Blog on Software Licensing, Commercialization, and Revenue Optimization

Ways of protecting your private data – a short intro to cryptography

January 8, 2019

Encryption is important. Although intuitively you might say that you have nothing to hide, it’s important to ask yourself the following question: would you be willing to give your Facebook password to a stranger or publish it online? Probably not. Most people have something to hide and encryption is one way of safe-guarding your private information.

The focus of this article is on how to protect your data against physical compromise (symmetric encryption), when you send it to someone (asymmetric encryption) and when you would like it to be retrievable (secret sharing).

Your own data (symmetric encryption)

If you want to protect files that only you will be working with, symmetric encryption is quite useful. Symmetric encryption means there is only one key to encrypt and decrypt data.

By default, it’s a good idea to have full-disk encryption to make sure your files are inaccessible if the computer or phone is lost. If you have a USB stick, it’s also useful to encrypt the information on it as these tend to be lost more frequently.

Tech savvy:

Nowadays, AES (Rijndael) is the one that is considered to be secure, so by default this is the way to go. The most common AES versions are with 128-bit keys and 256-bit keys. For most cases, 128-bit keys should be ok, but for extra paranoid users, you can both increase the key size and combine it with other encryption methods, such as AES-Twofish-Serpent (all of these are AES finalists).

If you leave your computer unattended, please make sure it’s turned off. Preferably you should let it be off in 10 min to avoid cold-boot attack.

Tools

BitLocker (built into Windows, mainly for full-disk encryption)
VeraCrypt (cross platform, full-disk encryption and encrypted containers)

Sharing data with others (asymmetric encryption)

Imagine you would like to allow everyone to contact you securely without having to agree on a secret key first (which is the case with symmetric encryption). This is where asymmetric encryption is useful. Instead of one secret key there are two: one to encrypt and one to decrypt.

There is a good analogy with real objects. To enable others to send you shipments securely, one way of accomplishing this would be to hand out unlocked padlocks with a box. If they want to send you something, they would lock the box with your padlock, ensuring that only you can open it.

Tech savvy:

The most common asymmetric encryption methods are RSA and Elliptic curves. There are some arguments which method is more secure. Both RSA and ECC base their security on mathematical problems that are hard to solve. Since we are better at factoring large numbers (which can help to break RSA) than we are at solving the elliptic curve discrete logarithm problem, RSA keys tend to be larger than those in ECC (2048 vs 256) to guarantee the same level of security.

There are also different kinds of ECC curves, ones proposed by NSA (NIST curves) and by independent researches, eg Curve25519 by Daniel J. Bernstein, and there are mixed opinions on which one to choose (an interesting article on the topic).

I tend to use either RSA 4096 or Curve25519 for ECC.

Tools

GnuPG (for email communication)
Signal (end-to-end encrypted messaging)

Splitting a secret (secret sharing)

In case something happens to you and you don’t want your encrypted data to be inaccessible, you can break up a password (eg to your personal files) into multiple pieces that you give to your close friends. All friends need to agree to retrieve the original secret.

Tech savvy:

Additive secret sharing (code snippet shown later) is the easiest to understand and implement but it requires all parties to be present to retrieve the secret. Shamir Secret sharing allows us to define how many shares will be necessary to get the secret.

The cool thing about secret sharing is that it’s unconditionally secure, meaning that we need all shares to retrieve the secret and we don’t gain more info with more shares. It also means that the modulus Q does not need to be large.

If it’s ok to require all parties to be present to get the secret key, you can use the code for additive secret sharing below. Your secret can be any number less than 2^512 (512 bits).

import secrets

Q = 2**512

def encrypt(x, no_shares = 3): 
    """
    Splits the secret up into 'no_shares' shares
    """
    shares = [secrets.randbelow(Q+1) for i in range(no_shares - 1)]
    shares.append((x - sum(shares)) % Q)
    return shares

def decrypt(shares):
    """
    Combine all shares to retrieve the secret
    """
    return sum(shares) % Q

Tools

Additive secret sharing (the code above)
Shamir Secret Sharing (Python)

Not a customer yet? Sign Up for a free trial and implement our software licensing system within minutes.

