Java Dongles
May 20, 2005 11:31 AM   Subscribe

Has anybody ever used a cross-platform (Win, OSX) USB dongle/hardware key to copy protect a Java application? Which one(s)? How was it to integrate into the application?

I've been googling for days now, but can't find good third party information on Java dongles. I've found at least four or five different makers, but, as companies are wont to do, they all proclaim themselves the best.

One of my clients is insistent on using dongles to protect the next version of his product after reading an article in some suit magazine. And, since it offers better copy protection than the crap I wrote for the last version, I'm not opposed to putting it in. However, he wants me to do the research on which one to use (which is fair, of course)

And to the anti-copy-protection crowd: Don't worry about this, I swear on every geek point, bit of hacker cred, and my EFF donation money this year, it isn't software you or anyone else I know would buy (and you sure as shit wouldn't care about the source if you did buy it).
posted by Netzapper to Computers & Internet (3 answers total)
Don't have any direct info, but when we were evaluating hardware keys for VPN use, we got manufacturers to send us samples of the hardware and software. Years before that we got some sample smart cards and readers when I was doing research on them. If your client is big enough (i.e. you'll move enough units to make it worthwhile for them to even talk to you) they might send you some goodies.
posted by RustyBrooks at 2:06 PM on May 20, 2005

Unfortunately, they don't move that many units. It's a high-price, low volume product.

Alright, well, I guess I'll just start harassing the companies. I'm going to have fun with this.
posted by Netzapper at 2:39 PM on May 20, 2005

Are you interested only in security theatre to appease your clients, or actually making the software hard to copy? If the former, ignore the below. :)

Dongles are a pain in the butt for everyone involved, especially the users, and don't increase security compared with certain software-only solutions. Most all copy protection systems use public key crypto where it's imperative to keep secret the private key(s) used to authorize. With a dongle the private key is kept internal to itself . But where else could a private key be kept?

I'd recommend going with the serial number -> challenge code -> unlock code system used by many software systems. In such a system a challenge code is generated from the user's serial number and some particulars of the user's computer. This challenge code is sent to your servers where an unlock code is generated and sent back to the user. The implementation details (your private key(s)) of how to generate the unlock code are kept under your control (and not in a decompilable Java file) and the unlock code is only good for the particular serial number and computer combination. Essentially, let your servers act as the dongle, no need for custom drivers, platform issues, etc.

Relying on dongle hardware in Java to do this crypto would be problematic. A Java program lives in a sandbox, any time it pokes it's head out to get at hardware you can easily snoop that and potentially fool it. With a "network-based dongle" (heh), at least you get to watch attempts at breaking your crypto since it's your servers that contain the private key and not some physical thing.

And with any copy proection scheme implemented superficially, given a few hours and a decompiler a skilled programmer could route around it. For example, don't put your copy protection code in an obvious class method called com.mycompany.LicenseChecker.isLicenseValid() that's only called once on app startup. In five minutes one could write a stub class that always returns true and put that at the head of the classpath to override the real checker.

Copy protection is never perfect, one can only slow down casual copying.
posted by todbot at 5:03 PM on May 21, 2005

« Older Calling all historians: a ques...   |  I recently went to a wedding i... Newer »
This thread is closed to new comments.