Managing licenses in a Java app

digitprop · January 18, 2005, 1:27pm

Hi,

I am pondering the option of automatically managing licenses for my programs. Can anybody point me to tutorials, examples, etc. in this field?

What I mean by ‘managing licenses’ is a system of signed (authentifiable) license files which grant the right to use a software for a limited time. With automatic management of expired licenses, demo versions, grace periods - you name it.

Something which is regularly needed for shareware games, so I felt I may be reinventing the wheel if I tried to solve that on my own.

Cheers,
Digitprop

shawnkendall · January 25, 2005, 11:57pm

Any luck yet?
I am interested as well.

digitprop · January 26, 2005, 7:07am

Well, some luck at least. Obviously there are two classes of Java license managers out there - expensive ones and inexpensive/free ones.

I didn’t bother to look too closely at the expensive ones, as they are out of the question for me anyway; and I was after simple functionality - just being able to handing out licenses, with some property settings attached, an expiration date, and the user ID, of course.

This is handled quite well by the inexpensive ones. Here is a list, in no particular order, of what I found:

[]http://www.logemann.org/day/archives/000121.html is a blog entry about some license managers, with links to the respective websites - very useful collection.
[]http://www.websina.com/products/jlicense.html is the tool I finally went with

JLicense costs 50 USD, and seems to be very similar to Licens4J. It basically is a signing / authentication toolkit. It’s probably very easy to do it on your own, but I figured the time required for diving into the whole cryptography thing would be worth more than 50 USD.

Anyway, the difficult - and not really adressed by JLicense - part is to securely hide your authentication mechanism in your code. For example, if you validate the license in the main method of a small starter class, it would be very easy to replace that method, using a simple debugger.

Obfuscation (another interesting issue) could help, but it’s probably not foolproof. So the effort you have for making your licensing scheme secure has to be traded off against the value of the property you want to protect.

In my case, with a very limited user base which consists mostly of non-Java non-geeks, a simple validation is probably sufficient, and anything more complicated would not make sense.

However, with a prime time, top-notch 3D FPS (JDoom 4…?!) it would be an entirely different story.

shawnkendall · January 26, 2005, 10:19pm

Most excellent, i will have a look-see.
I, too will be distributing a shareware app meant for user/dev types not familiar with Java code (limiting hack worries), so the simplier the better.

princec · January 27, 2005, 8:00am

I manage licenses using a handrolled system of server validation, and a public/private key (only I know the private key, natch). The user’s registration details are encoded by the private key - their name, address, and email address - and I display these on the title screen to discourage people passing their keys around to people they don’t know. I have absolutely no problem with people giving copies of my games to friends. That’s how the world works and it’s good.

Because PK encryption produces enormous keycodes (1024 bit) this is totally impractical to type in, so I use a server to simply download the key on request using the email address and the last 14 hex digits of the encoded data.

I am not in the least worried about hax0r McL33t commenting out my registration checking code. Locks keep honest people honest. Even a script kiddie can hack a jar file with a minimum of knowledge so it’s really a complete waste of time. Time is money! Spend the week that you would otherwise waste in complex copy protection and license management which will be hacked in no time on marketing your game instead. You will gain more than you lose.

Cas

oNyx · January 27, 2005, 9:51am

I am not in the least worried about hax0r McL33t
commenting out my registration checking code.

Doing so is actually more time consuming than disabling average native protection. And why should “haxx0r mc1337” spend his/her precious time with that, if he/she could get much more fame by disabling the cd check of a handfull of AAA games at the same time?