Programming Visual Basic 2008, part 9


CHAPTER 22
Licensing Your Application

Proper .NET content licensing can mean the difference between marketplace dominance and financial bankruptcy. And I’m just talking about trying to understand the license agreement that comes with Visual Studio. You still have to figure out a licensing method for your own application before you send it to your customers. Licensing and license agreements are an essential means of protecting the intellectual property you’ve worked so hard to develop.

How does licensing work? The key is found in the roots of the word itself: license comes from “li-” (to tell a lie) and “-cense” (from “cents” as in “pennies”). Together, these roots mean “to tell lies about small units of currency.” The confusion brought about in trying to figure out what this means keeps the bad guys perplexed and occupied long enough so that they don’t steal your application. If this method doesn’t work, there are software solutions, some of which I’ll review in this chapter.

Part of the discussion focuses on designing a licensing system that will appear in the Library Project. The .NET Framework does include classes for component licensing but they are primarily used for designers of controls used by other programmers within the Visual Studio IDE, and not for end-user applications. We will not be covering these licensing features in this chapter. If you’re curious about such features, start by reading about the License Compiler (lc.exe) in the Visual Studio online help.

Software Licensing Options

Back in the early days of software, licensing wasn’t an issue: if you could get to the computer, it was because you were authorized. All user interaction with the system was through the programmers and technicians. If some user wanted to steal something, it would be in the form of 20 tons of steel, wires, and vacuum tubes. Fun? Yes. Easy? No.

Today, it’s a different story.
Most users are non-technical, and some are unethical. So, now we have licensing agreements and teams of lawyers to back it all up. But we also have software, software that can delicately enforce some of the rules. For a particular piece of software, there is still the question of “How much licensing enforcement code do I add to my application?” The amount of software control you include will fall somewhere in the “Freedom–Security” continuum shown in Figure 22-1.

If you go for the Freedom end of the spectrum (“convenient for users and hackers”), you will have to go on the trustworthiness of your users, and any armed guards you have dispatched to their offices, to keep the program in compliance. At the Security end of the scale (“secure for programmers and highly paid law firms”), the software implements practices and policies that ensure that only licensed users of the application ever use or install it; no armed guards needed.

The rest of this section discusses some possible options you could choose within the Freedom–Security range.

License Agreement Only

The license agreement-only method clearly opts for freedom over security. When you supply the user with software, it comes with a carefully crafted license agreement that lays out the terms of use for both the user and the software supplier. It generally gives the user certain rights as to installation, use, and distribution of the software.

When you write an application for use only within a specific organization or by a small group of users who you will have regular contact with, the license agreement-only method may be just what you need. In fact, I would bet that most Visual Basic applications are in this vein. Microsoft has announced over the years that the vast majority of Visual Basic programmers target their applications for use in a specific business organization, tied to a specific custom database.
Such systems often require very little in the way of license enforcement, since the application is useless when carried outside the building where it was meant to reside.

Even if your software achieves widespread distribution, this licensing scheme may still be the way to go. Many open source applications, including a major operating system that rhymes with “Plinux,” use the Free Software Foundation’s GNU General Public License (http://www.fsf.org/licensing/licenses/gpl.html) as their primary licensing and distribution policy.

[Figure 22-1. The licensing enforcement continuum: where are you on it? A scale running from Freedom to Security, marked “Perhaps here?”]

Generated General License Key

If you need a bit more control over the distribution, installation, and use of an application, you can impose a generated general license key—basically a password that allows the application to be installed or used. Such keys are often entered at the start of the installation process, with the user prompted for a specific key. Without the key, it’s goodbye installation.

The software vendor will need a way to generate a good set of unique installation keys. There are a couple of options:

• Just generate a sequential serial number, and mix into it a product ID and version number. The great thing about such a key is that it is easy to generate. The installation program doesn’t need to perform any complex verification logic on the key. It only needs to ensure that the general format is correct. One of the products I used to develop online help documentation for my older Visual Basic 6.0 applications used such a license key. In a way, it’s not much more secure than using just a license agreement, since anyone who knows the general format can make up his own key.

• Use a hashed or scrambled key, based on some original serial number or formula that can be verified by the installation program.
A well-crafted hashing algorithm can generate a wide range of keys, but makes it difficult for others who don’t know the formula to generate their own fake keys. Although I am not privy to Microsoft’s internal processes, this appears to be the method it uses for its 25-character “CD Keys,” including the one supplied with Visual Studio. Although it is difficult for keys to be invented out of whole cloth, the public nature of the keys makes them subject to sharing. For some of its products, Microsoft combines a CD key with an online or phone-based registration process to enhance security.

• Supply a hashed or encrypted key based on a serial number that is (secretly) supplied with the installation program or distribution media. When the user enters the key, it is unencrypted or otherwise prepared, and then compared with the serial number. Only if it matches will the software installation complete properly.

Generated Custom License Key

A custom-generated license key is similar to a general generated key, but uses personal information supplied by the user as part of the generation process. Such a key is more interactive, and requires that the end-user specifically communicate with the software vendor (or an application on its web site) to complete the installation process.

During the purchase or installation process, the user makes specific information (such as the owner’s name and the date of purchase) available to the software vendor. The vendor then uses public-private key encryption (asymmetric cryptography) to either fully encrypt or digitally sign the relevant information. The encrypted signature is then returned to the end-user for installation. The installation process uses the public portion of the key pair to ensure that the signature is valid.

We will use this license key method in the Library Project, so I’ll have more to say about it a little later.
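The sign-then-verify flow described above, sketched with the .NET Framework's SignedXml class. This is an added example, not the book's Library Project code: the use of XML-DSig, the module and function names, and the 2048-bit key size are assumptions, and the sample license is constructed from the fields of the license file this chapter designs.

```vb
' Requires a project reference to System.Security.dll.
Imports System
Imports System.Security.Cryptography
Imports System.Security.Cryptography.Xml
Imports System.Xml

Module LicenseSignatureDemo
    ' Constructed sample license (assumed layout, unsigned).
    Private Const SampleLicense As String = _
        "<License><Product>Library Project</Product>" & _
        "<LicenseDate>1/1/2000</LicenseDate>" & _
        "<ExpireDate>12/31/2999</ExpireDate>" & _
        "<CoveredVersion>1.*</CoveredVersion>" & _
        "<Licensee>John Q. Public</Licensee>" & _
        "<SerialNumber>LIB-123456789</SerialNumber></License>"

    ' Vendor side: sign the whole document with the private key.
    Public Function SignLicense(ByVal licenseXml As String, _
            ByVal privateKey As RSA) As XmlDocument
        Dim doc As New XmlDocument()
        doc.PreserveWhitespace = True
        doc.LoadXml(licenseXml)

        Dim signer As New SignedXml(doc)
        signer.SigningKey = privateKey
        ' An empty URI means "the entire document"; the enveloped
        ' transform leaves the <Signature> element out of the digest.
        Dim wholeDocument As New Reference("")
        wholeDocument.AddTransform(New XmlDsigEnvelopedSignatureTransform())
        signer.AddReference(wholeDocument)
        signer.ComputeSignature()

        doc.DocumentElement.AppendChild(doc.ImportNode(signer.GetXml(), True))
        Return doc
    End Function

    ' Application side: only the public key is needed to verify.
    Public Function IsLicenseValid(ByVal doc As XmlDocument, _
            ByVal publicKey As RSA) As Boolean
        Dim signatures As XmlNodeList = _
            doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl)
        If (signatures.Count <> 1) Then Return False

        Dim verifier As New SignedXml(doc)
        verifier.LoadXml(CType(signatures(0), XmlElement))

        ' Reject a signature that covers only part of the file.
        If (verifier.SignedInfo.References.Count <> 1) Then Return False
        Dim signedPart As Reference = _
            CType(verifier.SignedInfo.References(0), Reference)
        If (signedPart.Uri <> "") Then Return False

        Return verifier.CheckSignature(publicKey)
    End Function

    Sub Main()
        ' The vendor's generator holds the full key pair.
        Dim vendorKey As New RSACryptoServiceProvider(2048)
        ' The shipped application gets the public half only.
        Dim appKey As New RSACryptoServiceProvider()
        appKey.FromXmlString(vendorKey.ToXmlString(False))

        Dim signedLicense As XmlDocument = SignLicense(SampleLicense, vendorKey)
        Console.WriteLine("Untouched license valid: " & _
            IsLicenseValid(signedLicense, appKey).ToString())

        ' Simulate the licensee name being edited after signing.
        signedLicense.SelectSingleNode("/License/Licensee").InnerText = _
            "Someone Else"
        Console.WriteLine("Edited license valid: " & _
            IsLicenseValid(signedLicense, appKey).ToString())
    End Sub
End Module
```

A signature only proves the file is unmodified; the application still has to compare the signed ExpireDate and CoveredVersion values against the current date and its own version before enabling licensed features.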
License Key with Hardware Identity or Lock

For paranoid software vendors, or for those who have a legitimate need to keep a tight rein on their installation base, there are solutions that involve regular access to hardware or services to confirm that previously installed software is legal and valid. One popular method uses a “dongle,” typically a USB port-based device that the software must have access to each time it runs. The software vendor supplies a dongle with the licensed software, and may encode it with date-based or use-based limits.

With the prevalence of the Internet, software vendors also have the option of real-time verification over the Web. Each time the program runs, it could access a known vendor site to engage in a usage verification process. Such a system allows for ongoing monitoring of the software by vendors who may have a business or governmental reason to limit use of the software.

For one of my customer projects, I must access a third-party web site on a monthly basis and download proprietary data for use with that vendor’s software. The vendor requires that I always access their web site from a specific machine with a specific IP address. It will refuse to supply the data if I attempt to connect from any other machine. If I have a real need to use a fresh IP address (if, for example, I change Internet service providers), I must submit paperwork to the vendor informing them of the new IP address. It seems pesky, and it is an irritation. But the data they supply is unique and valuable, and they feel they have a business need to protect that investment. Since my customer requires the data, I have no choice but to comply with the monthly verification procedures.

Controlled Access

The highest level of security requires a blatant distrust of the user, although there may be good reason for this.
For highly sensitive applications, the software vendor may make their product available to only a limited number of customers, and then only on a lease basis. As part of the lease agreement, the customer agrees to have a trained staff member of the software vendor on-site, running and maintaining the application for the customer. At the very least, the vendor will require that one of its employees be immediately available to the customer whenever the application is used.

In a world of off-the-shelf software applications, it seems unconscionable that such a system could exist. But in high-risk situations, security concerns are raised to such a level that neither party is willing to fully assume the risks of installing and using the application apart from the other.

Although I was tempted to use this system for the Library Project, I think we’ll stick with our original plan of employing a custom-generated license key.

License Agreements

A license agreement is a document wherein the party of the first part hereby and does amicably render to the party of the second part certain rights, quid pro quos, treasury bonds, and other benefits; in exchange, the party of the second part will do the same for the party of the first part without respect for any other party or festival.

Let’s try that again. A license agreement tells a user “Go ahead, install and use the software, but you have to follow these rules.” Although they are often written in legalese, they can also appear in a real language, such as English. They also range in granted rights, from “You can use this, but when you’re finished, you must destroy all copies” to “Use it, and feel free to pass a copy of the program and its source code to your friends and relations.”

The Library software provided with this book comes with a license agreement. (I’ve included it in Appendix B.)
When you installed the sample code, you agreed to the terms of the license agreement, including the part about supporting my family financially well into my retirement years. But enough about me; let’s talk about license agreements you may want to use for your applications.

If you’re developing a DVD catalog program for your cousin Fred, you can probably skip the license agreement part. But any software you craft in a business capacity for use outside your own company should include some sort of agreement between you (or your company) and the user of the software. This agreement could be defined as part of the contract that established the software development project (this is typical for software consulting), or you could include the agreement as a component of the software (common for off-the-shelf programs).

Whichever method you choose, it is important that you state it in written form because it can save you grief down the road. I once had a customer who insisted that I fork over a copy of the source code for an application I wrote for them so that they could enhance it and sell the new version to other businesses (the nerve!). Fortunately, we had a written contract that stated the rules of engagement. They were entitled to a copy of the source code for archive purposes, but they could not use it or derive products from it without written consent from me. This granted a level of safety for them while still providing the means for me to provide the best support possible for their organization. Fortunately, it all came to a happy conclusion, and since that Visual Basic 3.0 code doesn’t even run anymore, it’s a moot point.

A license agreement usually exists to protect the rights of the software vendor, but it would be useless if it didn’t also grant meaningful rights to the user—and some of the rights can be rather generous.
Did you know that the standard consumer licensing agreement for Microsoft Office allows you to install the product on two different systems using a single licensed copy of the program? It’s not a complete install-fest. Both computers must belong to the same person, and one must be a desktop whereas the other is a portable device (a laptop). But it’s still a meaningful benefit to the typical user.

The legal department at O’Reilly Media wants to remind you that Tim Patrick does not have a sufficient understanding of the law, and cannot advise you on the contents of any licensing agreement you may want to craft for your projects.

Obfuscation

I hinted a little about the obfuscation features in Visual Studio 2008 in Chapters 1 and 5, but it’s high time we actually took a look at the features. Visual Studio includes a stripped-down version of Dotfuscator from a company named PreEmptive Solutions (not a part of Microsoft—yet). To access the program, use the Tools ➝ Dotfuscator Community Edition menu command in Visual Studio. The main interface appears in Figure 22-2.

As of this writing, Dotfuscator Community Edition is not included with Visual Basic 2008 Express Edition.

[Figure 22-2. It’s time to obfuscate!]

Even though this is the basic version of the product, you can see that it has a gazillion options. If you want to dive into its enhanced features for your project, that’s fantastic. I’ll just cover the basic usage here.

Let’s recall quickly why you would want to obfuscate your code, or even use the word obfuscate in mixed company. Here’s some code from the Library Project:

    Public Function CenterText(ByVal origText As String, _
          ByVal textWidth As Integer) As String
       ' Center a piece of text in a field width.
       ' If the text is too wide, truncate it.
       Dim resultText As String

       resultText = Trim(origText)
       If (Len(resultText) >= textWidth) Then
          ' Truncate as needed.
          Return Trim(Left(origText, textWidth))
       Else
          ' Start with extra spaces.
          Return Space((textWidth - Len(origText)) \ 2) & _
             resultText
       End If
    End Function

This code is quite easy to understand, especially with the comments and the meaningful method and variable names. Although .NET obfuscation works at the MSIL level, let’s pretend that the obfuscator worked directly on Visual Basic code. Obfuscation of this code might produce results similar to the following:

    Public Function A(ByVal AA As String, _
          ByVal AAA As Integer) As String
       Dim AAAA As String
       AAAA = Trim(AA)
       If (Len(AAAA) >= AAA) Then
          Return Trim(Left(AA, AAA))
       Else
          Return Space((AAA - Len(AA)) \ 2) & AAAA
       End If
    End Function

In such a simple routine, we could still figure out the logic, but with more effort than in the original version. Naturally, true obfuscation goes much further than this, scrambling the readability of the code at the IL level, and confounding code readers and hackers alike.

To obfuscate an assembly:

1. Build your project in Visual Studio using the Build ➝ Build [Project Name] menu command.

2. Start Dotfuscator using the Tools ➝ Dotfuscator Community Edition menu command in Visual Studio.

3. When prompted for a project type, select Create New Project, and click the OK button.

4. On the Input tab of the Dotfuscator application window, click the “Browse and add assembly to list” toolbar button. This is the leftmost button—the one that looks like a file folder with a small arrow above it—on the panel shown in Figure 22-2.

5. When prompted for an assembly file, browse for your compiled application, and click the OK button. The assembly to use will be in the bin\Release subdirectory within your project’s source code directory.

6. Select the File ➝ Build menu command to generate the obfuscated assembly. You will be prompted to save the Dotfuscator project file (an XML file) before the build begins. Save this file to a new directory.
   When the build occurs, it will save the output assembly in a Dotfuscated subdirectory in the same directory that contains the XML project file.

7. The build completes, and a summary appears as shown in Figure 22-3.

Your obfuscated file is ready to use. The process also generates a Map.xml file that documents all the name changes made to types and members within your application. It would be a bad thing to distribute this file with the assembly. It is for your debugging use only.

To prove that the obfuscation took place, use the IL Disassembler tool that comes with Visual Studio to examine each assembly. (On my system, this program is accessed via Start ➝ [All] Programs ➝ Microsoft Windows SDK v6.0A ➝ Tools ➝ IL Disassembler.) Figure 22-4 shows the global variables included in the Library Project’s General.vb file. The obfuscated version of these same variables appears in Figure 22-5.

I will not be performing obfuscation on the Library Project through this book’s tutorial sections. Feel free to try it out on your own.

The Library Licensing System

The tools and procedures we will use to design the Library Project’s licensing system can be built from features already discussed in previous chapters:

• The license file contains XML content. (Chapter 13)

• The license appears as a separate file in the same directory as the Library.exe assembly. The Library software reads content from the license file. (Chapter 15)

• The license will include a digital signature, which is based on public-private key encryption. (Chapter 11)

[Figure 22-3. Summary of the obfuscation, with some advertising thrown in]

[Figure 22-4. Global variables before obfuscation]

Each time the Library application runs, it attempts to read the license file.
If the file doesn’t exist, or if it contains invalid data or an invalid signature, the program downgrades its available features, disabling those features that are considered licensed.

Designing the License File

The Library Project’s license file contains some basic ownership and rights information related to the user who purchased rights to the software. Here’s the XML content I’ve come up with:

    <?xml version="1.0" encoding="utf-8"?>
    <License>
      <Product>Library Project</Product>
      <LicenseDate>1/1/2000</LicenseDate>
      <ExpireDate>12/31/2999</ExpireDate>
      <CoveredVersion>1.*</CoveredVersion>
      <Licensee>John Q. Public</Licensee>
      <SerialNumber>LIB-123456789</SerialNumber>
    </License>

That seems sufficient. The process that builds the digital signature also stores an encrypted signature within the XML content.

Generating the License File

In the “Project” section of this chapter, we’ll build a new application that exists solely to generate license files for the Library application. It will have three primary components:

1. Generate and manage the public and private keys used in the signature process.

[Figure 22-5. Global variables after obfuscation]

[...]

... 1/1/2000 12/31/2999 1.* John Q. Public LIB-123456789 Dn6JYIBI/qQudmvSiMvuOvnVBGU= NULghI4WbzDLroIcf2u9aoybfSjXPJRN5 0UMrCPYa5bup+c7RJnqTM+SzP4jmfJWPPs7pOvDC/fbdNY VMaoyXW0jL3Lk8du3X4JXpW3xp9Nxq31y/Ld8E+RkoiPO6 KRGDI+RRZ8MAQda8WS+L2fMyenRAjo+fR9KL3sQ/hOfQX8= ...

... application, and examine it and its parts to discover what it’s all about. If you are using Visual Basic 2008 Express Edition, you will not be able to fully follow these instructions directly since that product does not include any ASP.NET or web development features. Instead, you need to download Visual Web Developer 2008 Express Edition from the Microsoft MSDN web site (http://msdn.microsoft.com/express) ...
... streamlined, offers much of the same functionality as the full Visual Studio product. The tutorial included here was written using Visual Studio 2008 Professional Edition. Start Visual Studio and select the File ➝ New Web Site menu command. The New Web Site form appears (see Figure 23-1). Unlike desktop applications, you must immediately tell Visual Studio where you are going to store the files. We’ll choose ...

... contains data similar to the assembly version number included in .NET applications. It has up to four dot-delimited parts: ... Each component can include a number from 0 to 9999, or the * character, which indicates all valid values for that position. The section contains the generated digital signature. Its format is dependent ...

... license file content: Library Project 1/1/2000 12/31/2999 1.* John Q. Public LIB-123456789 Digital signature appears here (not shown) The and tags indicate ...

... and nicely formats the response as a web page. This is actually all there is to the World Wide Web. You have just experienced the major features involved: the transfer of basic data through a TCP/IP port. So, where does programming come in?

Programming the Internet

Static pages were good for a while, but then the Internet became humdrum. Finally someone had a bright idea: “We have a program running on our ...

... (knighted in 2004!) invented the World Wide Web in 1989, it really wasn’t a big deal. As the primary designer of HTTP and HTML, he certainly was no slouch. But most of the technologies that went into structuring and transporting web pages had been around for years, even decades. SGML (the basis of HTML) and hyper-linking systems had been around since the 1960s, and Internet-based transmission of data between ...
... in the Library system

Summary

Since you will often spend dozens or hundreds of hours designing and developing a quality Visual Basic application, it is important to use appropriate licensing and obfuscation technology to protect your hard work. Licensing is another one of those common programming tasks that didn’t make it into the .NET Framework as an easy-to-use class—unless you are building ...

Date posted: 13/08/2014, 08:20
