Reputation: 27
In my application I am gonna use online activation to control piracy. But the problem is that once the user activates the software, how do I detect that the application is activated? Is there any way to store the data that this application is activated? Don't tell me registry, because this way is not secure. Any information related to online activation will be helpful to me. I have decided to create a file in the system drive, and my application checks for that file every time it starts. If the file is found then the application starts, and if it isn't then it asks for the key. Is that secure? Any suggestion will be good!!
Upvotes: 0
Views: 326
Reputation: 432
The issue you mentioned is one you need to consider, but there are many others:
Just some things to think about based on years of experience in the field.
Upvotes: 2
Reputation: 605
There are two different takes on "securing the activation data" that I can see:
1) If you are trying to secure the activation data from the user, so that the user cannot copy the data to a different computer and use the software there as well, I propose the following protocol:
During activation, uniquely identifying features of the user's environment are hashed and sent to the activation server. The activation server generates an activation that is signed using a secret key. On product start, your product verifies that the activation was signed by your server (using the server's public key) and that the local environment hashes to the same signed value contained in the activation. If it fails, then the environment has either changed (new installation of the operating system?) or the data has migrated to a new environment requiring (by the sounds of it) a new license / activation. Either way, the user requires a new activation.
2) If you're trying to protect the activation data from corruption then consider supplementing the former protocol with logic that, if the customer tries to re-activate with the same UID, allow the activation to go through again, which should result in an identical activation instance being sent back to the customer.
These are off the cuff; I don't guarantee either of these to be bulletproof. Also, remember, a pirate only has to bypass verification for activation to be a moot point.
Also, I feel it's important to note that, with this scheme, the idea is that you don't have to hide activation information anywhere. You can store it wherever is convenient.
Upvotes: 0
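The signed-activation protocol from the answer above, as an added example that is not part of the original posts. The answer names no algorithms, so Ed25519 and SHA-256 are assumptions, as are all function names and the constructed sample features; because Ed25519 signatures are deterministic, re-activating the same environment returns an identical record, as point 2 asks.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

type Activation struct {
	EnvHash [32]byte // environment hash submitted at activation time
	Sig     []byte   // server's signature over EnvHash; the record can be stored anywhere
}

// envHash hashes identifying features; length prefixes keep field boundaries unambiguous.
func envHash(features ...string) [32]byte {
	var buf bytes.Buffer
	for _, f := range features {
		fmt.Fprintf(&buf, "%d:%s", len(f), f)
	}
	return sha256.Sum256(buf.Bytes())
}

// issue runs on the activation server, the only holder of the private key.
func issue(priv ed25519.PrivateKey, env [32]byte) Activation {
	return Activation{EnvHash: env, Sig: ed25519.Sign(priv, env[:])}
}

// verify runs at product start and needs only the embedded public key.
func verify(pub ed25519.PublicKey, a Activation, local [32]byte) error {
	if !ed25519.Verify(pub, a.EnvHash[:], a.Sig) {
		return fmt.Errorf("activation was not signed by the server")
	}
	if a.EnvHash != local {
		return fmt.Errorf("environment changed: new activation required")
	}
	return nil
}

// demo reports: original machine accepted, copied record rejected, edited record rejected, re-issue identical.
func demo() [4]bool {
	pub, priv, _ := ed25519.GenerateKey(nil)                    // nil selects crypto/rand
	a := envHash("disk:CONSTRUCTED-A", "mac:02:00:00:00:00:01") // constructed sample values
	b := envHash("disk:CONSTRUCTED-B", "mac:02:00:00:00:00:02")
	act := issue(priv, a)
	forged := Activation{EnvHash: b, Sig: act.Sig} // record edited to claim machine B
	return [4]bool{verify(pub, act, a) == nil, verify(pub, act, b) != nil, verify(pub, forged, b) != nil, bytes.Equal(act.Sig, issue(priv, a).Sig)}
}

func main() { fmt.Println(demo()) }
```

The check only binds the record to the environment; as the answer notes, it does nothing against a patched binary that skips `verify` altogether.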