using CURL - curl is a windows/*nix freeware command line utility that allows http calls to be made from the command line and the results returned.  With this installed, you can simply do an osexecute (or the equivalent) capture the licence details and install accordingly....

Hope this gives you some ideas.

Regards
Simon  

Tony Gravagno

unread,
Aug 28, 2015, 10:17:20 AM8/28/15
to Pick and MultiValue Databases
(Friday morning, fresh with coffee and a need to exercise my fingers...)

My process is similar to what Simon describes but goes further.
- I get a unique ID from the OS. Since the method for this varies the code looks for key markers in the OS.
- Then I get the DBMS unique ID, the method for this is of course unique to each platform.
The result of the two above guarantees me that I can identify a unique system.
- From there I encode that data along with the ID for the software and version ID into a long string.
- The user is asked to email the string.
- My parser logs the OS, DBMS, product, and version, along with a manually entered company name. This allows for tracking upgrades, reinstalls, and license movement.
- A key is generated with the exact same details plus a termination date. I use a far-future termination for permanent keys.
- The key is emailed back and saved by the user in a data file. The product can be reinstalled and will run with that key.
- In addition to activating a specific product and version, it also passes in a set of features, identified by a couple binary-encoded bytes.

Since my products run on most DBMS/OS platforms I need to send a different install package for each permutation (usually just an account to be restored). I use a single code base and the code includes platform-specific hooks which are activated during a build process on each platform. So if I'm building for D3 all of the other code is commented out during the build. If you've ever looked at the AccuTerm BASIC source, the approach is the same. I use a version of Kevin King's XBASIC to toggle the platform. (See FOSS4MV)

My source code (for the most part) does not include readable strings for the activation - messages from the activation are decrypted at runtime. This is to avoid the possibility of simple binary/debugger changes on the object modules. Depending on the platform, the build process strips the object code of strings and recognizable variable names. Yeah, I took it that far, primarily because this was going to be marketed as a NebulaSecure package of its own and I wanted to make sure it was bulletproof.

I separate the custom encryption algorithms from the functional code so that I can replace it if necessary. The string from the end-user includes an encryption version, so the decryption code will use the right algorithm based on the specific string. The algorithms include character movement, byte counting, bit shifting, and checksums. That was a fun system to design and code but looking back it was serious over-kill.

I did not implement a cURL interface for automated activation, though I wish I had and will probably do so in a new version. The issue here is that many sites are very locked-down for security and people get very uptight with "phone home" technology, though that's changed significantly over the last decade. So this needs to be implemented as an option, not the only mechanism. When you don't have personal contact in the key exchange, the automated function needs to be able to distinguish between a reactivation in the same environment versus a re-hosting by a given end-user. Another issue is that when it doesn't work people get frustrated and then more time is spent down the rabbit hole of network diagnostics for an activation process - and even if your software works flawlessly that's what people will remember. So again, I opted to avoid that but should have added it later to simplify the activation for other sites when it was possible.

The only known flaw with this security mechanism involved the OS-level integration. Windows Update modifies the OS-level markers that I was using, and for some reason a Daylight Saving Time change did the same. We lost a few clients because their software kept deactivating and I couldn't fix it fast enough. For Unix platforms I needed to occasionally change the mechanism to get the unique system ID because the OS providers sometimes change it (didn't see that one coming). And there's a RedBack bug over AIX which affects how my software interacts with the OS. A new version of my code uses OS-level code (rather than BASIC) to get a disk signature, avoiding OS issues. But again, I feel this process has gone down the path of over-development and I haven't yet put this into full production. It also adds another component to the package, which some people find objectionable.

The good thing about the system is that we have been able to track the movement of licenses across systems. When someone says they're just reinstalling their DBMS, it's confirmed with the same OS/hardware ID. When they say they're migrating their system from a dead hard drive, we just issue a new key, no questions asked. But I can see when another request comes in for another key on the old "dead" hard drive with the same OS/DBMS markers.

While it has worked for many years, without incident except for the above situations, I think my system was a fine example of over-development. While every part of the process seems necessary, at the same time, MV sites simply don't share code. (Heck, as discussed in this group we can't even get people to share FREE code.) A complex activation mechanism (even as simple as "run this command and email the results) only interferes with the user installation experience. I'd prefer a simpler, more interactive, and personal activation process, as long as it's non-intrusive and not time consuming. The detail in a system like this depends on the Value of what you're trying to protect. For my software that only costs $200, the activation is severe over-kill, but it was designed for much more expensive packages, and for that reason alone I've held onto it.