Try For Free

Pricing

Cryptolens joins Stripe partner program

November 12, 2018

Most people today don’t know that only three percent of GDP is online. That’s why we’re
excited to join the Stripe Partner Program to increase internet commerce and help
companies start, run, and scale their businesses.

By joining the program, our mutual customers will now benefit from the combination of
Cryptolens secure licensing platform with Stripe’s seamless payments platform.

We believe that removing barriers to online commerce helps more new businesses get
started, levels the playing field, and increases economic output and trade around the
world. Together with Stripe, our mission is to bring more commerce online and increase
the GDP of the internet.

Not a customer yet? Sign Up for a free trial and implement our software licensing system within minutes.

Try For Free

Pricing

Secure User Account Authentication inside Apps for Software Licensing

October 23, 2018

A year ago we announced the ability to authenticate your customers inside the app using their credentials instead of using license keys. The key advantages are security (harder to crack properly secured account than a license key string) and time savings (customers can easily restore access to an account vs. restoring access to a lost license key). Today, we have released several changes to make the implementation of this much easier, as described under What’s new later in the article.

How Cryptolens approach is different

When we reviewed the way our competitors solve the problem of authenticating users, all of them used the simple solution of a method that takes in username and password and returns an access token. The problem with this approach is that the user needs to trust the client application, which can be compromised (eg. an attacker can create a similar app to trick the user to expose their login information). Even if the account itself may not pose high value, since users tend to reuse their passwords, it can serve as a gateway into their other accounts.

Instead of trusting the app, our approach puts trust in the web browser. The app will never receive the username or password. For extra-paranoid users, it is also possible to authenticate the request on a different machine.

To put the problem and our solution in simple terms, there is a concrete example from everyday life, namely when you pay using your credit card. The first approach we described is similar to paying using the terminal provided by the shop (i.e. you need to trust each store that their terminal does not record your card number and PIN). The second approach is similar to new types of payment methods where you need to scan a QR code and authorise the transaction on your phone. It is easier to trust your phone than the terminals provided by the store (and you will have to trust every single one of them).

What’s new

With the new release of Cryptolens.Licensing, implementation of account verification has become much simpler (as you can see later in the Getting started section). It now supports .NET Framework 4.0, 4.6 and .NET Standard 2.0. Moreover, we improved the backend to help automating account creation for customers (eg. portal link can now be obtained through Add Customer method).

Getting started

We have summarised the necessary steps to get started in this article. To sum up, two steps are necessary. First, you need to send an invite link to your customer (which can be automated). The second step is to include the following code in your application.

string RSAPubKey = "RSA Pub key";
string token = "access token with GetToken permission";

string existingToken = null; // in case you've already authenticated them once and the token is still valid.

var res = UserAccount.GetLicenseKeys(Helpers.GetMachineCode(), token, "TestApp", 30, RSAPubKey, existingToken);

if(res == null || !string.IsNullOrEmpty(res.Error))
{
    Console.WriteLine("Something went wrong.");
}

// if they have a license with F1=true and which has not yet expired.
if(res.Licenses.Count(x => x.F1 == true && x.Expires >= DateTime.UtcNow && x.ProductId == 3349) > 0) 
{
    Console.WriteLine("Success");
}
else
{
    Console.WriteLine("Failure");
}

Not a customer yet? Sign Up for a free trial and implement our software licensing system within minutes.

Try For Free

Pricing

License Key System for PHP Applications

October 17, 2018

If you want to implement a license key system for PHP applications, you have several options to choose between. A short-term and quite simple way is to code a license key generator and generate a subset of license keys. However, for more serious and in-production use cases, we would recommend having a software license solution that is much more long-term and robust. In this blog, we will briefly cover these two alternatives to help you license and protect your PHP code.

