Master certificates that are already included in Windwos

© Wibu-Systems

A certificate confirms the owner of a public key. The owner can be a person, an organization or an IT system. It contains attributes that describe the purpose of the certificate and a signature of the issuer. Herbert has a certificate issued for his public key by a certification authority such as VeriSign. The certification authority verifies Herbert's identity before creating his certificate. Now that Herbert has his certificate, he attaches it to his software instead of his public key. This allows Uwe and Ute to check the authenticity of his public key. The public key of the certification authority is used to check the certificate. But how do Uwe and Ute obtain it? And more importantly, how do Uwe and Ute know that this public key is genuine? The answer lies in the root certificates.

A root certificate verifies the authenticity of your own public key and is already available to Uwe and Ute, as root certificates are already integrated into the operating system and are also updated when the operating system is updated. Such updates are necessary if a root certificate has expired, a new one is added or a certificate has to be revoked. In other words, regular updates of the operating system are essential to keep the list of trusted root certificates up to date.

An application signed with Authenticode

© Wibu-Systems

One example of such a certificate mechanism is Authenticode. Herbert provides his software with a digital signature and the operating system automatically warns Uwe and Ute if the signature is invalid. Unfortunately, it does not warn them if the signature has been removed or replaced by another signature. Uwe and Ute have to check this manually themselves.

Herbert could now come up with the idea of using such certificates as licenses. However, in this respect, he has made the calculation without the malicious user Anton. Unlike Uwe and Ute, who want to buy the software, the malicious Anton intends to use a pirated copy. He doesn't care at all whether the software issues a warning that the signature is incorrect when it is started. He would also never think of manually checking the signature himself, and he would not hesitate to manipulate his computer in order to use the pirated copy. So certificates alone are not enough to realize secure licensing.

Certificates as licenses

Generation of a private key from the properties of a computer with SmartBird

© Wibu-Systems

The solution to this is asymmetric encryption. With asymmetric encryption, any person can encrypt a text, but only a dedicated recipient can decrypt the text again. The recipient's public key is used for encryption. The recipient uses their private key for decryption.

This method is perfect for software protection with the binding of a license to a specific computer. Herbert implements a mechanism in his software that generates a fingerprint of the computer. In a simple case, this can be the serial number of the hard disk. He uses this fingerprint to generate a private key. With ECC, this fingerprint can easily be used as a private key. This is another reason to prefer this method to RSA.

Uwe now starts Herbert's software. This generates the key pair and sends the public key to Herbert as part of an online activation. Herbert uses it to encrypt the license for Uwe and sends it back. Only Herbert's software on Uwe's computer can now decrypt and use the license. For everyone else, the license is just 'gibberish'. If Ute performs the same action, she receives another encrypted license that can only be decrypted on her computer.

The best of both worlds

The malicious Anton cannot use Herbert's software with either Uwe's or Ute's license file. But the evil Boris - our hacker - could in this case write a KeyGen and generate a license. Therefore, a mixture of signatures/certificates and encryption is the final solution for good software protection - i.e. a certificate-based solution with encryption, as implemented by Wibu-Systems in CodeMeter, for example.

On the one hand, each license file is encrypted exactly for the respective computer. A fingerprint is used as the private key, which is made up of many different hardware properties of Uwe and Ute's computer. These properties are included in the fingerprint with different weightings. The exact composition of this fingerprint is a trade secret of Wibu-Systems. A patented process - known as SmartBind - is used to add a tolerance so that the hardware of Uwe and Ute can change within certain limits and the private key is still retained.

Secondly, the license file is signed by the manufacturer Herbert with a private key. He automatically adds a certificate that he has received from Wibu-Systems. At runtime - i.e. when his software checks the license - CodeMeter Runtime can use this certificate to check the validity of the license. In addition, Herbert can use the certificate to authorize his users to pass on the license or lend it out for a limited period.

Ultimately, software manufacturers like Herbert are always faced with the question of whether they should implement licensing themselves or purchase an appropriate solution. The more extensive the requirements become and the more security you want to achieve against pirated copies, the more you should opt for the latter.

Author:
Rüdiger Kügler is a security expert at Wibu-Systems.