Category: Software Licensing Best Practices

Consumption based software licensing offline

Licensing software that will run in an offline environment is more challenging, specifically in cases where one needs a certain response from the server (for example, to activate a new devices or record usage). However, it tends to be a real problem when changes need to be recorded fast, which occurs in the floating license model and pay-per-use model).

A few days ago, we introduced support floating license that can work offline using our license server. Today, we would like to introduce the new release of the license server that supports the pay-per-use model offline.

How it works

Instead of contacting our server to record usage, the license server will, on a regular basis, write down all the updates to a data object to disk. Each time an update is written, we will use your public-key to encrypt it along with the previous encrypted block (if you want to learn more about how it works, please check out ‘asymmetric encryption’ in this article). Since the public key is used, there is no way to see what information has been recorded, and because each update is encrypted with the previous update, once it is on disk, there is no way to tamper with the usage (assuming the client has not backed up the previous version). And even if a client would be able to tamper with this file, it may still be detected by our AI anomaly detection module. In addition to the collection of usage information, if your clients send you these files regularly, you may be able to detect any tampering with their local clock.

You can read more about our protocol on the following page: https://eprint.iacr.org/2021/937. The implementation can be found in the following repository: https://github.com/Cryptolens/license-server.

As always, if you would have any questions, please reach out to us at [email protected].

Introducing reseller portal for software licensing

Since the end of last year, we have made the reseller portal generally available for all users. We would like to thank all our beta customers for their feedback during the development process.

Idea

The goal behind the reseller portal is to allow you to delegate license issuance rights to other users. This can be your resellers/distributors, IT-admins of your customers or your employees. In other words, “reseller” can be any user that should only be able to create specific amount of new licenses based on a pre-defined template.

The reseller portal also introduces new logging capabilities. All events related to new licenses, customers, etc, are stored in the object log. Thanks to this log, you can, for instance, bill your resellers or customers only when they have successfully created a new license.

Getting started

Once you have created a new account, the reseller portal will be available in the top menu. If you are an existing customer, you can enable it on the billing page. As the next step, we recommend to check out the wiki page for more information.

Please let us know if you have any questions 🙂

Be careful with sessions: Garmin Connect App example

It’s not uncommon nowadays to see people with a smartwatch, be it Apple Watch or another brand such as Garmin. I think there are many advantages of using one; to me, it’s about keeping track of exercises in the gym as well as other parameters such as stress and sleep.

Many smartwatches record a wide range of data points: puls, movement, altitude and location. This amounts to large amount of data, which can be used to infer various things about the individual. Therefore, it’s important to keep this data safe.

In this post, I would like to share the security issue in the Android version of the Garmin Connect app and list several tips on how this can prevented when you work with sessions in your projects.

Background

When developing an application that requires user authentication, most of the time one needs the state to persist so that users don’t need to enter the username or password each time they visit a new page. Sessions can help us to accomplish that. Using sessions is less secure than asking for credentials all the time, but it’s trade-off that most of us can accept.

The issue

Before we start: I have confirmed with Garmin that they have fixed the issue before publishing this post.

Early in April last year, I changed my password to Garmin Connect on their website. I was already logged in into the Android version of the Garmin Connect app with my old password and my expectation was that the app would ask me to re-authenticate at some point. But, it did not. I cannot tell how long the session would persist, but I could keep using the app for several weeks with the old session.

The problem with such a long session duration is that it gives users a false sense of security when they change their password. For example, imagine that the user had a weak password at some point and an adversary was able to login and obtain a new session. Even if the user would have changed the password later, an adversary would still have access to their health data.

If this problem would have occurred in, let’s say, the Neftlix app, I would not be as worried, but since Garmin Connect stores large amounts of health data, I felt like that the consequences of a potential breach could be huge.

