Creating Secure Trial Versions for .NET Applications - A Tutorial

View: 1487    Dowload: 0   Comment: 0   Post by: hanhga   Category: Embedded Systems   Fields: Computers - Technology


One of the most successful models for selling software is the trial software model.  In this model, potential customers are allowed to download and use the software free of charge for a limited period of time, after which the software stops working unless a license is purchased. Unfortunately, this model is also one which can cause loss of revenue because it increases the risk of software piracy. 

The Trial Model Flow 

After the user downloads your trial software, you must do the following:

  • Determine the trial expiration date 
  • Store the trial expiration date in such a way that the user cannot alter it 
  • Prevent additional trial installations after the trial expires  
  • Make sure the user does not manipulate the system clock such that your trial software thinks that the trial period is not yet over

As you can see, this is easier said than actually done. Some pressing questions appear: where do you store the expiration data such that the user cannot find and alter it ? How can you make sure the user didn't alter the system clock ? The answers below... 

The Big Issue #1: Where to Store the Expiration Data ?  

The answer to this question is that if you have to hide data from the user, your licensing model is already compromised. A good licensing model should never be based on hiding or obscuring data from the user.  

The solution that I have found to this matter is to use an online licensing service in conjunction with digital signatures based on public key cryptography.  I chose to use SoftActivate Licensing SDK (from www.softactivate.com) because it is quite cheap, and it includes an ASP.NET licensing service which can issue short, human readable license keys (digitally signed using elliptic curve cryptography) and supports product activation which strongly resembles the trial licensing model. In addition to this, it can generate unique hardware id strings, which are very important (see below).  

Of course, you can build your own service for this purpose, for example using RSA public/private key pairs and digital signatures. The algorithm is as follows:

  • After downloading and installing the product, the customer must press a "Start Trial" button. 
  • Upon clicking this button, the product connects to an online licensing service (preferably via HTTPS in order to ensure that the server is the intended one by checking its SSL certificate) and sends a "hardware id" string unique to the customer's computer 
  • The server checks against a database if the hardware id has already been used for trial purposes. If the hardware id has not been used before, the server sends back a digitally signed message (we name it "trial license" containing the trial expiration date (for security reasons this MUST be absolute, and not relative like a number of days). The trial license is signed using a private key known only by the server. The computer's hardware id should also be included in the license data. 
  • After receiving the signed trial license from the server, the product saves it in a usual settings location and validates the digital signature at every startup and (optionally) at random times during the program execution, using the corresponding public key which is embedded into the product. Please note that the digitally signed message doesn't need to be hidden from the user; the user cannot alter it in any way because it is digitally signed and the signing (private) key is only known by the server. Also, if the trial license is deleted the software would not run, and if a trial version is requested again from the server, the server would not issue another trial license because the hardware id has already been used once for issuing a trial license.

This approach solves the "where to store the expiration data" problem. Basically, you can store this data anywhere you want. You don't need to hide anything, because this data cannot be altered without the product detecting it.   

The Concept of  "Trial License Keys"

 Almost every software product uses license keys to "unlock" the software. A good idea is to embed a certain license key into the product, which is marked as a "trial license key". If the product detects the trial license key at startup, it behaves like a trial version, and if it detects a regular license key, it behaves like a registered product.

The concept of trial license keys is important when using online software activation with your products (see my previous article for details). When the product sends the license key to the activation server, the servers issues a license with a shorter expiration date if it receives a trial license key, and a license with a longer (or unlimited) expiration date if it receives a regular (purchased) product key. The samples in this article use this concept: they have an embedded "trial key" which is sent to the licensing service. The licensing service searches for this license key into its database, and issues a digitally signed expiration date according to what is specified for that particular trial key (30 days from the time of receiving the request). You can modify this value in the licensing service database.

The Big Issue #2: How to detect system  clock manipulation ?  

System clock manipulation detection involves searching a computer for evidence that the system clock was turned back with the purpose of prolonging a software license past its expiration period.

To my knowledge there are no 100% bullet-proof methods of doing this, but usually this involves:

  • Searching certain system files for file times (usually the "last modification time") that are in the future 
  • Searching the event logs for evidence that some events have occurred in the future 
  • Searching popular browser caches / cookies  for evidence of file times occurring in the future 
  • Combining the evidence and drawing a conclusion

The included samples contain some simple clock manipulation detection routines searching the event logs for event dates that occur in the future.   See the ClockManipulationDetector class in the sample projects. 

Using the code   

The samples are created with Visual Studio 2010. Also, SQL Express 2005 or higher should be present on the development machine for the licensing service database. Also make sure that SoftActivate Licensing SDK (2.0 or higher) is installed on the development machine.  Before compiling, copy the LicensingService subfolder under the Bin folder from the SoftActivate Licensing SDK installation folder, inside the Tools folder created by unzipping the sample. 

