I agree, but this is why
I mentioned the need to
obfuscate the whole code to protect the
CA certificate and the code around it...

and why I've said it was probably useless overkill,
since it is very hard to prevent code from being
read, and to protect data that are
used internally in the virtual or real machine.
Moreover, even if the code and data are really protected,
the environment around can fake being
the right machine... at the price of a horrible hack
in the engine (change the gethostname and alike)...


in fact the need is only to protect from
easy attacks (copy and drop),
since hard attacks are never put
"in production" in serious corporations
which can pay for the product...

and since the problem for commercial
software vendors is to make the people who can pay
actually pay, there is no advantage in restricting software usage
for people who will never pay.

but it is a philosophical and sociological problem...

technically the problem is:
what level of competence is needed to hack my protection?

with a simple system of site certificate
and an embedded CA, a good developer with a disassembler is enough...

if the certificate and the code are obfuscated,
either you need someone able to change the
appserver internals, and by the way find what to fake,
...
or, if the parameters used cannot be faked, someone
able to hack the JAVA VM could do the job.

These risks may be important to analyse for
financial transaction security, privacy protection,
or secrecy, but not just for
software licensing.



> -----Original message-----
> From: Dain Sundstrom [mailto:[EMAIL PROTECTED]]
> Date: Thursday 21 February 2002 16:29
> To: Coetmeur, Alain
> Cc: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
> Subject: Re: [JBoss-user] Copy protection
> 
> 
> You really don't understand the basic theory of cryptography, which
> assumes you have a trusted source and a trusted sink.  The source and
> sink are people, not machines.  For example, the movie industry believed
> that DVD copy protection was unbreakable, because they controlled the
> sink software.  As everyone knows, they were wrong.  As Bruce Schneier
> said, "you can't protect bits".
> 
> -dain
> 
> Coetmeur, Alain wrote:
> 
> > one way is to use
> > a public key protocol to check for right to execute
> > 
> > maybe a privatekey can also be enough.
> > 
> > an example could be:
> > 
> > a key component of your EAR looks
> > at the server name, and checks
> > if it is coherent with a certificate
> > it has in its keystore.
> > 
> > you can create a certificate for each of your licensees,
> > and deliver them in the EAR as a resource
> > (this means you have to add it to your keystore
> > in the program), or as a separate certificate
> > to add to the java keystore...
> > 
> > by the way, to check that the certificate is
> > your own, you should also embed a (sub)CA certificate
> > in your application, so that the user cannot change it.
> > why not the text version of the certificate as a string...
> > then load it into your java key store,
> > and check whether the certificate that is deployed somewhere
> > is
> > 1- signed by the CA
> > 2- having a name coherent with the server name.
> > 
> > besides that, you should obfuscate the java classes
> > to avoid the smarter ones hacking your system...
> > but is it in your interest?
> > avoiding copy/paste license violation can be enough
> > and hackers won't be frequent in serious organisations...
> > 
> > If JSSE/JCE from sun is not flexible enough,
> > try cryptix JCE which should use PKCS key storage formats...
> > 
> > If it works, and if you want your solution to be maintained
> > for free, put your license system open source!
> > 
> > It looks a little perverse but it could be useful
> > to explain that license respect and open source are not opposite.
> > 
> >>-----Original message-----
> >>From: Leigh Wanstead [mailto:[EMAIL PROTECTED]]
> >>Date: Thursday 21 February 2002 03:59
> >>To: [EMAIL PROTECTED]
> >>Subject: [JBoss-user] Copy protection
> >>
> >>
> >>Hello everyone,
> >>
> >>I am not sure if this is the correct place to ask. Anyway, here is the
> >>question.
> >>
> >>How do you protect your ear files? I mean, if you deploy an ear into an
> >>application server, how do you prevent others from simply copying this
> >>ear to another application server? What 3rd party tools would you recommend?
> >>
> >>Thanks in advance.
> >>
> >>Best Regards
> >>Leigh
> >>
> >>
> >>
> >>_______________________________________________
> >>JBoss-user mailing list
> >>[EMAIL PROTECTED]
> >>https://lists.sourceforge.net/lists/listinfo/jboss-user
> >>
> >>
> > 

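An added example, not code from this thread or from the JBoss project, of the two checks Alain describes in his quoted message: a per-licensee certificate is verified against a (sub)CA certificate shipped inside the EAR, and the certificate's CN is then compared with the name of the server the EAR runs on. It is written in Java because the scheme targets a JBoss deployment; the file names license-ca.pem and license.pem, the class name LicenseCheck and the use of the subject CN as the licensed server name are all assumptions. The comments mark the two points the later replies make: the host name and the CA material are both read from an environment the licensee controls, so this raises the cost of copying an EAR, nothing more.

```java
// Added example (not code from the thread). Assumed inputs, both PEM encoded:
//   license-ca.pem  - the vendor's (sub)CA certificate, packaged inside the EAR
//   license.pem     - the certificate issued by that CA to one licensee
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.InetAddress;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class LicenseCheck {

    /** Parse one X.509 certificate from a PEM (or DER) file. */
    static X509Certificate loadCert(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** The CN of the subject DN; assumed (in this example) to carry the licensed server name. */
    static String subjectCn(X509Certificate cert) throws Exception {
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if (rdn.getType().equalsIgnoreCase("CN")) {
                return rdn.getValue().toString();
            }
        }
        throw new IllegalArgumentException("license certificate has no CN");
    }

    /**
     * Check 1 from the thread: the licence was signed by OUR CA. The signature is
     * verified with the embedded CA's public key directly, so the JVM's default
     * trust store (which the licensee can edit) plays no part in the decision.
     */
    static void verifyIssuedByOurCa(X509Certificate license, X509Certificate ca) throws Exception {
        ca.checkValidity();
        license.checkValidity();
        if (!license.getIssuerX500Principal().equals(ca.getSubjectX500Principal())) {
            throw new SecurityException("license issuer does not match the embedded CA");
        }
        license.verify(ca.getPublicKey()); // throws SignatureException if not signed by this CA
    }

    /**
     * Check 2 from the thread: the name in the certificate is coherent with the
     * server name. As the replies point out, the host name comes from the
     * environment the licensee runs, so this only stops a plain copy of the EAR.
     */
    static boolean nameMatchesHost(X509Certificate license, String hostName) throws Exception {
        return subjectCn(license).equalsIgnoreCase(hostName);
    }

    public static void main(String[] args) throws Exception {
        X509Certificate ca = loadCert("license-ca.pem");   // assumed path
        X509Certificate license = loadCert("license.pem"); // assumed path
        verifyIssuedByOurCa(license, ca);
        String host = InetAddress.getLocalHost().getHostName();
        if (!nameMatchesHost(license, host)) {
            throw new SecurityException("license issued for " + subjectCn(license)
                    + " but this server is " + host);
        }
        System.out.println("license accepted for " + host);
    }
}
```

Reading the CA from a file next to the application is the weak form Alain warns about: whoever can edit the EAR can swap the CA and sign their own licence, which is why he suggests embedding the CA as a string inside an obfuscated class. Even then the check sits in code the licensee can disassemble, which is the point of the rest of the discussion.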