Content tagged with article

Mar 22

admin

.NET Licensing System

  • Created: 3/22/2014
  • admin

If you're in the market for a licensing system for .net, here are some of the components you should consider as you evaluate the different products out there in the market.

Licensing System

This is the core part every product should have. It actually generates the licenses using a predefined algorithm to help protect the actual software program. The most popular and secure one is using digital certificates, essentially, private/public key system. With this, a private key is used to sign a document that contains information about the license. Then the public key is used by the software being protected to validate that the document hasn’t been altered and that is valid.

The licensing system should provide you with a way to keep track of these keys and save them somewhere safe. An online licensing system can do this by default by saving the key pairs on the online database where it can’t reached by malicious users.

License Management

This feature will allow you to manage the license files and generated serial numbers. For customer support reasons, you’ll need to go back to these licenses and verify the information in it. For example, you might save what version of a product your customer is using (Lite, Professional or Enterprise). This information is saved in the license.

Also you might need to modify the information for example when a customer upgrades or you want to give them a special license. You need a way to quickly find these licenses.

Customer Management

Similar to license management, customer management will allow you to find customers by their name or email, get their information and check what licenses they currently have of your product.

Again, for support reasons, this is the fastest way to find license information for a customer. This feature will also serve as the actual customer database for your products so you can also tap on it for resources and future notifications you want to send to your clients.

Notification System

The notification system will automatically deliver licenses to your end users after they buy or activate the license. This way, you don’t need to code this on your side of things.

The notification system will also make sure emails are delivered. At the same time, the licensing system should provide you with the tools to change the email templates so you can include your own wording.

Payment Provider Integration

If you’re licensing a software product it’s because your intention is to sell it to other people. Providing integration with major payment providers will allow you to automatically create the license or serial number on the fly when the customer pays. Then using the notification system, the license is also delivered to the customer instantly.

The integration with the payment provider should be done with the minimal amount of code or maybe none. For example, in LicenseSpot, you can configure payment providers with just a few clicks and using minimal information. This allows licenses to be created online.

Templating System

The templating system serves as way to automatically create licenses based on predefined templates. These templates contain information about the license.

For example, you can have a template for trials and a template for production licenses. The trial specifies how much time the license is valid. A template specifies the limits the application has. Furthermore, the production template can be divided into one for the lite version and one for the professional version. Then by just selecting the right template, the license is automatically created based on these values.

Hosting

When you’re doing online activations, also consider the hosting the license provider has. You don’t want to host this kind of systems by yourself as you can easily loose customers when they’re unable to activate because your server is unavailable. Ask for how many servers and what’s the SLA they provide on the service.

In LicenseSpot, this something we take really serious as we host the product on a server farm on Windows Azure providing high availability.

In conclusion, keep an eye on all these items when you’re looking to buy a licensing system for .net (either for C# or VB.NET) so you can get the best bang for your money.

Mar 16

admin

Licensing .NET Applications

  • Created: 3/16/2014
  • admin

When you’re done writing your application and everything is ready for launch, the final step is licensing your application. Licensing is the process of avoiding casual piracy in your software product and there are multiple ways to this in .NET.

Types of Piracy

The first thing you should know is that applying licensing to your app doesn’t mean that it won’t be pirated. There are two kinds of piracy in the software market: casual piracy and actual piracy. The actual piracy is when someone or a company is decided on using an unlicensed product and will do whatever is necessary to get it. This includes getting fake serial numbers or cracking the application. You can’t stop this kind of piracy from happening. There’s nothing you can do in your application that wouldn’t allow a person to deobfuscate your code and inject their own to prevent licensing from working.

But casual piracy is different. You can find this one generally inside companies when they have purchased a license of a product for five users. Then all of sudden they need an extra one a, sixth user, and they just proceed to install it and use it. This is the one we want to prevent. Their intent isn’t to pirate or crack the application, they’re just doing it because they can or it’s just temporary.

Protection mechanism

The most well-known way of protecting .NET software is using the public/private key mechanism or digital signatures. With this system, a private key is used to sign a document and a public key is used to verify that the document was signed using the private key. After the document has been originally signed, it cannot be altered. Changing its contents, will break validation using the public key.

Encrypting the data isn’t useful because you’ll need the encryption key to be present in the program to decrypt the document. The pirate could simply take a look at your IL code using any disassembler, take the key and unencrypt the file, change it and encrypt it again.

For your product, you can for example create an XML file that contains information about the user, company, serial number, what features the license allows and trial information. Then you can sign the XML using a private key and distribute this file as the license. Nobody will be able to modify the file because they don’t have the private key. This one is stored (safely somewhere) in your computer and never distributed. For creating the license file and delivering it to the user you can use online activation. This is the method used by Windows and Office and are the ones users are more familiar with so you don’t need to do any training or let them go through a manual process for copy the license file.

Additional Protection

The only downside to using digital signatures is that a hacker can create its own private/public key pair and inject this into your program. You can prevent this from happening by using signing your code using the strong name utility (SN.exe) that comes with Visual Studio and tell it to sign your assembly. By doing this, the runtime will always check the assembly hasn’t been altered before loading the application.

Obfuscation can also help, making it difficult for the person trying to crack your product. The person won’t be able to easily understand the code and adds an extra layer of complexity to the hacking process. But we need to keep mind, that users decided to crack the program, will find ways to deobfuscate it.

Also, you can spread the method for validating your app all over the place. This will make it more difficult for the cracker to inject its code in the product.

Conclusion

In conclusion, follow all these practices and you’ll get a better chance at protecting your application. Using obfuscation, strong name signing and digital signatures for the license file are effective at protecting your property.

Sample Code

Below you can find demo code for signing a document using a private key:

      public XmlDocument SignXmlDocument(string licenseContent, string privateKey)  

{

            RSA key = RSA.Create();

           key.FromXmlString(privateKey);

            XmlDocument doc = new XmlDocument();

            doc.LoadXml(licenseContent);

            SignedXml sxml = new SignedXml(doc);

            sxml.SigningKey = key;

            sxml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigCanonicalizationUrl;

            // Add reference to XML data

            Reference r = new Reference("");

            r.AddTransform(new XmlDsigEnvelopedSignatureTransform(false));

            sxml.AddReference(r);

            // Build signature

            sxml.ComputeSignature();

            // Attach signature to XML Document

            XmlElement sig = sxml.GetXml();

            doc.DocumentElement.AppendChild(sig);

            return doc;

        }

This code snippet will validate the document using a public key:

public bool VerifyXmlDocument(string publicKey, string licenseContent)

        {

            

            RSA key = RSA.Create();

            key.FromXmlString(publicKey);

            XmlDocument doc = new XmlDocument();

            doc.LoadXml(licenseContent);

            SignedXml sxml = new SignedXml(doc);

            try

            {

                // Find signature node

                XmlNode sig = doc.GetElementsByTagName("Signature")[0];

                sxml.LoadXml((XmlElement)sig);

            }

            catch (Exception ex)

            {

                // Not signed!

                return false;

            }

            return sxml.CheckSignature(key);

        }