Infralution Support Forum Index Infralution Support
Support groups for Infralution products
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

Encrypting .lic file?

 
Post new topic   Reply to topic    Infralution Support Forum Index -> Licensing Support
View previous topic :: View next topic  
Author Message
dcvchicago



Joined: 01 Sep 2006
Posts: 12

PostPosted: Thu Dec 14, 2006 12:48 am    Post subject: Encrypting .lic file? Reply with quote

I noticed that the license key is stored in clear text in the the .lic file in the application directory. Does ILS support storing the license key in an encrypted format? If not, can it be done easily within .NET? Where would I look to learn how to do it? Thanks

David Veeneman
FS Components
Back to top
View user's profile Send private message
Infralution



Joined: 28 Feb 2005
Posts: 5027

PostPosted: Tue Dec 19, 2006 2:26 am    Post subject: Reply with quote

Sorry must have missed this post - I know I have already responded via email to your query but just in case anyone else has a similar query.

The license key is already encrypted and the user must have had the key in the first place in order to enter it – so there is not a lot of point hiding it. However you can do this if you really want. You can derive a new class from EncryptedLicenseProvider and override the WriteKeyToFile and ReadKeyFromFile methods.
_________________
Infralution Support
Back to top
View user's profile Send private message Visit poster's website
jsobell



Joined: 11 Apr 2007
Posts: 3

PostPosted: Wed Apr 11, 2007 11:58 am    Post subject: Reply with quote

It seems odd to me that the key is left in plain text in the application folder, as one major method of avoiding piracy is to restrict access to the key required during installation. Yes, it's available in the user's email or on their CD case, but this is generally much more difficult to locate from externally.
Leaving the key in plain text means I can (for example) Google or FTP search for any MySpecialApp.lic files that have been left in public folders, read them in plain text, then type them in after downloading a demo version of MySpecialApp.
If this data is stored encrypted (or even stored in the registry) then this becomes much more complex, particularly for novice users.

I know we could override the class, but why exactly is it stored this way by default?

As a point of reference, many large vendors, in particular Microsoft, will refuse any software that stores its license key in this manner.

Cheers,
Jason
Back to top
View user's profile Send private message
Infralution



Joined: 28 Feb 2005
Posts: 5027

PostPosted: Wed Apr 11, 2007 10:15 pm    Post subject: Reply with quote

One reason it is stored this way by default was given above. Another is that many users of software manage to lose their emails and CD cases etc (we regularly get emails from customers who have done this) and storing the license in clear text means they can easily find and reenter their license key.

We can look at adding this an option. I'd be interested to see your reference for Microsofts policy on that.
_________________
Infralution Support
Back to top
View user's profile Send private message Visit poster's website
jsobell



Joined: 11 Apr 2007
Posts: 3

PostPosted: Wed Apr 11, 2007 11:02 pm    Post subject: Reply with quote

Hi, thanks for responding so quickly.
The reference is that we develop and supply software software for internal use by Microsoft, and part of their internal deployment process is that it must go through an internal acceptance test, with this being one of a key requirements.

This Google search demonstrates the problem, and Google actively filter out license files and password files wherever possible, yet thousands still get through:
http://www.google.com/search?q=+filetype:lic

Changing the license provider is not actually as simple as you make out, as overriding the WriteKeyToFile has no effect if you use the LicenseInstallForm class.
The form's GetLicenseProvider() is hard coded to return a new EncryptedLicenseProvider(), so the overridden WriteKeyToFile is never called. Would it not make more sense to provide a constructor that either takes the EncryptedLicenseProvider that you want to use, or accepts the Type so that it can instantiate an instance of that object internally?

(quick edit)

The following solves theproblem if you pass the type in:

Code:
        protected virtual EncryptedLicenseProvider GetLicenseProvider()
        {
            if (_licenseType == null)
                return new EncryptedLicenseProvider();
            else
                return (EncryptedLicenseProvider)Activator.CreateInstance(_licenseType);
        }


(/quick edit)


If this is not how you expected people to store license keys somewhere other than a file then perhaps you could add something into the FAQ?

