Re: putting a licence key in a java program
From: Rene (invalid_at_email.addr)
Date: 06/21/04
- Next message: Andy Fish: "Re: The connection problem"
- Previous message: Richard: "Re: JDOM: java.lang.NoClassDefFoundError: org/jdom/Content"
- In reply to: Andy Fish: "putting a licence key in a java program"
- Next in thread: Andy Fish: "Re: putting a licence key in a java program"
- Reply: Andy Fish: "Re: putting a licence key in a java program"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: 21 Jun 2004 13:58:02 GMT
> I want to add a licence key to my java program - some kind of encrypted
> string that tells the program what features are and aren't available etc.
>
> Here's the problem - say I have a class like this:
>
> class LicenceKey
> {
> LicenceKey(String s) {...}
> Date getLicenceExpiryDate() {...}
> boolean isFeatureXEnabled() {...}
> boolean isFeatureYEnabled() {...}
> }
>
> then someone else can just delete that class out of my JAR, and replace
> it with their own class with the same method signatures that behaves as
> if any licence key was valid.
>
> is there any "proper" way round this (i.e. other than obfuscation)?

Dunno about proper, but if it is worth the time, consider writing your own
ClassLoader and making the "licence-key" contain the actual needed code in
encrypted form. For example, key one contains the (encrypted) byte-code for
method B and C and key two contains the byte-code for method A. Easy mixing
of the keys can be prevented by using proper encryption and integrity
mechanisms. Simply switching some feature on is also not possible since the
code for that (method F) just isn't there in the first place.

Be aware, however, that it is still possible to defeat this scheme by
having the proper key and changing the code somewhere else so that they can
get at the encrypted byte-code after validation and save it down in a
normal class. For every feature the attacker would need to have a valid key
first though. But it can also be defeated (to avoid a recurring cost or so)
- but it is quite a bit more difficult to do so. The drawback is, it is of
course also more difficult to implement.

Another method is to use a system that loads classes from your server via
the internet and URLClassLoader. Can be defeated the same way as above and
requires an internet connection to your server but is easier to deploy.

The problem in itself is non-solvable as others have already commented.
It's up to you to decide how much effort and time you want to invest in
order to make it more difficult for an attacker. Evaluate market share and
"value" your product will have and how much incentive an attacker has to
break your system - then decide what you'll do. Maybe making the license
cheaper but forgetting any protection might also be an option, depending on the
evaluation.

CU
René
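
The class loader scheme described in the reply above, as an added example that is not part of the original post or any code from the thread. It assumes AES-GCM for the "proper encryption and integrity mechanisms", with the class name as associated data so a blob cannot be swapped between classes; all names (`LicensedLoaderDemo`, `FeatureB`, `seal`, `crypt`) and keys are hypothetical or constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
public class LicensedLoaderDemo extends ClassLoader {  // added example, hypothetical names
    public static class FeatureB implements Runnable {  // stands in for a paid feature
        public void run() { System.out.println("feature B running"); }
    }
    private final byte[] key;                   // AES key carried by the licence
    private final Map<String, byte[][]> blobs;  // class name -> {nonce, ciphertext+tag}
    LicensedLoaderDemo(byte[] key, Map<String, byte[][]> blobs) {
        super(null); this.key = key; this.blobs = blobs;  // bootstrap parent only
    }
    static byte[] crypt(int mode, byte[] key, String name, byte[] nonce, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, nonce));
        c.updateAAD(name.getBytes(StandardCharsets.UTF_8));  // ties each blob to its class name
        return c.doFinal(in);
    }
    static byte[][] seal(byte[] key, String name, byte[] classBytes) throws Exception {  // vendor side
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        return new byte[][] {nonce, crypt(Cipher.ENCRYPT_MODE, key, name, nonce, classBytes)};
    }
    @Override protected Class<?> findClass(String name) throws ClassNotFoundException {
        byte[][] blob = blobs.get(name);
        if (blob == null) throw new ClassNotFoundException(name);
        try {
            byte[] code = crypt(Cipher.DECRYPT_MODE, key, name, blob[0], blob[1]);
            return defineClass(name, code, 0, code.length);
        } catch (Exception e) {  // AEADBadTagException: wrong key, or blob tampered with or renamed
            throw new ClassNotFoundException(name + ": licence does not unlock this class", e);
        }
    }
    public static void main(String[] args) throws Exception {
        String name = FeatureB.class.getName();
        byte[] plain, goodKey = new byte[16], wrongKey = new byte[16];  // constructed demo keys
        new SecureRandom().nextBytes(goodKey);
        try (var in = FeatureB.class.getResourceAsStream("/" + name.replace('.', '/') + ".class")) {
            plain = in.readAllBytes();  // a vendor would do this at build time and ship only the blob
        }
        Map<String, byte[][]> shipped = Map.of(name, seal(goodKey, name, plain));
        Class<?> c = new LicensedLoaderDemo(goodKey, shipped).loadClass(name);
        ((Runnable) c.getDeclaredConstructor().newInstance()).run();
        try { new LicensedLoaderDemo(wrongKey, shipped).loadClass(name); }
        catch (ClassNotFoundException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

In this demo the plaintext `FeatureB` class is also on the classpath only so the example can seal it; in the scheme the reply describes, the JAR would ship the sealed blob alone.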