Results 1 to 13 of 13
  1. #1
    Join Date
    Jan 2005
    Posts
    144

    Unanswered: Controlling Database Distribution

    Having completed 75% of my current project, an issue has come up regarding it's distribution. Ideally, I want to be able to control the distribution and limit availability and functionality of the database to only those who are preapproved to use it. In other words, I'm trying to identify a way to "license" copies of the database so that it can't simply be copied and used by those are not approved to use it. The ability to generate keys or licenses for individual machines would be perfect, but I'm not sure how to implement it into the database. Basing the key on a hard disk serial number or something similar would be great since it would greatly decrease the likelihood of someone copying the database illegally. Does anyone have any suggestions, advice, or previous experience implementing a concept like this in an Access database?
    *››DaVinci
    "Simplicity is the ultimate sophistication"

  2. #2
    Join Date
    Mar 2003
    Location
    The Bottom of The Barrel
    Posts
    6,102
    Provided Answers: 1
    This is one of my favorite issues because there are SO many ways to do it.

    For starters, do you have access to a website you can use for authentication? If not, does the authentication need to be self-contained within the application or is there some sort of intervention required, such as calling you personally for a valid key?

    How do you see the process working in general is what I'm getting at... IF you have access to a webserver, things get easier because you can automate the entire process. Personally, I've been known to use CAPICOM to generate keys against a hardware serial number, there's A LOT of ways to do it though...
    oh yeah... documentation... I have heard of that.

    *** What Do You Want In The MS Access Forum? ***

  3. #3
    Join Date
    Jan 2005
    Posts
    144
    For starters, do you have access to a website you can use for authentication? If not, does the authentication need to be self-contained within the application or is there some sort of intervention required, such as calling you personally for a valid key?
    I guess what I would most prefer is the automated web validation approach, but I'm not familiar with using a webserver to accomplish this. Ideally, I want a validation code generated from a hardware serial on the user end. On the validation end, the code should be run against a calculation to determine if the user is authentic and if so, return the necessary key to unlock the application. Now whether this is done by a webserver or manually by myself is not a big deal, so long as it works. I can probably handle the user/validation end calculations and key generation with no problem. My shortfall is in grabbing the serial number from the hardware for these subsequent calculations. Is this generally a simple process or an involving one?
    *››DaVinci
    "Simplicity is the ultimate sophistication"

  4. #4
    Join Date
    Dec 2002
    Location
    Préverenges, Switzerland
    Posts
    3,740
    caution: i believe that drive serial gets screwed each time the user formats the drive - this can be a good thing or a bad thing depending on your plans. getting the manufr serial (not screwed on format) has not worked for me so far, despite several examples on the web.

    possible directions for your google research:
    CAPICOM, as says Teddy, saving licence & hash(saved-machineID & licence) and comparing with hash(current-machineID & licence)
    WMI (maybe .SerialNumber from Win32_BIOS?? or whatever)
    other thoughts:
    ...if these are domain/login machines, maybe WSH for domain &/or login and include in the hash.
    a single record table (not recordset as i said first time round) to hold the licence and hash.

    sorry that my toys in this arena are not for sharing. the very last thing i want is a bunch of code-monkeys from here trying to crack my licencing scheme.

    izy
    Last edited by izyrider; 01-23-06 at 05:27.
    currently using SS 2008R2

  5. #5
    Join Date
    Jan 2005
    Posts
    144
    No problem about the sharing. Afterall, we are talking security here and it wouldn't be very secure to explain your licensing scheme now would it? I like the concept of "saving licence & hash(saved-machineID & licence) and comparing with hash(current-machineID & licence)" as I hadn't really thought of it. This is an idea that I'll be googling after concluding this post.

    In terms of the hard drive serial, I was under the impression that there was a hard-coded, burn-in serial on all drives. I know that the volume serial changes with each new format, but I wasn't aware that the hardware serial changed as well. Thanks for bringing that to my attention. This is the type of scheme used by current distributions of Windows XP, correct?

