Using PKI (Public Key Infrastructure) technology, we can implement a secure and efficient license management system. This system can control access to software applications, ensuring that only authorized users can use the software.

Motivation

In traditional license management systems, licenses are often tied to specific hardware or user accounts, which can lead to issues such as license theft, unauthorized use, and difficulties in managing licenses across multiple devices. PKI-based license management addresses these issues by leveraging digital certificates and cryptographic techniques.

Signing Licenses

  1. Generate a key pair (public and private keys) for the user. The private key is kept secure by the user, while the public key is shared with the license issuer.
  2. Upload the public key to the license issuer, which can be a server or a trusted authority responsible for managing licenses.
  3. The license issuer generates a license file that contains the necessary information about the license (e.g., license type, expiration date, allowed features) and signs it using the issuer’s private key.
  4. The license issuer builds a license file that includes the user’s public key and the license information, and then signs it using the issuer’s private key.
  5. The signed license file is then sent back to the user.

Verifying Licenses

  1. Fetch the latest revocation status from the issuer using a CRL or OCSP response to confirm the license has not been revoked, and fail closed if the status cannot be verified.
  2. Verify the Root CA certificate chain, fingerprint, and trust-store entry to ensure the issuer is trusted and the root certificate has not been replaced or tampered with.
  3. When the user attempts to use the software, the application will read the license file and verify its authenticity by checking the signature using the issuer’s public key.
  4. If the signature is valid, the application will then check the license information (e.g., expiration date, allowed features) to determine if the user is authorized to use the software.
  5. If the license is valid and the user is authorized, the application will allow access to the software. Otherwise, it will deny access and may provide feedback to the user about the license status.

Integrate into business logic

Use the license signing message to access the API to obtain software or firmware updates, technical support, or customer service. This can help ensure that only authorized users can access these resources and can also provide a way for the license issuer to track usage and enforce license terms.

Benefits

Security
PKI-based license management provides a high level of security by using digital signatures and encryption, making it difficult for unauthorized users to forge licenses.
Flexibility
Licenses can be easily managed and updated without being tied to specific hardware or user accounts, allowing for greater flexibility in license distribution and management.
Scalability
The system can easily scale to accommodate a large number of users and licenses, as the license verification process is efficient and can be automated.
Revocation
The license issuer can revoke licenses if necessary, and users can be notified of revoked licenses through regular updates from the license issuer.

Disadvantages

Complexity
Implementing a PKI-based license management system can be complex and may require significant resources to set up and maintain, especially for smaller organizations.
Dependency on License issuer
The system relies on the license issuer to manage and distribute licenses, which can create a single point of failure if the issuer’s infrastructure is compromised or experiences downtime.
User Experience
Users may find the process of obtaining and managing licenses more cumbersome compared to traditional methods, especially if they are not familiar with PKI concepts.

Known attack surface

Replace Root CA (certificate authority)
An attacker could replace the Root CA in the trust store with a malicious one, allowing them to forge licenses that appear valid.
Replace with another user’s license
An attacker could replace the local private key with a license signed by the attacker, allowing them to create valid licenses without authorization.
Using old revocation list
An attacker could use an old, revoked key to create valid licenses.
Rewind local time
An attacker could manipulate the local date on the user’s device to bypass license expiration checks, allowing them to use the software indefinitely.

Solution

There are currently no readily available open-source solutions.

But we can leverage existing PKI technologies to build our own license management system.

For example, we can use: SSH CA or X.509 for certificate management, and OpenSSL for signing and verifying licenses.
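
The signing and verifying steps described above, carried out with the openssl CLI, as an added example that is not code from the original page or from any existing project. The file layout, field names, EC P-256 keys, and the nonce-based check that the license holder owns the embedded key are assumptions; the checks covered are issuer signature, expiry, and key possession.

```sh
#!/bin/sh
# Added example: an issuer-signed license that embeds the user's public key,
# checked with the openssl CLI. All names, fields and dates are constructed.
WORK=$(mktemp -d)

gen_key() {  # gen_key NAME -> $WORK/NAME.key and $WORK/NAME.pub (EC P-256)
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key" &&
    openssl pkey -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub"
}

issue_license() {  # issue_license USER EXPIRES_EPOCH FEATURES (issuer side)
  {
    echo "type=standard"
    echo "expires=$2"
    echo "features=$3"
    echo "user_key=$(grep -v '^-----' "$WORK/$1.pub" | tr -d '\n')"
  } > "$WORK/$1.lic"
  openssl dgst -sha256 -sign "$WORK/issuer.key" -out "$WORK/$1.lic.sig" "$WORK/$1.lic"
}

verify_license() {  # verify_license LICENSE_OWNER KEY_HOLDER NOW_EPOCH (application side)
  lic="$WORK/$1.lic"; nonce="$WORK/nonce"
  # 1. The issuer's signature must cover the license file byte for byte.
  openssl dgst -sha256 -verify "$WORK/issuer.pub" -signature "$lic.sig" "$lic" \
    >/dev/null 2>&1 || { echo bad-signature; return 1; }
  # 2. Only now trust the fields: compare expiry with the caller-supplied time.
  expires=$(sed -n 's/^expires=//p' "$lic")
  [ "$3" -lt "$expires" ] || { echo expired; return 1; }
  # 3. Proof of possession: the key holder signs a fresh nonce (in a real
  #    deployment this happens on the user's side), and the signature must
  #    verify under the public key embedded in the signed license.
  { printf '%s\n' "-----BEGIN PUBLIC KEY-----"
    sed -n 's/^user_key=//p' "$lic" | fold -w 64
    printf '%s\n' "-----END PUBLIC KEY-----"; } > "$WORK/embedded.pub"
  openssl rand -hex 16 > "$nonce"
  openssl dgst -sha256 -sign "$WORK/$2.key" -out "$nonce.sig" "$nonce"
  openssl dgst -sha256 -verify "$WORK/embedded.pub" -signature "$nonce.sig" "$nonce" \
    >/dev/null 2>&1 || { echo wrong-key; return 1; }
  echo valid
}

gen_key issuer && gen_key alice && gen_key mallory   # mallory holds a different key
issue_license alice 1900000000 "updates,support"     # constructed expiry (epoch seconds)
verify_license alice alice 1800000000                # prints: valid
```

Because the user's public key is inside the signed file, a license copied to a machine that holds a different private key fails step 3, and any edit to the fields fails step 1.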