License for C# desktop application
Asked Answered
A

6

44

How can I add license to my C# desktop application? I need to find a suitable free method to prevent unauthorised users installing my software.

Afterworld answered 2/9, 2010 at 5:49 Comment(2)
What exactly do you mean by "add a license"?Bidentate
Application must have a license key for install.Afterworld
L
18

There are plenty of license management systems out there for .NET (there's even one built-in for licensing controls). A quick Google around for ".NET licence manager" threw up the Open License system, which is free.

I expect you can easily find more.

Lawrencelawrencium answered 2/9, 2010 at 6:8 Comment(0)
M
83

I'm probably a bit late, but I spent a bit of time trying to work out a quick and effective method of securing a little C# application, and I would like to share my results.

It seems you can build your own, fairly secure licensing system using RSA reasonably easily.

Obviously, nothing is bullet-proof when it comes to protecting software (It's like protecting your house from burglars: alarms, barking dogs and fences make it more trouble than it's worth, but they won't stop someone determined to get in)

So, making it more trouble than it's worth is the key phrase in software protection: if you are offering a $1,000,000 E.R.P. system, you would want to have really good protection that authorized via a web-service (and users paying that much for a system would not have a problem with allowing that system constant internet access)

However, if you are charging only $5-$30 for a little app, users are not going to put up with very heavy handed authorization.

I think the simplest system to produce is to digitally sign a license-file that contains the details of product, the user and it's duration.

This means any modification of the license file makes the digital signature invalid.

The digital signature can be obtained from the DSACryptoServiceProvider class, using the SignData method.

A private key is required to sign the data, and the public part of that key can be used to validate the signature: (thus the public key must be accessible by the application)

The DSAXCryptoServiceProvider has methods for creating and using keys:

DSACryptoServiceProvider.ToXMLString(bool includePrivate);

returns the Public or Public & Private keys currently in the service provider as an XML string.

DSACryptoServiceProvider.FromXMLString(String xmlString)

This method sets up a new DSACryptoServiceProvider with existing private or public keys obtained from DSACryptoServiceProvider.ToXMLString()

The only flaw in the security of this system would be the possibility of a user breaking in an supplying their own public-key. This would allow them to generate their own license files from their own private-key.

This can be gotten around by additionally signing a required resource for the application (like a .dll that contains essential logic for the application, or even the .exe itself) - thus if the public key is changed, this additional (hidden) signature will become invalid.

Other ways to improve this include obscuring the license terms (serializing a data-structure containing the license terms using the binary-formatter to a byte array, then using Convert.ToBase64String() will quite effectively obscure the licensing terms, and even if the user was able to replace the public-key they would still need to work out the representation of the data)

I have an example system I wrote, but it is too big to quote entirely, but this is the CreateLicense method from it:

    /// <summary>
    /// use a private key to generate a secure license file. the private key must match the public key accessible to
    /// the system validating the license.
    /// </summary>
    /// <param name="start">applicable start date for the license file.</param>
    /// <param name="end">applicable end date for the license file</param>
    /// <param name="productName">applicable product name</param>
    /// <param name="userName">user-name</param>
    /// <param name="privateKey">the private key (in XML form)</param>
    /// <returns>secure, public license, validated with the public part of the key</returns>
    public static License CreateLicense(DateTime start, DateTime end, String productName, String userName, String privateKey)
    {
        // create the licence terms:
        LicenseTerms terms = new LicenseTerms()
        {
            StartDate = start,
            EndDate = end,
            ProductName = productName,
            UserName = userName
        };

        // create the crypto-service provider:
        DSACryptoServiceProvider dsa = new DSACryptoServiceProvider();

        // setup the dsa from the private key:
        dsa.FromXmlString(privateKey);

        // get the byte-array of the licence terms:
        byte[] license = terms.GetLicenseData();

        // get the signature:
        byte[] signature = dsa.SignData(license);

        // now create the license object:
        return new License()
        {
            LicenseTerms = Convert.ToBase64String(license),
            Signature = Convert.ToBase64String(signature)
        };
    }

Verify Method:

    /// <summary>
    /// validate license file and return the license terms.
    /// </summary>
    /// <param name="license"></param>
    /// <param name="publicKey"></param>
    /// <returns></returns>
    internal static LicenseTerms GetValidTerms(License license, String publicKey)
    {
        // create the crypto-service provider:
        DSACryptoServiceProvider dsa = new DSACryptoServiceProvider();

        // setup the provider from the public key:
        dsa.FromXmlString(publicKey);

