Software product licensing has long been one of the biggest headaches for software producers and end users alike, and was especially so before Internet connectivity became ubiquitous. For enterprise software products, we have found that licensing generally has the effect of annoying legitimate customers, while hardly deterring unauthorized usage. An ideal solution would be a simple one that protects software companies and the time and resources they have spent on their products, while providing this security in a seamless and transparent manner to the user.
Many applications now enforce licenses by requiring online verification with the vendor’s license server. This works as long as Internet connectivity is available for all the machines running the software, but is still a bit problematic when, say, re-installing the license on a replacement machine or even after a major hardware change. However, most enterprises today do not allow connectivity outside of the data center due to security concerns (understandably so). Therefore many applications today still rely on key codes – a traditional licensing method, although one that’s fraught with issues.
A promising alternative to license key codes is a smartcard – something we use at CDS for all our products.
A smartcard is a fully functional microcomputer. It has its own processor and non-volatile memory. Although CPU power and memory are limited, its purpose is specifically fine-tuned for cryptographic operations, especially for Public Key Infrastructure (or PKI) support. While the “infrastructure” part of PKI might sound massive and overwhelming, it is not necessarily so. Our licensing uses a mini-PKI, involving a simple utility program which generates the root key pair and public key certificate, creates the license packages and database that tracks all the licensed smartcards and materials, and programs the smartcards.
Each smartcard has its own private key and public key pair generated inside, with its public key certificate signed by the CDS root private key. A license processing program inside the smartcard performs the necessary cryptographic operations, including symmetric and asymmetric encryption, hash, and digital signatures. The private key of the smartcard never actually comes out of the device.
There are quite a few vendors marketing software licensing solutions using smartcard. The way these smartcards typically work is by allowing the software vendors to deposit a piece of critical code inside the smartcard. Authorized users are provided a specific smartcard that is attached to the host – usually via USB – on which the software is running. The application then looks to the smartcard for the authorization code during run-time. Such a design is defeated quite easily though, since the code has to come out for the applications to be run, even though the code inside the card cannot be read. Any time code comes out, there is always a way to intercept it, thus breaking the protection.
Even more problematic is that the licensing using this method is static. Many enterprise software functions and features are licensed individually, and dynamically. If a feature is not licensed when first purchased, for example, it may be needed later, requiring the new features to be separately licensed on-demand. This scenario is one of the most challenging licensing requirements.
At CDS we use a smartcard for licensing the right way, which is to fully utilize the PKI power that comes with the smartcard (or in our case, the smart dongle). Each smart dongle has its own unique ID. Licensed contents are binary files created for specific dongles. The package is signed by the CDS root private key. All dongles already have the CDS root public key certificate inside. Therefore, the package can be verified, and the only accepted packages will be packages signed by the CDS root private key, or those signed by private keys that are from legitimate CDS dongles (from the same PKI).
If a license dongle exports its own license material to another dongle, it can sign the package, and the intended dongle will be able to verify its signature and accept the license material. Therefore the license can be transferred between dongles at will. This way individual licensed features can be purchased for specific systems, and licensed features can be transferred to other systems, and do so without leaving the transferred license materials behind. Legitimate users do not have to worry about getting stuck, or losing the license, and unauthorized usage is not possible. All these operations are supported by the intuitive GUI in our products under the licensing section.
Licensing is enforced by our software applications. All our software has the root public key certificate built into the code. When the CDS software checks the license, it uses a random number as a token, then requests the license dongle to create a signed response with the random number, along with the license contents. In this way, the contents cannot be fabricated, even if there is software present to intercept communication between the application and the dongle. Only the private key can sign the response, and the corresponding public key certificate can be verified by the application using the CDS root certificate. With this scheme, even the CDS engineers who coded the license software will not have any advantage in cracking the license. The party that controls the license is the one person with the CDS root private key, which is contained in a physical smart dongle. A backup version of the private key is held by three executives, at least two of which are required to be present to enter their key decryption passwords if recovery of the private key is needed.
Because of the flexibility provided by this scheme, our customers can freely use their full license quota without worrying about how the licensed items are distributed, since customers themselves can always redistribute license contents by transferring the partial contents from one key to another. Customers can also easily determine what license contents are present for each system, and the contents can be purchased in an on-going manner for a specific dongle — to “refill” — if dynamic usage in a metered manner is required.
In our migration product, the number of terabytes available for migration is stored in the key and is deducted accordingly when the amount of data is migrated. If more capacity is required, it can be purchased from CDS, and a license package for that specific key will be created in the form of a file. Once the file is received, the customer can simply import to the key to add the new capacity to the licensed amount. If the package contains capacity for two different appliances, the extra capacity can be exported to another key for importing to the second appliance.
This smart licensing scheme can pretty much fulfill all software licensing requirements in a precise, fair, and simple manner. We are actually considering productizing this smart licensing system to make it available to others who need a licensing system that is easy to use and that is totally secure. This system would include our mini licensing PKI, which is a software application allow the user to create, manage their root keys and create license keys and contents. Since the root key is generated by the user, CDS does not hold any information regarding the user of this system. The entire security of the product license is controlled by the private key they generated when using the system.
Now how should we license this licensing system to others? Well, we happen to have this great smart licensing scheme…
An alternate version of this post appeared simultaneously in Voxxed.