Question

I want to distribute s/w licenses as encrypted files. I create a new file every time someone buys a licence & email it out, with instructions to put it in a certain directory.

The PHP code which the user runs should be able to unencrypt the file (and the code is obfuscated to stop him hacking that). Obviously the user should not be able to write a similar file.

Let's not discuss whether this is worth it. I have been ordered to implement it, so ... how do I go about it? Can I use public key encryption and give him one key?


Can't I just give the user one key & keep the other? He can read & I can write.


Solution

It sounds like what you are looking for is a digital signature.

When you create the license file, you sign it using your private key. When the application loads the license file, it verifies the signature using your public key, which is hardcoded into your obfuscated license check.

Obviously, the user can just patch the license check code itself - either to replace your public key with their own, or just to avoid the license check altogether - but there's really nothing you can do about that.
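The sign-and-verify flow described in this answer, as an added example that is not part of the original answer. It uses PHP's sodium extension (Ed25519) as one possible signature scheme; the function names, license fields and the "payload.signature" file layout are assumptions made for illustration.

```php
<?php
// Added example, not from the original answer. Requires ext-sodium (Ed25519).
// Field names and the "payload.signature" file layout are hypothetical.

// Vendor side: generate once; the secret key never leaves the vendor.
$keypair   = sodium_crypto_sign_keypair();
$secretKey = sodium_crypto_sign_secretkey($keypair);
$publicKey = sodium_crypto_sign_publickey($keypair); // embedded in the shipped app

function issueLicense(array $fields, string $secretKey): string
{
    $payload = json_encode($fields, JSON_THROW_ON_ERROR);
    $sig     = sodium_crypto_sign_detached($payload, $secretKey);
    return base64_encode($payload) . '.' . base64_encode($sig);
}

// Application side: returns the license fields, or null if the file is invalid.
function verifyLicense(string $file, string $publicKey, int $now): ?array
{
    $parts = explode('.', trim($file));
    if (count($parts) !== 2) {
        return null;
    }
    $payload = base64_decode($parts[0], true);
    $sig     = base64_decode($parts[1], true);
    if ($payload === false || $sig === false || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return null;
    }
    // Check the signature over the exact bytes before parsing or trusting them.
    if (!sodium_crypto_sign_verify_detached($sig, $payload, $publicKey)) {
        return null;
    }
    $fields = json_decode($payload, true);
    if (!is_array($fields) || !is_int($fields['expires'] ?? null) || $fields['expires'] < $now) {
        return null;
    }
    return $fields;
}

// Constructed sample data.
$now     = 1700000000;
$license = issueLicense(['customer' => 'Example Customer Ltd', 'expires' => 1800000000], $secretKey);
var_dump(verifyLicense($license, $publicKey, $now) !== null);        // genuine file

// Customer edits the payload (new expiry) but can only reuse the old signature.
[$p, $s] = explode('.', $license);
$edited  = base64_encode(str_replace('1800000000', '1900000000', base64_decode($p))) . '.' . $s;
var_dump(verifyLicense($edited, $publicKey, $now) !== null);         // tampered file
var_dump(verifyLicense($license, $publicKey, 1800000001) !== null);  // expired file
```

The payload stays readable by the customer; the signature only guarantees that it was issued by the holder of the secret key and has not been altered since.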

OTHER TIPS

You can use a license like FlexNet Publisher License System.

There are two sides to the FlexNet license. The first is establishing that a site has a license. This can be done based upon IP, MAC address, or an internal ID of the processor.

Once you've licensed the site, licenses at that site can be done on an active user basis (you can have thousands of users, but only ten users at a time can use the software), seat license (you have ten users at the site who can use it, and only those people can use it. If an eleventh person wants it, the site must move the license from one person who is licensed to that new user. Or, buy more licenses). And, you can have a site license with unlimited users.

FlexNet licenses can be broken, but are generally strong and can report back to you violations of the license policy.

Of course, you'll have to pay a licensing fee to Flexera Software to use their licensing scheme. And, there may even be some sort of "open source" implementation of the FlexNet licensing scheme although I don't know of one.

I've never used it because I believe fully in the open source software philosophy. That and the fact that no one would pay a cent for anything I wrote.

If you have a file that just says "yes, software may be run" you can of course not stop him from copying that file.

What you can do is to encrypt a file with something that is specific to the customer's system, the customer's name or an IP address or something. Then you can make your software check this IP address or print the customer's name on all reports or something.

You can do it with simple symmetric encryption or using a signature, neither of them preventing him from tampering with the program to find the key. So tell your boss it's an obstacle but certainly not unbreakable.

Simple RSA encryption will not solve your woes, once the code is in the clear anyone can get it.

A better question is "How much work am I willing to put into making it difficult for my client to get my code?" As no matter the language and method eventually it gets run, and when it's run it can be read.

The only foolproof way is to host it yourself and not allow your client or his servers any access to your code.

Possibly what you want to do is use XOR encryption (XOR each n-byte chunk of the file with the key) and since as @AndreKR said what you actually want to do is impossible, you might want to sign the encrypted file with your private key, then you can verify that the encryption was done by you.

Of course if you don't check this every time, and you don't use an opaque file-format and compiled/obfuscated code then it won't really make much difference.

It is impossible in the general case to stop digital duplication of data if you are going to display that data to the user - in the worst case they can just take screenshots (or even capture signals sent to the monitor).

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow