Thursday, March 13, 2008

Quick License Manager is Very, Very Broken

I'm evaluating inexpensive license managers for a customer of mine who would like to commercially distribute his software. I was evaluating what appeared to be a very easy-to-use product, Quick License Manager 4.0, when I came across a glaring security hole in their key authentication scheme:

They use symmetric "encryption" to determine if a key is valid.

That means you have to put the "password" to your whole serial number scheme into the software to check whether a given serial number is valid. All the information required to generate a new key is encoded into every executable of the program, including all the evaluation versions. You just open up a program that uses QLM with a text editor, find the call to the DefineProduct method of the COM object, and magically, you have all you need to plug back into their products.xml file to generate an infinite number of new codes. Even if you encrypt the data which you eventually pass to DefineProduct, any number of debuggers can easily snatch the parameters to the COM object call.

What does this mean for you? Say you make a program that catalogs your customers' pet fish collections. You sell it for $40. A reasonably intelligent guy named Mel downloads your free trial. He opens up the exe in a text editor, looks through it, and sees the calls to QLM. Mel can now download a copy of QLM himself (they have a 15-day free trial...), and then he can not only generate an unlocked license for himself, he can also generate as many license codes as he'd like. He can effectively sell copies of your product himself, at whatever price (free if he wants; just cheaper than you is also possible).

Quick License Manager is a strong avoid. If you have it, it is a strong replace now, and remove all download copies that are locked by it. Make sure whatever you replace it with uses asymmetric encryption.

--Michael
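
The design difference the post describes, as an added example that is not part of the original post and is not QLM's code: in a symmetric scheme the client-side check needs the same secret that generates keys, while in an asymmetric scheme the shipped program holds only a public key that can verify but not sign. The secret, the names, and the toy textbook-RSA key below are constructed assumptions for illustration.

```python
import hashlib
import hmac

# Symmetric model: every shipped copy embeds the secret that generates keys.
SHARED_SECRET = b"constructed-demo-secret"  # constructed value

def sym_make_key(licensee: str, secret: bytes = SHARED_SECRET) -> str:
    """Vendor-side key generation: a truncated HMAC over the licensee name."""
    return hmac.new(secret, licensee.encode(), hashlib.sha256).hexdigest()[:20]

def sym_verify(licensee: str, key: str, secret: bytes = SHARED_SECRET) -> bool:
    """Client-side check. It recomputes the key, so it needs the generating secret."""
    return hmac.compare_digest(sym_make_key(licensee, secret), key)

# Asymmetric model: toy textbook RSA; key size and lack of padding are for
# illustration only. A real product would use a vetted library (Ed25519, RSA-PSS).
P, Q = 2**127 - 1, 2**89 - 1          # two Mersenne primes (constructed toy key)
N, E = P * Q, 65537                   # public half: the only part shipped
D = pow(E, -1, (P - 1) * (Q - 1))     # private half: stays with the vendor

def _digest(licensee: str) -> int:
    """Hash the licensee name to an integer below N."""
    return int.from_bytes(hashlib.sha256(licensee.encode()).digest(), "big") % N

def vendor_sign(licensee: str, d: int = D) -> int:
    """Vendor-side: issuing a license needs the private exponent."""
    return pow(_digest(licensee), d, N)

def client_verify(licensee: str, sig: int, n: int = N, e: int = E) -> bool:
    """Client-side: needs only (n, e), which cannot produce new signatures."""
    return pow(sig, e, n) == _digest(licensee)

if __name__ == "__main__":
    # Symmetric: whatever can run sym_verify can also run sym_make_key.
    print(sym_verify("mel", sym_make_key("mel")))
    # Asymmetric: a license verifies only for the name the vendor signed.
    sig = vendor_sign("alice")
    print(client_verify("alice", sig), client_verify("mel", sig))
```
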