Running the samples   

First and foremost, you must start the licensing service by running the RunLicensingService.bat file from the Tools folder. Make sure that the paths in the .bat (to Visual Studio and to the sample folder) are set correctly ! Go to the \bin\Release folder and run the SampleAppCS.exe or SampleAppVB file. Click the "Start 30-day Trial" button to start the trial. The application will then connect to the licensing service and request a trial license. Please note that if you try to click it again, it will not work since a trial license has already been issued for your computer. In order to try again, you must connect to the licensing service database (found in the Tools\LicensingService\App_Data folder) and delete the record from the Activations table. 

Points of Interest  

You should be aware that your trial product is not secure if you do not employ the typical software copy protection techniques explained in the first article of this series here . This is because if your application binaries can be altered, the trial checking mechanisms can be bypassed altogether.

Creating Secure Trial Versions for .NET Applications - A Tutorial

This article actually represents a second part of my previous article Software Copy Protection for .NET Applications - A Tutorial. In that article I have presented several methods for achieving satisfactory software copy protection for .NET applications. In this article I will show you how to create trial versions of your products in a secure manner. Note that completely eliminating software piracy is not generally possible given the today's OS and hardware infrastructure, but this doesn't mean you cannot control it with careful consideration. Attached to this articles are C# and VB.NET samples (derived from my first article's samples but significantly different) showing how to implement trial versions of your products. The article does not contain source code (it's in the samples), because I would rather concentrate of explaining how to do it, rather than duplicating source code that can already be found in the samples.

Posted on 08-04-2014 


To comment you must be logged in members.

Files with category

  • OpenTheme : An open source graphic user interface (GUI) toolkit

    OpenTheme : An open source graphic user interface (GUI) toolkit

    View: 4803    Download: 4   Comment: 0

    Category: Embedded Systems     Fields: Other

    OpenTheme is an XML based GUI toolkit with a set of foundation class and WYSIWYG editor. Although it's originally designed for full screen GUI, it is also good for Windowed user interface, with full localization support and arbitary...

  • Design State Machine Engine for embedded system development

    Design State Machine Engine for embedded system development

    View: 4403    Download: 4   Comment: 0

    Category: Embedded Systems     Fields: none

    Embedded systems are some special purpose computers that are used inside of devices. Embedded systems generally use micro controllers that contain many functions of a computer on a single device. Embedded systems have to tightly work together with...

  • The StateWizard VC++ Add-in and Engine with Source Code

    The StateWizard VC++ Add-in and Engine with Source Code

    View: 4507    Download: 0   Comment: 0

    Category: Embedded Systems     Fields: none

    In an environment where software systems are more and more complex, concurrent, and real-time oriented, the choice of modeling languages and tools becomes the success key for many projects. This article introduces a cross-platform state-oriented...

  • Template merging with NVelocity and ASP.NET

    Template merging with NVelocity and ASP.NET

    View: 3320    Download: 0   Comment: 0

    Category: Embedded Systems     Fields: Other

    If you have ever tried to implement a newsletter system or a service for communicating with website users, you have probably faced the requisite to send multiple email messages with a common template and some differences, like a personalized greeting...

  • Use PowerShell to Manage your Intel AMT Data

    Use PowerShell to Manage your Intel AMT Data

    View: 2247    Download: 0   Comment: 0

    Category: Embedded Systems     Fields: Other

    This article is in the Product Showcase section for our sponsors at CodeProject. These reviews are intended to provide you with information on products and services that we consider useful and of value to developers.

  • A C++ Embedded Web Server

    A C++ Embedded Web Server

    View: 3446    Download: 1   Comment: 0

    Category: Embedded Systems     Fields: Other

    Do you have a web page or two? Nothing fancy, perhaps, but a neat demonstration of what can be achieved with a handful of HTML tags? Do you have a sophisticated C++ Windows desktop application which now needs to be controlled and monitored remotely?...

  • Java/.NET Integration as Simple as Possible

    Java/.NET Integration as Simple as Possible

    View: 1765    Download: 2   Comment: 0

    Category: Embedded Systems     Fields: Other

    For a number of years, I have been developing software for integrating applications written in different platforms. And in my business, I face with interoperability issues: Java and C++, Java and COM, Java and .NET. To solve them, I have developed a...

  • Writing a 16-bit dummy kernel in C/C++

    Writing a 16-bit dummy kernel in C/C++

    View: 2992    Download: 3   Comment: 0

    Category: Embedded Systems     Fields: Other

    In my previous articles I was only briefing about on how to write a boot loader. That was fun and challenging. I enjoyed it a lot. But after learning how to write a boot-loader I wanted to write much better stuff like embedding more functionality...

File suggestion for you
File top downloads
Codetitle - library source code to share, download the file to the community
Copyright © 2018. All rights reserved. codetitle Develope by Vinagon .Ltd