|
|
| Home | Product Evaluation | Resources | Contact Us |
The Java world by definition is standards based and more open than any similar software industry initiative in the history of the computer business. This approach makes it very tough to protect product source code, and this is even more challenging when the code contains licensing logic. With openly available reverse engineering tools any willing Java savvy person can easily eliminate license logic and gain access to the software product. This is not good news for the many companies building software products using Java.
'Saffeine' solves this problem by protecting valuable Java based product code from modification and offering a simple yet powerful license management tool.
The main features of 'Saffeine' are:
The following benefits are rendered from using 'Saffeine':
A major strength of Java is it's open and portable technology base, so products are typically packaged using standard widely known formats. Therefore there are tools available to the public that allow those formats to be opened, reverse-engineered and restored down to clear and easily readable source code. In this case the major strength appears also as a major weakness.
Of course having a product license should provide code protection, and most if not all licenses are embedded in product source code in the form of conditional logic such as a simple "if" statement. The wide availability of Java decompilers makes it significantly easier to expose and modify such code and therefore break the license. Not only can this be done by an experienced hacker, but also by virtually any developer who has some experience in fixing other people's code. The goal is to drill down into the code to locate such conditional statements and change them so they will always be "true".
Some developers use obfuscators (special code scramblers) that convert Java class and method names into an assumed unreadable syntax such as "zGrT08". It certainly makes reading the reverse engineered code more difficult, but it's still possible. Some developers even like this style (imagine having a developer on your team with a really bad habit of naming variables and methods... sound familiar?).
There are some other popular licensing techniques, such as having a table of modules that should be available for a given license type. The problem remains - it is nearly impossible to hide this kind of code when the entire program source can be obtained so easily, and it is just a matter of time (a few hours or even minutes) for the person examining the code to find the right spot.
Electronic distribution has become the most popular and widely accepted method of software product delivery. It is efficient for software product vendors and publishers, since it saves media costs, packaging and shipping. It's also very convenient for customers, because it offers the fastest possible way to get the products they need with minimal effort; get the latest versions and updates in time; and most importantly, evaluate the product before making a purchasing decision.
However, this method has a major drawback - it is very difficult to control the unwanted distribution of the product. For example if a product has limited, professional and enterprise editions, and an embedded license enforces this functional limitation, then by simply breaking the license, anyone can upgrade from say a limited version to a fully functional enterprise version without the cost.
Other steps that might be taken include installing an evaluation copy over and over again or sharing the license with somebody else. This is not in the spirit of the open nature of the product and ease of distribution required. The vendor really wants to provide the product, but also has to protect this valuable asset and maximize revenue from the development investment.
'Saffeine' offers a solution that protects code and provides the mechanisms to build a solid license without embedded logic. Its primary goal is to make it extremely hard or even impossible to access and alter the application code without having a license. With 'Saffeine', a product is packaged as a bundle and encrypted using a strong, mathematically proven cipher. Moreover, it's not necessarily encrypted with a single key - different parts of a product can be encrypted using different keys. A license issued to a customer includes a collection of keys needed to successfully decrypt portions of code to which access is permitted. More importantly, the license itself is also encrypted by the customer's own public key and can only be deciphered using their private Key, which like any other personal secret information, should be kept secret by the owner.
The main benefit of this technique is that a client only has access to the product features permitted by the license. It might take years for someone to decrypt the parts of the bundle they do not have keys for, especially if a strong mathematically proven cryptographic algorithm is used. Any Java Cryptography Extension (JCE) compliant provider can be used with 'Saffeine', from the various software-based implementations available on the Internet free of charge, to smart cards and expensive hardware. No code modification is necessary to support additional providers.
The use of public/private key pairs strongly discourages customers from releasing their licenses to other people. With a unique key for a customer, it is easy to track down and find a customer who has violated the license. Licenses and their keys may also be stored in certain hardware types such as smart cards or cryptographic tokens, and it is very difficult to clone that kind of hardware.
