Protect application data from the administrator i.e. such as a licensed flag

According to this article there is no good way of doing this

http://msdn.microsoft.com/msdnmag/is...a/default.aspx

"Chris" <ch*********************@technocisive.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...

I am trying to create licensing functionality in a .NET application.
When the software is licensed then I want it to store this fact somewhere on the user's computer, this way the next time the program is run it will know it is licensed. Does windows provide a secure store for applications to put data such as this?
It seems to me that windows could easily provide a store class that
would store data in an os protected location authenticated by the hash of
the calling dll or executable. Not much space would be needed only 1K or so to store a private key for the application to use to encrypt/decrypt larger data stored in unsecure locations.

Additional details:
Basically I need to store three pieces of information, an installID, a
licensed flag, and a license expiration date.
I need to make it impossible or difficult for someone with
administrative rights to change the licensed flag and/or license expiration date to make the software think it has been licensed. The location at least needs to be very difficult to find or detect (such as entropy scanning).

I know these demands are difficult and it is an age old problem ensuring
legitimate software use in the face of people that write crack programs etc.
I have given the issue some thought and have come to the conclusion that the only way to make this perfectly secure is for it to be a feature available
in hardware (such as the CPU). However, I believe there must be many less
perfect solutions that would work well. Any ideas?

Thanks,

-Chris

Hello Chris,

Thanks for your post. As I understand, you want to license in a .NET
application. Please correct me if there is any misunderstanding. I now
share the following information with you:

1. In the .NET Framework, licensing is designed into the runtime. You can
create you main class as a licensed class which requires run-time license.
Please refer to the following articles for detailed information:

.NET Licensing
http://windowsforms.net/articles/Licensing.aspx

Licensing Components and Controls
http://msdn.microsoft.com/library/de...us/cpguide/htm
l/cpconlicensingcomponentscontrols.asp

2. In addition, you can also encrypt your license information (say,
installID, a licensed flag, and a license expiration data) and then save it
to the persistent storage say, registry, file, etc, during the installation
of your application. What the app startup, it will check if the license
inforamtion exists, descrypt it, and then verify it. .NET Class Library
provides cryptographic services.

.NET Samples - How To: Cryptography
http://msdn.microsoft.com/library/de...us/cpqstart/ht
ml/cpsmpnetsamples-howtocryptography.asp

System.Security.Cryptography Namespace
http://msdn.microsoft.com/library/de...us/cpref/html/
frlrfSystemSecurityCryptography.asp?frame=true

Hope this helps.

Regards,

HuangTM
Microsoft Online Partner Support
MCSE/MCSD

Get Secure! -- www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

Thanks for the information on licensing. I am aware of the .NET
cryptography namespace. The problem is not hiding the license information
from being seen, but preventing someone from replacing the licensing
information to activate the software without licensing it. I could encrypt
the license file so only my application would be able to decrypt it. The
problem is that my application would need to have the key to decrypt the
license file(where can this key be safely stored so the administrator cannot
obtain it, use it, or replace it?). If I embed this key in my code a
cracker could easily find this key in my application's code by searching for
areas in the code containing high randomness. Once they have obtained the
key they can use it to decrypt the license file and see the format it is in.
Once this is done they can change any flags such as the licensed flag to
true, re-encrypt the file and replace the legitimate license file with their
own.
I was not aware there were licensing classes in .NET thank you for
drawing my attention to them. I am however concerned that the .NET license
classes might become a common target for crackers however, perhaps it is
built strongly enough to withstand attack. Unless the operating system
protects the .NET licensing dll from the administrator it seems to me that a
cracker could simply replace the .NET licensing dll with their own which
would of course provide them with the ability to render this license
checking class ineffective.
-Chris
"Tian Min Huang" <ti******@online.microsoft.com> wrote in message
news:XS**************@cpmsftngxa10.phx.gbl...

