Software licencing scheme [closed]

问题

Closed. This question is opinion-based. It is not currently accepting answers.

---

Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.

Closed 4 years ago.

I've devised the following mechanism so as to license a software without direct connection to a server, it seems simple, yet I fail to find any serious flaw:

I plan to use asymetric crypto so as to send a message from 1 server (the licence server) to n clients (the n computers on which the software is installed)

1. The client sends (via mail, for example) some informations about the computer (MAC address, machine name, you name it)

2. On the licence server, these informations are encrypted using a well secured public (not so public) RSA key, this encrypted payload is the licence.

3. the encrypted licence is sent to the client

4. When the software is launched, it cheks for a licence file, it is able to ensure the payload was encrypted with the server key, using the corresponding RSA private key, shipped with each version of the software.

5. Once the licence decrypted, the software checks it's running on the same machine the licence was given to.

   In my opinion, no one will be able to forge an encrypted payload without access to the Licence server RSA key.

Of course, the licence might be stolen, then the software launched in a virtual machine which mimics a genuine client machine, or the software might be disassembled so as to unplug the licence check.

But is this scheme good enough, or am I utterly naive in this regard?

Thanks

回答1:

It's a decent scheme, although are you sure you want the client to have the private key and the server the public key? Unless you're generating one keypair per install, shouldn't it be the other way around?

The scheme is simple, but is it practical? If your goal is to prevent casual cracking of your application there are simpler solutions that are just as effective. And if your goal is to prevent crackers from running your application, chances are that (a) you won't succeed and (b) your program isn't important enough to merit such attention.

And why would someone seek to attack the cryptography part of the license scheme when simply hex-editing the binary to change the license checking code to NOPs will almost certainly work just fine?

I'd rethink the licensing strategy and its importance to your product and its success if I were you.

来源：https://stackoverflow.com/questions/12696581/software-licencing-scheme