License Key Generator for PHP Applications

A license key generator is a simple and lightweight licensing system that checks the validity of a subset of license keys using partial key verification. While this option is a pretty fast and easy way to implement software licensing for PHP apps, it is not recommended for long-term and more serious use cases. The reasons are that the system is quite easy to bypass, and the structure you use to generate license keys will begin to leak over time. If you want to learn more about this approach, please read this blog post.

Outsourced License Key System for PHP Applications

Instead of having to code a more robust license manager that performs full key verification, the best way to implement software licensing for your PHP application is to work with a Licensing as a Service (LaaS) provider such as Cryptolens. You will then get access to all of our advanced licensing features from day 1, such as offline licensing and more advanced licensing models. Coding and maintaining your own licensing system will take a lot of time, so why not outsource licensing to experts?

Getting started with our license key system for PHP applications is effortless! We have an SDK available on GitHub, and you can sign up to our platform for free. Then, you just need to paste a short code snippet into your PHP code. It looks something like this:

<?php
require_once('Cryptolens.php');

$activate = cryptolens_activate(
      // Access token
      'WyI0NjUiLCJBWTBGTlQwZm9WV0FyVnZzMEV1Mm9LOHJmRDZ1SjF0Vk52WTU0VzB2Il0='
      // Product Id
    , 3646
      // License Key
    , 'MPDWY-PQAOW-FKSCH-SGAAU'
      // Machine code
    , '289jf2afs3'
    );

// $activate is now a boolean indicating if the activation attempt was successful or not

?>

Not a customer yet? Sign Up for a free trial and implement our software licensing system within minutes.

Start For Free

Pricing

Usage-based (pay per use) software licensing in .NET

October 15, 2018

Many software vendors nowadays move away from one-time payments to other licensing models. One such example is the usage-based model. By doing so helps lowering the barrier of entry for new customers, as they no longer need to commit to the product long term, which is usually the case with one-time payments. If you already have a subscription model, supporting usage-based payments can help you to monetise a group of users who would otherwise not buy the product.

You can read the entire tutorial here.

Getting started

In Cryptolens, usage-based licensing can be implemented using data objects, aka custom variables. We can use these variables to record how often features are used and keep track of any usage credits that a customer has purchased. There are two ways of billing customers:

Upfront payment: customers need to purchase usage credits in advance.
Based on actual usage: customers pay for the actual usage in the end of the billing period.

Charging based on actual usage

If you choose to charge your customers based on actual usage, we can simply use the code below:

var auth = "Access token with AddDataObject, ListDataObject and IncrementIntValue permission. Please also set KeyLock value to '-1'";
var licenseKey = "LZKZU-MPJEW-TARNP-UHDBQ";

var result = Data.ListDataObjects(auth, new ListDataObjectsToKeyModel 
{
    Contains = "usagecount",
    Key = licenseKey,
    ProductId = 3349 
});

var obj = result.DataObjects.Get("usagecount");

if (obj == null)
{
    // make sure to create it in case it does not exist.
    Data.AddDataObject(auth, new AddDataObjectToKeyModel { Key = licenseKey, ProductId = 3349, Name = "usagecount", IntValue = 1 });

    if(res == null || res.Result == ResultType.Error)
    {
        Console.WriteLine("Could not create new data object. Terminate." + res.Message);
    }
}
else
{
    var res = obj.IncrementIntValue(auth, 1, licenseKey: new LicenseKey { Key = licenseKey, ProductId = 3349 });

    if (res == false) 
    {
        Console.WriteLine("We could not update the data object. Terminate.");
    }
}

Upfront payments

If you instead want to charge your users upfront, we need to create the data objects when creating the license. If you are using payment forms, we can set up two requests, one creating a new license and another creating a new data object (inspired by this tutorial), as the result from key creation will be “piped” into data object creation request. You can then have another payment form that allows users to refill their credits, in which case the custom field can be used.