Hello Chris,

Thanks for your post. As I understand, you want to license in a .NET
application. Please correct me if there is any misunderstanding. I now
share the following information with you:

1. In the .NET Framework, licensing is designed into the runtime. You can
create you main class as a licensed class which requires run-time license.
Please refer to the following articles for detailed information:

NET Licensing
http://windowsforms.net/articles/Licensing.aspx

Licensing Components and Controls
http://msdn.microsoft.com/library/de...us/cpguide/htm l/cpconlicensingcomponentscontrols.asp

2. In addition, you can also encrypt your license information (say,
installID, a licensed flag, and a license expiration data) and then save it to the persistent storage say, registry, file, etc, during the installation of your application. What the app startup, it will check if the license
inforamtion exists, descrypt it, and then verify it. .NET Class Library
provides cryptographic services.

NET Samples - How To: Cryptography
http://msdn.microsoft.com/library/de...us/cpqstart/ht ml/cpsmpnetsamples-howtocryptography.asp

System.Security.Cryptography Namespace
http://msdn.microsoft.com/library/de...us/cpref/html/ frlrfSystemSecurityCryptography.asp?frame=true

Hope this helps.

Regards,

HuangTM
Microsoft Online Partner Support
MCSE/MCSD

Get Secure! -- www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

Thanks for the information on licensing. I am aware of the .NET
cryptography namespace. The problem is not hiding the license information
from being seen, but preventing someone from replacing the licensing
information to activate the software without licensing it. I could encrypt
the license file so only my application would be able to decrypt it. The
problem is that my application would need to have the key to decrypt the
license file(where can this key be safely stored so the administrator cannot
obtain it, use it, or replace it?). If I embed this key in my code a
cracker could easily find this key in my application's code by searching for
areas in the code containing high randomness. Once they have obtained the
key they can use it to decrypt the license file and see the format it is in.
Once this is done they can change any flags such as the licensed flag to
true, re-encrypt the file and replace the legitimate license file with their
own.
I was not aware there were licensing classes in .NET thank you for
drawing my attention to them. I am however concerned that the .NET license
classes might become a common target for crackers however, perhaps it is
built strongly enough to withstand attack. Unless the operating system
protects the .NET licensing dll from the administrator it seems to me that a
cracker could simply replace the .NET licensing dll with their own which
would of course provide them with the ability to render this license
checking class ineffective.
-Chris
"Tian Min Huang" <ti******@online.microsoft.com> wrote in message
news:XS**************@cpmsftngxa10.phx.gbl...

Hello Chris,

Thanks for your post. As I understand, you want to license in a .NET
application. Please correct me if there is any misunderstanding. I now
share the following information with you:

1. In the .NET Framework, licensing is designed into the runtime. You can
create you main class as a licensed class which requires run-time license.
Please refer to the following articles for detailed information:

NET Licensing
http://windowsforms.net/articles/Licensing.aspx

Licensing Components and Controls
http://msdn.microsoft.com/library/de...us/cpguide/htm l/cpconlicensingcomponentscontrols.asp

2. In addition, you can also encrypt your license information (say,
installID, a licensed flag, and a license expiration data) and then save it to the persistent storage say, registry, file, etc, during the installation of your application. What the app startup, it will check if the license
inforamtion exists, descrypt it, and then verify it. .NET Class Library
provides cryptographic services.

NET Samples - How To: Cryptography
http://msdn.microsoft.com/library/de...us/cpqstart/ht ml/cpsmpnetsamples-howtocryptography.asp

System.Security.Cryptography Namespace
http://msdn.microsoft.com/library/de...us/cpref/html/ frlrfSystemSecurityCryptography.asp?frame=true

Hope this helps.

Regards,

HuangTM
Microsoft Online Partner Support
MCSE/MCSD

Get Secure! -- www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

Hello Chris,

Thanks for your response. I suggest that you can also encry each machine's
hareware information to the license information, so that the license
information cannot be deployed to other machines and it's also difficult to
crack. Please also kindly note that there is no system which is 100% cecure.

In addition, I'd also recommend you post such security questions to more
appropriate newsgroups, say,

microsoft.public.win2000.security
microsoft.public.platformsdk.security
microsoft.public.dotnet.security

Have a nice day!

Regards,

HuangTM
Microsoft Online Partner Support
MCSE/MCSD

Get Secure! -- www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.