Solved

copy protection

Posted on 1998-04-21
13
253 Views
Last Modified: 2013-12-25
I am interested in a couple ideas or an algorithm to do the following:  (no code is really necessary -- I am looking forward to working on this -- and learning a CGI language)

Our company would like to implement a copy protection scheme for our software.  We would like to do this via our web site with a CGI program so finishing software installs occurs automatically when they submit a form from our web site.  

This could take place as a "nugget" with password protection that they download.  We've thought of setting a cookie and have the downloaded "nugget" look for that (but the placement of the cookie depends on the web browser that they use and is a text file that can be manipulated.  
Pretty much the only requirements are that it is secure:
1. the client cannot send someone else the software and the nugget and have the install work on the other system)  
2. the client cannot send someone else the software and the other person can download the nugget themselves

and easy for the customer to use.

I would like to incorporate a "clock winding" where a copy protection clock (that we have already embedded in the system) would be "wound" so that their software will not quit working after the clock reaches 0.  We do this now but they have to call us.  I would like to be able to do this automatically.

Thanks for any ideas you may have.

Mark    
0
Comment
Question by:mbunkows
13 Comments
 
LVL 5

Expert Comment

by:icd
ID: 1827689
The simplest way to do this is for your protected program to request a validation code. This validation code would be obtained by them filling in a form on your web server. The validation code can be tied to some characteristic of their machine or to a hidden/protected file in the file system to prevent the program from working on another machine.

I have produced several products that do this where the code is obtained over the telephone but an Internet solution is more appropriate nowadays.
0
 

Author Comment

by:mbunkows
ID: 1827690
Thats exactly what Im looking for...

However wouldnt the characteristic of their machine exist on the pirated copy of the software as well.  Thats kindof the problem i have been wrestling with... if we dont put the characteristic on the computer ourselves (with the initial installation) how do we know what that characteristic is (says?) ... thats why I thought about using a cookie but of course their are problems with that also (namely it being in different locations for different browsers)

I think I need to be able to do one of the following:

1) put something on their system at the initial installation and have that change if another installation occurs (but what if they install twice?)
2) put something on their system (similar to a cookie) and then when they submit the form have the file that is included in the email look for that cookie (but how do i know where the cookie is located?)

We currently also give our clients the code over the phone (via modem actually) however we need this to be automotated.

Thanks

Mark  
0
 
LVL 5

Expert Comment

by:icd
ID: 1827691
Use some characteristic of the PC, such as hard drive serial no. or something. This together with the time of day could be used to generate a code value. This code value is sent to you server and you use it to encode a validation key which is sent back to the user.

When the program runs it compares the PC characteristic with the stored code value which is also used with the validation key to 'unlock' the program. If the program is copied then the code value will not match the PC.

0
 

Author Comment

by:mbunkows
ID: 1827692

Excuse my ignorance in CGI matters but how is that code value sent to my server?

They obviously dont include it the form...

I understand that the time of day can be determined by the server itself but how will the server know the characteristic of the PC (like a hard drive serial number)?

Also how does the program know what time of day the form was sent?

Again I apologize for my ignorance in these matters.. I guess thats why I asked the question...

I'll up the points a bit (cuz im sure this is getting frustrating to you)
Mark



0
 
LVL 3

Expert Comment

by:bigelos
ID: 1827693
Yeah, but you get some pissed off users when they upgrade their system and find their software no longer works.
0
 
LVL 5

Expert Comment

by:icd
ID: 1827694
The information you get from the PC time of day and other characteristics are encoded into a code value, something like aeds-1s3e-fr56-s3wb (for example) The method you use to encode it will depend on how much information you need to send, how secure you want it etc. To give you a solution here would not exactly be secure! :-)

In the simplest method you ask the user to type this into a form on your server together with their name, address etc... This then tells your server the information about the PC that you need to create a validation code. This validation code is printed out on a html page (preferably secure) and the user types the validation code into their program.

A more sophisticated method would do away with the browser at all. The address information would be entered into the users program which would obtain the PC fingerprint. The program would then make a secure socket connection to your server and the handshake between them would insert the validation code directly into the customers program. This avoids any transcription errors, makes it easier for the user and allows you to transmit more details between the customers PC and your server.

