Vulnerability Development mailing list archives

Re: spoofing the ethernet address (license managers)


From: Michael.Wojcik () MERANT COM (Michael Wojcik)
Date: Mon, 27 Mar 2000 13:20:21 -0800


From: Eric Sherrill [mailto:sherrill () ti com]
Subject: Re: spoofing the ethernet address (license managers)

> Many UNIX license managers (e.g. FlexLM, the most common) use a license file
> with an encrypted string, hostname and Ethernet MAC address or "hostid"
> [...]

> IMHO the Ethernet MAC is not a reliable security or identity provider,

Agreed.

> and the license managers are stupid to rely on them

I disagree.  This comes up all the time on sci.crypt, comp.security.unix,
and other newsgroups, and the consensus is always the same.  Software
licensing is a best-effort procedure; you're raising the piracy bar to
something above "trivial" but well below "impossible".  You try to make idle
license violations too difficult to be worthwhile.

Any software licensing scheme ultimately depends on the software detecting
that it doesn't have a valid license.  It's always possible to track the
software under a debugger, find the point at which validation is done, and
branch around it.  License keys, "key disks", dongles, and all the other
copy-protection technologies are grounded in a threat model that says that
the user won't modify the software to simply skip the license check
entirely.

Yes, people have proposed arcane, byzantine schemes like encrypting portions
of the program, scattering license checks through it, etc.  Sooner or later,
though, the software has to decide to trust something that's under the
user's control.

Software licensing is mostly about keeping honest customers honest; the
target is the customer who's just going to install on another machine
temporarily for whatever reason, and never gets around to taking it off.
That's still a huge area for price recovery; when we went to software
licensing with one of our products, we found a big customer with twice the
workstation installations they had actually purchased.  (What's more, they
were paying maintenance on more copies than they had purchased, but fewer
than they were actually using.)  They simply hadn't bothered to keep very
good records of who had installed the software.  That's only one example -
we found many.  When the error was pointed out, they were perfectly willing
to make amends.

Similarly, we have usage-based licensing for some of our products, which
allows customers to purchase the amount of throughput they need, in a fair
manner - they know other customers are also getting what they pay for.

So a trivial identification scheme is fine.  That's not the weak link in the
chain anyway.

> (although I can't think of a better replacement off the top of my head,
> maybe X.509 certificates or something).

Plenty of people have considered using asymmetric encryption for software
licensing.  It's just not worth the effort.

> Plus one of these days distributed.net might start cracking
> away at license strings.... ;^)

License keys generally don't need distributed.net.  Ours are a 64-bit
cryptographic hash, for example (and a 32-bit hash would have been plenty; I
just used 64 bits to reduce the possibility of a collision, so we could use
the keys as probably unique identifiers for searching the license database).
By the Birthday Paradox, finding a collision is a work factor of 2^32.  The
difficulty is slightly greater than with a MAC or other general-purpose
cryptographic hash application, because the input is forced into canonical
form that reduces the degrees of freedom for varying the preimage a bit.
But not by much.

In any case, with a license key the attacker generally has the algorithm (by
analyzing the software), the preimage or plaintext, and the image or
cyphertext.  That makes cracking the system pretty easy.  If there's a
symmetric key in the system, it has to be embedded in the algorithm
implementation, so the attacker can find it.  If the system uses asymmetric
keys, then perhaps some cracking horsepower would be required; but again
this is the wrong place to attack, unless the attacker wants to be able to
generate keys in bulk.  *That* is a possible goal of software pirates, but
since they also have the opportunity to distribute modified software with
the license checks pulled...

Michael Wojcik             michael.wojcik () merant com
MERANT
Department of English, Miami University
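The key scheme Michael describes above (a 64-bit hash over a canonical form of the licensed fields, the Ethernet hostid among them, with a 2^32 birthday work factor) is small enough to show end to end. The following is an added example written for this archive page; it is not FlexLM's, MERANT's or the poster's code. It assumes a vendor secret embedded in the checking program (VENDOR_SECRET), a '|'-separated canonical encoding, and a one-line FEATURE record format, all constructed here for illustration. It also generalizes the post's single figure: birthday_work_factor and collision_probability take any key width, so the 64-bit and 32-bit sizes the post compares can both be evaluated.

```python
"""Truncated keyed-hash license keys bound to hostname and hostid.

Added example, not code from the original post or any license manager.
Assumed: VENDOR_SECRET (hypothetical), the '|' canonical encoding, and the
constructed record format "FEATURE <name> <hostname> <hostid> <expires> <key>".
"""
import hashlib
import hmac
import math

# Hypothetical vendor secret.  In a shipped product it has to live inside the
# checking binary, which is exactly why the post says an attacker can recover it.
VENDOR_SECRET = b"example-vendor-secret-not-real"

KEY_BITS = 64  # the post's key width: 8 bytes, 16 hex characters


def normalize_hostid(hostid: str) -> str:
    """Strip MAC punctuation and case so '00:11:22:33:44:55' == '001122334455'."""
    return hostid.strip().lower().replace(":", "").replace("-", "")


def canonical_form(hostname: str, hostid: str, feature: str, expires: str) -> bytes:
    """Fixed encoding of the licensed fields before hashing.

    Forcing canonical form is what the post calls reducing the degrees of
    freedom: varying case or MAC punctuation yields no new preimages.
    """
    fields = [hostname.strip().lower(), normalize_hostid(hostid),
              feature.strip().upper(), expires.strip()]
    return "|".join(fields).encode()


def license_key(hostname, hostid, feature, expires, secret=VENDOR_SECRET) -> str:
    """64-bit key: HMAC-SHA256 over the canonical form, truncated to 8 bytes."""
    msg = canonical_form(hostname, hostid, feature, expires)
    return hmac.new(secret, msg, hashlib.sha256).digest()[: KEY_BITS // 8].hex()


def verify_key(hostname, hostid, feature, expires, key, secret=VENDOR_SECRET) -> bool:
    """Recompute the key for these fields and compare in constant time."""
    expected = license_key(hostname, hostid, feature, expires, secret)
    return hmac.compare_digest(expected, key.strip().lower())


def parse_license_line(line: str) -> dict:
    """Parse one constructed record: FEATURE <name> <hostname> <hostid> <expires> <key>."""
    parts = line.split()
    if len(parts) != 6 or parts[0] != "FEATURE":
        raise ValueError(f"malformed license line: {line!r}")
    _, feature, hostname, hostid, expires, key = parts
    return {"feature": feature, "hostname": hostname, "hostid": hostid,
            "expires": expires, "key": key}


def check_license_file(text: str, hostname: str, hostid: str) -> dict:
    """Judge every record against this host; returns {feature: bool}."""
    results = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_license_line(line)
        same_host = (rec["hostname"].strip().lower() == hostname.strip().lower()
                     and normalize_hostid(rec["hostid"]) == normalize_hostid(hostid))
        results[rec["feature"]] = same_host and verify_key(
            rec["hostname"], rec["hostid"], rec["feature"], rec["expires"], rec["key"])
    return results


def birthday_work_factor(bits: int = KEY_BITS) -> int:
    """Expected hash evaluations to find some collision: 2^(bits/2)."""
    return 2 ** (bits // 2)


def collision_probability(n_keys: int, bits: int = KEY_BITS) -> float:
    """Chance that n random keys of this width contain a duplicate (birthday bound).

    This is the question behind using the keys as 'probably unique' database ids.
    """
    return 1.0 - math.exp(-n_keys * (n_keys - 1) / (2.0 * 2 ** bits))


if __name__ == "__main__":
    host, mac = "ws01.example.com", "00:11:22:33:44:55"  # constructed host identity
    good = license_key(host, mac, "compiler", "31-dec-2000")
    license_text = "\n".join([
        "# constructed license file",
        f"FEATURE compiler {host} {mac} 31-dec-2000 {good}",
        f"FEATURE debugger {host} 00-11-22-33-44-55 31-dec-2000 "
        f"{license_key(host, mac, 'debugger', '31-dec-2000')}",
        f"FEATURE profiler {host} 00:11:22:33:44:66 31-dec-2000 {good}",  # other host's id
    ])
    print(check_license_file(license_text, host, mac))
    print(f"birthday work factor, {KEY_BITS}-bit keys: 2^{KEY_BITS // 2} = {birthday_work_factor()}")
    print(f"P(duplicate) among 10^6 database keys: {collision_probability(10**6):.3e}")
```

The debugger record shows canonicalization at work (dashes in the file, colons on the host, same key), and the profiler record shows that a key copied from another host's record fails even though the string itself is a genuine vendor key. Nothing here changes the post's conclusion: the check runs on the user's machine, so the secret and the branch that consumes verify_key's result are both within reach of a debugger.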

