Piracy protection using USB based hardware solution
C

9

6

I want to protect my Java product by using some USB-based authentication and password management solution like the one you can buy here: Aladdin. This means that you have to connect a USB stick with special software on it before you can start your application.

I would like to hear about the experience of users who have used hardware like this.

  • Is this as safe as it sounds?
  • In general: how much money would you spend to protect software that would sell 100 times?

I will obfuscate my Java code and save some user-specific OS settings in an encrypted file which is stored somewhere on the hard disk. I don't want to constrain the user to do an online registration, because the internet is not necessary for the application.

Thanks

Comment: The company I am working for has been using Wibu for more than 5 years now.

Claustral answered 15/1, 2009 at 7:18 Comment(2)
Java, Java, hmmm...wasn't that supposed to be cross-platform? (hint: hardware "protection" dongles have problems working correctly on a single platform) - Slavin
Beware! Aladdin is spelled incorrectly. The link is called "Aladin" with just one 'd' when it should be "Aladdin" with two of them. - Metric
K
35

Please just don't. Sell your software at a price point that represents its worth, with a basic key-scheme if you must to keep honest people honest, and leave it at that. The pirates will always steal it, and a hardware dongle will just cause grief for your honest customers.

Besides, any scheme you build in will just be defeated by reverse engineering; if you make it a pain to use your software, you will motivate otherwise honest people to defeat it, or to search the internet for a crack. Simply make the protection less painful than searching for a crack.

Kimi answered 15/1, 2009 at 7:39 Comment(7)
Totally agree. 10% of the people always steal their software, and 10% of them always pay, no matter what. The rest of the 80% you can keep honest by making the honest path easier to take than searching for a crack. - Hinson
I also agree. I imagine the type of software also makes a big difference. Games have a piracy rate of about 90%. My guess is that enterprise software would be less than that since the end user is likely not the one shelling out the cash for it (their company is). - Deedradeeds
But what can I do to guard against the scenario where someone buys it and then puts it on the internet for everyone else? The USB stick would prevent this. - Claustral
@Markus, You add value to your software via support, printed manuals, etc. You're not going to effectively stop piracy and any mechanism to do so is going to be cracked, making things difficult /only/ for honest users. - Kulun
@Markus. IMHO it won't matter; the pirate will just take out whatever code you have that checks the USB stick, plain and simple. Your protection in the pirate redistro case is likely only the courts (copyright protection). If you have a case, it's easy to find a lawyer who'll take it for a cut. - Kimi
Just saying, I know several software houses which store USB dongles in a single secure safe and then crack the actual software on desktop computers since they've found the cracked software to actually run better than the original, mostly because the USB device won't eat any extra resources when cracked. - Halliburton
Good answer. I agree with you. USB dongles are a waste of time and money and 100% annoying! - Heptagon
G
6

Even though my view on the subject is to not use such piracy protection schemes, I can give you a few pointers since we have used such a solution in the past. In particular we used Aladdin tokens as well.

This solution in terms of security is quite robust, since it is something that you either have on the system, or you don't. It's not something that you can easily override, provided that your code is secure as well.

On the down side, we came across a problem that made us drop the Hardware token solution. Our application is an intranet web Application, (i.e. a web app running in the local intranet of the customer, not a hosted solution) and quite often the customers wanted to deploy our app on blade servers or even virtual servers, where they did not have USB ports!

So before you choose such a solution, take such factors into consideration.

Gilligan answered 15/1, 2009 at 8:26 Comment(3)
In the future the software should use the intranet. This is a good point I should think about. - Claustral
"you either have it on the system, or you don't" And when you have it on your system, it either works, or it doesn't. And when it doesn't, the customer is up Sh*t Creek without a paddle. (Real Story: at one job, it was faster and more effective to use the cracked version of the (legally obtained, paid for and fully licensed) software, because the dongle was a major source of BSODs, runtime errors and other anti-piracy goodness. Great way to punish your paying customers!) - Slavin
A USB network server can be a good solution to access dongles from virtual or real servers without local USB ports. - Froth
F
5

Whilst I agree with most of the other answers, there is a case where hardware dongles work and that is for low volume, high value software. Popular high volume software will always be cracked so there is little point in annoying your customers with a costly hardware system.

However it is unlikely that anyone will bother going to the effort of cracking specialised, low-volume software. Yet if it is easy to just install on another machine many customers may 'forget' to buy another license, and you lose out on valuable income. Here dongle protection works as they need to come back to you for another dongle if they want to run two copies simultaneously.

I've used Aladdin dongles but be aware there are software emulators available for these and so you must also program the memory on the dongle with something an emulator cannot know.

Froth answered 4/6, 2009 at 14:49 Comment(0)
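Froth's point about programming the dongle with something an emulator cannot know, sketched as a challenge-response check. This is an added example, not code from the answer or from any vendor SDK: `SimulatedDongle`, `Token` and `dongleIsGenuine` are hypothetical names, and a real token would do the signing in hardware through the vendor's own API.

```java
import java.security.*;

public class DongleChallengeDemo {
    // Stand-in for a hardware token (assumption): the private key is created
    // inside the device and is never exported to the host.
    static final class SimulatedDongle {
        private final KeyPair kp;
        SimulatedDongle() throws GeneralSecurityException {
            KeyPairGenerator g = KeyPairGenerator.getInstance("EC");
            g.initialize(256);
            kp = g.generateKeyPair();
        }
        PublicKey publicKey() { return kp.getPublic(); }
        byte[] sign(byte[] challenge) throws GeneralSecurityException {
            Signature s = Signature.getInstance("SHA256withECDSA");
            s.initSign(kp.getPrivate());
            s.update(challenge);
            return s.sign();
        }
    }

    // Anything that answers a challenge: the real dongle or an emulator.
    interface Token { byte[] sign(byte[] challenge) throws GeneralSecurityException; }

    // The application ships only the public key. Each check uses a fresh random
    // nonce, so a response recorded from an earlier session cannot be reused.
    static boolean dongleIsGenuine(PublicKey pinned, Token token) throws GeneralSecurityException {
        byte[] nonce = new byte[32];
        new SecureRandom().nextBytes(nonce);
        byte[] response = token.sign(nonce);
        Signature v = Signature.getInstance("SHA256withECDSA");
        v.initVerify(pinned);
        v.update(nonce);
        try { return v.verify(response); } catch (SignatureException e) { return false; }
    }

    public static void main(String[] args) throws Exception {
        SimulatedDongle dongle = new SimulatedDongle();
        PublicKey pinned = dongle.publicKey();
        // Constructed sample: an emulator that only knows one recorded response.
        byte[] recorded = dongle.sign(new byte[32]);
        System.out.println("genuine dongle accepted: " + dongleIsGenuine(pinned, dongle::sign));
        System.out.println("replaying emulator accepted: " + dongleIsGenuine(pinned, c -> recorded));
    }
}
```

The check only defeats emulators that replay recorded responses or copied memory contents. As the comments on the first answer point out, it does nothing once the check itself is removed from the application.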
P
5

Just to add evidence to what SoftDeveloper says. In the area of low value software, protection is counterproductive. Likewise for high volume.

However, our money-earner is a product that sells for £10-25K per user license. The vast majority of our consumer base is very careful to be compliant - large corporations - and for some of these we have sold unlimited unprotected products.

However, we have had evidence in the past that when used by smaller companies for short-term use attempts have been made to break the protection. When you stand to lose £100K+ per incident, you must at least discourage that.

In the past we have used SuperPro but that product is weak and obsolete now.

For our latest product we are still evaluating, but Sentinel/Aladdin (http://www.safenet-inc.com/sentinelhasp/), SecuTech Unikey (http://www.esecutech.com/Software-Protection/UniKey-Family/UniKey-Drive/UniKey-Drive-Overview.html) and KeyLok Fortress (http://www.keylok.com) are among the subset selected.

One thing we are doing is allowing extreme flexibility in the model. That way when marketing comes up with the next bright idea, we will be ready. Also, ensuring extremely robust and informative license control is vital too. Protection shouldn't mean a bad customer experience (although it often can!).

Pressey answered 4/8, 2010 at 14:46 Comment(0)
J
4

I've used such products and they are a pain. I personally wouldn't spend any money at all on a hardware scheme or a 3rd party protection scheme.

Do not be tempted by a hardware based protection scheme.

The only things that are certain:

  • Any protection schemes will be cracked.
  • You will annoy legitimate customers
  • You will lose time supporting problems related to the protection
  • There will be problems when a legitimate customer cannot use your product because of the protection.
  • It is a better investment to use any time and funds that you would have spent on protection on improving the product or finding more customers.

The golden rule of protection is to make it painless for your customers. Hardware protection schemes make life inconvenient for your customers and easier for those who've ripped you off, which clearly isn't right.

Jackinthepulpit answered 15/1, 2009 at 8:43 Comment(2)
But what can I do to prevent finding my software on a web server ready for download, without online registration? Is there only the good old KEY when starting the installation? - Claustral
The hardware keys are pretty secure. The most headaches you'll have are from dongle detection not always working. We have used Aladdin and Rainbow Sentinel dongles for over 10 years, with no issues other than the dongle occasionally being dropped and not detected. - Brunel
I
2

Just as another slightly different opinion:

There's one situation where I would gladly accept the "dongle" approach. MATLAB has a pricing structure where if you install something on a single fixed machine, it costs $X. If you want to install it as a concurrent license (license server on the network) for one person to use it at a time, it costs $4X. That makes no sense whatsoever for rarely-used software.

The business model for buying a super-accurate torque wrench shouldn't matter how many people want to use it, and if person A wants to use it but person B is already using it, then person B has to finish using it before person A can make use of it. I don't have any problem with software following this model by using physical tokens, if it's being used at sites where it's shared by multiple users. It's a much fairer business model than jacking up the price for a concurrent license. The physical-token approach may be less attractive to individual customers, but if you have a product that commands the price, then why not?

If you don't have a product that's in demand to that degree, I wouldn't bother.

And you'd better have a mechanism for dealing with lost tokens. (alas I don't have any idea there)

Introspect answered 15/1, 2009 at 18:34 Comment(1)
Charge them for the lost tokens again! - Brunel
R
2

Modern dongles, used correctly, can provide very strong levels of protection against illegal copying. CodeMeter from Wibu-Systems has survived several public cracking contests (most recently in China!) with no winners.

The reason is strong encryption: the executable is encrypted completely with AES 128-bit encryption, and the key generation for decryption occurs only in the dongle. Since the half-life of the keys is short, even discovering one key (which would require enormous effort) doesn't provide a universal crack.

Crackers are very smart people, and won't work any harder than necessary to crack software. It's easy to leave vulnerabilities in the software if software protection isn't the main focus of your research and development efforts. Getting a good dongle and following carefully the manufacturer's suggestions for protecting are the best insurance against illegal copying.

Some useful questions when evaluating a system for protection:

1. Does it support the OS versions you want to target with your executable?
2. Does it encrypt the communications between the dongle and the OS?
3. Can it detect debuggers and lock the license if a debugger is running?
4. Does it use a smart card chip (harder to sniff with hardware tools)?
5. Does it use a single key or multiple keys?
6. Does it support the license models (pay per use, pay per time, etc.) that you want?
7. Is a rich set of tools available to make it easy to use?
8. Can it protect other file types besides .exe files?
9. How good is their developer support? Has it been outsourced to another country?
10. How many reference customers can they provide?

Cost can be $50-$100 per copy (or less or more; depends on a bunch of factors). Most reputable vendors will provide you with pricing information with a simple phone call.

Hope this helps.

Reinhardt answered 13/12, 2010 at 23:4 Comment(1)
WiBu is a joke of a company. Search for "wibu cmstick emulator" or "wibu cmstick emulator" or "dongle emulator wibu". It's a bit disingenuous to claim that they have "strong levels of protection" when running a public domain utility can strip off the protection. - Correggio
A
1

First, make sure that it will not be counter-productive. It has a non-negligible cost in development, test, maintenance and customer support. The case where such protection is most appropriate is when your software is THE software, almost with a machine dedicated to it.

I know that the latest Wibu products have pretty good robustness, and are in practice hacker proof. (Other similar products probably exist also.) Basically, parts of your code can be encrypted in the key itself, with an encryption key changing all the time. They ran worldwide hacker contests where no one was able to use unauthorized versions of protected software.

Anticlerical answered 4/6, 2009 at 15:4 Comment(0)
P
0

For piracy protection I use OM-p. They provide:

  • free piracy consulting
  • free anti-piracy monitoring
  • paid piracy takedowns

Plication answered 27/9, 2010 at 10:27 Comment(0)
