One of my company's applications still requires a hardware key to run, but we're currently in the process of removing that requirement and replacing it with an online check. The issue we are having is that we allow our customers to set up test systems with copies of their live databases. With the hardware keys, that isn't a problem, as they get a special key that tells the software it is a test, but we're trying to figure out a way to do this with a software-only check. Our only idea so far is to check the hardware against a registered list in the database, but before we implement this, I want to ask how others have solved similar problems.
Certificates are easy to set up on a per-machine basis. Create a doc containing the limiting criteria that the cert is good for: DB size, # clients, # processes, CPU time, expiration date, etc. Then add something unique to the machine (e.g. the MAC address of one of their ethernet interfaces, UUID of the root device, whatever), and then sign the cert with your private key. The software uses your public key to verify the signature, then does whatever.
Note that this only requires a one-time net/phone/email verification process to generate the signed certificate, something that was important to us when we were dealing with certain government agencies who have air-gap security requirements. They would email us the unique value (we were using MAC addresses), and we would email back a signed certificate, which was then hand-carried into the SCIF.
Since the signing / verification process is completely independent of the contents of the license, you can change the contents/uses over time without having to reengineer your entire license management process.
You can buy software to do this, but there are a lot of open source resources on this subject. Things to read and / or download:
- Digital Signatures
- Certificate Authorities
- OpenCA
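The signed-certificate scheme the answer describes, as an added example rather than the answerer's own code: the license document is assumed to be JSON, the signature is Ed25519, and the MAC address, client limit and test flag (the software-only replacement for the asker's "special test key") are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// License is the signed document from the answer: granted limits plus a value
// unique to the customer's machine (the MAC address in main is constructed).
type License struct {
	MachineID  string    `json:"machine_id"`
	TestSystem bool      `json:"test_system"` // replaces the "special test key"
	MaxClients int       `json:"max_clients"`
	Expires    time.Time `json:"expires"`
}

// Issue runs at the vendor: serialize the license and sign it with the private key.
func Issue(priv ed25519.PrivateKey, lic License) (payload, sig []byte, err error) {
	if payload, err = json.Marshal(lic); err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(priv, payload), nil
}

// Verify runs in the shipped software: check the signature with the embedded
// public key first, then enforce the machine binding and expiry on trusted data.
func Verify(pub ed25519.PublicKey, payload, sig []byte, machineID string, now time.Time) (*License, error) {
	if !ed25519.Verify(pub, payload, sig) {
		return nil, errors.New("license signature invalid")
	}
	var lic License
	if err := json.Unmarshal(payload, &lic); err != nil {
		return nil, err
	}
	if lic.MachineID != machineID || now.After(lic.Expires) {
		return nil, errors.New("license not issued for this machine, or expired")
	}
	return &lic, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	lic := License{MachineID: "00:11:22:33:44:55", TestSystem: true, MaxClients: 5, Expires: time.Now().Add(24 * time.Hour)}
	payload, sig, _ := Issue(priv, lic)
	got, err := Verify(pub, payload, sig, "00:11:22:33:44:55", time.Now())
	fmt.Println(got != nil && got.TestSystem, err)
}
```

Only the public key ships with the application; the private key stays on the vendor side, which is what lets the one-time email exchange described above work for air-gapped sites.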