A Reusable Software Copy Protection Using Hash Result and Asymetrical Encryption

Desktop application is one of the most popular types of application being used in computer due to the one time install simplicity and the quick accessibility from the moment the computer being turned on. Limitation of the copy and USAge of desktop applications has long been an important issue to application providers. For security concerns, software copy protection is usually integrated with the application. However, developers seek to reuse the copy protection component of the software. This paper proposes an approach of reusable software copy protection which consists of a certificate validator on the client computer and a certificate generator on the server. The certificate validator integrity is protected using hashing result while all communications are encrypted using asymmetrical encryption to ensure the security of this approach.


INTRODUCTION
Desktop application is one of the most popular types of application being used in computer due to the one time install simplicity and the quick accessibility from the moment the computer being turned on.However the one-time installation of the desktop application also raise problems regarding the user's rights and capabilities in copying, duplicating and even distributing the desktop applications software to other party without the application provider's consent.Software copy protection is a method designed to counter such problems.By planting extra file(s) or data such as license key to be used as the application legality validator, the software creator are able to provide some degree of countermeasure against user tendency to illegally duplicate and distribute the software.Users knowledgeable in computer programming might be able to decode information or duplicate a license file.Encryption method and hash result technique are common ways to ensure information hiding and file integrity.
Software copy protection reusability has also become a challenge on its own.To be able to reuse such complex mechanism also means leaner program, reduced development time and ultimately development cost which will affect the product's price.This paper focuses on a reusable software copy protection approach.A hashing technique and encryption method are used to ensure the integrity of reusable components as well as the certificate generated.

Reusable Software Component
Nowadays, there is a shift to reusing components in software development.According to AL-Badareen, et al (2011), the software reuse became a base of most software design because it can reduce cost, effort, time, and increase the quality and productivity of the software development process.Sojer and Henkel (2010) stated that efficiency and effectiveness are the two main purposes that a developer choose to reuse software code or components.Sojer and Henkel (2010) also stated that a software component to be reused needs to be a component with proper modification just as needed.Nobody will ever know what condition may appear in the future which drives modification of part of a software component.Therefore, a reusable software component needs to be as general as possible to avoid uneccessary future modification.

Software Copy Protection
Software industry uses software copy protection to prevent software usage by users who have not purchased the software yet.This method is used by companies who sell commercial software product.There are many software copy protection techniques.Bahaa-Eldin and Sobh (2014) stated that these techniques include these common points: (1) Software authentication -a copy protected software should check for the existence of a valid private certificate.(2) License integrity -the private certificate for authentication needs to proved that it is not altered.(3) Entity authentication -each license should be linked with a hardware/media to prevent license redistribution.(4) Protection security -the private certificate should be encrypted, so it cannot be altered or read by anyone.Bahaa-Eldin and Sobh (2014) proposed an approach for software copy protection based on the four common points above.The technique requires authentication via a certificate generation over the internet.This certificate is encrypted using public-private key mechanism, so that the license integrity can be achieved.The software also checks for a USB dongle, so that every software copied into different computers can only be used with the existence of one USB dongle.The certificate contains a sequence number which is validated in the activation server through internet connection.Using this approach, the license can be validated for its originality, expired date, and so on.However, this approach requires the software copy protection module to be integrated with with the main software.Therefore it does not support reusability.Continuous internet usage for license validation in activation server also has its own disadvantage.The software will not be available for use when the user does not have an internet connection.Another problem for companies which might arise from this approach is the expensive investment on USB dongle for every copy of the software.

Encryption
Encryption is used to hide information from untrusted party.The encrypted information will show a long string of unreadable/nonsensical character.To understand the real information, it should be decrypted first by a key.There are currently two types of encryption: symmetrical and asymmetrical encryption.The symmetrical encryption is faster than asymmetric encryption.It also uses lesser memory (Agrawal & Mishra, 2012).The symmetrical approach uses a single key to encrypt and decrypt the information.When the information is transferred via network, the key has to be transferred as well.This causes the encrypted information to be vulnerable to untrusted party intercept.The asymmetrical approach is much more secure than the symmetrical approach because it use public-private key method where everyone knows what the public keys is and they are able to encrypt their message with it.However, for each public key, there are only several trusted parties that already hold the private key which match the said public key.This private key is the one that can be used to decrypt the message which was encrypted by the matching public key (Barukab, et al, 2012).Since the private key is not transferred through the network, it cannot be acquired by the untrusted party.

