From: Charlie.Lai@Eng (Charlie Lai)
Message-Id: <199801100037.QAA01278@angeles.eng.sun.com>
Subject: Re: copy protection with javakey
To: platibus@platibus.com (Platibus)
Date: Fri, 9 Jan 1998 16:37:45 -0800 (PST)
In-Reply-To: <34B3E7AA.86EF9719@platibus.com> from "Platibus" at Jan 7, 98 03:38:03 pm
hi,
> I have a jar file Iris.jar (or Iris.zip, depending on java/jre),
> containing a class IrisManager. I want to sign this archive and let
> IrisManager only execute if it was loaded from the jar/zip file and if
> there exists a certificate that matches the signature. How can I do
> that, both in applications and applets? I already know how to use
> javakey and create keys, certificates, and signed archives, but I don't
> know how to verify any of these programmatically.
>
> Background:
>
> Iris is a class library for accessing Rose models that I want to sell
> for $50 in high volumes. I want to protect the software from
> unauthorized use, but I want to make that protection non-intrusive at
> the same time.
>
> At least I want to be able to create distinguishable instances of my
> software, assigned to the respective user. As far as I understand that
> can be done with javakey signatures.
>
> I also want to be able to check at runtime whether a particular class
> was loaded from the signed archive (jar or zip). Right now it seems that
> nothing prevents a user to extract files from the jar archive and
> recreate an unsigned archive of his own, hence making an unauthorized
> copy.
>
> Most of the email messages I've seen so far refer to applets and their
> security restrictions, but I am also interested in creating applications
> that are digitally signed.
>
> Can that be done with certificates? Can I use the end date of a
> certificate to create a time limited demo version of my software?
>
> I understand that this is a weak protection, since nothing prevents a
> user to proliferate his certificates along with a pirated copy of the
> software. However, at least it would provide some kind of traceability.
> Furthermore, updates for expired certificates could be sent to only the
> original user, such that anyone else having obtained the software by
> pirating would be cut off from the update.
>
> Please let me know if this works, and how I could implement such a
> scheme. I would be grateful for any examples there are, to save myself
> some time.
>
> Thanks,
>
> Thomas Werthmann-Auzinger
JDK 1.2 (in beta right now) sounds like it may fit your needs.
with 1.2 you may specify specific security policies based on WHO signed
the code.
check out http://java.sun.com/products/jdk/1.2/docs/guide/security/index.html
for more information on this new architecture.
please feel free to ask additional questions as they arise.
thanks,
charlie