.......................................................
Title:      Licensing
Version:    1.0
Author:     John Ryland
Company:    Subflexion
Copyright:  (C) Copyright 2020
            All rights reserved
.......................................................

Terms
-----

 Term            | Definition
-----------------|---------------------
 User            | either a trial or paying Customer
 Customer        | a paying User
 License         | terms of use / a digitally signed file showing a Customer's proof of purchase
 The Software    | a particular version of the application
 Machine         | a specific computer (identified by at least 2 of 3 of the same HDD+CPU+NIC) an instance is installed on
 VirtualMachine  | a virtualized computing environment that gives the appearance of being a Machine, but could be cloned or transferred
 Installation    | an installed instance of the software on a Machine
 Trial           | an evaluation Installation
 Evaluation      | to test out before purchasing
 Registration    | the process of purchasing a License
 Fingerprint     | method of identification based on collection of pertinent/unique data of a Machine


Database
-----

 Table         | Fields
---------------|------------------------------------------------------------------
 users         | id*, name*, email*, purchaseId?, inst1, inst2, inst3, inst4, inst5
 products      | id*, name
 versions      | id*, productId, version
 trials        | id*
 purchases     | id*, userId*, date*
 installations | id*, fingerprint*


\* - required
? - optional


License needs to contain at a minimum:
-----

 Record            | Description
-------------------|----------------
 UserId            | server can have mapping to user/customer record with all known details
 ApplicationId     | identification of what is licensed (application, version(s) etc)
 PurchaseRecordId  | reference number for the purchase
 Date              | when the purchase was made / license was created


ActivationLicense
-----

This is the file used to determine whether to allow the software to run.

 Record            | Description
-------------------|----------------
 UserId            |
 InstallationId    | server can have mapping of InstallId -> Fingerprint
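The two tables above describe signed files, so here is a minimal signed-file format covering both the purchase license and the ActivationLicense, as an added example in Go (not code from these notes or from the Subflexion product). It assumes Ed25519 signatures from the Go standard library, a JSON encoding, and constructed sample ids; the record field names are the ones in the tables. The point it demonstrates is the order of operations: the signature is checked over the raw bytes before the payload is ever parsed, so a file from a redirected or fake server, or a file with one altered byte, is rejected without being interpreted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// ErrBadSignature means the payload must not be trusted, whoever sent it.
var ErrBadSignature = errors.New("license: signature does not verify")

// PurchaseLicense carries the minimum records the notes require (proof of purchase).
type PurchaseLicense struct {
	UserId           string    `json:"userId"`
	ApplicationId    string    `json:"applicationId"`
	PurchaseRecordId string    `json:"purchaseRecordId"`
	Date             time.Time `json:"date"`
}

// ActivationLicense ties a user to an InstallationId; the server keeps the
// InstallationId -> Fingerprint mapping, so no fingerprint is embedded here.
type ActivationLicense struct {
	UserId         string `json:"userId"`
	InstallationId string `json:"installationId"`
}

// SignedFile is the emailed / on-disk form: the exact bytes that were signed
// plus an Ed25519 signature over them (JSON encodes both as base64).
type SignedFile struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// NewKeyPair generates the server's signing key. Only the public half is
// embedded in the application; the private half never leaves the server.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign serialises a license record and signs the serialised bytes.
func Sign(priv ed25519.PrivateKey, record interface{}) (SignedFile, error) {
	payload, err := json.Marshal(record)
	if err != nil {
		return SignedFile{}, err
	}
	return SignedFile{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify checks the signature before parsing: an unsigned, altered, or
// foreign-signed file is refused without its contents being interpreted.
func Verify(pub ed25519.PublicKey, f SignedFile, record interface{}) error {
	if len(f.Signature) != ed25519.SignatureSize || !ed25519.Verify(pub, f.Payload, f.Signature) {
		return ErrBadSignature
	}
	return json.Unmarshal(f.Payload, record)
}

// Encode and Decode give the text form written to the license file.
func Encode(f SignedFile) ([]byte, error) { return json.Marshal(f) }
func Decode(b []byte) (SignedFile, error) {
	var f SignedFile
	err := json.Unmarshal(b, &f)
	return f, err
}

// SamplePurchase is constructed sample data for this demonstration.
func SamplePurchase() PurchaseLicense {
	return PurchaseLicense{UserId: "user-0001", ApplicationId: "app-1.0", PurchaseRecordId: "purchase-0042",
		Date: time.Date(2020, 6, 1, 12, 0, 0, 0, time.UTC)}
}

func main() {
	pub, priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	f, err := Sign(priv, SamplePurchase())
	if err != nil {
		panic(err)
	}
	text, _ := Encode(f)
	fmt.Printf("purchase license file: %s\n", text)

	var lic PurchaseLicense
	fmt.Println("genuine file verifies:", Verify(pub, f, &lic) == nil, lic.PurchaseRecordId)

	// Altering any payload byte while keeping the old signature is rejected.
	tampered := f
	tampered.Payload = append([]byte(nil), f.Payload...)
	tampered.Payload[len(tampered.Payload)/2] ^= 1
	fmt.Println("tampered file rejected:", errors.Is(Verify(pub, tampered, &lic), ErrBadSignature))

	act, _ := Sign(priv, ActivationLicense{UserId: lic.UserId, InstallationId: "inst-0001"})
	var a ActivationLicense
	fmt.Println("activation license verifies:", Verify(pub, act, &a) == nil, a.InstallationId)
}
```

Because the client only ever holds the public key, the same Verify routine also covers the "domain redirect" case under Mitigations: a fake server cannot produce a file that passes, so DNS or hosts-file tricks only yield files the application refuses.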



Potential Hacking Attempts
-----

- Domain redirect
     - Eg using /etc/hosts file to redirect requests directed to license server to a fake server
- Binary Patching
     - Patching the application to change the code or data
           - replacement of the public key used for license verifying / signing of data
           - skipping out license checks - patching license check code to always return true
- Wireshark packet rewriting
     - inspection of protocol and rewriting of requests and responses
           - equivalent to domain redirection,
             but could manage to fool attempts to verify domain is correct
- Denial of service
     - overload license server with too many requests


- Get feedback from various people
    - Vincent/Haydn on pages / php / vulnerabilities
    - Ask Sean Finn if he can hack in
    - Sarah on general thoughts / beta test
    - Probably better to ask outside of work people though


Mitigations
-----

- Domain verification
   - Check DKIM? Make assumptions not to implicitly trust server responses unless they are signed
- Additional crypto
   - Add more layers at application layer to verify communications with server (public/private key signing)
- Avoid verify/check patching
   - The license checking code which returns true/false could be called in places that sometimes expect a false result
       - this means that code patching needs to find all the call sites and patch those.
- Patch of keys
  - Need to check hash of application
       - this is defeatable, as the hash that is checked could also be patched if they
         have a fake server or patch properly.
       - perhaps can hash different parts of the code, different hashes, each hash contains
         the other, the hash is stored xored.
```
           [ part 1 + pad ]   [ part 2 + hash_p1^pad ]   [ part 3 + hash_p2^pad ]   license + hash_p3
```
         part of the problem is that the data will be in a different section to the code
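The chained-hash layout sketched above, worked through as an added example in Go (not code from these notes). It follows one reading of the diagram: section 1 ends with the pad, each later section ends with hash(previous section) XOR pad, and the hash of the last section goes into the signed license; it is generalised to any number of parts rather than exactly three. Check reports per link whether the stored value still matches, and Retag does what a patch to one section forces (rewriting the next section's tag), which is the property the layout is meant to provide: the mismatch moves one link towards the license rather than going away.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const tagLen = sha256.Size

type tag = [tagLen]byte

func xorTag(a, b tag) tag {
	var out tag
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// tagOf returns the value stored at the end of a section (pad or xored hash).
func tagOf(section []byte) tag {
	var t tag
	copy(t[:], section[len(section)-tagLen:])
	return t
}

// Build lays out the sections as in the diagram and returns the hash that
// belongs in the license. The pad is only ever stored in section 1.
func Build(code [][]byte, pad tag) (sections [][]byte, licenseHash tag) {
	stored := pad
	for _, part := range code {
		section := append(append([]byte{}, part...), stored[:]...)
		sections = append(sections, section)
		// the next section will carry this section's hash, masked with the pad
		stored = xorTag(sha256.Sum256(section), pad)
	}
	licenseHash = sha256.Sum256(sections[len(sections)-1])
	return sections, licenseHash
}

// Check returns, per section, whether its hash still matches where it is
// recorded: the following section's tag, or the license for the last section.
func Check(sections [][]byte, licenseHash tag) []bool {
	ok := make([]bool, len(sections))
	pad := tagOf(sections[0])
	for i := 1; i < len(sections); i++ {
		ok[i-1] = xorTag(sha256.Sum256(sections[i-1]), pad) == tagOf(sections[i])
	}
	ok[len(sections)-1] = sha256.Sum256(sections[len(sections)-1]) == licenseHash
	return ok
}

// Retag rewrites section i+1's stored tag to match section i again. Because
// the tag is part of section i+1, that section's own hash changes, so the
// next link breaks instead: the only way to make every link pass is to
// change the hash held in the signed license.
func Retag(sections [][]byte, i int) {
	pad := tagOf(sections[0])
	t := xorTag(sha256.Sum256(sections[i]), pad)
	copy(sections[i+1][len(sections[i+1])-tagLen:], t[:])
}

// RandomPad draws the pad used to mask the stored hashes.
func RandomPad() (tag, error) {
	var p tag
	_, err := rand.Read(p[:])
	return p, err
}

func main() {
	// constructed stand-ins for three code sections
	code := [][]byte{[]byte("part 1: license check"), []byte("part 2: main logic"), []byte("part 3: exporter")}
	pad, err := RandomPad()
	if err != nil {
		panic(err)
	}
	sections, licenseHash := Build(code, pad)
	fmt.Println("intact:           ", Check(sections, licenseHash))
	sections[0][0] ^= 0xff // one byte of part 1 altered
	fmt.Println("part 1 altered:   ", Check(sections, licenseHash))
	Retag(sections, 0)
	fmt.Println("part 2 tag fixed: ", Check(sections, licenseHash))
	Retag(sections, 1)
	fmt.Println("part 3 tag fixed: ", Check(sections, licenseHash))
}
```

This only addresses the "patch of keys" concern as far as the notes do: the chain ends at a value the server signs, and the code running Check can itself be patched, which is why the notes pair it with multiple call sites and a verified server signature. In a real binary the tags sit in a data section, so each hash must be taken over the bytes exactly as they are loaded, which is the layout problem the last line above raises.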



Licensing Server
-----

TODO:

 - Probably should isolate it from the website and put on a different domain and make it product generic
    - need to protect customer data - produce a unique CustomerId - make mapping that is stored off-site or something
    - probably should try to have shared CustomerId across products - perhaps salted hash of the customers details
 - make sure there are good server logs being collected
 - produce graphs and metrics out of that data
 - harden/test security of the site

 - should try to track when a trial is converted to a registration
    - one option is, when the user clicks the link in the application, to add a parameter to the URL request to the
      server to track when a trial user is thinking of becoming a potential customer
    - track actual license activations from existing trial license - can do this from the application
        - add parameter which contains the installation Id of the trial in the server request
            - server should be able to see that the machine fingerprint matches
            - server therefore could have two installation licenses for a given fingerprint

Registration

 - purchase made with PayPal
 - triggers generation of a purchase license/certificate file
 - emailed to customer
 - nothing ties this to an installation yet (but does link the purchase to the customer)
 - user runs software and 'applies' or 'installs' the license
 - this triggers registering the installation (this links the purchase with a machine)
 - the server generates an installation license which is sent to the application and saved
 - the application can validate this installation license

License Checking/Validating

 - Online Validation
   - need to be careful about validation server load - if too many requests then impacts customer's user experience
       - command-line tool may be run 1000s of times from a script, probably want to not do anything too intensive
   - probably the command-line tool will be used on servers - might be less strict with its license checking for non-trial licenses
   - GUI tool can be more strict and require intermittent internet connectivity for non-trial licenses
   - GUI trial licenses can be more strict - but need to be careful about server load
 - Offline Validation
   - can check that installation license details are correct
   - provided the machine fingerprint is same, it should validate - how about in a server environment with virtual machines?
   - perhaps for the command-line tool, only check they have a signed non-trial installation license, nothing more - no online checking
   - GUI tool behaves differently - can avoid online check for months if non-trial installation
      - the period that can run without on-line check should be tweakable from the server by means of the installation licenses it generates
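The Machine definition in the Terms table and the offline-validation rules just listed, combined into one client-side check as an added example in Go (not code from these notes or from the product). The fingerprint hashes each of the three components separately so that the "at least 2 of 3" rule can be applied after one component changes. Two assumptions are made: the fingerprint components travel inside the installation license (the notes keep the InstallId -> Fingerprint mapping on the server), and a server-set OfflineGraceDays field is the "period that can run without on-line check"; the license signature is taken to have been verified already, as in the signed-file example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Fingerprint holds one hashed identifier per component named in the Terms
// table. Hashing per component means the server never stores raw serials and
// a single replaced part can still match.
type Fingerprint struct {
	HDD, CPU, NIC string
}

func hashID(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// NewFingerprint builds a Fingerprint from the raw identifiers the client collects.
func NewFingerprint(hddSerial, cpuID, nicMAC string) Fingerprint {
	return Fingerprint{HDD: hashID(hddSerial), CPU: hashID(cpuID), NIC: hashID(nicMAC)}
}

// SameMachine applies the notes' rule: same Machine when at least 2 of 3 agree.
func SameMachine(a, b Fingerprint) bool {
	matches := 0
	for _, same := range []bool{a.HDD == b.HDD, a.CPU == b.CPU, a.NIC == b.NIC} {
		if same {
			matches++
		}
	}
	return matches >= 2
}

// InstallationLicense is the installation license as the client sees it.
// Fingerprint and OfflineGraceDays being carried in the license is an
// assumption of this example.
type InstallationLicense struct {
	UserId, InstallationId string
	Fingerprint            Fingerprint
	IssuedAt               time.Time
	Trial                  bool
	OfflineGraceDays       int // server-tweakable period allowed without an online check
}

const trialDays = 30 // trial installation license: 30 day limited

type Verdict int

const (
	Deny           Verdict = iota // do not run
	Run                           // run, no server contact needed
	RunAndCheckIn                 // run now, but contact the server in the background (GUI trial)
	OnlineRequired                // do not run until a successful online check
)

// OfflineCheck decides what an already signature-verified license permits on
// this machine, for the command-line tool (gui=false) or the GUI tool.
func OfflineCheck(lic InstallationLicense, here Fingerprint, lastOnline, now time.Time, gui bool) (Verdict, string) {
	if !SameMachine(lic.Fingerprint, here) {
		return Deny, "fingerprint does not match this machine"
	}
	if lic.Trial {
		if now.After(lic.IssuedAt.AddDate(0, 0, trialDays)) {
			return Deny, "trial period has ended"
		}
		if gui {
			return RunAndCheckIn, "GUI trial: run, but check in with the server"
		}
		return Run, "trial within 30 days"
	}
	if !gui {
		// command-line tool: a signed non-trial license is all that is checked
		return Run, "non-trial command-line use, no online check"
	}
	grace := time.Duration(lic.OfflineGraceDays) * 24 * time.Hour
	if now.Sub(lastOnline) > grace {
		return OnlineRequired, "non-trial GUI: offline grace period exceeded"
	}
	return Run, "non-trial GUI within offline grace period"
}

// SampleLicense returns constructed sample data bound to the given fingerprint.
func SampleLicense(fp Fingerprint) InstallationLicense {
	return InstallationLicense{UserId: "user-0001", InstallationId: "inst-0001", Fingerprint: fp,
		IssuedAt: time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC), OfflineGraceDays: 90}
}

func main() {
	// constructed identifiers: the same machine after a disk replacement, and a different machine
	original := NewFingerprint("WD-1234", "cpu-family-6-model-158", "00:11:22:33:44:55")
	newDisk := NewFingerprint("ST-9999", "cpu-family-6-model-158", "00:11:22:33:44:55")
	other := NewFingerprint("ST-9999", "cpu-other", "00:11:22:33:44:55")
	lic := SampleLicense(original)
	for _, fp := range []Fingerprint{newDisk, other} {
		v, why := OfflineCheck(lic, fp, lic.IssuedAt, lic.IssuedAt.AddDate(0, 0, 10), true)
		fmt.Println(v, why)
	}
}
```

A cloned or migrated VirtualMachine reproduces all of its virtual identifiers, so this rule alone cannot tell copies apart; that is the unanswered "server environment with virtual machines" question above, and it is why the notes lean on online activation counts for that case rather than on the fingerprint.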

License types

 - purchase license                 (proof of purchase certificate; limited to activation on 5 machines, every 6 months this resets)
                                    (can be used to generate up to 5 active non-trial installation licenses with 6 month validity;
                                     after 6 months, if not used/renewed, the installation license is non-active and allows using on
                                     another machine)

 - non-trial installation license  
 - trial installation license       (30 day limited - 
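The 5-machine / 6-month rule for a purchase license, worked through as server-side slot accounting in Go, as an added example (not code from these notes or from the licensing server). It assumes the fingerprint arrives as an opaque string, that installation ids are derived from the purchase record id, and that an activation request from a machine that already holds an active slot renews that slot rather than taking another (one reading of "if not used/renewed"); lapsed installations simply stop counting, which is what frees a slot for another machine.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

const (
	MaxActiveInstallations = 5 // a purchase license can be active on up to 5 machines
	InstallationValidity   = 6 // months an installation license stays active
)

var ErrNoFreeSlot = errors.New("purchase license: all installation slots are active")

// Installation is one activation record the server holds for a purchase license.
type Installation struct {
	InstallationId string
	Fingerprint    string // opaque machine fingerprint as sent by the client
	ActivatedAt    time.Time
}

func (in Installation) expires() time.Time {
	return in.ActivatedAt.AddDate(0, InstallationValidity, 0)
}

// PurchaseState is the server-side record for one purchase license.
type PurchaseState struct {
	PurchaseRecordId string
	Installations    []Installation
	nextId           int
}

// Active lists the installations whose validity has not lapsed at now.
func (p *PurchaseState) Active(now time.Time) []Installation {
	var out []Installation
	for _, in := range p.Installations {
		if now.Before(in.expires()) {
			out = append(out, in)
		}
	}
	return out
}

// Activate handles one activation request from a machine fingerprint.
func (p *PurchaseState) Activate(fingerprint string, now time.Time) (Installation, error) {
	// an active slot for this machine is renewed, not duplicated (assumption)
	for i := range p.Installations {
		in := &p.Installations[i]
		if in.Fingerprint == fingerprint && now.Before(in.expires()) {
			in.ActivatedAt = now
			return *in, nil
		}
	}
	if len(p.Active(now)) >= MaxActiveInstallations {
		return Installation{}, ErrNoFreeSlot
	}
	p.nextId++
	in := Installation{
		InstallationId: fmt.Sprintf("%s-inst-%d", p.PurchaseRecordId, p.nextId),
		Fingerprint:    fingerprint,
		ActivatedAt:    now,
	}
	p.Installations = append(p.Installations, in)
	return in, nil
}

// SampleStart is the constructed date the demonstration starts from.
func SampleStart() time.Time { return time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC) }

func main() {
	p := &PurchaseState{PurchaseRecordId: "purchase-0042"}
	t0 := SampleStart()
	for _, fp := range []string{"fp-a", "fp-b", "fp-c", "fp-d", "fp-e"} {
		in, _ := p.Activate(fp, t0)
		fmt.Println("activated", in.InstallationId, "for", fp)
	}
	_, err := p.Activate("fp-f", t0.AddDate(0, 1, 0))
	fmt.Println("sixth machine after one month:", err)
	in, _ := p.Activate("fp-a", t0.AddDate(0, 1, 0))
	fmt.Println("first machine again renews", in.InstallationId)
	later := t0.AddDate(0, 6, 15)
	in, err = p.Activate("fp-f", later)
	fmt.Println("sixth machine after the others lapsed:", in.InstallationId, err, "active:", len(p.Active(later)))
}
```

The same per-purchase state is where the trial-to-registration tracking above would attach: when the activation request also carries the trial's installation id, the server can compare that installation's fingerprint with the one in this request before treating the activation as a conversion.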


User runs trial -> user enters details -> server generates an installation license


User registers -> 'license' is emailed to customer -> customer applies license inside of application


track installations


Customer ID

Activation ID

License ID          - unique for the user

Installation ID     



