COCKOS
CONFEDERATED FORUMS
Old 04-26-2017, 06:48 PM   #1
CaptnWillie
Human being with feelings
 
Join Date: Dec 2016
Posts: 51
Registration Protection

Hi WDL users,

I've used the search as much as I could to find information on protecting plugins with serial number registration and locking;

while I've found resources such as LibTomCrypt which will do one way hashing, various cryptography, and the like (which there is a fair amount of documentation regarding); I haven't understood anything in reference to how to actually implement the hash into my code to lock the plugin.

I'm not looking for anything too horribly fancy at the moment, essentially the simplest locking mechanism that prevents sharing the .component or .vst, where one user could share the plugin with an entire circle.

As always, any example code is MUCH appreciated.

best,
Willie
Old 04-28-2017, 07:43 AM   #2
JD Young
Human being with feelings
 
Join Date: Nov 2014
Location: Leiden, the Netherlands
Posts: 36

Hi Willie,

I have been looking into several custom solutions the past year, and had the chance to play around with iLok and WiBu as well, which was very interesting. First of all I think it is very important to distinguish between two protection types. I am using the following terms: ‘licensing’ and ‘true copy protection’.

‘Licensing’ is having some kind of limitation to your plug-in, that goes away if you install a license file with a serial key in there, or fill in a serial key in your GUI somehow. These licenses or serial keys can be shared between users. Therefore this is only a mild incentive to ‘keep honest people honest’, as they say. It is relatively easy to implement, but not safe at all.

‘True copy protection’ is similar to licensing, with the big difference that the licenses or serial keys used are bound to the user’s machine, and cannot be shared between users. For this you need a way to create a unique machine ID for each customer, based on some hardware component in their system, and 'bind' the license to this. Moreover, if you want to automate the purchasing and activation of this kind of license you need to set up a licensing server that's able to communicate with your web shop, and with the plug-ins on users' machines as well (which requires an internet connection). This can be just one classic challenge-response call, or some elaborate scheme with all kinds of checks.

All encryption techniques like hashing and keys are just to make systems like these harder to crack, but do not provide any relevant infrastructure for actually protecting or activating a plug-in. So it’s up to you to set up something that makes sense, which is especially complex when you aim for true copy protection. How safe such a system is, is a whole other question, and the reason why software protection companies like iLok and WiBu spend years updating and perfecting their APIs.

I must say that I am not an advocate for elaborate protection systems. They should be as intuitive to the user as possible. Keeping hackers out is just a mild concern of my own, as it seems that anything can be hacked. I’ve been doing a lot of experiments lately, including building a test licensing server. So if you have any questions, fire away. I think it’s a very interesting subject to discuss, and maybe I can point you in the right direction of finding a solution that fits your projects.

Regards, JD

Last edited by JD Young; 04-28-2017 at 12:44 PM.
Old 04-29-2017, 09:47 PM   #3
CaptnWillie
Human being with feelings
 
Join Date: Dec 2016
Posts: 51

Quote:
Originally Posted by JD Young
Hi Willie,

I have been looking into several custom solutions the past year, and had the chance to play around with iLok and WiBu as well, which was very interesting. First of all I think it is very important to distinguish between two protection types. I am using the following terms: ‘licensing’ and ‘true copy protection’.

Thanks for the help JD; that's definitely a step in the right direction. I might lean more towards licensing as I think anything will get cracked, and as an amateur programmer I think the margin that my security will improve would require more effort than it's worth haha.

Plus, I feel as if I should not punish honest people with many hoops. This license file seems like a relatively easy way to do things.

My next question is, how might you "lock" the plug-in before registration in either case? I was thinking that I could create a class in a header (as I have been doing with my partner for many of the modules of our plug-in) that will blur out the screen or something if it does not find the registration?

Or would this be something implemented in the main routine of my plugin through WDL OL framework?
Old 04-30-2017, 01:46 AM   #4
JD Young
Human being with feelings
 
Join Date: Nov 2014
Location: Leiden, the Netherlands
Posts: 36

Hi Willie,

Well, the way you would implement the actual limitations in your plug-in is entirely up to you. Here are a few schemes I’ve encountered so far, in various combinations:

- A ‘nagscreen’ popping up when loading the plug-in – or every few minutes or so - telling you it’s a demo. You can click this screen away.
- Not being able to save your settings.
- Adding a beep, some noise or silence every minute or so. This is extremely annoying, and I wouldn’t recommend it if you want your users to like you.
- Additionally, you could also implement a trial period, and have the plug-in show a permanent nagscreen when it expires (or a blurred version). Don’t forget you can disable the GUI in most hosts, so you might want the plug-in to let through the audio unaffected as well when the trial ends.

In any case, it’s up to you to set it up from scratch. This can be a challenge sometimes, especially when you want to do a trial period, and come up with an intuitive solution for the user to enter his license code, or place his license file. But to generalize the process, if you just check in your plug-in constructor if a valid license is present, you can from there set some flags that enable the limitations you have set up – like letting the audio through unaffected in the process function - or set up some kind of ‘nagscreen’ GUI object.

Take some time to think it through, and approach it step-by-step, testing all parts one-by-one. If you want to make it easy for yourself and the user though, you could also skip the license check altogether, and just make two versions of your plug-in: one demo version, and one full version. The licenses can be shared anyway with regular ‘licensing’, so just having two versions would sort of have the same outcome, without having to set up the whole license generation and check. When I started to figure out the best way to do this kind of stuff, I kept thinking in circles for a while, until I realized that no elegant solution to regular ‘licensing’ really exists, and no simple solution to ‘true copy protection’ either.

As the whole software protection thing can be a sensitive subject, and can seriously affect your image as a vendor, I would indeed try to make the whole activation experience as painless and intuitive as possible for the user. As a programmer, I don't like this stuff in my code haha, but I understand the need for a simple incentive. So in my opinion, only one action should be required by the user, which is filling in an activation code, using an open file dialog to load your license, placing a license file in a dedicated folder somewhere or running a second installer.

Regards, JD
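The constructor check and pass-through flag described in post #4, combined with the machine-bound license from post #2, as an added example that is not code from any poster or from the WDL-OL framework. The license line format, the names `DemoPlugin`, `licenseValid` and `makeLicenseLine`, the machine ID strings and the secret are hypothetical; FNV-1a stands in for a real keyed hash (such as one from LibTomCrypt) and is not secure, and a shipped plug-in would verify an asymmetric signature so that no signing secret sits in the binary.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <string>

// Stand-in for a real keyed hash such as HMAC-SHA256 (e.g. from LibTomCrypt).
// FNV-1a is NOT cryptographically secure; it only keeps this example dependency-free.
uint64_t toyTag(const std::string& data) {
    uint64_t h = 1469598103934665603ULL;
    for (unsigned char c : data) { h ^= c; h *= 1099511628211ULL; }
    return h;
}

// Vendor side (assumed): tag over user + machine ID + a constructed demo secret.
// A secret shipped in the binary can be extracted; a signature check avoids that.
uint64_t issueTag(const std::string& user, const std::string& machineId) {
    return toyTag(user + "|" + machineId + "|constructed-demo-secret");
}

// Hypothetical license line format: "user|machineId|tag-in-hex".
std::string makeLicenseLine(const std::string& user, const std::string& machineId) {
    char hex[17];
    std::snprintf(hex, sizeof hex, "%016llx", (unsigned long long)issueTag(user, machineId));
    return user + "|" + machineId + "|" + hex;
}

bool licenseValid(const std::string& line, const std::string& thisMachineId) {
    size_t a = line.find('|');
    size_t b = (a == std::string::npos) ? a : line.find('|', a + 1);
    if (b == std::string::npos) return false;       // missing or malformed license
    std::string user = line.substr(0, a), machine = line.substr(a + 1, b - a - 1);
    std::string hex = line.substr(b + 1);
    char* end = nullptr;
    uint64_t tag = std::strtoull(hex.c_str(), &end, 16);
    if (hex.empty() || *end != '\0') return false;  // tag is not clean hex
    if (machine != thisMachineId) return false;     // license copied from another machine
    return tag == issueTag(user, machine);          // edited fields or forged tag
}

struct DemoPlugin {
    const bool licensed;  // set once in the constructor, read by process()
    DemoPlugin(const std::string& licenseLine, const std::string& machineId)
        : licensed(licenseValid(licenseLine, machineId)) {}
    // Licensed: apply the effect (a fixed 0.5 gain here). Unlicensed: pass audio through.
    void process(const float* in, float* out, size_t n) const {
        for (size_t i = 0; i < n; ++i) out[i] = licensed ? in[i] * 0.5f : in[i];
    }
};
```

Dropping the machine ID from the tag and the comparison gives the shareable 'licensing' variant from post #2.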
Old 04-30-2017, 05:48 PM   #5
CaptnWillie
Human being with feelings
 
Join Date: Dec 2016
Posts: 51

Quote:
Originally Posted by JD Young
Hi Willie,

Well, the way you would implement the actual limitations in your plug-in is entirely up to you. Here are a few schemes I’ve encountered so far, in various combinations

Regards, JD

Thanks JD, that was very informative and I have a lot of food for thought. I'm also talking with my friend about an ecommerce platform that can deliver a personalized download in the instance of a licensing file or something. Thanks for the help!