Having different parts of code in the bundle encrypted with different keys offers incredible flexibility in license management. The product can be split into modules, so you can create various license types offering access to different parts of your product in any combination.
Let's imagine you are developing a Java developer's suite. A basic license might consist of a text editor and GUI building tool; a more expensive professional edition adds a UML modeling tool, and finally the top of the line enterprise edition enables EJB deployment capability and database bindings.
All this can simply be done by carefully organizing the code and assigning different keys to each module. Then all that is needed is to issue several license types that carry different key sets. Most products are built to be modular from the beginning already, especially if a methodology such as 'Feature Driven Development' or 'Use Case Modeling' was used in development, so all that is left is to define the key sets using 'Saffeine'.
A good example is the SwingSet2 application found in Sun's JDK demos and illustrated using 'Saffeine' on our website. It handles the loading of its demo modules carefully enough to function properly if only a few of them are loaded, and the demo shows what is loaded based on what is licensed. 'Saffeine' also operates equally well at protecting code using one license applied to the whole product.
'Saffeine' takes the worry out of the electronic distribution of products. With a simple 'Saffeine' license a limited or full version of a product may be distributed with no fear of duplication or access to protected features.
Another great feature of having multiple key sets is that multiple versions of the same module, class or resource can be shipped in the same bundle. 'Saffeine' will seamlessly load the feature corresponding to the customer key. This is a convenient way to distribute updated versions of software products or implement different logic based on a different type of license. Just pack them using the keys defined for the previous release, and customers will be able to use this new version. Alternatively, keep an old version encrypted with an old set of keys and add new versions with new keys to the same bundle. In this scenario customers will continue to use an old version, and only those who paid for an upgrade would get new code activated by the 'Saffeine' engine. This is an industry leading capability.
The core part of 'Saffeine' Runtime is a sophisticated dynamic Java class loader. This uses cryptographic keys from the license to access the code in the bundle containing the distributed product. At application startup the 'Saffeine' loader substitutes the original system class loader and then handles all the Java class and resource loading for the application. The product code itself might not even be aware of the fact that it is protected, containing no license validation code, which means that there is no conditional license logic to break.
The 'Saffeine' class loader is not likely a target for an attack as well, since all it does is decrypting and loading the product code using the keys found in the license. It uses an open API - the JCE based ciphers - and has nothing to hide. If the user's license has the appropriate key, the code will load. It makes no sense to break into code that already works for you. If the license doesn't have the key for a particular module, cracking the class loader will not help. It's like running out of gas in your car. You cannot drive it, and the only way to help is to go buy some gas.
'Saffeine' provides several significant benefits:
Revenue and Asset Management
Computer Software Vendors can effectively manage their product revenue stream with 'Saffeine' based protection. Product key management will eliminate the need to worry about software assets made available to customers on a time-boxed basis. This also applies to maintenance versions. In addition, customer asset management and license obligations are easier to maintain for customer financial and legal departments conscious of their need to manage their software licenses.
Simple Preparation for Electronic Product Distribution
'Saffeine' protection makes it much easier to manage Electronic product distribution. 'Saffeine' enables the software vendor to distribute the complete product at all times with keys that permit feature access as per purchase order or demo requirements.
Runtime based license management
With 'Saffeine' protection, the product license is not built into the source code for possible breakage through reverse compilation. License generation is completed after the product has been developed and can now be part of the distribution process. Developers can ignore license considerations completely. There are no API's to use, no code changes to make, and no proprietary dependencies.
Developers free to focus on product design
With licensing eliminated from product code development, engineers can focus only on product functionality and never have to consider code protection or license logic design. There is no proprietary API to consider or license code to maintain. 'Saffeine''s ability to license on a per feature basis supports and promotes object and modular design techniques. The more modular the design, the easier it is to license the product on a per feature basis.