Software copy protection/licensing

I've been asking many times, how to protect your code so that it will not be possible to use it illegally. It's nearly impossible (to divert a highly-motivated software cracker or reverse engineer), but there are several ways.

Moving a very important part of your algorithm to a smartcard

Smartcards are like tiny computers. There are smartcards with a small .NET interpreter and a very limited .NET library (only the most important parts). A piece of C# code can be written and pushed to a smartcard.

Your code then sends data to the smartcard (via USB) and gets the results back. This secret and important piece of your code is, of course, absent from the code executing on the host computer.

I won't mention/advertise several brands here, but they are quite cheap today. Java cards are popular too.

The only nuisance: a smartcard has to be connected to a computer via USB. Smartcards are also slow, so you can't access the smartcard very often.

Way of breaking: decapsulation and reading its memory. Expensive, but possible: read Ken Shirriff's blog.

Using smartcard as encryption engine

The most popular way, probably.

SIM cards in fact work as such engines, as does the PayPass feature of credit cards.

You can use AES, IDEA, Blowfish, or any other well-known cryptoalgorithm. The algorithm may even be known to the software cracker/attacker, but the encryption/decryption key is hidden on the smartcard.

(This is why, in cryptoalgorithm competitions, an algorithm's speed/performance on tiny microcontrollers is also considered. Side-channel attacks are also an issue -- smartcards were cracked with this method.)

Again, accessing that secret encryption key is possible with (expensive) decapsulation.

Your software can encrypt/decrypt its data files via the smartcard. Hence, it will only be possible to decrypt them via another smartcard with the same key.

It will be possible to bypass encryption/decryption, but then, cracked software will only be able to work with unencrypted files, created with another cracked piece of the same software. It will not open data files created with the official software that works with a (legally obtained) smartcard.
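The data-file scheme described above, as an added sketch that is not from the original post. `SimulatedCard`, `seal`, `open` and `load_document` are hypothetical names, the card is simulated in-process (a real one holds the key on-chip and is reached over USB), and an HMAC-SHA256 keystream with an HMAC tag stands in for AES so the code runs with the standard library only.

```python
import hashlib
import hmac
import os


class SimulatedCard:
    """Stand-in for the smartcard: exposes seal/open, never the key."""

    def __init__(self, key: bytes):
        # Assumption: on a real card the key sits on-chip and cannot be read out.
        self._enc = hmac.new(key, b"enc", hashlib.sha256).digest()
        self._mac = hmac.new(key, b"mac", hashlib.sha256).digest()

    def _stream(self, nonce: bytes, n: int) -> bytes:
        # HMAC-SHA256 in counter mode, a stdlib stand-in for AES.
        out, ctr = b"", 0
        while len(out) < n:
            block = nonce + ctr.to_bytes(4, "big")
            out += hmac.new(self._enc, block, hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def seal(self, data: bytes) -> bytes:
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(data, self._stream(nonce, len(data))))
        tag = hmac.new(self._mac, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def open(self, blob: bytes) -> bytes:
        if len(blob) < 48:
            raise ValueError("not a protected file")
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        good = hmac.new(self._mac, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            raise ValueError("written with a different key, or modified")
        return bytes(a ^ b for a, b in zip(ct, self._stream(nonce, len(ct))))


def load_document(card: SimulatedCard, blob: bytes):
    """Host-side loader: the document, or None if the card rejects the file."""
    try:
        return card.open(blob)
    except ValueError:
        return None


if __name__ == "__main__":
    official, other = SimulatedCard(os.urandom(32)), SimulatedCard(os.urandom(32))
    blob = official.seal(b"constructed sample document")
    print(load_document(official, blob), load_document(other, blob))
```

A second card built from the same key opens the file; a card with any other key, or a copy of the software with no card at all, gets nothing usable from it.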

Copy-protection dongles

A copy-protection dongle is a younger brother of the smartcard, with some features borrowed: a small memory and a secret function (secret even to the programmers who use these dongles to protect their software).

Nearly all of them are cracked.

Also, smartcards are as cheap as dongles, but usually much better developed and protected, involving high-profile security and cryptography experts.

It was quite popular to encrypt/decrypt a packed executable file via a dongle. And it was nearly impossible to run/unpack the executable file without access to that dongle.

A secret part of the algorithm is executed on your server

So the software will not work without an internet connection.

Privacy issues -- not all users will agree to such a method, in which their data is passed to your server.

But anyway, a current trend is that a user should log in to your server at start. Your MAC address and IP address may be checked during that.

Hard to crack but possible: breaking into your server.

Executable packing, code obfuscation, virtual machines, etc

Will divert a software cracker for some time. But can be cracked by a highly motivated one.

Trends

Many software vendors open their code and publish open-source versions.

Some proprietary software is not protected at all.

Like Oracle RDBMS, SAP, IBM DB2...

You'll be able to use it and learn. But you will not be able to use it without support from these companies: sooner or later, bugs will surface. So this is a form of vendor lock-in.

However, this is not suitable for shareware, videogames, etc -- software that can be used without support.

