1

I created a little hardware lock in my licensing process. A (hopefully) unique hardware ID is generated before installation and encoded as part of my license file. Whenever my application starts, the hardware key is regenerated and compared to the registered one.

Actually, the hardware key refers to the first CPU, BIOS and mainboard infos based on the solution by Alex Sutu.

So far so good - now, the system runs in a virtual environment where new CPUs are linked in dynamically - and so the order of CPUs changes. with the invalidated key, the software is not running anymore - as wanted and expected by me, not by my client. Therefore I have to change the process a bit.

As far as I remember, Windows 7 (or even previous versions) had some kind of robustness within their activation / registration IDs - smaller hardware changes did not invalidate the activation / license - an that is what I want to mimic in my licensing context.

I found a little explaination here - which lets me think of the following process in general:

For registration:

  1. Generate X different hardware IDs using different settings (CPU, mainboard, bios, whatever)
  2. Register these IDs within the license file

When starting the application:

  1. Generate X different hardware IDs using different settings (CPU, mainboard, bios, whatever) (is WMI access fast enough? Alternatives?)
  2. If more than X percent (95?) of the the newly generated ones are equal to the registered ones from the license file, everything is fine and the application starts

Actually, generating a hardware ID using WMI queries takes pretty long (somewhat between 4 to 8 seconds). 

static string identifier(string wmiClass, string wmProperty)
        {
            string result = "";
            var mc = new ManagementClass(wmiClass);
            var moc = mc.GetInstances();
            foreach (var mo in moc)
            {
                if (result == "")
                {
                    try
                    {
                        result = mo[wmProperty].ToString();
                        //Only get the first one
                        break;
                    }
                    catch
                    {
                    }
                }
            }
            return result;
        }

Example call:

string retVal = identifier("Win32_Processor", "UniqueId");

So I am quit a bit uncertain, whether taking more IDs into account is the right choice.

Therefore the final question: Is this a practicable way of creating a robust hardware licensing or am I missing a point? Secondly, if this is "state of the art", is my WMI approach the right one or are there better ways?

Thanks a lot in advance!

Community
  • 1
  • 1
Monga
  • 29
  • 3

1 Answers1

0

Your approach is generally correct. Collect different identifiers, store them securely and issue the license. Whenever only a few of the identifiers have changed, you update your storage to the new values, but still run the application.

As of the time to collect HW info, you may start loading the application in "locked mode". Once HW identifiers become available, you check the license and asynchronously unlock the application. This way you are not so limited by the communication delay - I used this approach with license validation against a remote server.

Boris Schegolev
  • 3,601
  • 5
  • 21
  • 34
  • Hi Robert, thanks a lot - I allready thought of updating the identifier storage, but I see one challange in this way: My license is generated with a private key, the application only knows the public one. The license file, where all IDs are stored is encrypted, so I could ether publish my private key (no good idea I guess) or store the IDs unsecure. I guess I will stay with the last approach, but with a little rule enhancement. The license is only valid, while at least X percent of the previous IDs and one of the original IDs are valid. The async way is also a way I will check. – Monga Aug 18 '16 at 06:14
  • Sure, you can store IDs unsecure. By "securely" I meant "ïmmutably", so simple hash will do. Simply make sure that removing or replacing the IDs is checked by the application. – Boris Schegolev Aug 18 '16 at 11:58