You can use the code below to verify if the limit was reached inside your application:

var auth = "Access token with AddDataObject, ListDataObject and IncrementIntValue permission. Please also set KeyLock value to '-1'";
var licenseKey = "LZKZU-MPJEW-TARNP-UHDBQ";

var result = Data.ListDataObjects(auth, new ListDataObjectsToKeyModel { Contains = "usagecount", Key = licenseKey, ProductId = 3349 });
var obj = result.DataObjects.Get("usagecount");

var res = obj.DecrementIntValue(auth, decrementValue: 1, enableBound:true, lowerBound: 0, licenseKey: new LicenseKey { Key = licenseKey, ProductId = 3349 });

if (!res)
{
    Console.WriteLine("Could not decrement the data object. The limit was reached.");
}

Not a customer yet? Sign Up for a free trial and implement our software licensing system within minutes.

Try For Free

Pricing

Protecting Software with Obfuscation and Software Licensing

October 2, 2018

Software applications can be secured with two layers of protection. The first layer is software licensing, whose aim is to enforce a license model (eg. by restricting the number of machines where the application can run). The second layer is software obfuscation, where the end goal is to make it hard or impossible for the end users read and alter the source code. In this article, we will focus on obfuscation.

Types of obfuscations

There are two ways of making it harder for the adversary to read or alter the source code. We can either achieve it by altering the source in such a way that more time is necessary to understand how the code works and to make it harder to remove existing licensing logic (eg. for key verification). This is usually what is thought of as obfuscation. The second approach is to move critical code away from the client machine to your own servers and provide it as an API endpoint that your application will call.

Both methods have their pros and cons. In the case of code obfuscation, you can relative easily increase the difficultly of reverse engineering at the cost of that eventually the source code will be reversed engineered or licensing logic bypassed. With custom API endpoints, you always retain control of code execution (since it runs on your servers) and if everything is correctly implemented, it’s impossible to reverse engineer the code. This is at the cost of requiring active internet connection to your server and potentially some regulatory issues (since data has to be transferred to your servers).

Conventional obfuscators

There are many obfuscators out there, some that even are free of charge. For the .NET platform, you can either use Ofuscar or ConfuserEx. The idea behind all of them is to make the IL code (which C# and VB.NET compile to) harder to read for an adversary. They should be quite easy to use, so you can simply add the key verification logic anywhere in the software.

API endpoints

Creating an API endpoint for highly sensitive code is the best way to protect it against reverse engineering. Although it may sound as very cumbersome to set up and maintain, the good news is that most cloud providers today support some form of serverless computing. We will describe how this is achieved using Azure Functions, but it should be fairly similar to other cloud platforms. The reason why we chose the serverless model is because it abstracts most things away, allowing you to focus on expressing the actual method. Moreover, cloud providers tend to allow a “per request” model, meaning that you do not have to pay for the time when the application is idle.

Azure Functions demo

To create an Azure function, go to the Azure portal and create a new “Function App”. You can then select either “consumption plan” or “app service plan” (please see this for more details). Once it’s set up, create a new HTTP Trigger and change the run.csx as shown below. To get the license verification to work, we will need to add an additional file, function.proj (or project.json for older versions of the runtime), which we cover further down in the article.

run.csx

#r "Newtonsoft.Json"

using System.Net;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Primitives;
using Newtonsoft.Json;

using SKM.V3;
using SKM.V3.Models;
using SKM.V3.Methods;

public static async Task Run(HttpRequest req, ILogger log)
{
    // this function will return 'Hello, <name>' if the correct license key is provided.