    Well, I'm going to explore the above mentioned concept and get creative with it. I appreciate the road map for what I need to be googling. Thanks again.
    *››DaVinci
    "Simplicity is the ultimate sophistication"

  6. #6
    Join Date
    Dec 2002
    Location
    Préverenges, Switzerland
    Posts
    3,740
    couldn't resist it!

    here is a demo of a simple (?? simplistic!) licencing scheme.
    it's in MDB so you can see what is going on, but in real life your application would be a tightly locked-down MDE.

    the scheme uses a SHA1 hash of serial and licence number as the licence check. it is simplistic because any fool can generate a licence once he works out what the code is doing. sending the serial in cleartext gives a generous hint to a potential hacker.

    as-is, this sort of scheme in a locked-down MDE should keep user-level people out forever but wont stop a decent hacker for more than a few minutes.

    improvement 1
    hash the serial before sending (hacker has to work out what got hashed)

    improvement 2
    bury a secret in the generator and in the application - include the secret in the hash.
    gotcha: the big problem is to hide your secret - it's amazing what a simple hex-editor can see in the MDE.


    requires:
    A2K or later
    CAPICOM on the machine
    WMI on the machine


    don't trust your crown jewels to this simple scheme - it just a demo for giggles!


    izy


    LATER:
    Oooops - forgot to set a startup form: start with frmStartup to run the demo
    Attached Files Attached Files
    Last edited by izyrider; 01-23-06 at 13:15.
    currently using SS 2008R2

  7. #7
    Join Date
    Apr 2006
    Posts
    20

    Problem

    Hello
    Whenever i run the sample database , frm startup , it gives me
    -2147024770 - Automation error , The specified module can not be found
    What can i do?

  8. #8
    Join Date
    Nov 2003
    Posts
    1,487
    Quote Originally Posted by ashrafmsr
    Hello
    Whenever i run the sample database , frm startup , it gives me
    -2147024770 - Automation error , The specified module can not be found
    What can i do?
    Hmmmmm....

    Be sure you get and reference the CAPICOM.DLL from Microsoft.

    .
    Environment:
    Self Taught In ALL Environments.....And It Shows!


  9. #9
    Join Date
    Dec 2002
    Location
    Préverenges, Switzerland
    Posts
    3,740
    you need both WMI and CAPICOM functioning on your machine.

    simplest way to check:
    in any MDB
    Alt+F11
    menu: Tools / References
    scroll down the list and make sure that
    CAPICOM Type Library (mine is v2.0)
    Microsoft WMI Scripting (mine is v1.1)
    appear in the list.
    checked or unchecked makes no difference ...the demo uses late binding.

    if one or the other does not appear in the list, look in MS for a download.

    izy


    PS
    think i tracked down the getting the manufr serial (not screwed on format) has not worked for me so far issue: it appears that this only works in Vista and WinXP, not in my Win2K
    Last edited by izyrider; 04-21-06 at 03:20.
    currently using SS 2008R2

  10. #10
    Join Date
    Nov 2003
    Posts
    1,487
    Personally, I've always used the good old MD5 Hash Alogorithm against acquired users install drive hardware serial (if a SMART complient drive is available) or install drive volume serial (if not Smart complient) along with other specific system, user and application data. It can't be broke but like everything else and a little time...it can be bypassed.

    .
    Environment:
    Self Taught In ALL Environments.....And It Shows!


  11. #11
    Join Date
    Apr 2006
    Posts
    20

    capicom missing

    capicom was not there , got it from microsoft , registered it through active-x in ms access , now error message is gone , frm startup runs but it does not show the activation code below

  12. #12
    Join Date
    Apr 2006
    Posts
    20

    anyone

    any ideas?

  13. #13
    Join Date
    Apr 2006
    Location
    Huddersfield, UK
    Posts
    154
    i've been dabbling with ways to use access to do something like this..

    just a thought, it may not be on the ball, but i know you can get freeware for install creation, which have product licensing & serial requests before it will install the software, however, i don't know how you would get around people copying it from program files and pasting it elsewhere.

    You could maybe create a login system, that only registered users can log into. They can on say frmlogin either click Register or use thier login details.

    If they click register, they could be directed to a seperate login screen that instead of asking for username & password it asks for a serial. It checks them against some in a table, and if correct forwards to a screen where they can add themselves into the user lists that powers the log on screen at the start. If it is failed the script can redirect to the login/shut the db down??

    Just a thought anyway...

    Dan

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •