Velocity Reviews


g 04-18-2006 02:46 AM

copy protection / IP protection
 
Hello,

I need to build a WAR/JAR that will need to fulfil the following
requirements:

1. The code will only work for a trial period (30 days)
2. The code can be unlocked with a key
3. Unlocking the code will watermark the WAR/JAR with a unique key

I do not want to reinvent the wheel and would love to hear from other
folks that have experience with this type of packaging. Are there any
off-the-shelf solutions?

Cheers,
Godfrey Hobbs

blog: http://blogs.ebusiness-apps.com/godfrey/


Luc The Perverse 04-18-2006 04:14 AM

Re: copy protection / IP protection
 
"g" <cascadiadude@gmail.com> wrote in message
news:1145328373.668265.7110@u72g2000cwu.googlegroups.com...
> Hello,
>
> I need to build a WAR/JAR that will need to fulfil the following
> requirements:
>
> 1. The code will only work for a trial period (30 days)
> 2. The code can be unlocked with a key
> 3. Unlocking the code will watermark the WAR/JAR with a unique key
>
> I do not want to reinvent the wheel and would love to hear from other
> folks that have experience with this type of packaging. Are there any
> off-the-shelf solutions?


Keep in mind you will likely be limited by the system clock - your app won't
know if the time has been tampered with.

It wouldn't be hard to encrypt a single vital class and then have it loaded
with a class loader.

Keep in mind that marking the JAR file as "Activated" will leave the system
open to simply copying the activated JAR file.

I'm not familiar with off the shelf products for this - but I imagine that
trying to keep it strictly non platform dependent would inhibit your ability
to copy protect. You might want to consider special cases for the most
likely platforms to be pirated. Many Windows apps hide a special key deep
in the registry.

--
LTP

:)



Oliver Wong 04-18-2006 07:27 PM

Re: copy protection / IP protection
 

"Luc The Perverse" <sll_noSpamlicious_z_XXX_m@cc.usu.edu> wrote in message
news:cm5eh3xp5k.ln2@loki.cmears.id.au...
> "g" <cascadiadude@gmail.com> wrote in message
> news:1145328373.668265.7110@u72g2000cwu.googlegroups.com...
>> Hello,
>>
>> I need to build a WAR/JAR that will need to fulfil the following
>> requirements:
>>
>> 1. The code will only work for a trial period (30 days)
>> 2. The code can be unlocked with a key
>> 3. Unlocking the code will watermark the WAR/JAR with a unique key
>>
>> I do not want to reinvent the wheel and would love to hear from other
>> folks that have experience with this type of packaging. Are there any
>> off-the-shelf solutions?

>
> Keep in mind you will likely be limited by the system clock - your app
> won't know if the time has been tampered with.


To mitigate against this, the app could store (perhaps within the
encrypted class file) the current time at reasonable intervals, and if it
detects "going backwards in time", to assume the user is doing something
illegal and act accordingly.

>
> It wouldn't be hard to encrypt a single vital class and then have it
> loaded with a class loader.


Except to decrypt it, you'd have to store the key somewhere within the
JAR, and a sufficiently intelligent hacker could find that key and defeat
your system. This might not be too difficult since, for example, you could
use the Eclipse debugger to step through the JAR and see what's going on
(and the contents of all variables, for example).

>
> Keep in mind that marking the JAR file as "Activated" will leave the
> system open to simply copying the activated JAR file.


I think the OP already took this into consideration, which is why the
activation key should watermark the JAR (so that the company can track down
the source of the leak).

>
> I'm not familiar with off the shelf products for this.


Me neither. I only have theoretical knowledge on the topic, nothing
practical. Sorry.

- Oliver


ducnbyu@aol.com 04-18-2006 08:06 PM

Re: copy protection / IP protection
 
I googled and found this off the shelf. Don't know if it meets your
needs.

http://www.chainkey.com/en/


Lasse Reichstein Nielsen 04-18-2006 10:19 PM

Re: copy protection / IP protection
 
"Oliver Wong" <owong@castortech.com> writes:

> Except to decrypt it, you'd have to store the key somewhere within
> the JAR, and a sufficiently intelligent hacker could find that key
> and defeat your system.


A sufficiently intelligent hacker can defeat any system that can run
standalone once.

If the key is stored in the jar file, and it is digitally signed, then
the key itself could be used as the "brand" of an activated version.

The signed key file must then contain enough information to identify
it, and could also contain an expiry date (so the 30 day trial period
would just be a normal key that expires).

Again, a sufficiently intelligent hacker will be able to reverse
engineer the class that checks the signature (or does whatever check
or decryption that is not necessary to the functionality of the
program) and create a functionally identical one without that check.
It's the curse of any program that doesn't communicate with a server,
it's impossible to prevent it being cracked. That's why people usually
settle for "hard", not "impossible".

/L
--
Lasse Reichstein Nielsen - lrn@hotpop.com
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html>
'Faith without judgement merely degrades the spirit divine.'
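
The signed key file described in the post above, together with the "going backwards in time" check suggested earlier in the thread, as an added example that is not code from any poster. The `licensee|expiry|signature` layout, the class and method names, and the `lastSeen` timestamp (which the application would have to persist itself) are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Base64;

public class SignedLicenseDemo {
    // Vendor side: sign "licensee|expiryEpochSeconds" (constructed format; licensee must not contain '|').
    static String issue(PrivateKey vendorKey, String licensee, Instant expiry)
            throws GeneralSecurityException {
        String payload = licensee + "|" + expiry.getEpochSecond();
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(vendorKey);
        s.update(payload.getBytes(StandardCharsets.UTF_8));
        return payload + "|" + Base64.getEncoder().encodeToString(s.sign());
    }

    // Application side: returns the licensee (the "brand" of this copy) or throws.
    static String verify(PublicKey vendorPub, String license, Instant now, Instant lastSeen)
            throws GeneralSecurityException {
        String[] parts = license.split("\\|");
        if (parts.length != 3) throw new SignatureException("malformed license");
        String payload = parts[0] + "|" + parts[1];
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(vendorPub);
        s.update(payload.getBytes(StandardCharsets.UTF_8));
        if (!s.verify(Base64.getDecoder().decode(parts[2]))) throw new SignatureException("bad signature");
        // Fields are trusted only after the signature check has passed.
        if (now.isBefore(lastSeen)) throw new SignatureException("clock moved backwards");
        if (now.getEpochSecond() > Long.parseLong(parts[1])) throw new SignatureException("license expired");
        return parts[0];
    }

    static String check(PublicKey pub, String lic, Instant now, Instant lastSeen) {
        try { return "accepted: " + verify(pub, lic, now, lastSeen); }
        catch (GeneralSecurityException | IllegalArgumentException e) { return "rejected: " + e.getMessage(); }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair vendor = g.generateKeyPair(); // only the public key would ship in the JAR
        Instant now = Instant.now();
        // A 30-day trial is just an ordinary license with a near expiry (constructed sample).
        String trial = issue(vendor.getPrivate(), "trial-user-0001", now.plus(30, ChronoUnit.DAYS));
        System.out.println(check(vendor.getPublic(), trial, now, now));
        System.out.println(check(vendor.getPublic(), trial.replace("0001", "9999"), now, now));
        System.out.println(check(vendor.getPublic(), trial, now.plus(31, ChronoUnit.DAYS), now));
        System.out.println(check(vendor.getPublic(), trial, now.minus(1, ChronoUnit.DAYS), now));
    }
}
```

Because only the vendor's public key is in the JAR, editing the licensee or expiry invalidates the signature; the limit stated in the post still applies, since the class that performs the check can itself be replaced.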

Roedy Green 04-18-2006 11:04 PM

Re: copy protection / IP protection
 
On Wed, 19 Apr 2006 00:19:02 +0200, Lasse Reichstein Nielsen
<lrn@hotpop.com> wrote, quoted or indirectly quoted someone who said :

>A sufficiently intelligent hacker can defeat any system that can run
>standalone once.


You can make cracking considerably harder if you insist on an online
connection at least to start the app.

That makes it much harder to do experiments without being detected,
and allows you to change the rules as often as you please.
--
Canadian Mind Products, Roedy Green.
http://mindprod.com Java custom programming, consulting and coaching.

Luc The Perverse 04-18-2006 11:09 PM

Re: copy protection / IP protection
 
"Oliver Wong" <owong@castortech.com> wrote in message
news:M4b1g.71357$K11.23128@clgrps12...
>
> "Luc The Perverse" <sll_noSpamlicious_z_XXX_m@cc.usu.edu> wrote in message
> news:cm5eh3xp5k.ln2@loki.cmears.id.au...
>> "g" <cascadiadude@gmail.com> wrote in message
>> news:1145328373.668265.7110@u72g2000cwu.googlegroups.com...
>>> Hello,
>>>
>>> I need to build a WAR/JAR that will need to fulfil the following
>>> requirements:
>>>
>>> 1. The code will only work for a trial period (30 days)
>>> 2. The code can be unlocked with a key
>>> 3. Unlocking the code will watermark the WAR/JAR with a unique key
>>>
>>> I do not want to reinvent the wheel and would love to hear from other
>>> folks that have experience with this type of packaging. Are there any
>>> off-the-shelf solutions?

>>
>> Keep in mind you will likely be limited by the system clock - your app
>> won't know if the time has been tampered with.

>
> To mitigate against this, the app could store (perhaps within the
> encrypted class file) the current time at reasonable intervals, and if it
> detects "going backwards in time", to assume the user is doing something
> illegal and act accordingly.
>
>>
>> It wouldn't be hard to encrypt a single vital class and then have it
>> loaded with a class loader.

>
> Except to decrypt it, you'd have to store the key somewhere within the
> JAR, and a sufficiently intelligent hacker could find that key and defeat
> your system. This might not be too difficult since, for example, you could
> use the Eclipse debugger to step through the JAR and see what's going on
> (and the contents of all variables, for example).



You will find this problem with ANY non hardware based solution.

I think the idea is to keep most people honest, not everyone.

I for one would not hesitate to change a registered = NO to registered = YES
in an INI file - but would draw the line at disassembly of the jar file ;)

--
LTP

:)



Luc The Perverse 04-18-2006 11:10 PM

Re: copy protection / IP protection
 
"Roedy Green" <my_email_is_posted_on_my_website@munged.invalid> wrote in
message news:92sa42h1ba5dl1famtuhi5b6g2tn46spnb@4ax.com...
> On Wed, 19 Apr 2006 00:19:02 +0200, Lasse Reichstein Nielsen
> <lrn@hotpop.com> wrote, quoted or indirectly quoted someone who said :
>
>>A sufficiently intelligent hacker can defeat any system that can run
>>standalone once.

>
> You can make cracking considerably harder if you insist on an online
> connection at least to start the app.
>
> That makes it much harder to do experiments without being detected,
> and allows you to change the rules as often as you please.


As Microsoft has discovered and employed.

--
LTP

:)



Roedy Green 04-18-2006 11:50 PM

Re: copy protection / IP protection
 
On Tue, 18 Apr 2006 23:04:56 GMT, Roedy Green
<my_email_is_posted_on_my_website@munged.invalid> wrote, quoted or
indirectly quoted someone who said :

>That makes it much harder to do experiments without being detected,
>and allows you to change the rules as often as you please.


It makes it harder for the hacker to do experiments and allows the
vendor to change the copy protection scheme as often as he pleases.

Aspect programming might be a way of weaving the copy protection
through everything so there is not one easy code point to defang.
--
Canadian Mind Products, Roedy Green.
http://mindprod.com Java custom programming, consulting and coaching.

James McGill 04-19-2006 01:15 AM

Re: copy protection / IP protection
 
On Wed, 2006-04-19 at 00:19 +0200, Lasse Reichstein Nielsen wrote:
> "Oliver Wong" <owong@castortech.com> writes:
>
> > Except to decrypt it, you'd have to store the key somewhere within
> > the JAR, and a sufficiently intelligent hacker could find that key
> > and defeat your system.

>
> A sufficiently intelligent hacker can defeat any system that can run
> standalone once.


Real copy protection involves punitive terms in the lease contract and a
stipulation that no one shall have physical access to the system except
while accompanied by your representative.

Fortunately that scenario more or less ended when the mainframe/leased
datacenter stopped being the norm. Unfortunately, we still find people
who seriously desire the benefits of that model, but have no way to
deploy such a thing.

Now in the contemporary scenario, to have your cake and eat it too, you
must compromise. You want to allow people to anonymously obtain and use
your software (have your cake). You also want to limit their use
through some form of cryptographic protection scheme. So you have to
give them a key. Maybe you can go old-school, and give a field agent
some key that will boot the system, but will not be disclosed to the
customer. Or maybe you can do it like Microsoft does and force the
system to call home and get a one-way hash based on hardware parameters
or something like that. Or maybe you can use a dongle like ILok.

If you don't do something like this, then you have to give the customer
the key (eat it too). Sure, you might be able to hide it. Very
intelligent attempts have been made, and failed. The bottom line is,
either you give the customer the unlock key, and take the risk that it
will be discovered, or you keep the key, and take on the expense and
complexity of managing that relationship.

In the old days, when the equipment was leased from Unisys or IBM, and
simply would not be operated without the contractor present, it might
have been possible to control distribution, at least to the extent you
could trust your employees. Likewise, in a military scenario, you can
control distribution, because you can make it a crime for which the last
person who knew or should have known that the disclosure would be made,
can be executed for treason or whatever.

I suppose there are less extreme cases for which you must make a
due-diligence effort to put some kind of controls in place, but I
personally do not prefer illusory security to no security.

An example. I had a lock on the security screen door, the outer front
door to my house, which would sometimes not lock. It looked like it
locked, but sometimes you could turn the inner barrel without a key.
I found this to be inferior security to simply removing the lock.
Opinions vary on this, but I stand by mine.