        // get the license terms data:
        byte[] terms = Convert.FromBase64String(license.LicenseTerms);

        // get the signature data:
        byte[] signature = Convert.FromBase64String(license.Signature);

        // verify that the license-terms match the signature data
        if (dsa.VerifyData(terms, signature))
            return LicenseTerms.FromString(license.LicenseTerms);
        else
            throw new SecurityException("Signature Not Verified!");
    }

The License Terms Class:

    /// <summary>
    /// terms of the license agreement: it's not encrypted (but is obscured)
    /// </summary>
    [Serializable]
    internal class LicenseTerms
    {
        /// <summary>
        /// start date of the license agreement.
        /// </summary>
        public DateTime StartDate { get; set; }

        /// <summary>
        /// registered user name for the license agreement.
        /// </summary>
        public String UserName { get; set; }

        /// <summary>
        /// the assembly name of the product that is licensed.
        /// </summary>
        public String ProductName { get; set; }

        /// <summary>
        /// the last date on which the software can be used on this license.
        /// </summary>
        public DateTime EndDate { get; set; }

        /// <summary>
        /// returns the license terms as an obscure (not human readable) string.
        /// </summary>
        /// <returns></returns>
        public String GetLicenseString()
        {
            using (MemoryStream ms = new MemoryStream())
            {
                // create a binary formatter:
                BinaryFormatter bnfmt = new BinaryFormatter();

                // serialize the data to the memory-steam;
                bnfmt.Serialize(ms, this);

                // return a base64 string representation of the binary data:
                return Convert.ToBase64String(ms.GetBuffer());

            }
        }

        /// <summary>
        /// returns a binary representation of the license terms.
        /// </summary>
        /// <returns></returns>
        public byte[] GetLicenseData()
        {
            using (MemoryStream ms = new MemoryStream())
            {
                // create a binary formatter:
                BinaryFormatter bnfmt = new BinaryFormatter();

                // serialize the data to the memory-steam;
                bnfmt.Serialize(ms, this);

                // return a base64 string representation of the binary data:
                return ms.GetBuffer();

            }
        }

        /// <summary>
        /// create a new license-terms object from a string-representation of the binary
        /// serialization of the licence-terms.
        /// </summary>
        /// <param name="licenseTerms"></param>
        /// <returns></returns>
        internal static LicenseTerms FromString(String licenseTerms)
        {

            using (MemoryStream ms = new MemoryStream(Convert.FromBase64String(licenseTerms)))
            {
                // create a binary formatter:
                BinaryFormatter bnfmt = new BinaryFormatter();

                // serialize the data to the memory-steam;
                object value = bnfmt.Deserialize(ms);

                if (value is LicenseTerms)
                    return (LicenseTerms)value;
                else
                    throw new ApplicationException("Invalid Type!");

            }
        }

    }
Mide answered 30/5, 2011 at 0:58 Comment(8)
I guess if you scramble the datastructure, like give it completely irrelevant attributes that seem relevant and make the relevant attributes somehow calculable from some seemingly irrelevant attributes, then serialize it and base64-encode it, it should be really hard to figure out how the system worksSanguinary
can you please upload fully working application using this?? I really need thisFecundity
LicenseTerms is not available in ComponentModel can you please quote the exact reference to thatFecundity
@Simon where is License class?Tisdale
@TomDoodler: security by obscurity is quite hard in an IL based environment like C#.Hutchins
I must admit I am quite ashamed of the nonsense I wrote back thenSanguinary
@TomDoodler what did you write? 😂Preinstruct
"This can be gotten around by additionally signing a required resource for the application (like a .dll that contains essential logic for the application, or even the .exe itself) - thus if the public key is changed, this additional (hidden) signature will become invalid." Wouldn't it be preferable to store the public key in the license file? It's public, so who cares if people see it. Plus, the license file is signed, so nobody can modify the public key without invalidating the license.Terrazzo
L
18

There are plenty of license management systems out there for .NET (there's even one built-in for licensing controls). A quick Google around for ".NET licence manager" threw up the Open License system, which is free.

I expect you can easily find more.

Lawrencelawrencium answered 2/9, 2010 at 6:8 Comment(0)
K
16

I thought it would be worth adding another answer to this as the accepted answer seems to reference a project that is not currently maintained.

I would recommend looking at Standard.Licensing, which is a free, open-source licensing library for .Net that works with the .Net Framework, Mono, .Net Core, .Net Standard and Xamarin. Is modernises the older Portable.Licensing by adding support for newer platforms, specifically .Net Core and .Net Standard.

