mbunkows


copy protection

I am interested in a couple ideas or an algorithm to do the following:  (no code is really necessary -- I am looking forward to working on this -- and learning a CGI language)

Our company would like to implement a copy protection scheme for our software.  We would like to do this via our web site with a CGI program so finishing software installs occurs automatically when they submit a form from our web site.  

This could take place as a "nugget" with password protection that they download.  We've thought of setting a cookie and having the downloaded "nugget" look for that (but the placement of the cookie depends on the web browser that they use, and it is a text file that can be manipulated).
Pretty much the only requirements are that it is secure:
1. the client cannot send someone else the software and the nugget and have the install work on the other system
2. the client cannot send someone else the software and the other person can download the nugget themselves

and easy for the customer to use.

I would like to incorporate a "clock winding" where a copy protection clock (that we have already embedded in the system) would be "wound" so that their software will not quit working after the clock reaches 0.  We do this now but they have to call us.  I would like to be able to do this automatically.

Thanks for any ideas you may have.

Mark    
icd

The simplest way to do this is for your protected program to request a validation code. This validation code would be obtained by them filling in a form on your web server. The validation code can be tied to some characteristic of their machine or to a hidden/protected file in the file system to prevent the program from working on another machine.

I have produced several products that do this where the code is obtained over the telephone but an Internet solution is more appropriate nowadays.
mbunkows

ASKER

That's exactly what I'm looking for...

However, wouldn't the characteristic of their machine exist on the pirated copy of the software as well?  That's kind of the problem I have been wrestling with... if we don't put the characteristic on the computer ourselves (with the initial installation), how do we know what that characteristic is (says?)... that's why I thought about using a cookie, but of course there are problems with that also (namely it being in different locations for different browsers).

I think I need to be able to do one of the following:

1) put something on their system at the initial installation and have that change if another installation occurs (but what if they install twice?)
2) put something on their system (similar to a cookie) and then when they submit the form have the file that is included in the email look for that cookie (but how do I know where the cookie is located?)

We currently also give our clients the code over the phone (via modem actually); however, we need this to be automated.

Thanks

Mark  
Use some characteristic of the PC, such as hard drive serial no. or something. This together with the time of day could be used to generate a code value. This code value is sent to your server and you use it to encode a validation key which is sent back to the user.

When the program runs it compares the PC characteristic with the stored code value which is also used with the validation key to 'unlock' the program. If the program is copied then the code value will not match the PC.


Excuse my ignorance in CGI matters but how is that code value sent to my server?

They obviously don't include it in the form...

I understand that the time of day can be determined by the server itself but how will the server know the characteristic of the PC (like a hard drive serial number)?

Also how does the program know what time of day the form was sent?

Again I apologize for my ignorance in these matters... I guess that's why I asked the question...

I'll up the points a bit (cuz I'm sure this is getting frustrating to you)
Mark



Yeah, but you get some pissed off users when they upgrade their system and find their software no longer works.
The information you get from the PC time of day and other characteristics is encoded into a code value, something like aeds-1s3e-fr56-s3wb (for example). The method you use to encode it will depend on how much information you need to send, how secure you want it etc. To give you a solution here would not exactly be secure! :-)

In the simplest method you ask the user to type this into a form on your server together with their name, address etc... This then tells your server the information about the PC that you need to create a validation code. This validation code is printed out on an HTML page (preferably secure) and the user types the validation code into their program.

A more sophisticated method would do away with the browser altogether. The address information would be entered into the user's program which would obtain the PC fingerprint. The program would then make a secure socket connection to your server and the handshake between them would insert the validation code directly into the customer's program. This avoids any transcription errors, makes it easier for the user and allows you to transmit more details between the customer's PC and your server.


In the simplest method, if the user types in all the information that is used to create the validation code then another person can type in the exact same information and get the correct validation code.  As far as I understand it, at least part of the information has to come from the computer itself.  This could be the time of day or whatever but both their PC and our server will have to have the exact same time.  If they type the time in the form, I might as well use some combination of address, name, etc.  I just don't know how to get information about the PC without the user's knowledge (meaning they don't type at least part of it in a form).  I could have a list of clients in a file that the server has access to that the server deletes when the email (or secure web page) gets sent (created).  However, having to update a file each time we get a new client is something I don't really want to do.
 
I'm trying to make it as secure as possible without causing too many hardships on either myself or our clients.

Mark
The point is, the code that is produced on the PC will always be different. The user has no control over this code since it is generated from the time of day and the characteristics of the PC that you want to monitor. It is encrypted, or at least mangled in some way. The same code would not be repeated on another PC and not even on the same PC twice (since the time of day is incorporated into it). The server does not need to synchronise with the PC time of day since the TOD is only used to ensure a different code each time it is generated.

To get information about the PC will involve some system level programming (for example finding out how to read the hard disk serial number from your program).


If the server doesn't need to know the PC-specific information (TOD, hard disk serial, etc.), how can it generate a different validation code each time... one that the PC will be able to understand and confirm the validation?  

Here's a scenario:
1) a new client buys our software and has it on CD
2) the client installs the software using our install program--at the end the install program has a link to our web site to finish the installation
3) the user goes to the web site and fills in a basic form--client number,name,address,etc
4) from the basic information that the client gave us a CGI program mangles the info and creates a validation code that either sends them the email or prints it on a newly created page just for them
5) the client then types the validation code into our software and runs the program

Where in these steps do the PC-specific items get put in? It has to be before the server creates the validation code... otherwise the client could hand off the CD to his buddy and have him type in exactly what the client typed in and have the validation code work (because it would be the same exact one).

In my way of thinking the two either have to be synchronized or the PC needs to send specific information about itself without the client knowing.

Mark  
Step 2. The client installs the software, during the installation process the program obtains the PC specific information. It creates a hash value from the PC data, the Time Of Day, the User information to create a code (call it a PC code).

Step 3. The user enters the PC code into the form.
etc.

If the installation process were to make a socket connection then the user would not act as an intermediary by reading the PC code from his pc, entering it on the web form and then reading the resulting authorisation code from the cgi output and entering back on his pc.
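
The activation flow described in this exchange (a PC code built at install time from machine data, time of day and user information; a validation code issued by the server; a check at run time), sketched as an added example that is not code from any poster in the thread. The function names, the sample serial numbers and the use of HMAC-SHA256 with a vendor key embedded in the client are assumptions; verifying a public-key signature instead would keep the secret off the customer's machine.

```python
import hashlib
import hmac
import time

# Assumption: vendor secret. It sits in the client here only so the demo can
# verify offline; with a public-key signature no secret would ship.
VENDOR_KEY = b"constructed-demo-secret"

def pc_code(fingerprint: str, user: str, tod: str) -> str:
    """Install step: hash PC data + time of day + user info into a PC code."""
    data = "\x00".join((fingerprint, user, tod)).encode()
    digest = hashlib.sha256(data).hexdigest()
    return "-".join(digest[i:i + 4] for i in range(0, 16, 4))

def issue_validation(code: str) -> str:
    """Server (CGI) step: derive the validation code from the submitted PC code."""
    return hmac.new(VENDOR_KEY, code.encode(), hashlib.sha256).hexdigest()[:16]

def install(fingerprint: str, user: str, tod: str = "") -> dict:
    """Client keeps the time of day it used so the PC code can be rebuilt later."""
    tod = tod or time.strftime("%Y-%m-%dT%H:%M:%S")
    return {"user": user, "tod": tod, "pc_code": pc_code(fingerprint, user, tod)}

def is_licensed(state: dict, validation: str, fingerprint_now: str) -> bool:
    """Run-time check: stored PC code must match this machine and the vendor's code."""
    rebuilt = pc_code(fingerprint_now, state["user"], state["tod"])
    same_pc = hmac.compare_digest(rebuilt, state["pc_code"])
    genuine = hmac.compare_digest(issue_validation(state["pc_code"]), validation)
    return same_pc and genuine

def demo() -> dict:
    # Constructed sample values, not real serial numbers or customers.
    pc_a, pc_b = "disk-serial:1A2B-3C4D", "disk-serial:9F8E-7D6C"
    state = install(pc_a, "client-0042", "2024-01-01T10:15:00")
    validation = issue_validation(state["pc_code"])
    # Same PC, later time of day: a fresh install produces a different PC code.
    reinstall = install(pc_a, "client-0042", "2024-01-01T10:20:00")
    return {
        "original_pc": is_licensed(state, validation, pc_a),
        "copied_to_other_pc": is_licensed(state, validation, pc_b),
        "old_code_on_reinstall": is_licensed(reinstall, validation, pc_a),
        "codes_differ": state["pc_code"] != reinstall["pc_code"],
    }

if __name__ == "__main__":
    print(demo())
```

The server never needs the raw serial number or a synchronized clock: it only transforms whatever PC code it receives, and the machine binding is enforced when the client rebuilds that code from its own hardware.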



icd,

Thanks for putting up with my ignorance of this situation.

It makes sense now (I don't know what I was thinking... I got the lightbulb).

Please submit an answer and I'll give you an A... You've been most helpful!

If you could point me to a link or another resource that may give me more information about a socket connection, that would be exceedingly helpful.  If you don't know of anything, that's OK too.

Thanks

Mark
ASKER CERTIFIED SOLUTION
icd

ozo
a CPAN search for "socket"
http://theory.uwinnipeg.ca/search/cpan-search.html
may bring you more directly to some perl examples