0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 

Author Comment

by:mbunkows
ID: 1827695

In the simplest method, if the user types in all the information that is used to create the validation code then another person can type in the exact same information and get the correct validation code.  As far as I understand it, at least part of the information has to come from the computer itself.  This could be the time of day or whatever but both their PC and our server will have to have the exact same time.  If they type the time in the form, I might as well use some combination of address, name, etc.  I just dont know how to get information about the PC without the users knowledge (meaning they dont type at least part of it in a form).  I could have a list of clients in a file that the server has access to that the server deletes when the email (or secure web page) gets sent (created).  However having to update a file each time we get a new client is something I dont really want to do.
 
Im trying to make it as secure as possible without causing too many hardships on either myself or our clients.

Mark
0
 
LVL 5

Expert Comment

by:icd
ID: 1827696
The point is, the code that is produced on the PC will always be different. The user has no control over this code since it is generated from the time of day and the characteristics of the PC that you want to monitor. It is encrypted, or at least mangled in some way. The same code would not be repeated on another PC and not even on the same PC twice (since the time of day is incorporated into it). The server does not need to synchronise with the PC time of day since the TOD is only used to ensure a different code each time it is generated.

To get information about the PC will involve some system level programming (for example finding out how to read the hard disk serial number from your program).


0
 

Author Comment

by:mbunkows
ID: 1827697
If the server doesnt need to know the PC specific information (TOD, hard disk serial, etc) how can it generate a different validation code each time... one that the PC will be able to understand and confirm the validation?  

heres a senerio:
1) a new client buys our software and has it on CD
2) the client installs the software using our install program--at the end the install program has a link to our web site to finish the installation
3) the user goes to the web site and fills in a basic form--client number,name,address,etc
4) from the basic information that the client gave us a CGI program mangles the info and creates a validation code that either sends them the email or prints it on a newly created page just for them
5) the client then types the validation code into our software and runs the program

where in these steps do the PC specific items get put in? it has to be before the server creates the validation code.. otherwise the client could hand off the CD to his buddy and have him type in exactly what the client typed in and have the validation code work (because it would be the same exact one)

In my way of thinking the two either have to be synchronized or the PC needs to send specific information about itself without the client knowing

Mark  
0
 
LVL 5

Expert Comment

by:icd
ID: 1827698
Step 2. The client installs the software, during the installation process the program obtains the PC specific information. It creates a hash value from the PC data, the Time Of Day, the User information to create a code (call it a PC code).

Step 3. The user enters the PC code into the form.
etc.

If the installation process were to make a socket connection then the user would not act as an intermediary by reading the PC code from his pc, entering it on the web form and then reading the resulting authorisation code from the cgi output and entering back on his pc.


0
 

Author Comment

by:mbunkows
ID: 1827699

icd,

Thanks for putting up with my ignorance of this situation.

It makes sense now (I dont know what I was thinking... I got the lightbulb)

Please submit an answer and ill give you an A... You've been most helpful!

If you could point me to a link or another resource that may give me more information about a socket connection that would be exceedingly helpful.  If you dont know of anything thats ok too.

Thanks

Mark
0
 
LVL 5

Accepted Solution

by:
icd earned 220 total points
ID: 1827700
A search for '"socket program" and perl' on Alta-Vista or perhaps '"socket example" and perl' is likely to bring up something of relevence. It will take a bit of trawling however to find a suitable example.
0
 
LVL 84

Expert Comment

by:ozo
ID: 1827701
a CPAN search for "socket"
http://theory.uwinnipeg.ca/search/cpan-search.html
may bring you more directly to some perl examples
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

I hope you'll find this tutorial useful and interesting. So let's try to extend Tcl with a new package.  For anyone more deeply interested please check out the book "Practical Programming in Tcl and Tk". It's really one of the best written books abo…
It is a general practice to get rid of old user profiles on a computer  in a LAN environment. As I have been working with a company in a LAN environment where users move from one place to some other place at times. This will make many user profil…
Learn the basics of if, else, and elif statements in Python 2.7. Use "if" statements to test a specified condition.: The structure of an if statement is as follows: (CODE) Use "else" statements to allow the execution of an alternative, if the …
The viewer will learn how to count occurrences of each item in an array.

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now