Apart from this initial hiccup, all looks good Smile

Cheers,
Jason
Back to top
View user's profile Send private message
Infralution



Joined: 28 Feb 2005
Posts: 5027

PostPosted: Thu Apr 12, 2007 8:18 am    Post subject: Reply with quote

Quote:
This Google search demonstrates the problem, and Google actively filter out license files and password files wherever possible, yet thousands still get through:
http://www.google.com/search?q=+filetype:lic


This only reveals licenses that are stored in public web folders (most likely for ASP type apps). I thought we were talking about windows forms apps. If the folder your windows forms app stores its license in is exposed through a web server then you have more problems to worry about then showing your license key to the world Smile

For ASP.NET apps then perhaps encrypting the license key makes some sense to cater for those users who don't know how to properly secure their web sites. The problem for ASP.NET apps is that the app typically doesn't create the license - so normally they are licensed by the user copying the key into the file manually. I guess you could provide a separate utility to generate the encrypted key from the original key.

Quote:
The form's GetLicenseProvider() is hard coded to return a new EncryptedLicenseProvider(), so the overridden WriteKeyToFile is never called. Would it not make more sense to provide a constructor that either takes the EncryptedLicenseProvider that you want to use, or accepts the Type so that it can instantiate an instance of that object internally?


The LicenseInstallForm has a LicenseProvider property that you can set with an instance of the LicenseProvider you want to use. The internal GetLicenseProvider function is only called if this property is not set.
_________________
Infralution Support
Back to top
View user's profile Send private message Visit poster's website
jsobell



Joined: 11 Apr 2007
Posts: 3

PostPosted: Thu Apr 12, 2007 9:32 am    Post subject: Reply with quote

Infralution wrote:
This only reveals licenses that are stored in public web folders (most likely for ASP type apps). I thought we were talking about windows forms apps. If the folder your windows forms app stores its license in is exposed through a web server then you have more problems to worry about then showing your license key to the world Smile


Yes indeed, if we were using ASP.NET then it would be a pretty stupid thing to allow public access too, but I only gave that Google query as an example. If you do the same with any of the public FTP Search engines then you also get all the files where people have drives open to the network, particularly educational establishments, so this is most definately not a web folder only problem.

Infralution wrote:
The LicenseInstallForm has a LicenseProvider property that you can set with an instance of the LicenseProvider you want to use. The internal GetLicenseProvider function is only called if this property is not set.


Ah... OK, thanks, this makes sense. I still think you should add a quick FAQ entry on your site on how to modify the key storage location to be the registry or a Settings entry, as I couldn't find any mention of this property in the doco and somehow managed to overlook it when browsing the form source.

Thanks for the feedback, and as always it's fantastic to have a human responding to questions so promptly and completely! Smile
Just so you know, the reason I chose this product is largely because the forum system had prompt and extensive responses to technical questions. To me this is a major deciding factor in choosing our product tools. 'Good on ya, mate' Very Happy

Cheers,
Jason
Back to top
View user's profile Send private message
Infralution



Joined: 28 Feb 2005
Posts: 5027

PostPosted: Thu Apr 12, 2007 9:53 am    Post subject: Reply with quote

Quote:
Just so you know, the reason I chose this product is largely because the forum system had prompt and extensive responses to technical questions. To me this is a major deciding factor in choosing our product tools. 'Good on ya, mate'


Thanks for the positive feedback. Nice to hear from a fellow Melbournian. I'm actually taking a long W/E this weekend to head down to Wilsons Prom - so forum responses might be lacking till I get back.
_________________
Infralution Support
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:   
Post new topic   Reply to topic    Infralution Support Forum Index -> Licensing Support All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB © 2001, 2005 phpBB Group