How to prevent usage of expired license through system clock tampering? [closed]
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
开发者_JAVA百科 Improve this questionI am currently working on a license manager using java, I will be specifying a start and end date for my application so I can force a licensed user to re-license the program after a certain amount of time.
But the problem I am facing is that any one can roll-back their system date and time in order to maintain the validity of license. Is there any way in Java to detect the system date and time is changed. I have already tried Network Time Protocol to get the current date and time from a time server.
You likely are storing a license file on the system. a) include the time that the software was registered in the license file, b) digitally sign the file.
The digital signature will tell you if the license file was tampered with. If not, the time will tell you when the software was registered; if the "current time" is less than the registered time, your license manager knows something funny is going on and it can respond according (refuse to run, delete the license, ...
If you really want to enforce the date range, write the current time on each program execution to a separate digitially signed file, verifying that time always goes monotonically up.
You can also check your last recorded time against any files your application writes-then-reads. Such a file with a date later than your last recorded time indicates some kind license-file rollback.
These wont stop the user from setting the clock back some, but it will make it pretty hard for him to do this in an organized way.
It is basically impossible to do anything about. A user could "restore" his entire computer so that the software thinks its running at any particular date.
You could make it harder by letting the program ask some time-server for the time. (Still though, if someone really wanted to use an old license he could reroute any such traffic to a local time server.)
Related questions / answers:
- Using Java to Query a Server for the Time
As @aioobe said, applications have no control over the environment in which they are running.
What you can do (if your program also maintains data that is important to your users) is to record what it knows about the date/time and the passing of time. For instance you can store the current time at a regular interval after checking that it did not rollback (when a rollback is detected, output a message with an encrypted code to pass on to you for relicensing so you know that that happened).
You can also keep a "counter" that is incremented every hour your program runs giving you another way to estimate the usage of your license.
Using all three your license would run out after a year, a rollback or x hours runtime.
You have a couple of scenarios to combat:
- The user who turns back their system clock before they install your product, and
- The user who rolls back their system clock after it has been installed.
There are several levels of security you can apply, and if this is a major concern then you may want to use all of them.
The most secure is to check the time against an external reference e.g. your server. If there is no network access, you can then use the local methods described above, of using local (hidden) files to keep track of the time on the system, so you can detect rollback. By using more than one such file in more than one location, and having them cross-check each other, you can make this arbitrarily hard to rollback without detection (and you can always keep periodically trying to connect to the external server).
Code your app to send you emails with user's session use and check arrival times. Automate the email monitoring! Otherwise you yill become a slave of your success.
Jorge
精彩评论