    // licensekey and machinecode stored as query string
    if(!KeyVerification(req.Query["licensekey"], req.Query["machinecode"])) 
    {
        return new BadRequestObjectResult("License key verification failed");        
    }
    
    string name = req.Query["name"];

    return name != null
        ? (ActionResult)new OkObjectResult($"Hello, {name}")
        : new BadRequestObjectResult("Please pass a name on the query string or in the request body");
}

public static bool KeyVerification(string licenseKey, string machineCode) {

    var RSAPubKey = "<RSA public key>";

    var auth = "<access token>";
    var result = Key.Activate(token: auth, parameters: new ActivateModel()
    {
        Key = licenseKey,
        ProductId = 3349,
        Sign = true,
        MachineCode = machineCode
    });

    if (result == null || result.Result == ResultType.Error ||
        !result.LicenseKey.HasValidSignature(RSAPubKey).IsValid())
    {
        // an error occurred or the key is invalid or it cannot be activated
        // (eg. the limit of activated devices was achieved)
        Console.WriteLine("The license does not work.");
        return false;
    }
    else
    {
        // everything went fine if we are here!
        Console.WriteLine("The license is valid!");
        return true;
    }
}

function.proj

In order to add support for license key verification, we need to add Cryptolens.Licensing. Depending on the version of function apps that you are using, you might either need to create a project.json or function.proj file. The newest version of the runtime uses function.proj.

<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
    <TargetFramework>netstandard2.0</TargetFramework>
  </PropertyGroup>
 
  <ItemGroup>
    <PackageReference Include="Cryptolens.Licensing" Version="4.0.9.2"/>
  </ItemGroup>
 
</Project>

In case you get any issues with namespaces not being found, it can be useful to try to re-create the function entirely.

Accessing form client side

In order to access your method through the client application, we can use RestSharp or similar library. When you click on “Get function url”, you will get a string similar to “https://<cluster-name>.azurewebsites.net/api/HttpTriggerCSharp1?live=<secret key>”. The live parameter may not be present for some access levels

var client = new RestClient("https://<cluster-name>.azurewebsites.net/api/");
var request = new RestRequest("HttpTriggerCSharp1", Method.GET);
//request.AddParameter("code", "<secret key>"); // depending on access level of the function in Azure

// for licensing
request.AddParameter("licensekey", "AAAA-BBBB-CCCC-DDDD");
request.AddParameter("machinecode", Helpers.GetMachineCode());

// parameter to our function
request.AddParameter("name", "Bob");

var result = client.Get(request);

Console.WriteLine(result.Content);

Console.ReadLine();

If all worked out correctly, we should see “Hello, Bob” in the terminal.

Privacy

The best advice when it comes to privacy is to send as little personal identifiable information as possible. Always ask yourself what data really needs to be processed externally. Even if it is not always possible to make it entirely anonymous, it’s good to strive to at least pseudo-anonymize data (i.e. associate an id to each user instead of using their real name). In some cases, such as with IP address, you can remove the last digits, eg. from 10.1.1.5 to 10.1.1.0 without affecting the geographical data of the IP. For advanced users, you might want to look into homomorphic encryption and follow the recent research.

Not a customer yet? Sign Up for a free trial and implement our software licensing system within minutes.

Try For Free

Pricing

How to protect SDKs with Software Licensing in .NET

September 12, 2018

Software Development Kits (SDKs) are a great way to give your users the ability to build on top of the functionality offered by your library/package. From a licensing perspective, desktop apps and SDKs are quite similar, which we will go through in this article. We will first take a look at the applicable licensing models and then skim through some example code. You can jump directly to the tutorial here.

Licensing Models

SDK licensing is special since the developer of the SDK (the customer) is not its end user. Instead, it’s their customers that will be the end users. In this article we focus on “node-locked” and “pay per install” licensing models (you can read about all applicable licensing models here).

Node-locked is equivalent to “pay per machine”, which essentially means that each time a new machine activates the license, this is recorded so that it can be taken into account when you charge the developers (your customers). Each user will be able to re-install the app that uses the SDK any number of times, without affecting the counter.

Pay per install is similar to “pay per machine”, with the only difference being that fingerprints of the end user machines are not recorded. Instead, a counter is used that increment whenever the SDK is first launched. With this model you get a bit less control of end user instances, but since the fingerprints (aka machines codes) are not tracked, the subscription cost for Cryptolens will reduce significantly (since you are only paying per license key).