The take-aways:
- Decide what your supported DBMS and OS platforms are. Don't get blind-sided by people installing on unsupported platforms.
- Consider end-user security concerns and offer options (even for-fee if you need to accommodate unique environments)
- Don't over- or under-engineer for your purposes.
- Related, decide the trade-offs of end-user convenience (and UEX) with your need to protect your assets.
- Trust, but verify. Most MV people aren't inclined to run away with software. Don't hassle your good clients in an attempt to protect against the bad. Is it really a financial loss if some sites bypass your system and get your software illegally? Or does that just serve to increase your user base? Weird, yes, but worth consideration as for some companies this has become an unexpected part of their business model.

[AD] Rather than writing your own system, if you'd like to use mine and are willing to pay something for it, I'll be happy to address those issues and provide it as a package. Really, you could spend months developing your own package (or years and still not get it the way you want it). Are you selling an application or security tools? This kind of development is 100% expense with no ROI, and should be minimized.

As another option, Brian Leach has mvInstaller (http://brianleach.co.uk/pages/deploy.htm) I don't know if that includes a licensing mechanism.

HTH
T

CDMI - Steve T

unread,
Aug 28, 2015, 10:32:56 AM8/28/15
to mvd...@googlegroups.com
we use execute 'curl' command(s) to retrieve current updates, de-activations, etc
if curl does not execute, email is sent to our admin for further investigation.
if periodic update(s) to our server does not happen, admin further investigates.
the idea here is to manage the software, dbase, etc update(s) from one server location.
we have software and dbase access with date to/from specifications.
so, phone home to the mother ship, let her respond, if not, notify admin for further investigation.
nowadays, people are used to updating, licensing, this way.
my dish satellite service works this way. if their receivers don't get answers from the mother ship, they de-activate themselves. then, a human has to call (me) and a quick re-activation is managed.
works for us.
be well,
 
Steve Trimble (501) 615-8674
Computerized Data Mgmt Inc (CDMI)


From: David Knight <david...@matash.com.au>
To: Pick and MultiValue Databases <mvd...@googlegroups.com>
Sent: Friday, August 28, 2015 1:58 AM
Subject: [mvdbms] mv Routine or methods for license key validation, activating features and timed activations

--
You received this message because you are subscribed to
the "Pick and MultiValue Databases" group.
To post, email to: mvd...@googlegroups.com
To unsubscribe, email to: mvdbms+un...@googlegroups.com
For more options, visit http://groups.google.com/group/mvdbms


Wols Lists

unread,
Aug 28, 2015, 10:40:42 AM8/28/15
to mvd...@googlegroups.com
On 28/08/15 15:17, Tony Gravagno wrote:
> While it has worked for many years, without incident except for the
> above situations, I think my system was a fine example of
> over-development. While every part of the process seems necessary, at
> the same time, MV sites simply don't share code. (Heck, as discussed in
> this group we can't even get people to share FREE code.)

I designed a similar system, nothing to do with MV, to protect data. And
yes, deciding what the value of what it is you're protecting and how
much you're prepared to spend is crucial.

For us, most of the value was only there for a couple of months, so I
spec'd a system where everything was on the CD, but could only be
accessed if you knew the key. The key was partly based on the company
name, which the software would display on startup.

Seeing as our staff regularly visited customers as a matter of course, I
was working on the assumption that if customers shared keys, we would
see the wrong name come up on the software :-)

And it was fairly easy to break, but as I say, the aim was really just
to protect the data for say six months.

Cheers,
Wol

Bob Rasmussen

unread,
Aug 28, 2015, 10:44:30 AM8/28/15
to Pick and MultiValue Databases
Wow, Tony, that's elaborate!

What OS call do you make in Windows, to get a supposedly unique ID?

I addressed that part by getting the MAC address of the first real network
adapter. I don't believe we have ever seen that change.
> Hi,We all have seen these things in software we use. The need
> for a "product Key' or somesuch which when valid will do a
> number of things...
>
> Perhaps
> 1. Activate a series of additional features in your software
> 2. Ensure the software 'belongs' to a specific site; and finally
> 3. Provides a timed activation. That is, after a certain period; it
> needs a new key to continue operating.
> My question is: if one wants to implement such a method in deliverable
> mv software; how is that best done? I know little/nothing about
> cryptography/hashing algorithms etc
>
> My goal is to [perhaps] have a core application which includes all the
> functions/extra features etc; so as to make distribution/new releases
> easy; but:
>
> A given site may get:
>
> 1. Core functionality 'free'
> 2. Optional features can be turned on or off by altering their
> license key which would need to be requested; AND
> 3. Those features are also time-dependant; ie: require a renewal of
> some kind of license fee on a monthly/annual/whatever basis
> Ideally, I'd like this system to not have to 'ping' a web service to
> work, although that is not out of the question.
>
> What is experience of developing this? What ideas have people used? Is
> this done entirely in mv? Are there generic routines available to do
> this, or at least point in the right direction?
>
> Thank you, folks.
>
> David
>
> --
> You received this message because you are subscribed to
> the "Pick and MultiValue Databases" group.
> To post, email to: mvd...@googlegroups.com
> To unsubscribe, email to: mvdbms+un...@googlegroups.com
> For more options, visit http://groups.google.com/group/mvdbms
>
>

