3

I am looking for a solution to license a WPF, Silverlight and WP7 assembly. The assembly in question is a chart control which has a single API for use across platforms. I am in the process of creating a separate MSI for each platform (WPF, SL, WP7) which users will be able to download and install. This will register the assemblies in their GAC for development use.

What I would like to do is ensure that a single development license is only used by a single developer. It doesn't have to be super secure, just enough to deter would-be hackers. Ideally a solution that covered all three platforms would be beneficial.

I already have a cross-platform obfuscator which I am very pleased with. Shame this doesn't include licensing!

Edit: Additional requirements are that I will be allowing users to download updates for up to one year from purchase date, however the assemblies they purchase will be available for their use indefinitely whether or not they update. Assemblies are to be redistributed so any licensing model must be redistributable on WPF/SL/WP7 platforms.

Your suggestions / comments welcome.

Best regards,

Dr. Andrew Burnett-Thompson
  • This is more for http://programmers.stackexchange.com – paparazzo Dec 30 '11 at 23:39
  • Is it possible to move it? I'd do so if I knew how, else just repost. Regards, – Dr. Andrew Burnett-Thompson Dec 31 '11 at 09:01
  • 2
    Silverlight and WP7 don't have a component licensing technology built in, you may want to consider other non-technical ways of enforcing component use with your customers. – Jeff Wilcox Jan 05 '12 at 19:12
  • @JeffWilcox thanks for the comment. Any ideas? I'm aiming to go live with a component in the next month. Just finished the code and tidied up some bugs. Next task is packaging, ecommerce and licensing. I just need something basic that will "do the job" and prevent low-level license abuse. – Dr. Andrew Burnett-Thompson Jan 05 '12 at 23:07

1 Answer

1

For your requirements that the licencing methodology 'will "do the job" and prevent low-level licence abuse' I would personally recommend not getting too fancy; that is, to avoid the use of web-activated/maintained licencing. My advice would be similar to the approach outlined here.

  1. Select a symmetric encryption algorithm using one of the .NET libraries as described in the link above.
  2. Create the required encryption key using a random generator (if you contact me I am happy to share a piece of code I developed to generate a variety of random strings/keys for any required key size); there are also .NET classes to help you do this yourself by generating pseudo-random numbers (`RNGCryptoServiceProvider`).
  3. Transform/'custom-hash' the key to provide a new 'hashed encryption key'.
  4. Use this key to generate an Initialisation Vector (IV) and encrypt your licence file.

How you now deploy the application (in terms of licencing) is up to you. The two methods below will work for all three application types above and will offer some degree of consistency for the licencing of each of your products. The above method uses two files for licencing. 'ProductKey.myExtension' and 'LicenceFile.myOtherExtension'. The first contains the randomly generated key, that will be 'hashed'/transformed in the same way as in the licence generator application (you will need a separate (small) application to ‘cut’/create the licence files). The second is the encrypted file with user info, licence period etc.

A. You could now provide an install package for your application that will install your application in the relevant directory (i.e. C:\Program Files etc.) without providing the licence files, in which case you can deploy the licence files with a licence installer. The licence could then separately be installed for each user employing `Environment.SpecialFolder`s to ensure each user has their own licence (of course this would assume that the 'Administrator' installed the application in the first instance for all users and that the licence install pack would be run on a user-by-user basis). Note: I am currently not familiar with WP7 applications and the specifics in this case.

B. The second way would be to allow individual users to install the application, and to install the relevant licence files upon the application's installation.

I have deployed several WinForm applications using this methodology after an extensive research period and it seems to work well. I hope this is of some help.

MoonKnight
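
The four steps and the two-file layout from the answer above, as an added C# example (not MoonKnight's code and not part of the original post). It assumes .NET Framework 4 or later; PBKDF2 (`Rfc2898DeriveBytes`) stands in for the unspecified 'custom hash', and `AppSalt`, `Magic`, the method names and the sample licence fields are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class LicenceDemo
{
    // Constructed values, compiled into both the licence generator and the product.
    static readonly byte[] AppSalt = Encoding.UTF8.GetBytes("constructed-demo-salt");
    const string Magic = "LICENCE-V1;";

    // Step 2: random product key (the contents of ProductKey.myExtension).
    static byte[] NewProductKey()
    {
        var key = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(key);
        return key;
    }

    // Steps 3-4: transform the key (PBKDF2 stands in for the 'custom hash'), derive AES key and IV.
    static byte[] Crypt(byte[] productKey, byte[] data, bool encrypt)
    {
        using (var kdf = new Rfc2898DeriveBytes(productKey, AppSalt, 10000))
        using (var aes = new AesManaged { Key = kdf.GetBytes(32), IV = kdf.GetBytes(16) })
        using (var t = encrypt ? aes.CreateEncryptor() : aes.CreateDecryptor())
            return t.TransformFinalBlock(data, 0, data.Length);
    }

    static byte[] WriteLicence(byte[] productKey, string fields)
    {
        return Crypt(productKey, Encoding.UTF8.GetBytes(Magic + fields), true);
    }

    // Returns the licence fields, or null when key file and licence file do not match.
    static string ReadLicence(byte[] productKey, byte[] file)
    {
        string text;
        try { text = Encoding.UTF8.GetString(Crypt(productKey, file, false)); }
        catch (CryptographicException) { return null; } // bad padding
        return text.StartsWith(Magic, StringComparison.Ordinal) ? text.Substring(Magic.Length) : null;
    }

    static void Main()
    {
        byte[] key = NewProductKey();
        byte[] file = WriteLicence(key, "user=Constructed User;updatesUntil=2013-01-18"); // constructed
        Console.WriteLine(ReadLicence(key, file));
        Console.WriteLine(ReadLicence(NewProductKey(), file) ?? "licence rejected");
    }
}
```

Both files and the transform ship to the customer, so this hides the licence fields from casual editing; it does not prove who issued the licence.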
  • appreciate the extensive answer. I'm half tempted to give this a go since there seem to be no commercial WP7 SL WPF licensing models out there. Tell me, are there any caveats I should know about regarding reflection / IL injection? I am using a cross-platform obfuscator which I am happy with. Regarding licensing per-user - installation of licence files in Environment user folder is a stroke of genius. Thank you so much – Dr. Andrew Burnett-Thompson Jan 18 '12 at 13:29
  • 1
    Hi Andrew, sorry for the delay in getting back to you, it has been one of those days. You don't need to involve `System.Reflection` or 'IL Injection' whatsoever in coding this methodology. If you need some help with this stuff I am happy for you to email me. Which obfuscation package do you use at the moment? I am currently using PreEmptive Solution's 'Dotfuscator', which is proving to be an expensive option! – MoonKnight Jan 18 '12 at 16:21
  • no problem. My email is on my profile, I'd be interested to talk yes :) regarding reflection / IL what I meant was can a user decompile an app and replace your code to license it. Obfuscators are useful but they don't obscure everything. I'm using Babelfor.net which I found to be the one that "just worked" across WPF/SL/WP7. Best regards – Dr. Andrew Burnett-Thompson Jan 18 '12 at 16:36
  • 1
    Sorry, I see what you mean. Well yes, there is always a possibility of reflecting the CIL code even with it obfuscated but they would have to be very good and want to waste a lot of their time. This is why I include the 'hashing'/transforming of the encryption key before you use it for encryption - it 'spreads-out' the decryption code and confuses the situation even more as hackers are of course looking for the licence stuff at the entry point… – MoonKnight Jan 18 '12 at 16:54
  • 1
    Moreover, with the 'hash' algorithm in place you can store the result of the 'hash' at start-up (when the licence is checked), and during some core-processing run the cheap 'hash' process again on the ProductKey.txt, any tampering with the initial check will cause this to fail (shutting your application down and sending you an email?). This will give them yet more thousands of lines of CIL to sift through! – MoonKnight Jan 18 '12 at 16:56
  • 1
    wise. writing secure code seems to be tantamount to writing spaghetti code. It's funny as the component I am developing is quite spaghetti with chunks of code factored out to internal classes to allow obfuscation to do its job. Fortunately it's small enough to be navigable. I will give this a go - thanks for the info and feel free to send me your contact (see my profile for email addr). Regards, – Dr. Andrew Burnett-Thompson Jan 18 '12 at 17:10
  • 1
    finally it seems there is a gap in the market for WP7/SL/WPF cross platform licensing if you fancy building one ;-) – Dr. Andrew Burnett-Thompson Jan 18 '12 at 17:11