Need secure date-based license protection that will allow me to kill execution of a servlet after x days without a new key.

Eugene Kuleshov

I've been told that this feature is planned for Saffeine 1.1. It will be able to protect web applications, and their licenses already have an expiration time.

Saffeine uses encryption to split the single distribution unit into several independently licensed modules, as said in their whitepaper. In this scenario the license will not have keys for decryption of the unlicensed modules, so there is just nothing to break. On the other hand, because the code is hidden behind the Saffeine runtime and doesn't appear in the jar file, it will be more difficult for an intruder to get access to it, change it and run it without limitations, unlike with a traditional jar archive, where this can be done very simply (there are some tools that allow you to work with jars like you do with directories and run a contextual search recursively on your classes).

So, if you decide to have some protection or licensing, you should implement it very carefully or use a good 3rd party solution instead of wasting your own time, which can be used to focus on your own product.

Either way, a good solution should include the following parts:

  • License validation (time based or so)
  • Code protection to protect the logic of the license validation from overview and modification
  • License protection to avoid unauthorized regeneration of the license (force to break the original distribution to reduce distribution of the hacked software)

If your license validation or decryption code is not secure, it doesn't matter what you use - cipher or digest, because the code for license validation can be reverse engineered in 30 seconds, changed to not check the license in another 30 seconds, so you will save time on the phone calls to your tech support. :-)

Actually, calculating a digest doesn't help much (even though there are some algorithms that could be used to generate them from the date ranges) because all information about them is available in the open and it is simple to regenerate them and put them on your unchanged application! Only the use of asymmetric decryption can force a hacker to change your code, because there will be no way to regenerate the license with other dates without having the other part of the key. So, a customer who needs to run a hacked illegal copy of your product has to obtain it separately, not as an evaluation from your site, and also could not use the original distribution, which may give him problems and stop him from using the illegal copy.

Unfortunately, there is a more philosophical problem about software protection. Remember, Microsoft let customers use their product and only now are starting to add some protection in there. Customers are already addicted to the MS Office Suite and can't switch anywhere else, so problems with the protection will not make any sense for them because they are addicted. :-)
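
The asymmetric approach described in the answer above, as an added sketch that is not part of the original post and is not Saffeine code: the vendor signs the expiry date with a private key that never ships, and the application embeds only the public key, so an edited date fails verification. The class and method names, the `customer|expiry|signature` layout and the demo key are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.LocalDate;
import java.util.Base64;

// Hypothetical names and license layout; constructed demo data only.
public class LicenseCheck {
    // Vendor side: sign "customer|expiry" with the private key, which is never distributed.
    static String issue(PrivateKey vendorKey, String customer, LocalDate expires)
            throws GeneralSecurityException {
        String payload = customer + "|" + expires;
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(vendorKey);
        s.update(payload.getBytes(StandardCharsets.UTF_8));
        return payload + "|" + Base64.getEncoder().encodeToString(s.sign());
    }

    // Application side: only the public key is embedded, so a new date cannot be re-signed.
    static boolean isValid(PublicKey vendorPub, String license, LocalDate today) {
        try {
            int cut = license.lastIndexOf('|');
            if (cut < 0) return false;
            String payload = license.substring(0, cut);
            byte[] sig = Base64.getDecoder().decode(license.substring(cut + 1));
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initVerify(vendorPub);
            s.update(payload.getBytes(StandardCharsets.UTF_8));
            if (!s.verify(sig)) return false;            // payload was altered or not vendor-issued
            LocalDate expires = LocalDate.parse(payload.substring(payload.lastIndexOf('|') + 1));
            return !today.isAfter(expires);              // valid through the expiry day
        } catch (GeneralSecurityException | RuntimeException e) {
            return false;                                // malformed input fails closed
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair kp = g.generateKeyPair();                // constructed demo key pair
        String lic = issue(kp.getPrivate(), "ACME", LocalDate.of(2030, 1, 31));
        String edited = lic.replace("2030-01-31", "2040-01-31"); // date changed, signature kept
        System.out.println("in date:  " + isValid(kp.getPublic(), lic, LocalDate.of(2030, 1, 15)));
        System.out.println("expired:  " + isValid(kp.getPublic(), lic, LocalDate.of(2030, 2, 1)));
        System.out.println("edited:   " + isValid(kp.getPublic(), edited, LocalDate.of(2030, 2, 1)));
    }
}
```

This covers only the "license protection" item in the list; the `isValid` call itself can still be patched out of the class file, which is why the answer pairs it with code protection.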