Regards,
....Bob Rasmussen, President, Rasmussen Software, Inc.

personal e-mail: r...@anzio.com
company e-mail: r...@anzio.com
voice: (US) 503-624-0360 (9:00-6:00 Pacific Time)
fax: (US) 503-624-0760
web: http://www.anzio.com
street address: Rasmussen Software, Inc.
10240 SW Nimbus, Suite L9
Portland, OR 97223 USA

Tony Gravagno

unread,
Aug 28, 2015, 1:45:17 PM8/28/15
to Pick and MultiValue Databases

Bob Rasmussen wrote:
Wow, Tony, that's elaborate!

What OS call do you make in Windows, to get a supposedly unique ID?

I addressed that part by getting the MAC address of the first real network
adapter. I don't believe we have ever seen that change.



Well, that was the original problem. Originally I was getting the install timestamp of 3 key OS files that I thought were never going to change. Since it's unlikely that any two systems would be installed at the same instant I figured this was a fairly unique signature. Just in case one of them was updated, if any of the three were the same as the original then the system was authorized. Unfortunately I was surprised to find Microsoft updating all of those files, and fairly often. I combined this with the network hostname, admittedly not perfectly consistent, but "mostly consistent". And also the network card MAC address which I think I get from parsing ipconfig. I admit none of these were great mechanisms but as a whole these and a couple other metrics did serve the majority of installations until those three files started changing a couple times per year. When combined with valid usage of virtual machines where even the MAC might change, the mechanism proved faulty. Mind you, this was only for Windows - there was Never a problem with any Unix/Linux platform which uses similar markers.

In the follow-up to that mechanism, I considered getting a MachineGuid from the registry, but this is a hassle from BASIC. With the WMI class you can get an OS SerialNumber value, but that's not dependable with different versions of Windows. What I finally settled on was an external executable which gets the hard drive manufacturer serial number, the calls for which differ from one version of Windows to another. Combining that with an attempt to get the MachineGuid and OS SerialNumber once again provides a fairly reliable set of markers.

Sorry for being a bit vague, at the moment I don't remember the details and it's been changing every year, which is why I haven't gone full production with that mechanism yet. Anyone who does a Google search will see that every year there are new requests for questions like "how do I get a unique Windows serial number" by people writing utilities like this. I encountered the exact same issue in the Android development community. Go figure.
 
T

Glen Batchelor

unread,
Aug 28, 2015, 1:53:29 PM8/28/15
to mvd...@googlegroups.com
Why not just make a salted hash of the windows key and use that?

--

Tony Gravagno

unread,
Aug 28, 2015, 5:54:08 PM8/28/15
to Pick and MultiValue Databases


GlenB wrote:
Why not just make a salted hash of the windows key and use that?


Obtaining the Windows key can be non-trivial from BASIC as (last time I looked) it required using WMI or a registry query. These days it can be probably be done with PowerShell too. The problem is that (as many of us recognize) code like this needs to cater to the lowest common denominator. We can't rely on PowerShell being installed. We can't rely on the ability to write a script out to the OS to execute, we can't rely on other things being present in the OS. Once I decided that my need for stability outweighed my desire to avoid an OS component, other options opened up. But (and to the OP) these are some of the considerations.

T

Ross Ferris

unread,
Sep 1, 2015, 12:44:28 PM9/1/15
to Pick and MultiValue Databases
Hi David,

FWIW Visage includes a comprehensive licence management system as part of our packaging capabilities. We do need you to "ping" a webservice (which you can run on your own gear) for initial activation (and to ensure licence not activated on other hardware). You can have different ,licences for different areas of your application, and licences can be timed, or have limits for number of concurrent users, maximum version upgrades & a whole lot more. We use it for Visage & our own applications - interface at your end is a single subroutine call.

Could probably extract as a stand alone product if you had a real need ... give me a call if there is any interest

fwinans

unread,
Sep 9, 2015, 9:50:08 PM9/9/15
to Pick and MultiValue Databases
I wonder if it would be a good thing or not, to design one's activation scheme so that doing a secure wipe of hard disk
then doing a really effective restore from backups using nice 3rd party backup software,
was effective enough to reestablish that activation , not just the os, all software, and all data.

One could say 'sure, it is the same computer as before, so it is a fair use of the activation',
but I'm not sure if detecting any hardware swaps is adequately bulletproof if the software being protected from piracy
is really expensive.

Reply all
Reply to author
Forward
0 new messages