Sunday, 8 June 2008

SMSRelay Suite: Licensing Issues

For SMSRelay and other commercial applications I am, and will be, developing, I need to establish a method for licensing. Having been annoyed and frustrated by software licensing in the past, I have decided that the primary goal of whatever licensing mechanism I introduce will be to not frustrate genuine customers for the sake of trying to stop thieves. Therefore it is necessary to keep it simple and to a certain extent rely upon the honesty of my customers.

Therefore I am tinkering with the following idea:

Upon payment an XML file is generated which contains the Name of the customer and a Serial Number which will be an AES 128 encrypted version of the Name. The contents of the file will look similar to this:



The software will check for the existence of the file and when (if) the file is found the software will become a fully working version.

There will be nothing to stop the user copying this file to another machine and then activating a second (or third, or fourth) copy of the software. There will be nothing to stop the customer giving this to their friends and therefore enabling their version of the software.

If somebody covertly obtains, or is given, the license file they will have to put up with the fact that the software has the name of the genuine customer in various places. Any attempt to edit the customer Name in the XML file will cause the software to not run unless the encrypted Serial Number is also edited to match the edited Name. Without access to my encryption phrase there is not much chance of them succeeding to ‘license’ it to themselves.
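The check described above, sketched as an added example (not the SMSRelay code): a serial derived from the customer Name under a secret phrase, and a verifier that rejects the file once the Name is edited. The element names `License`, `Name` and `Serial`, the phrase and the customer names are assumptions, and HMAC-SHA256 stands in for the post's AES 128 step because it is in the Python standard library and gives the same name-to-serial binding.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Assumption: constructed stand-in for the vendor's private phrase.
SECRET_PHRASE = b"constructed-example-phrase"


def make_serial(name: str) -> str:
    """Derive a 128-bit serial from the customer name under the secret phrase.
    HMAC-SHA256 is substituted for the AES 128 encryption the post describes."""
    mac = hmac.new(SECRET_PHRASE, name.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32].upper()


def make_license(name: str) -> str:
    """Build the license file text (hypothetical element names)."""
    root = ET.Element("License")
    ET.SubElement(root, "Name").text = name
    ET.SubElement(root, "Serial").text = make_serial(name)
    return ET.tostring(root, encoding="unicode")


def check_license(xml_text: str):
    """Return the licensed name if Name and Serial match, otherwise None."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None  # unreadable file: treat as unlicensed
    name = root.findtext("Name")
    serial = root.findtext("Serial")
    if not name or not serial:
        return None  # a missing or empty field never validates
    expected = make_serial(name).encode("ascii")
    supplied = serial.strip().upper().encode("utf-8")
    # Constant-time comparison of the recomputed and supplied serials.
    return name if hmac.compare_digest(expected, supplied) else None


if __name__ == "__main__":
    lic = make_license("Jane Example")  # constructed customer name
    print(check_license(lic))  # genuine file: name is returned
    print(check_license(lic.replace("Jane Example", "John Example")))  # edited Name
```

Because the verifier recomputes the serial, the shipped program has to contain the same secret phrase as the generator, and that holds for the AES 128 version too. A digital signature over the Name would let the program carry only a public verification key.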

The drawbacks mentioned above are problems for me. The customer however has a simple and easy way of licensing. If they need to install on a third or fourth computer they can do so easily and immediately, and if they are honest they will inform me and pay a reduced fee for subsequent licenses.

The second copy of the program will be allowed under the EULA, as I don’t think it’s unreasonable to expect that people may have both a desktop and laptop computer nowadays and wish to install on both; I don't expect them to pay twice for this.

This is new to me. My previous commercial programs were protected by the fact they were large corporate systems that needed support contracts etc. (nobody trusts their Finance and ERP systems to 'pirate' software), and the rest of my experience has been developing for a single customer from within the corporate environment, where obviously licensing wasn't an issue.

I’d appreciate any thoughts or feedback on this and am interested to know what other developers are doing concerning licensing.

"In the depth of winter, I finally learned that within me there lay an invincible summer." - Albert Camus

5 comments:

Phillip Flores said...

Hi Steve,

The licensing scheme that you described is similar to the one I have implemented in my time tracking application that I have been selling on the Internet for the last 7 or 8 years (sales are not that great and it is something I have to work on...). It has been working for me and I will use the same idea for my misvCRM app. The only drawback (at least for me) until now is that I have to run a little program to generate the key, which sometimes can take a few minutes to several hours before the purchaser receives it. A little suggestion that you might find useful is to try to use one or two other algorithms in conjunction with what you have to generate the serial number, i.e. get the hash or cipher of a generated key and then use it as input to another cipher with a seed that you specify. Hope this helps.

Steve Cholerton said...

Hi Phillip. Thanks for the comments and suggestions. It's important to me also that the customer gets the licence file fast. I'm thinking of automating that process, passing the Customer Name through a program located on the webserver which will generate the encrypted Serial Number and spit out the License file to the user's email account.

That's one for later though, we've got a few days left yet :-)

Phillip Flores said...

Steve,

The funny thing though is that after I posted my comment I realised that I discovered that I can easily create a webservice that generates the licence key. I'm actually looking forward to experimenting with this approach as I have not really dabbled with webservices before. As you say, there are still a few days left.

Mike Wilson said...

Hi Steve,

In terms of generating the license key; I can highly recommend taking a look at Brandon Stagg's excellent article here:

http://www.brandonstaggs.com/2007/07/26/implementing-a-partial-serial-number-verification-system-in-delphi/

Of course the principles apply to any language.

With regard to online checking of the license key and online licensing, please consider taking a look at my 30 day project: www.software-monitor.com. It won't generate keys for you, but will let you store a repository of keys in order to challenge/authenticate them, which might provide an extra layer of security. It's an extension of the same technology that my company has been using for years now, only I'm making it more generic and offering it to other developers :)

Warm Regards,

Mike Wilson

Steve Cholerton said...

Hi Mike. I have printed that article and will read through it later today. Thanks for the heads up :-) I have been keeping an eye on Software Monitor, it's an ambitious and interesting project - I wish you all the best with it. Cheers - Steve