
I've been thrown in at the deep end a bit here, as I never expected I would have to do something like this and I have no idea where to start, so I'm hoping somebody will be able to help me (ideally by providing some Java code)...

In my effort to protect my Java software from piracy I have found that it is completely impossible unless I continuously check online - so that's what I want to do. Only, the only details I know are that my program needs to communicate with some sort of script online and verify the licence key the program is using and then report back accordingly.

However, that's all I know - I am still stuck as to what the server side actually consists of. I'm hoping that the fact I am not hosting the website myself (and using JustHost) will not stop me from being able to do what I need.

So basically, I would like some help in creating a setup that allows me to prevent anyone from pirating my software while connected to the internet. I thought about having something like a login system; the user's licence key would act as a username and password, but to be honest I really have no idea, because if I did it that way they would have to manually log in and log out each time they wanted to use the software.

And not to run before I can walk, but what happens when the user is not connected to the internet? Even worse, how do I tell if somebody has stolen a legitimate user's licence key? etc.

Thanks in Advance,

Andy

PS If it helps, I plan to use PostgreSQL (or maybe MySQL) and I am not paying for a dedicated server with JustHost.com...

  • I think you should start [with this StackOverflow question](http://stackoverflow.com/questions/599837/how-to-generate-and-validate-a-software-license-key). Read the accepted answer carefully. It is based on a few fundamental principles in cryptography, although not all of it is fundamentally secure. It's a good start though. – Vineet Reynolds Jun 11 '11 at 15:09
  • To make my previous comment less vague, I would add that your scheme should have at least one secret key or a public-private key pair involved. – Vineet Reynolds Jun 11 '11 at 15:13
  • I do hope your customers like depending on _your_ server being on-line for their paid-for software to be useable. – extraneon Jun 11 '11 at 17:19
  • Vineet Reynolds, thank you for that link. Now I can see absolutely no licensing scheme that is foolproof or better than another, I think I'm just going to keep it simple and create a hardware fingerprint using the best hardware ID I can get using Java. I haven't got any more time to be worried about causing inconvenience to those minority of people who don't have a MAC address or have changed some major hardware - as the majority of my target audience probably won't be that IT literate or ever come across an issue regarding their hardware etc. – Andy Jun 11 '11 at 18:43
  • @extraneon FYI, my software would not depend on an internet connection, it would just take every opportunity it could to verify whether the serial key being used is genuine somehow. However, I think an auth server would be too complex and problematic to build for my purposes (at the minute) unless I used an actual login system with a username and password which would cause inconvenience and aggro to my users - something I want to avoid! – Andy Jun 11 '11 at 18:44

2 Answers


Once your code is on their machine they can modify it to simply ignore your checks. You can make it as hard as possible but it will never be hack proof.

In general your question is identical to this one which has some good discussion.

Andrew White
  • Andrew, I realise anyone with the skills can bypass anything once they have it in their hands, but we're talking about a very small percentage of people - especially considering my target audiences are adults and teenagers who probably won't be the most IT literate at the best of times. AND yes, in general most questions to do with piracy end the same! It seems to be that the simpler schemes are the more popular as well! Maybe because they cause the least amount of inconvenience for everyone but still account for the 90th percentile! Thanks Anyway... – Andy Jun 11 '11 at 19:14
  • The problem is that it only takes ONE person to break it and redistribute it in ways that non IT literate understand and your entire anti-piracy investment is blown. – Andrew White Jun 11 '11 at 20:38
  • @Andrew To be honest, I understand and accept your point and that is partly why I am only deploying a simple piracy protection scheme - but I have to draw a line between putting a considerable anti-piracy scheme in place to **deter** piracy and going extremely silly with expensive licensing schemes that are going to be cracked anyway, somewhere! I would like to know what you consider to be a reasonable amount of piracy protection, then? It seems to me _we_ are over complicating things whilst trying to outsmart the smartest of crooks; forgetting I am only a small company etc! – Andy Jun 12 '11 at 10:25
  • Plus, not only is it a small company but I am aiming my software at people who struggle a bit on the computer OR simply can't be bothered to do things the _right way_. I am selling my software at a very cheap/reasonable price also and it is very easy to use. So I very much doubt the people who are interested in my software will even be aware of warez or torrent sites etc; for that reason I am hoping that illegal distribution will **start off** at a very low rate - manageable enough for me to deal with myself - so I will just have to take anything on the chin and think of it as a compliment! – Andy Jun 12 '11 at 10:48
  • @Andy: for your case, I would simply generate a license file or key and store it in a secret place. If your software gets popular enough to attract pirates then you can invest more then. – Andrew White Jun 12 '11 at 12:23
  • Thank you for your reply Andrew. I think that is near enough what I plan to do! I will generate a licence key which will be emailed to the customer. If a genuine licence key is entered in the program, the program will create a hardware ID fingerprint and store it in an encrypted folder somewhere secret - marking the licence key as in use on our database/server etc. – Andy Jun 12 '11 at 12:51
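
The approach raised in the comments above (a public-private key pair, and a licence key tied to a hardware fingerprint), as an added example that is not code from anyone in this thread. The `email|hardwareId` payload layout, the class and method names and the sample values are assumptions made for illustration; as the answer says, a modified client can still skip the check, so the signature only stops keys being forged or edited.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

public class SignedLicenceDemo {
    static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();

    // Vendor side: the private key never ships with the application.
    static String issue(PrivateKey vendorKey, String email, String hardwareId)
            throws GeneralSecurityException {
        byte[] payload = (email + "|" + hardwareId).getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(vendorKey);
        s.update(payload);
        return ENC.encodeToString(payload) + "." + ENC.encodeToString(s.sign());
    }

    // Client side: needs only the public key, so no online check is required.
    static boolean verify(PublicKey vendorPub, String licence, String localHardwareId) {
        try {
            String[] parts = licence.split("\\.");
            if (parts.length != 2) return false;
            byte[] payload = Base64.getUrlDecoder().decode(parts[0]);
            Signature s = Signature.getInstance("SHA256withECDSA");
            s.initVerify(vendorPub);
            s.update(payload);
            if (!s.verify(Base64.getUrlDecoder().decode(parts[1]))) return false;
            // Signature is genuine; now check the key was issued for this machine.
            String[] fields = new String(payload, StandardCharsets.UTF_8).split("\\|");
            return fields.length == 2 && fields[1].equals(localHardwareId);
        } catch (IllegalArgumentException | GeneralSecurityException e) {
            return false; // malformed Base64 or signature: treat as an invalid licence
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeyPair vendor = kpg.generateKeyPair(); // constructed demo key pair
        // "HW-1234" stands in for whatever hardware fingerprint the program computes.
        String licence = issue(vendor.getPrivate(), "customer@example.com", "HW-1234");
        String sig = licence.split("\\.")[1];
        String edited = ENC.encodeToString(
                "customer@example.com|HW-9999".getBytes(StandardCharsets.UTF_8)) + "." + sig;
        System.out.println("same machine:   " + verify(vendor.getPublic(), licence, "HW-1234"));
        System.out.println("other machine:  " + verify(vendor.getPublic(), licence, "HW-9999"));
        System.out.println("edited payload: " + verify(vendor.getPublic(), edited, "HW-9999"));
    }
}
```
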

  1. Try to delegate part of your business logic to server side. This way some core processes cannot complete unless the application license is valid. Of course, if you have some logic that can be delegated. If your application is client-only then this approach is a bad choice.

  2. If your application will be sold for a lot of money, try implementing a solution using the HASP key approach (which is an investment by itself) instead of server authentication. I understand this is not what you asked, I am just giving another idea.

  3. Try to create security by obfuscation/encryption and you will fail if your application becomes popular, since there will always be someone who will crack it in 5 minutes :(

Milan Aleksić
  • Thanks Milan, as you can see by my previous comments I have gone off the idea of an auth server. Sadly, I am unwilling to invest money in piracy protection seeing as the thing does not EXIST and am not selling my software for vast amounts of money either. Lastly, I realise that obfuscation alone is not protection against piracy, rather intellectual property. (But I do have obfuscation sorted with ProGuard)! – Andy Jun 11 '11 at 19:07