In both of the models above, you could create multiple plans for your customers that depend on the actual usage of the SDK. Eg. 1-10 could be a testing tier, 10-10,000 could be another pricing tier, and so on.

Example

From a developer standpoint (eg. your customer), the license key will have to be specified to unlock functionality of your SDK. You could potentially have different pricing tiers depending on the methods that your customers will use. Below is an example of class initialisation that requires a license key to work.

var math = new MathMethods("FULXY-NADQW-ZAMPX-PQHUT");

Console.WriteLine(math.Abs(5));
Console.WriteLine(math.Fibonacci(5));

To see all the code, please take a look at the entire tutorial.

Obfuscation

If you have algorithms in your SDK that you want to be 100% secure from reverse-engineering, we would recommend to create an API endpoint for them hosted in the cloud. Most of the cloud providers support “server less” functions, eg Azure Functions and AWS Lambdas. These are quite simple to setup. Your server less functions would require a license key and potentially a machine code to return a successful response. On the client side, you could use libraries such as RestSharp to access your API endpoint. We will cover this in a future article.

Not a customer yet? Sign Up for a free trial and implement our software licensing system within minutes.

Try For Free

Pricing

User Accounts instead of License Keys

October 8, 2017

The common way of distributing licenses has always been using license keys (or files). Each time a customer needs more features, they have to get a new license key. Thanks to a cloud-based solution such as SKM, it’s possible to limit the number of licenses a customer needs to keep track of, since you can always change the properties of a license in the control panel.

With the “user login authentication” feature, we want to take distribution of licenses a step further and make it even more seamless for you and your customers. Below are some of the benefits of using user login authentication:

Benefits of User Login Authentication

Security – an account is much easier to protect than a license key (SKM has many security mechanisms in place, including two-factor authentication).
Time – if your customer loses a license key, they will first of all contact you, which will require more maintenance time per customer (SKM account can always be restored automatically and if more support would be needed, we will take care of it).
Trust – every user account comes with an easy-to-use control panel that makes it easier for your customers to manage their licenses.

Getting Started

A quick way to get going with user login authentication is by watching a short video and reviewing an example implementation on GitHub.

Note: In addition to SKM Client API, you need to install Cryptolens.SKM, which requires .NET Framework 4.6.2 or above (or .NET Core 1.0 or above). Cryptolens.SKM targets .NET Standard 1.4, so if you target any other .NET friendly platform, you can find more information here.

If you have any feedback or suggestions, please contact us at support (at) skmapp.com.

Useful Facts & Links

Accessing your RSA Public key.
Creating a new access token (it needs to have “GetToken” permission to work for this example).
User Login Auth use case (for you and your customers).
In addition to SKM Client API, Cryptolens.SKM has to be installed as well.

Not a customer yet? Sign Up for a free trial and implement our software licensing system within minutes.

Try For Free

Pricing

Happy New Year (2017)

December 31, 2016

This year has almost reached its end (at least here in Sweden) and within several hours a new year will begin – 2017.

By looking back on 2016, I’m very happy that we are getting closer to achieve our mission: to make software licensing more accessible. This is thanks to our partners and customers, who continue to support us with new ideas and insights. I’m very thankful to all of you.

Soon 2017 will begin, and I’m convinced that this new year will come with new interesting challenges and opportunities for all of us.

I wish you all the very best! 🙂

/Artem

Lead Developer, Founder

Fixed downtime Dec 18th due to invalid certificate

December 18, 2016

Today we had a major downtime because the new TLS certificate was not upgraded properly. This caused most of the versions of SKM Client API (aka SKGL Extension) not being able to validate license keys.

I’m very sorry for all the problems that this caused you. Downtimes occur because of various issues; at SKM we are constantly working on making sure to reduce them and their impact.

I’my happy to tell that this issue is now fixed!

/Artem

Lead Developer