GitBucket
....................................................... Title: Licensing Version: 1.0 Author: John Ryland Company: Subflexion Copyright: (C) Copyright 2020 All rights reserved .......................................................
Terms
| Term | Definition |
|---|---|
| User | either a trial or paying Customer |
| Customer | a paying User |
| License | terms of use / a digitally signed file showing a Customer's proof of purchase |
| The Software | a particular version of the application |
| Machine | a specific computer (identified by atleast 2 of 3 of the same HDD+CPU+NIC) an instance is installed on |
| VirtualMachine | a virtualized computing environment that gives the appearance of being a Machine, but could be cloned or transferred |
| Installation | an installed instance of the software on a Machine |
| Trial | an evaluation Installation |
| Evaluation | to test out before purchasing |
| Registration | the process of purchasing a License |
| Fingerprint | method of identification based on collection of pertinent/unique data of a Machine |
Database
| table | field | field | |||||||
|---|---|---|---|---|---|---|---|---|---|
| users | id* | name* | email* | puchaseId? | inst1 | inst2 | inst3 | inst4 | inst5 |
| products | id* | name | |||||||
| versions | id* | productId | version | ||||||
| trials | id* | ||||||||
| purchases | id* | userId* | date* | ||||||
| installations | id* | fingerprint* |
* - required ? - optional
License needs to contain at a minimum:
| Record | Description |
|---|---|
| UserId | server can have mapping to user/customer record with all known details |
| ApplicationId | identification of what is licensed (application, version(s) etc) |
| PurchaseRecordId | reference number for the purchase |
| Date | when the purchase was made / license was created |
ActivationLicense
This is the file used to determine if allow the software to run
| Record | Description |
|---|---|
| UserId | |
| InstallationId | server can have mapping of InstallId -> Fingerprint |
Potential Hacking Attempts
- Domain redirect
- Eg using /etc/hosts file to redirect requests directed to license server to a fake server
- Binary Patching
- Patching the application to change the code or data
- replacement of the public key used for license verifying / signing of data - skipping out license checks - patching license check code to always return true
- Patching the application to change the code or data
- Wireshark packet rewriting
- inspection of protocol and rewriting of requests and responses
- equivalent to domain redirection, but could manage to fool attempts to verify domain is correct
- inspection of protocol and rewriting of requests and responses
- Denial of service
- overload license server with too many requests
- Get feedback from various people
- Vincent/Haydn on pages / php / vulnrabilities
- Ask Sean Finn if he can hack in
- Sarah on general thoughts / beta test
- Probably better to ask outside of work people though
Mitigations
- Domain verification
- Check DKIM? Make assumptions not to implicitly trust server responses unless they are signed
- Additional crypto
- Add more layers at application layer to verify communications with server (public/private key signing)
- Avoid verify/check patching
- The license checking code which returns true/false could be called in places with expecting a false result sometimes
- this means that code patching needs to find all the call sites and patch those.
- The license checking code which returns true/false could be called in places with expecting a false result sometimes
- Patch of keys
- Need to check hash of application
- this is defeatible as the hash that is checked could also be patched if they have a fake server or patch properly.
- perhaps can hash different parts of the code, different hashes, each hash contains the other, the hash is stored xored.
[ part 1 + pad ] [ part 2 + hash_p1^pad ] [ part 3 + hash_p2^pad ] license + hash_p3
part of the problem is the data will be in different section to the code
- Need to check hash of application
Licensing Server
TODO:
- Probably should isolate it from the website and put on a different domain and make it product generic
- need to protect customer data - produce a unique CustomerId - make mapping that is stored off-site or something
- probably should try to have shared CustomerId across products - perhaps salted hash of the customers details
- make sure there are good server logs being collected
- produce graphs and metrics out of that data
harden/test security of the site
should try to track when a trial is converted to a registration
- one thing is when click on link in the application, to add parameter to the URL request to the server to track when a trial user is thinking of being a potential customer
- track actual license activations from existing trial license - can do this from the application
- add parameter which contains the installation Id of the trial in the server request
- server should be able to see that the machine fingerprint matches
- server therefore could have two installation licenses for a given fingerprint
- add parameter which contains the installation Id of the trial in the server request
Registration
- purchase made with PayPal
- triggers generation of a purchase license/certificate file
- emailed to customer
- nothing ties this to an installation yet (but does link the purchase to the customer)
- user runs software and 'applies' or 'installs' the license
- this triggers registering the installation (this links the purchase with a machine)
- the server generates an installation license which is sent to the application and saved
- the application can validate this installation license
License Checking/Validating
- Online Valiadtion
- need to be careful about validation server load - if too many requests then impacts customer's user experience
- command-line tool may be run 1000s of time from a script, probably want to not do anything too intensive
- probably the command-line tool will be used on servers - might be less strict with its license checking for non-trial licenses
- GUI tool can be more strict and require intermittant internet connectivity for non-trial licenses
- GUI trial licenses can be more strict - but need to be careful about server load
- need to be careful about validation server load - if too many requests then impacts customer's user experience
- Offline Validation
- can check that installation license details are correct
- provided the machine fingerprint is same, it should validate - how about in a server environment with virtual machines?
- perhaps for the command-line tool, only check they have a signed non-trial installation license, nothing more - no online checking
- GUI tool behaves differently - can avoid online check for months if non-trial installation
- the period that can run without on-line check should be tweakable from the server by means of the installation licenses it generates
License types
purchase license (proof of purchase certificate) (limited to activated on 5 machines - every 6 months this resets)
(can be used to generate up to 5 active non-trial installation licenses with 6 month validity, after 6 months if not used/renewed, the installation license is non-active and allows using on another machine,non-trial installation license
- trial installation license (30 day limited -
User runs trial -> user enters details -> server generates an installation license
User registers -> 'license' is emailed to customer -> customer applies license inside of application
track installations
Customer ID
Activation ID
License ID - unique for the user
Installation ID