Java Dongles
May 20, 2005 11:31 AM
Has anybody ever used a cross-platform (Win, OSX) USB dongle/hardware key to copy protect a Java application? Which one(s)? How was it to integrate into the application?
I've been googling for days now, but can't find good third party information on Java dongles. I've found at least four or five different makers, but, as companies are wont to do, they all proclaim themselves the best.
One of my clients is insistent on using dongles to protect the next version of his product after reading an article in some suit magazine. And, since it offers better copy protection than the crap I wrote for the last version, I'm not opposed to putting it in. However, he wants me to do the research on which one to use (which is fair, of course).
And to the anti-copy-protection crowd: Don't worry about this, I swear on every geek point, bit of hacker cred, and my EFF donation money this year, it isn't software you or anyone else I know would buy (and you sure as shit wouldn't care about the source if you did buy it).
Response by poster: Unfortunately, they don't move that many units. It's a high-price, low volume product.
Alright, well, I guess I'll just start harassing the companies. I'm going to have fun with this.
posted by Netzapper at 2:39 PM on May 20, 2005
Are you interested only in security theatre to appease your clients, or actually making the software hard to copy? If the former, ignore the below. :)
Dongles are a pain in the butt for everyone involved, especially the users, and don't increase security compared with certain software-only solutions. Most all copy protection systems use public key crypto where it's imperative to keep secret the private key(s) used to authorize. With a dongle the private key is kept internal to itself. But where else could a private key be kept?
I'd recommend going with the serial number -> challenge code -> unlock code system used by many software systems. In such a system a challenge code is generated from the user's serial number and some particulars of the user's computer. This challenge code is sent to your servers where an unlock code is generated and sent back to the user. The implementation details (your private key(s)) of how to generate the unlock code are kept under your control (and not in a decompilable Java file) and the unlock code is only good for the particular serial number and computer combination. Essentially, let your servers act as the dongle, no need for custom drivers, platform issues, etc.
Relying on dongle hardware in Java to do this crypto would be problematic. A Java program lives in a sandbox, any time it pokes its head out to get at hardware you can easily snoop that and potentially fool it. With a "network-based dongle" (heh), at least you get to watch attempts at breaking your crypto since it's your servers that contain the private key and not some physical thing.
And with any copy protection scheme implemented superficially, given a few hours and a decompiler a skilled programmer could route around it. For example, don't put your copy protection code in an obvious class method called
com.mycompany.LicenseChecker.isLicenseValid()
that's only called once on app startup. In five minutes one could write a stub class that always returns true
and put that at the head of the classpath to override the real checker.
Copy protection is never perfect, one can only slow down casual copying.
posted by todbot at 5:03 PM on May 21, 2005
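The serial number -> challenge code -> unlock code flow described in the comment above, as an added Java example (not code from the thread or from any licensing product). It assumes the unlock code is an RSA signature over the challenge; the class and method names, the serial number and the machine identifiers are all constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

public class UnlockCodeDemo {
    // Client side: derive the challenge from the serial number and machine particulars.
    static String challenge(String serial, String machineId) throws GeneralSecurityException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        // Length-prefix the serial so ("AB","C") and ("A","BC") hash differently.
        md.update((serial.length() + ":" + serial + "|" + machineId).getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(md.digest());
    }

    // Server side: the private key never leaves the vendor's server.
    static String issueUnlockCode(PrivateKey serverKey, String challenge) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(serverKey);
        s.update(challenge.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(s.sign());
    }

    // Client side: ships only the public key and recomputes the challenge locally,
    // so a code issued for another serial or another machine does not verify.
    static boolean unlockCodeValid(PublicKey serverPub, String serial, String machineId, String unlockCode) {
        try {
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initVerify(serverPub);
            s.update(challenge(serial, machineId).getBytes(StandardCharsets.UTF_8));
            return s.verify(Base64.getUrlDecoder().decode(unlockCode));
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false; // malformed or forged code: fail closed
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair server = kpg.generateKeyPair(); // constructed demo key pair
        String serial = "SN-0001-DEMO";           // constructed sample values
        String machineA = "mac=00:11:22:33:44:55", machineB = "mac=66:77:88:99:aa:bb";
        String code = issueUnlockCode(server.getPrivate(), challenge(serial, machineA));
        System.out.println("same machine:  " + unlockCodeValid(server.getPublic(), serial, machineA, code));
        System.out.println("other machine: " + unlockCodeValid(server.getPublic(), serial, machineB, code));
        System.out.println("garbage code:  " + unlockCodeValid(server.getPublic(), serial, machineA, "not-base64!!"));
    }
}
```

The verification still runs inside the client, so the comment's caveat about a single, obviously named check applies to this code as well.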
posted by RustyBrooks at 2:06 PM on May 20, 2005