Symmetric Encryption
Symmetric encryption is useful for keeping the confidentiality of a message.As stated before, symmetrical encryption uses a single key to encrypt and decrypt information.Symmetric encryption can be generally viewed like figure (???).Suppose 'A' wants to send information 'X' to 'C'.'A' use a single key to encrypt 'K' the information and turn it into nonsensical message 'Y'.Now, if 'B' manage to eavesdrop the message 'Y', B will not be able to extract any useful information since the information 'X' has been encrypted into nonsensical message 'Y' and need to be decrypted first using the same single key 'K' that was used to encrypt the information.
When the message 'Y' is received by the intended recipient which is C, then the message should be decrypted using the key 'K' which might have been agreed upon before hand by 'A' and 'C' or transferred through other secure means from 'A' to 'C'.Of course this means that if the key 'K' falls into 'B', then B would be able to encrypt the message and tampered with the information.Using only symmetric encryption, there is no way to ensure that the message integrity has not been tampered or to ensure that the message sender is indeed 'A'.However the real problem with symmetric encryption is how to transfer the key 'K' securely to the intended party since it will somewhat defeat the purpose of the key unless it was agreed upon beforehand (Paar & Pelzl, 2009).

Asymmetric Encryption
Asymmetric encryption is developed to overcome the problem of key distribution in symmetric encryption.To put it simply, asymmetric encryption is like physical mailbox on the streets.Everyone is free to insert the mail, or encrypting the information using public key in this regards.However, everyone already has a way to open the mail securely using their own key or decrypting the message using theirown private key in this regards.Suppose 'A' wants to send information 'X' to 'C'.'A' then use C's public key to encrypt the information and turn it into nonsensical message 'Y'.Now, if 'B' manage to eavesdrop the message 'Y', B will only be able to decrypt the message using C's private key.If C want to send information to A, then C will encrypt the information using A's Public key and A will be able to decrypt the message using his own private key.This mechanism is quite safe since the private key is not shared or transferred.The only key that gets transferred is the public key which only useful to encrypt the information, not to decrypt it.This way, the message should be safe from unwanted party since they should not be able to get the private key which can be used to decrypt the message.

File Integrity
Ensuring file integrity means ensuring that a file has not been modified by any person.A file which is stored on a client computer can be modified by the user himself or a malicious attack.An integrity check is performed to check whether a file has been modified from the last time or not.One of the common ways to perform integrity check is by using hash result (Sivathanu, Wright, & Zadok, 2005).

Hash Result
One of the popular mechanisms to perform file integrity check is by checking the file hash result.This mechanism is done by computing a hash using some popular hash function like MD5 or SHA1.The hash result should be stored in a manner which it cannot be easily modified.To check the file integrity, the hash result is once again computed and then compared to the previously stored hash result (Sivathanu, Wright, & Zadok, 2005).Hash result is very sensitive to change.Whenever an attribute or a portion of a file is modified, the hashing process will provide different hash result (Euresti et al, 2014).If the hash result is different, a file must have been modified by unauthorized person.Therefore, hash result can be used to ensure that a file is indeed the one from the creator and not modified by other party.

METHOD
The idea behind this research is that many kinds of software products need to be protected from copy and usage without permission.Because the steps for product registration and validation is usually the same and used by many products, the licensing process is a good candidate for reuse.This paper's approach consists of a certificate validator application and a certificate generator.The certificate validator needs to be deployed along with the software using the software copy protection so that the software can interact with the certificate validator.The certificate validator is responsible for two things: (1) Generating Activation Code which contains serial key and hardware machine code needed to create a new certificate.(2) Validating the machine code and expired date.The certificate generator resides on the server.The certificate generator accepts the Activation Code from the certificate validator, decrypts it, validates the serial key, saves the machine code -used for re-registration process -to the database and returns a generated certificate to be used.
As our approach deals with software copy protection, in which a software cannot work if it is copied without permission, there are several security issues that need to be handled.The second issue is the encryption of the Activation Code and the certificate.If somebody can figure out the encryption, a fake certificate could be created.
The first security issue is that the certificate validator might be replaced by a fake application behaving as if a valid certificate exists even though it doesn't.To handle that issue, a md5 hash of the original certificate validator is stored on the application as a hardcoded field.Every time a software wants to interact with a certificate validator, the software needs to generate a md5 hash of the validator and compare the md5 hash to the one stored in its field.Because no other file can generate the same md5 hash, the replacement of the validator can be prevented.
To handle the second security issue, an asymmetrical encryption is implemented.The certificate validator holds public key A to encrypt activation code while the certificate generator holds private key A to decrypt the message.Meanwhile, the certificate generator holds public key B to encrypt certificate while the certificate validator hold private key B to decrypt the certificate before validating it.This way, no application can access the data except the particular target application.Also, without having the key, nobody can generate a certificate by his/her own.The software copy can be registered using a given serial key for a certain amount of computers.The application will ask for the serial key if the certificate file cannot be found at a determined file path.The user can register the application for the first time, or in case the certificate file is lost, reregister the application using the serial key previously used for the same computer.The certificate generator on the server checks the existence of the machine code in the database.If the machine code doesn't exist, the software copy is assumed to be registered for the first time, the machine code is inserted to the database; hence decreases the amount left for another computers' registration.Meanwhile, if the machine code already exists, a certificate will be generated without decreasing the amount left for another computers' registration.
The database structure used in this approach is illustrated in the Entity Relationship Diagram (ERD) in figure 3.1.The Applications table contains various desktop applications which use this software copy protection.The License table contains serial key used for registration, its expiration date and the maximum quantity the software can be installed in different computers.The Registered Computers table stores the machine code for registered software copy on different computers.