Proposals

After filing this security concern to Garmin, I proposed the following changes:

  • Make sure that sessions are reset everywhere (especially in the android app) during a password reset (or at least offer the user the choice of selecting this option on the website)
  • Time-limit the sessions on the mobile devices
  • Enable two-factor auth for each account

Conclusion

To sum up, whenever you have to persist a state, make sure that sessions expire at some point and that users have the option to log out from all devices. It’s always a trade off between security and convenience, so when you decide the session length etc, you need to take into account the impact of a potential breach, etc. In some cases, you can require users to re-authenticate if the operation is highly sensitive.

Managing app settings in software licensing

When developing apps, you will likely need to store some metadata. This can either be specific to a certain user or be shared among all users.

Data objects offer an easy way of managing metadata either on the product, license key or machine code level. They are quite useful since it’s easy to change them as your application evolves and user-specific data will stay the same across all devices.

In this article, we will cover data objects associated with a product.

Editing metadata

To add or edit data objects on the product level, you can click on the Data Objects link as shown below:

On the next page, you can either add or edit existing data objects. The names are case-sensitive and duplicates are not allowed.

Retrieving metadata on app start

Let’s assume our application needs to obtain the currently supported DOTNET_RUNTIME (which we defined in the previous step). This can be accomplished with the code below (the project files are available here).

To get it up and running, we need to specify an access token and modify the ReferencerId. The access token needs to have the “ListDataObjects” permission checked and we also strongly recommend to specify the product it should work with. The ReferencerId should be the Id of the product.

 var systemSettings = Data.ListDataObjects("access token", new ListDataObjectsModel
 {
     ReferencerType = DataObjectType.Product,
     ReferencerId = 3349,  // <- the product id
 });
 
 if(!Helpers.IsSuccessful(systemSettings) || systemSettings.DataObjects == null)
 {
     Console.WriteLine("Could not retrieve the settings.");
 }

 var settings = systemSettings.DataObjects.ToDictionary(x=> x.Name, x => x);

 if(settings.ContainsKey("DOTNET_RUNTIME"))
     Console.WriteLine(settings["DOTNET_RUNTIME"].StringValue);

What’s next?

In the future tutorials we will describe how you can store user specific information. In meantime, let us know if you have any questions đź‘Ť

Autodesk Maya plugin software licensing

In the beginning of the year, we looked at licensing for Autodesk AutoCAD. Today, we are announcing support for another Autodesk product, Maya. Similar to AutoCAD, Maya allows you to develop plug-ins, and in this post we are going to cover how licensing works if you plan to sell them.

Adding software licensing library

Maya supports Python 2 for plugin development. To add license verification, only two things are necessary:

  1. Download and place cryptolens_python2.py into your plugin folder.
  2. Add the correct namespaces and the key verification logic, as described here.

If you want to read more about plug-in development in Maya, please check out this tutorial.

The next step is to sell your plugin, which we covered in the AutoCAD article. As always, let us know if you have any questions 🙂

Unity Software Licensing

Unity is a powerful cross-platform game engine. Since it uses C# as the scripting language, we can easily integrate it with Cryptolens client library. In this post, we explain how you can add license key verification into a Unity game and briefly cover payment integration.

Adding software licensing

  1. Download the binaries (please pick those without “System.Management”).
  2. Place these binaries into “Assets” folder.
  3. Add code from the key verification tutorial.

A sample Unity project can be found here.

Adding payments

Once licensing is in place, the next step is to add payment integration. Since Cryptolens is cloud-based, you can easily integrate it with your own billing system or use our existing integrations with popular platforms such as Stripe and PayPal. You can read more about how this can be accomplished here.

Please feel free to reach out should you have any questions!

Automating offline activations

Many times your customers may have either restricted internet access or no internet access at all. Although Cryptolens is a cloud-based licensing solution, you can still use it to protect offline devices. In this post, we cover three ways internet access can be restricted and how license key verification can be performed.

Periodic internet access

If your users are connected to the internet on a regular basis, we can cache the response from the “Activate” method each time we are able to contact the server. If, at some point, internet connection would not be present, we would fallback on a cached version of the license object.

