copy protection with javakey

Platibus (platibus@platibus.com)
Wed, 07 Jan 1998 15:38:03 -0500

To: java-security@web1.javasoft.com

Hello,

I have a jar file Iris.jar (or Iris.zip, depending on java/jre),
containing a class IrisManager. I want to sign this archive and let
IrisManager only execute if it was loaded from the jar/zip file and if
there exists a certificate that matches the signature. How can I do
that, both in applications and applets? I already know how to use
javakey and create keys, certificates, and signed archives, but I don't
know how to verify any of these programmatically.

Background:

Iris is a class library for accessing Rose models that I want to sell
for $50 in high volumes. I want to protect the software from
unauthorized use, but I want to make that protection non-intrusive at
the same time.

At least I want to be able to create distinguishable instances of my
software, assigned to the respective user. As far as I understand that
can be done with javakey signatures.

I also want to be able to check at runtime whether a particular class
was loaded from the signed archive (jar or zip). Right now it seems that
nothing prevents a user from extracting files from the jar archive and
recreating an unsigned archive of his own, hence making an unauthorized
copy.

Most of the email messages I've seen so far refer to applets and their
security restrictions, but I am also interested in creating applications
that are digitally signed.

Can that be done with certificates? Can I use the end date of a
certificate to create a time-limited demo version of my software?

I understand that this is a weak protection, since nothing prevents a
user from proliferating his certificates along with a pirated copy of the
software. However, at least it would provide some kind of traceability.
Furthermore, updates for expired certificates could be sent to only the
original user, such that anyone else having obtained the software by
pirating would be cut off from the update.

Please let me know if this works, and how I could implement such a
scheme. I would be grateful for any examples there are, to save myself
some time.

Thanks,

Thomas Werthmann-Auzinger

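An added example, not part of the original message or of the Iris library: one way to make the runtime check asked about above, using the `java.security.CodeSource` API on a current JDK (Java 17+ for `HexFormat`). The class name `SignedOriginCheck` and the fingerprint placeholder are hypothetical; in the scenario described, the check would live inside `IrisManager` and the pinned fingerprint would be the one issued to the individual licensee.

```java
import java.security.CodeSource;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.HexFormat;

public final class SignedOriginCheck {
    // Placeholder (assumption): SHA-256 fingerprint, in hex, of the licensee's signing certificate.
    static final String EXPECTED_SHA256 = "<licensee-certificate-sha256-hex>";

    /** Returns null if the class passes every check, otherwise the reason it was rejected. */
    static String rejectReason(Class<?> cls, String expectedSha256) throws Exception {
        CodeSource src = cls.getProtectionDomain().getCodeSource();
        if (src == null || src.getLocation() == null) return "no code source";
        String loc = src.getLocation().getPath().toLowerCase();
        if (!loc.endsWith(".jar") && !loc.endsWith(".zip")) return "not loaded from an archive: " + loc;
        // The class loader checks the entry's digest and signature while loading it;
        // certificates are attached to the CodeSource only for a correctly signed entry.
        Certificate[] certs = src.getCertificates();
        if (certs == null || certs.length == 0) return "archive entry is unsigned";
        for (Certificate c : certs) {
            // getCertificates() returns the signer chains, so CA certificates are in the array too.
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
            if (!HexFormat.of().formatHex(digest).equalsIgnoreCase(expectedSha256)) continue;
            if (c instanceof X509Certificate) {
                try {
                    ((X509Certificate) c).checkValidity(); // compares against the local system clock
                } catch (CertificateExpiredException | CertificateNotYetValidException e) {
                    return "certificate outside its validity period";
                }
            }
            return null; // signed by the pinned certificate, and within its validity period
        }
        return "signed, but not by the expected certificate";
    }

    public static void main(String[] args) throws Exception {
        String reason = rejectReason(SignedOriginCheck.class, EXPECTED_SHA256);
        System.out.println(reason == null ? "OK" : "Refusing to run: " + reason);
    }
}
```

Run from a class directory or an unsigned archive, `main` prints the refusal reason; it prints `OK` only when the class was loaded from an archive signed with the pinned certificate.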