Figure 3 ERD of License Database
The detailed steps of our approach can be viewed in figure 4, which is explained as the following: Figure 4 Steps of Certificate Generation and Validation 1.When the software starts, it generates md5 hash of the certificate validator and compare it with the original one.
2. If the md5 hash is invalid, the application displays error message and closes, else the application validates certificate.
3. The application searches for a certificate.If it is found, the application will request the certificate validator to validate it.The software copy is assumed as unregistered if the certificate doesn't exist; hence the software will ask for a serial key.The serial key is usedfor registering the application for the first time or re-registering by using the same serial key as before.
4. In registration process, the application asks for a serial key, then send it to the certificate validator.
5. The certificate validator access the hardware machine code.The hardware machine code can be anything that is unique to a computer and is seldom changing like MAC address, CPU serial number, network card or combination of them.
6.The hardware machine code and serial key are encrypted into activation code using public key A and then sent to the certificate generator.
7. The certificate generator decrypts the activation code using private key A to get the hardware machine code and serial number.
8. The certificate generator registers the software identified by its serial key.
9. The hardware machine code and expired date are encrypted into certificate using the public key B. The certificate is sent to the certificate validator which saves the certificate as a file and validates it.
10.If the certificate exists, the certificate validator decrypts the certificate using private key B to get the hardware machine code and the expired date.
11.The certificate validator validates the hardware machine code and the expired date.The certificate validator will return a code specifying the validation result to the software.
12. According to the result, the software either shows an error message or starts the application.

RESULT AND DISCUSSION
This approach offers a one-time developed certificate validator and certificate generator to be used by limit the distribution of copies of different applications.Asymmetrical hash helps to ensure the certificate validator's integrity -that the certificate validator hasn't been replaced by another false program which only returns a valid value of certificate checking without actually checking the files.This software copy protection's security is difficult to be compromised.Because the certificate is generated on the server side using the public key residing on the server, unless the user acquires access to the server and stole the public key, he/she will not be able to self-generate his/her own certificate.By storing the computer's machine code inside the certificate file, the software cannot be run when it is copied to a different computer as there is a unique machine code for every computer.Also, a keygen will not work because this approach requires to contact the server for the registration process.
This approach also has an advantage for computers that cannot always be connected to the internet.This approach only needs internet connection at the beginning of the registration process to communicate with the server for certificate generation.After the certificate has been generated, the certificate validator can work to validate the certificate without the need of internet connection.However, if the user of the application loses the certificate file, e.g.accidental deletion or new operating system installation, the software copy needs to be re-registered for a new certificate file.Reregistration is made possible by the storage of computer's machine code at the server.So, as long as the user still has the serial key and there is no changes on the computer's hardware, the machine code sent to the server will always be the same with the one stored on the server, thus enabling the reregistration process.Of course an internet connection is also needed for this re-registration process.This paper recommends the application to have an internet connection only at the first registration, each time the certificate is lost and each time the license expires.
In this approach, a periodic licensing is required.So the certificate file includes a pre-specified expired date.If a lifetime license is needed, the expired date part can be omitted from the certificate, so the certificate file consists of encrypted hardware code only.A prototype of the certificate validator and the certificate generator was built using Qt (C++) programming language.An experiment showed that the prototype can be used by several desktop applications developed using Qt (C++), C#.NET, and Java.

CONCLUSION
This paper proposed an approach to a reusable software copy protection which includes a certificate validator deployed with the software and a certificate generator on the server.As an interacting application, the certificate validator needs to be checked for its integrity.Md5 hash is chosen to ensure the application's integrity.To ensure that the certificate validator is not a selfgenerated certificate by the user, an asymmetrical encryption-public-private key -is used.The certificate is generated on the server, encrypted using a public key and can only be decrypted using the matching private key.By keeping the certificate validator on the client computer, the application will not need internet connection once the certificate has been created.Some future study extensions from this paper might include the following: rather than determining one hardware machine code to use, this paper gives some options like MAC address, CPU serial number, network card, or combination of them.A research can be done to determine the best hardware machine code to use.A research can also be done to prove this approach's effectiveness to prevent a software from being copied and used without permission.