When using this approach, it’s important to define how long time your users can be offline. There is a field called “SignDate” in the license key object, which is the time when the response was signed by the server (i.e. the last time you successfully called Activate). So, if you only want to allow your users to be offline for 30 days, you can compare the current date with the “SignDate”.

License server (re-routing)

If your users have certain devices that have no direct internet access, one option is to use a license server, which will re-route all requests through a server hosted by the user. Only the server has internet access.

There is currently a Windows version of the server, freely available on GitHub.

Air gap (no internet)

If the devices have no internet access at all, we can use a similar idea that was described in periodic internet access, with the only difference that we always fallback on the license file.

In Cryptolens, there are three ways you can create such a file:

In the dashboard

Next to each license key, there is a yellow button which can be used to create license files:

Using activation forms

Activation forms allow your customers to download activation files themselves.

Using the API

If you want to automate license file creation, you can either call the Activate method using one of our client APIs or call the Web API directly (eg. using curl).

Floating licenses in Java

Floating licenses makes it easier for your customers to switch between machines that actively run your software, without having to deactivate them first. For instance, you can constrain the number of concurrent users to 10, but still allow the software to be installed on eg. 100 computers.

In Cryptolens, floating licensing works by letting your app to regularly poll the server to check if the number of concurrent users has been exceeded, which can be accomplished with the code snippet below:

import io.cryptolens.methods.*;
import io.cryptolens.models.*;

public static void main(String args[]) {
    String RSAPubKey = "RSA Public Key";
    String auth = "Access token";

    LicenseKey license = Key.Activate(auth, RSAPubKey, new ActivateModel(3349, "MTMPW-VZERP-JZVNZ-SCPZM", Helpers.GetMachineCode(), 300, 1));
    if (license == null || !Helpers.IsOnRightMachine(license, true, true)) {
        System.out.println("The license does not work.");
    } else {
        System.out.println("The license is valid!");
        System.out.println("It will expire: " + license.Expires);
    }
}

Normally, if the app stops polling the server, that user will be automatically deactivated within the specified period of time. However, if you want to deactivate it instantly, you can use the code below:

import io.cryptolens.methods.*;
import io.cryptolens.models.*;

public static void main(String args[]) {
    String auth = "";

    boolean result = Key.Deactivate(auth, new DeactivateModel(3349, "MTMPW-VZERP-JZVNZ-SCPZM", Helpers.GetMachineCode(), true));
    if (result == true) {
        System.out.println("Deactivation successful.");
    } else {
        System.out.println("Deactivation failed.");
    }
}

To see all the required parameters, please check out the GitHub repo of the Java client. Should you have any questions, please feel free to reach out.

Protecting Rhinoceros plugins with software licensing

Rhinoceros® (aka Rhino 3D) is a powerful computer graphics and CAD application. It’s also quite extensible as it allows developers to create their own plug-ins and add-ons. The aim of this post is to give you quick way of getting started with software licensing in your application, with focus on .NET.

One way of developing Rhino 3D applications is using Visual Studio. To add a simple key verification mechanism, only three steps are necessary:

  1. Right click on your project in the Solution Explorer and click on Manage NuGet Packages.
  2. Search for Cryptolens.Licensing and install it.
  3. Add the code-snippet form this page in the code where the plugin loads for the first time.

You can know create a license key in the Cryptolens dashboard to test that the key verification code works. That should be it! If you would have any questions, please feel free to reach out.

License server for software licensing

One of the problems experienced by software vendors when selling to large customers is that some of their machines that will be running the software do not have direct internet access.

Although it is still possible to use offline activation, having an active connection to Cryptolens makes things much easier for both you as the software vendor and your customers.

To solve this, we can use a license server that will re-route all the license verification requests from the computers in the network to Cryptolens, as shown below:

If you have already implemented key verification in your application, the license server can be set up quite quickly in two steps:

  1. Install the license server as described here.
  2. In the Key.Activate method, add LicenseServerUrl parameter and set it to point to the license server (the IP and port of are shown in step 1).