2

I've developed software that I want to protect with licensing. So far I've got code that uses the details of hardware components to generate a unique ID for each machine. I can then permit the activation of 5 machines against one single serial key (5 machines per license is what I'm selling).

This all works fine, but obviously only on machines that have internet connection. Is this just a limitation of this sort of protection and there's nothing I can do about it? Or is there a way I can tackle this problem?

NB: At this point, in this thread, I'm not open to critique regarding the way in which I've generated the unique ID, this is the method I've chosen and, rather ignorantly, need to stick by for a few reasons.

  • 2
    See http://stackoverflow.com/questions/175857/how-do-you-protect-your-commercial-application-from-being-installed-on-multiple?rq=1 – BugFinder Aug 29 '12 at 14:06
  • 1
    Just to clarify: You incorporate the unique ID of all 5 machines into one single key? And what do you need the internet for? Only for the generation of the key or also for the validation? – Daniel Hilgarth Aug 29 '12 at 14:07
  • @DanielHilgarth - the unique ID is simply a way of determining the amount of machines that are registered against one serial key, and this serial key is generated independently of any sort of unique machine key. Thanks. –  Aug 29 '12 at 14:12
  • @DeeMac: OK, so your license is not bound to 5 specific machines. You just want to ensure that a maximum of 5 machines concurrently make use of one license, correct? – Daniel Hilgarth Aug 29 '12 at 14:13
  • 2
    @BugFinder - that post is completely different to mine. Mine is not an open-ended question about available approaches to software licensing, I've chosen my approach - I need help solving a problem specific to what I've already implemented. –  Aug 29 '12 at 14:14
  • @DeeMac: You already stated that you don't want to deviate from your approach, still I am asking: Is it an option to allow only 5 specific machines? If yes, your problem would vanish. – Daniel Hilgarth Aug 29 '12 at 14:15
  • @DanielHilgarth - I will deviate from my approach to an extent, but not generating the unique IDs in this way or paying for a library that handles licensing are not options at the moment. Well really, I need to limit it in a way that only 5 separate installations (on any machines) can be activated with one given, purchased serial key. –  Aug 29 '12 at 14:17
  • @DeeMac: My proposed solution would have been: Let the user send you the unique IDs of five machines. Generate a serial key that somehow incorporates those five IDs. When starting or installing the application, the ID of the current machine is generated and checked against the serial. No internet connection would be needed in that case. – Daniel Hilgarth Aug 29 '12 at 14:19
  • And you still have not answered the question on what you need the Internet for. In the question you state unique ID for each machine and then in a comment state the unique ID is generated independent of machine key. And now purchased serial key is a new term. – paparazzo Aug 29 '12 at 14:21
  • @Blam: It's quite clear what the internet is needed for: Each running instance sends its own unique key and the key to the server. The server verifies that a maximum of five unique IDs exist for a given serial at any time. – Daniel Hilgarth Aug 29 '12 at 14:25
  • @Blam - I don't recall being asked that!? Maybe I should probably have given more context but I'd have assumed it was the basics of such a typical licensing approach. –  Aug 29 '12 at 14:36
  • Why is an internet connection a problem? 99% of users have it. – ChatCloud Aug 30 '12 at 22:15
  • @ActivationCloud - with the statistic you've presented - 1 out of every 100 installations of my application will not activate without necessary measures in place. –  Aug 31 '12 at 08:49
  • Are you sure that guy that does not have inet will download and install your stuff? – ChatCloud Aug 31 '12 at 09:28
  • @ActivationCloud - I don't understand what you're getting at. I understand you're responsible for licensing software - is there a void in what I plan to do here that your product tackles? I don't understand how someone that does not have internet will download my 'stuff'? Thanks. –  Aug 31 '12 at 09:56

2 Answers

2

I think you have several options:

  1. As described in the comment, don't make your license floating but machine specific by incorporating the unique IDs of all allowed machines in the key. Upon startup, check the unique ID of the current machine against the key.
  2. Use your current approach but with the difference that the server is not on your side but on the customer's premises, i.e. a license server the customer needs to install somewhere.
  3. Implement some kind of self check: Each running instance sends its unique ID into the network and in turn listens for the unique IDs of other running instances. The first instance that receives more than four unique IDs via the network shuts itself down. I guess this could be implemented using UDP broadcasts. The implementation of this is not that trivial:

    • You need to make sure that exiting one instance and starting a new one right afterwards doesn't lead to a shutdown elsewhere.
    • Furthermore, you might want to implement a check that the machine is indeed networked.

    If I were to implement something like that, I would introduce the following three package types:

    • Start: Instance just started and broadcasts its ID for the first time. All other instances need to broadcast their own ID as an answer. The reason for this is twofold:
      1. Fail fast
      2. Ideally, the instance that has been started last should exit if the maximum number of allowed instances has been exceeded. It would not be ideal if one of the already running instances would shut down.
    • Periodic: All instances periodically send their unique ID, just in case a previous transmission was missed
    • Exit: If one instance is closed, it tells the other instances this fact.

In all cases, you should think about encoding the number of allowed instances into the key, so you can later hand out differently sized keys.

Daniel Hilgarth
  • Thanks a lot for your help Daniel, appreciate it. I like the sound of number 3, I didn't think of this - and considering the fact I can safely assume all machines will be networked (should've mentioned that) - this sounds like a reliable approach. Thanks again, saved me a lot of messing around here. –  Aug 29 '12 at 14:37
  • 1
    @DeeMac: You are welcome. I added some additional thoughts to the third option. – Daniel Hilgarth Aug 29 '12 at 14:44
  • 1
    Thanks a lot for the additional comments, gives me a bit of direction with it. One last question - all (up to) 5 instances of this application will target an SQL database. What's your opinion on me storing the unique IDs in there? I'd assume it removes the need for UDP broadcasting? –  Aug 29 '12 at 14:56
  • 1
    @DeeMac: If all instances target the SAME database, that would be another option and much simpler. Just make sure that it isn't as easy to crack your licensing mechanism as adding a trigger that automatically removes any entry in the `registered_machines` table :-) – Daniel Hilgarth Aug 29 '12 at 14:58
  • Yep, one common database. Thanks for your help. Sorted. –  Aug 29 '12 at 15:06
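
Option 3 of the answer above, sketched as an added example (not code from the thread): the Start/Periodic/Exit handling as a transport-agnostic state machine, with a constructed in-memory bus standing in for UDP broadcast. `SeatTracker`, `peer_ttl`, `broadcast` and `launch` are hypothetical names, and answering a Start packet without counting its sender until that sender's first Periodic is an assumption made so that the last-started instance is the one that exits.

```python
from dataclasses import dataclass, field

START, PERIODIC, EXIT = "start", "periodic", "exit"  # the three packet types

@dataclass
class SeatTracker:
    my_id: str
    max_seats: int = 5      # assumed to be decoded from the license key
    peer_ttl: float = 30.0  # assumed: forget peers silent for this many seconds
    admitted: bool = False
    peers: dict = field(default_factory=dict)  # peer ID -> time last heard

    def on_packet(self, kind, sender, now):
        """Process one received packet; return a packet to broadcast, or None."""
        if sender == self.my_id:
            return None
        if kind == EXIT:
            self.peers.pop(sender, None)  # seat is free again immediately
            return None
        if kind == START:
            # Answer at once so the newcomer fails fast, but do not count it:
            # it only holds a seat after it passes admission and sends PERIODIC.
            return (PERIODIC, self.my_id) if self.admitted else None
        self.peers[sender] = now
        return None

    def finish_admission(self, now):
        """Call when the reply window closes. False means this instance must exit."""
        self.peers = {p: t for p, t in self.peers.items() if now - t <= self.peer_ttl}
        self.admitted = len(self.peers) < self.max_seats  # at most four others
        return self.admitted

def broadcast(instances, packet, now):
    """Constructed in-memory stand-in for the UDP broadcast segment."""
    queue = [packet]
    while queue:
        kind, sender = queue.pop(0)
        for inst in instances:
            reply = inst.on_packet(kind, sender, now)
            if reply:
                queue.append(reply)

def launch(instances, machine_id, now=0.0):
    """Start an instance on the simulated segment; return True if it may run."""
    inst = SeatTracker(machine_id)
    instances.append(inst)
    broadcast(instances, (START, machine_id), now)
    if inst.finish_admission(now):
        broadcast(instances, (PERIODIC, machine_id), now)  # now others count it
        return True
    instances.remove(inst)
    return False
```

The packets in this sketch are unauthenticated and the count depends on every instance hearing the others, so it enforces the limit only on a cooperative network; two instances starting in the same reply window are also not arbitrated here.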
2

Make it a requirement to have a central licensing server. Each program on startup registers with that server. The server tells the client if it can start or not. In case 5 programs are already started, the program refuses to start.

When the program stops, it tells the licensing server again that its license is not needed any longer.

Job done. No internet required.

hakre
  • I think this is along the same lines as Daniel's 3rd suggestion (providing I treat the first installation as the 'server'), ideal to be honest - I'm going to go with this. –  Aug 29 '12 at 14:39
  • @DeeMac: Actually, this is equivalent to my second suggestion. The problem with this approach is that you need a central server that is to be installed separately or you need some relatively complicated way to figure out which one is the server. My third approach suggested the usage of UDP broadcasts so you **don't** need a central server. – Daniel Hilgarth Aug 29 '12 at 14:45
  • I see what you mean, I was probably putting too much reliance on the first instance then to act as the 'server', and judging by your additional comments in your answer I need to remove any sort of heavy dependence on this first instance (makes sense). Next task is to start reading around UDP broadcasts then. –  Aug 29 '12 at 14:47