Date: Sun, 28 Sep 1997 10:14:58 +1000 (EST) From: Ada T Lim <ada@not-enough.bandwidth.org> To: hackers@FreeBSD.ORG Cc: wpaul@skynet.ctr.columbia.edu, ada@noether.blah.org Subject: Re: Idea for a software licensing scheme Message-ID: <199709280014.KAA01982@polya.blah.org> In-Reply-To: <199709272231.PAA16504@hub.freebsd.org> from "owner-hackers-digest@FreeBSD.ORG" at "Sep 27, 97 03:31:19 pm"
next in thread | previous in thread | raw e-mail | index | archive | help
> From: Bill Paul <wpaul@skynet.ctr.columbia.edu> > Date: Sat, 27 Sep 1997 14:25:26 -0400 (EDT) > Subject: Idea for a software licensing scheme > > I'm hoping some of the more mathematically astute out there can answer > a question for me. A while ago, there was a discussion on -hackers about > possibly creating a software licensing system for FreeBSD as an incentive > to commercial software vendors to port their code. Well, the > Diffie-Hellman patent expired earlier this month, and that started me > thinking about a way to possibly use D-H key pairs as part of a licensing > scheme. I _think_ I've come up with a viable way to do this and have even I'm not completely sure that utilising D-H in this way doesn't violate also RSA. [algorithm deleted] > Now for the verification part. When the application program runs, the > license checking code reads the license file and regenerates the license > secret key, Xl, by computing the MD5 hash of all the license information > (feature name, number of users, etc...). It also reads the authorization > passcode and considers that to be Yl. So now the code has 5 values: > Xa, Ya, Xl, Yl and p. It performs the following computations: > > s1 = Ya ^ Xl % p > > s2 = Yl ^ Xa % p > > This yields two 'session keys,' s1 and s2. If s1 == s2, then the code > considers the license to be valid and the program runs, otherwise it > signals an error and bombs. > > The logic is this: the only way s1 and s2 can come out being the same > is if the license public key, Yl, and the application public key, Ya, > were both generated using the same Diffie-Hellman parameters, g and p. > But I, the vendor, keep g a secret. (Unfortunately, you can't keep p > a secret since the application needs it to compute the session keys.) > This means that only I, the vendor, can derive a license public key (Yl) > that will satisfy the equality. > > Now comes the part I'm not sure about. In theory, it is possible for > an 'attacker' to obtain values for p, Xl and Yl. My question is: can Don't you mean p, Xl, Xa, which are stored in the application, and Yl, which is generated by the attacker? An attacker can then generate Yl values not-very-easily by bruteforcing Xl ^ Ya % p = Yl ^ Xa % p which equates to Xl ^ Ya % p = Yl ^ ( Xa % (p - 1) ) % p. Is there a further shortcut I have forgotten? > Of course, any licensing software can be defeated by patching the > application executable, and my scheme does nothing to defend against > that. But that kind of attack requires a fair amount of OS-dependent > and CPU-dependent knowledge which the ovwewhelming number of computer > users in the world today are unlikely to have. Also, consider what > happens when a vendor makes their software available for multuple > platforms and uses the same licensing software for each one. This makes > it convenient for the vendor since he only has to generate one license > file, and the customer can use it on whatever platform he chooses. It > also makes it very convenient for a software pirate: rather than have > to generate patched binaries for every platform, all he has to do is > coerce the application into generating a magic unlimited-use license on > one platform, and he has automatically defeated the licensing scheme for > all platforms in one stroke. > > Anyway, the question stands: does my idea have merit, or should I > make a reservation for the conical hat. It looks good, as long as D-H remains strong. Whether this has been proven I don't know. Have you seen how OSS distribute their license keys? They produce a license file which is plaintext readable, containing the license number and suchnot. Then they do a pgp sign of the license file. This signature is only creatable using their secret key, which isn't released. The application contains their public key, which can be used to verify the signature. Admittedly, this is based upon RSA, which is still patented. Does D-H have a method of signing documents? Ada
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199709280014.KAA01982>