Standard.Licensing works by creating a digitally signed XML file that contains information relevant to your product, such as the type of the product and the expiry date. The fact that the XML file has not been changed can be verified when you check the licence and your application can then trust the claims made in the licence file. (Note that you might want to also verify that the computer's clock is accurate to prevent someone just changing the date.)

Standard.Licensing signs the XML file using the Elliptic Curve Digital Signature Algorithm (ECDSA) algorithm, which uses a pair of keys, one public and one private when creating the licence file. You only need to use the public key to decrypt and verify the licence. As it is not possible to use just the public key to modify the licence file, you can just safely include the public with your application and you do not need to resort to approaches such as obfuscating your assembly to prevent people from seeing the public key. Note that this is similar to the approach mentioned in Simon Bridge's answer above.

Standard.Licensing has a fluent API that you use to create and verify the licences. Here's the snippet from their website showing how to create a licence:

var license = License.New()  
    .WithUniqueIdentifier(Guid.NewGuid())  
    .As(LicenseType.Trial)  
    .ExpiresAt(DateTime.Now.AddDays(30))  
    .WithMaximumUtilization(5)  
    .WithProductFeatures(new Dictionary<string, string>  
        {  
            {"Sales Module", "yes"},  
            {"Purchase Module", "yes"},  
            {"Maximum Transactions", "10000"}  
        })  
    .LicensedTo("John Doe", "[email protected]")  
    .CreateAndSignWithPrivateKey(privateKey, passPhrase);

In your application, you then load and validate the licence file:

using Standard.Licensing.Validation;

var license = License.Load(...);
var validationFailures = license.Validate()  
                                .ExpirationDate()  
                                .When(lic => lic.Type == LicenseType.Trial)  
                                .And()  
                                .Signature(publicKey)  
                                .AssertValidLicense();
Koehn answered 15/12, 2019 at 10:2 Comment(6)
Seems great, although the project has not been updated since 2018, and does not support .NET 5. There is a fork here that does: github.com/jshergal/Standard.Licensing-5.0Austronesian
Thank you, @A.Niese - it's useful to have a .Net 5 version on the radar.Koehn
Hey, I have a question. If I bought the app and have the License XML, can I just not distribute it? The distributed app will use the same license file and public key. The same license file will be valid for everyone with the public key. Since, license doesn't store my system (computer) info anywhere?Slake
Yes, that could happen. To stop that from happening you have to add other details into the licence XML such as machine name, etc. Similarly, you would need to verify that the computer's clock is accurate to stop the user from changing the date to extend their licence.Koehn
Hi Sean, what do you think of storing both public key and license.lic file in a user's cache? So that user won't have to enter a public key to validate and the desktop app would just quickly check if the cache has the right public key and a license file?Slake
github.com/junian/Standard.Licensing now supports .NET 8, and github.com/jshergal/Standard.Licensing-5.0 has been archived. It seems to me it'd be a good idea to store the public key in the license file (using .WithAdditionalAttributes()). It doesn't matter if people can see it, and this way, nobody can change it. Also, if you ever change your key pair (e.g., when you release a new major version), your application will not need to update a public key in its code. (I also suggested this in a comment on a different response.)Terrazzo
J
2

Technically, its not easy task to create working and secure licensing system. In case you plan to develop commercial software, I would recommend to use some commercial solution for it. Custom coded licensing systems tend to be vulnerable.

I have best experience with Treek's Licensing Library. Its cheap even for single developer, its safe and with good support. When comparing costs, TLL is cheaper than renting your own developer to do the same job.

Also, you'll need to protect your sources. For that we do use EAZ Fuscator, but there are also free options available. EAZ is very good, but very expensive.

Jamesy answered 3/2, 2019 at 14:40 Comment(1)
Looks good, but does not support .NET Core 3.1 or .NET 5 (Only .NET Framework 4.x)Austronesian
T
0

One approach is to roll your own partial key verification system. There is a VB.NET version available on Code Project:

http://www.codeproject.com/KB/security/cdkeys.aspx

Terpstra answered 2/9, 2010 at 6:16 Comment(0)
C
0

Be wary of how much effort you put in to protecting your app; it may be wasted time if it is easily broken or off putting to users if very strong (e.g. having to enter a password every time it is run).

An interesting article on software protection (of games) can be found here: http://www.positech.co.uk/talkingtopirates.html

Cumulative answered 2/9, 2010 at 6:26 Comment(0)

© 2022 - 2025 — McMap. All rights reserved.