LicenseProvider


Frédérick Jacquet

Hi,

I need to write my custom LicenseProvider. I would like to know if the
license key stored with context.SetSavedLicenseKey(...) is stored in a
secure way in the assembly resource? Should I encrypt the license key or
not?

thank you.
 
Hello,

Thanks for your post. As I understand, you want to know where the license
key is stored. Please correct me if there is any misunderstanding. Based on my
experience, the license key should be read from a .LIC file. The License
Key can then be verified either by calling the IsKeyValid method or in the
GetLicense method itself. Please refer to the following article for
detailed information and a sample custom LicenseProvider:

.NET Licensing
http://windowsforms.net/articles/Licensing.aspx

Hope this helps.

Regards,

HuangTM
Microsoft Online Partner Support
MCSE/MCSD

Get Secure! -- www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
 
I read the custom LicenseProvider sample. But when the license compiler
extracts the license key and stores it in a resource, is the license key
stored in a secure way? (encrypted?)
 
Hi, Frédérick

Your best bet would be to use an obfuscator. Since the dotfuscator from
VS.Net ignores constants and variables, you will need to look for a third
party solution.

A couple of other alternatives that you might wish to investigate:

1) You would have to generate the MSIL code using ildasm.exe and then to
write your own obfuscator that modifies this code and then use ilasm.exe to
recompile the MSIL code back into a binary. This necessitates that you
know MSIL code (the language definition is available on the MSDN website).

2) You create a C++ or VB6 dll and store the key in this binary which you
then invoke from your .NET assembly at runtime and use it as necessary.
The only problem with this is that you are still vulnerable to persons
using hooks to determine what APIs you’re calling. In addition to this
you make it possible for someone to brute force attack the library to get
the key value.

This is all that I can offer you. Please let me know if you have any
additional questions.

Thank you for choosing the MSDN Managed Newsgroups,

John Eikanger
Microsoft Developer Support

This posting is provided “AS IS” with no warranties, and confers no rights.
--------------------
| From: "Frédérick Jacquet"
| Subject: Re: LicenseProvider
| Date: Fri, 30 Jan 2004 09:01:56 +0100
| Newsgroups: microsoft.public.dotnet.framework
|
| I read the custom LicenseProvider sample. But when the license compiler
| extracts the license key and stores it in a resource, is the license key
| stored in a secure way? (encrypted?)
 
Hi John,

Thank you for your reply, but it didn't quite answer my question, which was
about the license key extracted by the license compiler and saved in the
.licenses resource: is that key securely stored? If a person extracts the
resource, is this person able to get the key and alter it?

thank you.

 
Hi, Frédérick

I heard back from the developer today. He said to use the sample at
http://windowsforms.net/downloads/gdn/ComponentWithVersionCustomContext.zip
and modify it to fit your needs. I suspect that this is the same sample
that you have already looked at. If so, you would need to encrypt the
license yourself or do other things to prevent it from being modified. If
you are worried about it being changed, you could save the checksum and
verify it when you extract the license.

The difficult part here is determining how much security is enough. I
would look at how other people are handling this issue. That will help you
scope how far you need to go to match them.

Thank you for choosing the MSDN Managed Newsgroups,

John Eikanger
Microsoft Developer Support

This posting is provided “AS IS” with no warranties, and confers no rights.
--------------------
| From: "Frédérick Jacquet"
|
| Subject: Re: LicenseProvider
| Date: Wed, 4 Feb 2004 14:30:44 +0100
|
| Hi John,
|
| Thank you for your reply, but it didn't quite answer my question, which was
| about the license key extracted by the license compiler and saved in the
| .licenses resource: is that key securely stored? If a person extracts the
| resource, is this person able to get the key and alter it?
|
| thank you.
|
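
The tamper check suggested in the reply above, as an added example that is not part of the original thread or of the Microsoft sample. It goes one step beyond a plain checksum, which anyone who edits the resource can recompute, and signs the license text so that the shipped assembly holds only a public key. `SignedLicense`, `Issue` and `TryVerify` are hypothetical names, and the license string is constructed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example; SignedLicense, Issue and TryVerify are hypothetical names.
static class SignedLicense
{
    // Vendor side: sign the license text with the private key, which never ships.
    public static string Issue(string licenseText, RSA vendorPrivateKey)
    {
        byte[] payload = Encoding.UTF8.GetBytes(licenseText);
        byte[] sig = vendorPrivateKey.SignData(
            payload, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        // Base64 never contains '.', so it is a safe separator.
        return Convert.ToBase64String(payload) + "." + Convert.ToBase64String(sig);
    }

    // Client side: run on the string read back with context.GetSavedLicenseKey(...)
    // before the provider returns a License. The payload is encoded, not encrypted:
    // this detects alteration, it does not hide the text.
    public static bool TryVerify(string savedKey, RSA vendorPublicKey, out string licenseText)
    {
        licenseText = null;
        string[] parts = savedKey?.Split('.');
        if (parts == null || parts.Length != 2) return false;
        try
        {
            byte[] payload = Convert.FromBase64String(parts[0]);
            byte[] sig = Convert.FromBase64String(parts[1]);
            if (!vendorPublicKey.VerifyData(
                    payload, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
                return false;
            licenseText = Encoding.UTF8.GetString(payload);
            return true;
        }
        catch (FormatException) { return false; } // malformed base64 counts as invalid
    }
}

static class Demo
{
    static void Main()
    {
        using (RSA vendor = RSA.Create(2048))
        using (RSA publicOnly = RSA.Create())
        {
            publicOnly.ImportParameters(vendor.ExportParameters(false));
            string key = SignedLicense.Issue("MyControl;edition=pro", vendor); // constructed
            Console.WriteLine(SignedLicense.TryVerify(key, publicOnly, out _));
            // Swap in an edited payload while keeping the old signature.
            string edited = Convert.ToBase64String(
                Encoding.UTF8.GetBytes("MyControl;edition=enterprise")) + "." + key.Split('.')[1];
            Console.WriteLine(SignedLicense.TryVerify(edited, publicOnly, out _));
        }
    }
}
```

The first call prints `True` and the second `False`. The check only helps if the verifying code itself is hard to patch out, which is where the obfuscation advice earlier in the thread applies.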
 