Licensing system with expiration date

user2057222 · Feb 9, 2013 · Viewed 10k times

I want to implement a simple licensing system based on this article.

Everything works fine. But now I want to add an expiration date and I do not know how.

Can someone explain to me how to add the expiration date? It is not important to know exactly how to implement it, but I need to understand the algorithm behind it :)

Answer

Mats Petersson · Feb 9, 2013

The most useful way is to have a server that checks if the key is still valid. That makes it hard to fake.

But if you don't want to (for some reason) use an "online" technique, then you need to store the expiration date somewhere in the data that the client uses. It can be encrypted, but your software will have to contain the decryption key. Because at some point or another, your application will have to compare the current date with the date of the expiration date.

As others have said, it's easy to spend a lot of energy on making this hard to break, but sooner or later, it comes down to some simple compare "Is it in date, or not?", and that code can always be "broken" by replacing the if (!in_date) exit_with_message("License expired..."); with if (false) .... So, unless you do that sort of thing in 100s of different places, and make the code look very different in each place [don't call the same function, don't use the same message, don't use the same calculation, don't use the same result, etc, etc]

I wanted to use a compiler that we used at work on my home machine [to do some work related projects from home!]. It had a "demo license" built in, so you could try it out, but it stopped after 10000 lines of source code. So I looked for all occurrences of 10000 in the binary. I think there were three places that contained 10000. I changed one, tried compiling my test-sample of more than 10000 lines, and it still failed - changed it back and changed the next one: wohoo, it worked... Now, the coder could have made it much harder, but had I been interested enough, I'm sure I could have fixed that as well. This was just much easier than getting a second license, installing a license server on my home machine, etc, etc.

Bear in mind also that most people who break things like this are not doing it for money, but for the challenge. And that's just a bigger motivation if it's hard!

Edit:

I would do something like this:

1) Create a license.dat, which contains:

  • A license number of some sort.
  • An expiration date (somewhat encrypted)
  • A cryptographic hash of the two above components

2) When loading the software [or at regular intervals in your software], load the license.dat.

3) Verify hash of the license file.

4) Check if the current date is greater than expiration date.

5) If checks all work out, continue, else exit with some relevant message.

Exactly how you store/encrypt the date is something I can't really advise on. One option is a 64-bit integer that has been suitably "scrambled", based on a time_t (time in seconds). The encryption is probably more of a case of "don't make it so darn obvious that it's a timestamp" - but the hash is really what is protecting your timestamp.
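
The five steps above as a runnable sketch, added here as an illustration (it is not code from the answer or from the linked article). Assumptions: the "hash" is an HMAC-SHA256 keyed with a constant embedded in the client, so the date cannot be changed and the hash recomputed without that key; the file layout, MAC_KEY and DATE_MASK are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo values (assumptions, not from the original post).
MAC_KEY = b"demo-key-embedded-in-client"  # ships inside the application
DATE_MASK = 0x5DEECE66D1234567            # only hides that the field is a timestamp


def make_license(license_no: str, expires_at: int) -> bytes:
    """Vendor side (step 1): number | scrambled 64-bit expiry | MAC over both."""
    if "|" in license_no:
        raise ValueError("license number must not contain the field separator")
    scrambled = struct.pack(">Q", expires_at ^ DATE_MASK).hex()
    body = license_no.encode("ascii") + b"|" + scrambled.encode("ascii")
    tag = hmac.new(MAC_KEY, body, hashlib.sha256).hexdigest().encode("ascii")
    return body + b"|" + tag


def check_license(blob: bytes, now: int) -> str:
    """Client side (steps 2-5). Returns 'ok', 'expired' or 'tampered'."""
    try:
        license_no, scrambled_hex, tag = blob.split(b"|")
    except ValueError:
        return "tampered"  # wrong number of fields

    # Step 3: verify the MAC before trusting or parsing any field.
    body = license_no + b"|" + scrambled_hex
    expected = hmac.new(MAC_KEY, body, hashlib.sha256).hexdigest().encode("ascii")
    if not hmac.compare_digest(expected, tag):
        return "tampered"

    # Step 4: unscramble the timestamp and compare with the current time.
    (scrambled,) = struct.unpack(">Q", bytes.fromhex(scrambled_hex.decode("ascii")))
    expires_at = scrambled ^ DATE_MASK
    return "expired" if now > expires_at else "ok"


if __name__ == "__main__":
    lic = make_license("LIC-0001", 1_400_000_000)   # constructed sample license
    print(check_license(lic, 1_399_999_999))        # before expiry
    print(check_license(lic, 1_400_000_001))        # after expiry
```

Because the key ships with the client, this detects edits to license.dat but not patching of the comparison itself, which is the limit the answer describes.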