Storing secret code for all users

[Guest]

Hello,

We want to add a secret code which is the expiration date and the number of
uses of the trial software in storage. Saving this code in the Windows
Registry is not a good choice, because the user may not have access right.
Also adding it to IsolatedStorage is for one user and is not for all the
users. Eventhough I thought IsolatedStorage could help on this.

I am wondering how and where we could add the expiration date and number in
a safe place, so it will be hard for the user to find and delete that code.
Is there any other idea on how to manage the trail software expiration, so it
will expire at the specified date or the number of uses?

Regards,

 

[Lloyd Dupont]

typically there are 2 places you hsould be able to write in all
circumstances:
- the registry hive for the application
- the aplication's app data directory

 

[Guest]

Registry Aplication Hive could be deleted by the user as well as the
application app directory. Is it possible to give an example code in both
cases? For me these two cases are not secure, but I see that Windows XP or
some other apps write in a secure place until they are activated. Where does
Windows write the key until it is activate?
--
Mike

typically there are 2 places you hsould be able to write in all
circumstances:
- the registry hive for the application
- the aplication's app data directory

 

[=?iso-8859-1?Q?Anders=20Nor=e5s?=]

I am wondering how and where we could add the expiration date and

number in a safe place, so it will be hard for the user to find and
delete that code. Is there any other idea on how to manage the trail
software expiration, so it will expire at the specified date or the
number of uses?

Store the data in the application's registry hive, and require the key to
be present for the application to start. To stop users from changing the
expiration date you can use the Cryptography classes to calculate a hash
for the expiration data.

Anders Norås
http://dotnetjunkies.com/weblog/anoras/

 

[William Stacey [MVP]]

In this case you don't have reinvent the wheel. Check out
sharewarestarterkit.com.

 

[Guest]

What if the user uninstall and then install the application? If the user
unistalls the application and then delete the application hive and then
install the application, it will add a new key to the registry upon
installation. We need a place in the registry that if the user uninstalls the
application and deletes the application hive it won't remove the secret key
or the expiration date.

By the application hive do you mean in the
HKEY_LOCAL_MACHINE\SOFTWARE\Company\Application ? or another place?

 

[WRH]

Hello

Perhaps writing encrypted values in the registry not during
installation but upon first startup and in two locations, one not
associated with the app. I believe the only way to delete it would
be a registry edit of both locations. I realize that the keys would
be left over if the app is uninstalled and thus the app would not
be a good registry citizen but its hard to come up with
reasonably secure means.

 

[Guest]

Sounds nice, but does anyone knows of any algorithm I can use for this purpose?
--
Mike

Hello

Perhaps writing encrypted values in the registry not during
installation but upon first startup and in two locations, one not
associated with the app. I believe the only way to delete it would
be a registry edit of both locations. I realize that the keys would
be left over if the app is uninstalled and thus the app would not
be a good registry citizen but its hard to come up with
reasonably secure means.

 

[William Stacey [MVP]]

Most times it is done with a public/private key pair. The server signs a
license (full, or trial) and the license has an expire date and license
type - among other fields you want to track. This could be just a simple
xml file in plain text. The signature could only be signed with your
private key at your server site. Then distro the license files as needed
(purchased, etc). If the user does not have a valid license file, your
program stays in eval mode (for example.) So absence or presents of a
license file is the controlling factor, not some reg key that you can't
really hide anyway. The program verifies the license and signature using
the public key. It gets a bit more complex as now this license will work
for anyone. So you also want to factor in a machine hash so that means they
need to send you a machine hash (that your program calculates) and that is
stored in the license. The program also verifies the machine hash in
license against a new machine hash that calculated at each startup to see if
they match. Simple in the abstract, but the devil is in all those details.
That is why I pointed you to the MS code that already does all this for you.

--
William Stacey [MVP]

Sounds nice, but does anyone knows of any algorithm I can use for this
purpose?