Open Collections

UBC Theses and Dissertations

Evaluation of activation based software license enforcement Afonin, Oleg 2002

EVALUATION OF ACTIVATION BASED SOFTWARE LICENSE ENFORCEMENT

by

Oleg Afonin
B.Sc. Krasnoyarsk State University, 1998
M.Sc. Krasnoyarsk State University, 2000

A THESIS SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF MASTER OF SCIENCE
in
THE FACULTY OF GRADUATE STUDIES
DEPARTMENT OF COMPUTER SCIENCE

We accept this thesis as conforming to the required standard

THE UNIVERSITY OF BRITISH COLUMBIA
September 2002
© Oleg Afonin, 2002

In presenting this thesis in partial fulfilment of the requirements for an advanced degree at the University of British Columbia, I agree that the Library shall make it freely available for reference and study. I further agree that permission for extensive copying of this thesis for scholarly purposes may be granted by the head of my department or by his or her representatives. It is understood that copying or publication of this thesis for financial gain shall not be allowed without my written permission.

The University of British Columbia
Vancouver, Canada

Abstract

Software piracy, software licensing and license control are all important issues to software developers. Small software developers did not have access to a system for controlling the number of installations of licensed software products. A company could obtain a single license and use it across the network, or there could be a breach of security allowing multiple users to use fully licensed software on many different computers.

Tying software installation to hardware is the most common way to prevent or restrict those illegal activities. Hardware tying, however, has a drawback for software publishers: a user has to pass a Hardware ID to the software manufacturer at the time of ordering, which might affect his willingness to purchase that product at all.
With the development of the Internet it became important to control software licensing and distribution online to protect revenues from losses incurred by both intended and casual software piracy. An online license management system helps reduce both forms of piracy by ensuring that each copy of the software product being installed is legal and has been installed on a PC in compliance with its license terms. Installations beyond those allowed in the license agreement will fail to activate, thus preventing both casual and intended piracy.

The main question of this research is whether or not online software license activation is an effective way of reducing software piracy. It was interesting to figure out if its direct or indirect benefits prevail over its disadvantages.

This research presents an in-depth evaluation of ActivateSoft.NET, a software activation system. It describes software activation policies as sets of parameters that allow precise control over how software end-user license agreements are enforced.

Finally, an experiment is designed and run, and raw data is collected on the usage of real-world software. Collected data is analyzed to find out how online license management can affect software usage patterns, providing a hint to answering the key question: whether or not the use of software activation reduces software piracy.

Table of Contents

Abstract
Table of Contents
List of Tables
List of Figures
1. Introduction
2. Background
3. ActivateSoft.NET
   3.1. Activation System - The Software
        3.1.1. Basics of Activation
        3.1.2. Cryptography Software
        3.1.3. Database
        3.1.4. Online Interfaces and Developer's Control Panel
        3.1.5. C++ SDK
        3.1.6. Developers of ActivateSoft.NET
   3.2. Activation Policies
4. Problems and Questions
   4.1. Key Question
   4.2. Intermediate Questions
   4.3. Assumptions
   4.4. Data Collected by the Activation System
   4.5. Limitations of Study
5. Evaluation
   5.1. Experiment Setup
        5.1.1. User's Technical Support Inquiries
   5.2. Products Used for Evaluation
        5.2.1. Products
        5.2.2. Upgrade Users
        5.2.3. Newly Purchased Users
   5.3. Data Collected During the Experiment
        5.3.1. Number of activations per license
        5.3.2. Users' Technical Support Inquiries
   5.4. Summary of Evaluation
6. Related Work
7. Conclusion
Bibliography
Appendix 1. Microsoft Windows Product Activation FAQ
Appendix 2. Our Cryptography Implementation and Its Security Analysis

List of Tables

Table 1: Activation Policies
Table 2 - Upgrade users' activation figures
Table 3 - New users' activation figures
Table 4 - Number of activations per license: Successful New Activations
Table 5 - Product A: activations per license, percentage
Table 6 - Product C: activations per license, percentage
Table 7 - Monthly Successful Activations
Table 8 - Monthly Product Activations, Percentage
Table 9: Number of activations per license: Failed - License Is Blocked Permanently

List of Figures

Figure 1 - A Concept of Product Activation
Figure 2 - Activation Process
Figure 3 - Generation of Product Key and Activation Code
Figure 4 - Verification of Product Keys and Activation Codes
Figure 5 - Developers Control Panel
Figure 6 - Activation API

1. Introduction

Software piracy, software licensing and license control are all important issues to software developers. People who use illegal software not only hurt themselves, they also contribute to a problem that cumulatively can hurt job creation locally and regionally in the software industry and related businesses. Software piracy also has a significant impact on the high-tech industry, resulting in lost jobs, decreased innovation and higher costs to consumers.

At the time of this research there was no system commercially available to independent software developers that would control the number of installations of licensed software products.
A company could obtain a single license and use it across the network. Users would break the terms of their license agreement by using software on multiple computers without purchasing additional licenses.

There are certain ways to prevent or restrict those illegal activities. One way is tying software installation to hardware. Hardware tying, however, has a huge drawback for software publishers: a user has to pass a Hardware ID to the software manufacturer at the time of ordering, which might affect his willingness to purchase that product at all, playing a role in the decision between this product and a competitor's. Additionally, the user will have to manually obtain a Hardware ID and pass it to the ordering system, which is usually implemented as an SSL-encrypted Web order form.

Product Activation is an anti-piracy method to verify a software license and limit the spread of software piracy. Product Activation ensures that users install each software license on only as many computers as the software license agreement permits. Every time a product is installed on a new PC, or if there is a change in the hardware of the PC on which it was installed, the user has to activate his copy of the software product by obtaining an Activation Code from the activation server. If a product is not activated within 14 days, it will cease working, and only the activation functionality will be available.

More companies are developing software activation systems. Searching for "software activation" on Google.com did not provide any meaningful links in May 2002; in September 2002 the same search returned around 20 companies requiring their users to activate a copy of a product they've just purchased.

The key question of this thesis is whether or not license enforcement with online software activation reduces software piracy by enforcing the number of PCs on which a software license can be installed.
In order to answer this question I am going to try to evaluate how many users violate the software license agreement by installing their software licenses on multiple PCs. I met several issues doing this research. My sample is fairly small due to time and resource constraints, and it is hard to explain several patterns in the users' behaviour.

To answer the key question, I developed a software activation system, ActivateSoft.NET. The system was used to log customers' purchasing activity and control the number of installations. I summarized and analyzed these logs, answered intermediate questions, and suggest the answer to the key question.

2. Background

This chapter presents the background of software activation, including the concept and an overview of Microsoft Product Activation.

[Figure 1 - A Concept of Product Activation. Labels: Installed Product: first run (or up to 14 day grace period); License Management Server; Product: subsequent executions.]

Microsoft was not the first company that implemented activation-based license enforcement. It was, however, the first company that did it for well-known products, Office XP and Windows XP. They have performed user studies and created an extensive list of answers to the most frequent questions their users had about product activation. Their studies helped me a lot to develop the activation system.

Microsoft defines Product Activation as an "anti-piracy technology designed to verify that the product has been legitimately licensed".

Microsoft Product Activation works by validating that the software product key, required as part of product installation, has not been used on more PCs than is allowed by the software license. Product key information is sent along with a "hardware hash" (a non-unique number generated from the PC's hardware configuration) to Microsoft's activation system during activation.
Activation is completed either directly via the Internet or by a telephone call to a customer service representative. Microsoft allows an unlimited number of activations on a single PC with the same product key. Product Activation discourages piracy by limiting the number of times a product key can be activated on different PCs.

Microsoft Product Activation is designed to be "transparent" and unobtrusive for customers who legitimately acquire a software license. Customers are able to delay activation for several uses of the product or a certain period of time, until a time that is convenient for them. For those who obtain a copy of the software illegally, Product Activation makes their inappropriate use of the product more difficult.

Microsoft fights piracy aggressively, increasingly strengthening license enforcement [15]. In the early days of WPA, which stands for Windows Product Activation, Microsoft did not send Windows product keys to their activation servers during the activation (this was done to reduce possible privacy concerns). However, in Windows XP Service Pack 1 they changed their mind and now include a complete product key in the Installation ID that is necessary to activate a copy of Windows XP. Our system was finished in April 2002, almost half a year before SP1 arrived, yet we implemented the same approach, and use a Product Key as a part of our Installation ID.

RealNetworks (www.real.com) is another big company that requires activation of its product, RealOne Player. Both free and paid versions of the latest RealOne Player must be activated over the Internet after 3 uses, otherwise it will stop working except for showing the activation dialog.

Besides Microsoft and Real there are many small companies that require their users to activate software licenses.
Examples include: Bourse Data (www.boursedata.com.au), Kidasa Software (www.kidasa.com), Ericom Software (www.ericom.com), DataCube (www.datacube.com), Trading Solutions (www.tradingsolutions.net), MindSoft (www.mindsoftweb.com), and many others that can be found by performing a simple search on Google.com for "activate product".

3. ActivateSoft.NET

This chapter describes the theory of software activation, and explains activation technology. It presents the activation system software developed to collect data and perform the study.

3.1. Activation System - The Software

3.1.1. Basics of Activation

I propose a solution similar to Microsoft Product Activation in its concept: a software activation system. A system like that was implemented by Microsoft in its Office XP and Windows XP. Our system is similar to Microsoft Windows Product Activation (WPA) in that it uses the same Product Key format, and has a license management center implemented as an online server.

Our implementation differs from the Microsoft one in that we designed ours to support multiple developers and multiple products. Currently Microsoft WPA supports Microsoft products only, as they never opened their system to third parties; they do the opposite by keeping most technical details a secret. We allow developers to control the strength of enforcement for each of their products. Our system is less technically advanced and less secure than Microsoft WPA, but it is open to other software developers, expandable and customizable.

Software activation happens in two steps. First, a user purchases and installs a product. A valid Product Key is required for the installation. To use the product after the installation the user will have to activate it by obtaining an Activation Code from the server. An Activation Code is a cryptographically strong digital signature of a combination of a Product Key and Hardware ID.
The activation process is implemented by acquiring a digital certificate from a centralized license manager (a server connected to the Internet).

[Figure 2 - Activation Process. Diagram of the exchange between the User PC and the License Management Server. The user enters a product key and is prompted to activate (up to 14 days of grace period), choosing between automatic activation over the Internet and manual activation through a browser. In the manual path the user submits the hardware ID ("FCV62") and product key (36JJW-XYAZ7-L4UP7-ABUJG-TQBAR); the license server looks up the product key, verifies the number of installations allowed by the EULA, increases the activation counter, stores the hardware ID, and returns an activation key (24M4X-NX3SQ-CL3WC-AVL7C-6AKA), which the user enters into the activation wizard. In the automatic path the activation key is applied automatically. When activation succeeds, an off-line certificate is created automatically and the activation wizard no longer shows up.]

Product activation will help reduce casual copying by ensuring that the copy of the software product being installed is legal and has been installed on a PC in compliance with the license terms. Installations beyond those allowed in the license agreement will fail to activate. Use of the activation system provides developers with invaluable statistics on their customers' software usage patterns. Each transaction is recorded and stored in the database, available for later research.

The system consists of the following parts:
1. Cryptography software (Product Key and Activation Code generation and verification)
2. SQL database (stores issued Product Keys, Activation Codes, and user activity logs)
3. Online interfaces for registering and activating software products, and the Developer's Control Panel
4. C++ SDK included in ActivateSoft.NET-enabled products.

3.1.2. Cryptography Software

It is very important to have strong Product Keys and Activation Codes that cannot be broken.
One of the worst problems experienced by software developers is the possible appearance of so-called 'key generators', or 'keygens'. Key generators are created by hackers or hacker teams, and produce fake software licenses that are positively validated by the products they target.

For weak key generation schemes the hackers use reverse engineering in order to figure out the algorithm for validating a software license. After that they reverse the algorithm, and obtain the ability to produce fake license keys.

In order to counter this type of attack, we used strong open key cryptography for license key generation. We implemented strong open key crypto software based on the HFE algorithm that uses a private key to generate license keys, and a public key to verify them. This is the opposite of the classical open crypto, with private keys used for decryption and verification, and public keys for encryption and signing. Our approach guarantees [Appendix 2] that it is impossible to reverse the license key verification algorithm to make a key generator, or produce a valid license code without knowing a private key.

Our Product Keys are generated as cryptographic signatures of a customer's name (all characters are converted to capitals, spaces and punctuation removed). Such a signature is a one-way function of a string, also known as a 'hash function'. A private key is required to generate a signature, and a public key is required to verify it. We only generate Product Keys on the ActivateSoft.NET server. A Product Key can be verified from the product executable file by using a non-secret public key.

Activation Codes are generated in a similar fashion, except that they sign a string formed as a concatenation of a Product Key and Hardware ID.
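The signing flow this section describes, as an added example that is not the thesis's code or the ActivateSoft.NET SDK: the server signs the normalized customer name to make a Product Key and signs Product Key plus Hardware ID to make an Activation Code, and the client checks both with only the public key. Unpadded hash-then-RSA from the Python standard library stands in for the HFE scheme (so the codes come out far longer than 25 characters); the alphabet, the `|` delimiter and all function names are assumptions of the example.

```python
import hashlib
import math
import random

# Constructed 32-symbol alphabet (5 bits per character); the thesis does not list its own.
ALPHABET = "23456789ABCDEFGHJKLMNPQRSTUVWXYZ"
# Assumption: a delimiter keeps variable-length fields apart. The thesis uses plain
# concatenation, which is unambiguous there because its keys have a fixed length.
SEP = "|"


def normalize_name(name):
    """Thesis rule: convert to capitals, remove spaces and punctuation."""
    return "".join(ch for ch in name.upper() if ch.isalnum())


def _is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin test, used only to build a demo key pair."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate, rng):
            return candidate


def generate_keypair(bits=512, seed=None):
    """Return ((n, e), (n, d)). 512 bits and a seed are demo settings only."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest(message):
    return int.from_bytes(hashlib.sha256(message.encode("utf-8")).digest(), "big")


def _encode(value):
    chars = ""
    while value:
        value, rem = divmod(value, 32)
        chars = ALPHABET[rem] + chars
    chars = chars or ALPHABET[0]
    return "-".join(chars[i:i + 5] for i in range(0, len(chars), 5))


def _decode(code):
    value = 0
    for ch in code.replace("-", "").upper():
        value = value * 32 + ALPHABET.index(ch)  # ValueError on a foreign character
    return value


def sign(private_key, message):
    n, d = private_key
    return _encode(pow(_digest(message), d, n))


def verify(public_key, message, code):
    n, e = public_key
    try:
        signature = _decode(code)
    except ValueError:
        return False
    return signature < n and pow(signature, e, n) == _digest(message)


# Server side: the only place the private key exists.
def issue_product_key(private_key, customer_name):
    return sign(private_key, normalize_name(customer_name))


def issue_activation_code(private_key, product_key, hardware_id):
    return sign(private_key, product_key + SEP + hardware_id)


# Client side: the executable carries only the public key.
def is_registered(public_key, customer_name, product_key):
    return verify(public_key, normalize_name(customer_name), product_key)


def is_activated(public_key, product_key, hardware_id, activation_code):
    return verify(public_key, product_key + SEP + hardware_id, activation_code)


if __name__ == "__main__":
    public, private = generate_keypair(seed=2002)
    key = issue_product_key(private, "John Smith")
    code = issue_activation_code(private, key, "FCV8U")  # hardware IDs as in the figures
    print(is_registered(public, "JOHN SMITH", key),
          is_activated(public, key, "FCV8U", code),
          is_activated(public, key, "FCV62", code))
```

A production system would take its signatures from a vetted library (a padded scheme with a full-size key) rather than this stand-in.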
[Figure 3 - Generation of Product Key and Activation Code. Generating a Product Key: Customer Name (JOHNSMITH) and the Private Key produce the Product Key 4SCQH-Q6W9X-QAB4M-YB3DY-Z682C. Generating an Activation Code: Product Key (4SCQH-Q6W9X-QAB4M-YB3DY-Z682C), Hardware ID (FCV8U) and the Private Key produce the Activation Code HJ5QK-PPVCX-2A44M-FM5DU-5F2VE.]

In order to verify a Product Key it is necessary to have the customer's name, its matching signature (the Product Key itself), and a public key that is stored in every copy of a product's executable. In order to verify an Activation Code, a Product Key, Hardware ID, and the same public key are necessary. An Activation Code will not be positively validated if the Hardware ID is not the same one that was used to generate it, which means that either the product was transferred to another PC, or the PC hardware was modified. In this case the product will require re-activation; our server will issue a limited number of Activation Codes per license, depending on a developer-selected policy.

[Figure 4 - Verification of Product Keys and Activation Codes. Validating a Product Key: Customer Name (JOHNSMITH), Product Key (4SCQH-Q6W9X-QAB4M-YB3DY-Z682C) and the Public Key give YES or NO. Validating an Activation Code: Product Key (4SCQH-Q6W9X-QAB4M-YB3DY-Z682C), Activation Code (HJ5QK-PPVCX-2A44M-FM5DU-5F2VE), Hardware ID (FCV8U) and the Public Key give YES or NO.]

3.1.3. Database

We made a decision to use Microsoft OS as the underlying platform for our system. Thus our natural choice of database was Microsoft SQL Server 2000.

The first version of our system, developed in January - February 2002, did not include strong enough security measures; in particular, we allowed registered software developers to download their private keys; the idea was to allow developers to create licenses for their own software products locally on their own PCs. That turned out to be a security flaw that was once exploited.
We made some other bad design decisions, such as using files to store private keys instead of encrypted memory streams. As a result, our system was hacked, and our registered developer's product key was stolen by a malicious person. A key generator appeared for that product shortly.

The system used for this research was finished in April 2002. The bugs found in the first implementation were fixed, and the system design was changed to a multi-layer security model: we use registered COM objects as the only way to access a SQL database that physically resides on a server different from the one that has access to the Internet.

The database stores product keys, activation codes, and all developers' information; it contains encrypted private and public keys that are used for license generation; it also contains layers of code that enforce activation policies.

3.1.4. Online Interfaces and Developer's Control Panel

It was important to provide customers with a handy tool for activating their products. It was also considered a priority to have instant display and delivery of a Product Key at the time of ordering. Most other services provide a Product Key by e-mail; sometimes it takes a few days to get one after paying for a product. We added convenience by instantly displaying a Product Key on the Order page immediately after the customer placed an order and his credit card has been authorized. We can afford to do this because a key can be blocked online easily if the order turns out to be fraudulent.

Our system uses SSL-encrypted connections with password authentication to produce Product Keys (passwords are unique for each entity authorized to issue Product Keys for a product, such as resellers and OEM distributors; in case one password is compromised, it will not affect other developers, products, or other issuing authorities).

Activation codes are delivered through a plain, non-encrypted HTTP connection that does not involve any authentication.
This design decision was made because we do not consider any part of the information necessary for activation to be private or security sensitive. Only a Product Key along with a Hardware ID is required to obtain an Activation Code; the Product Key cannot be used to register software without the customer's name in exact spelling. The customer's name or other personal information are never transmitted except at the time of ordering (the order page is SSL protected).

[Figure 5 - Developers Control Panel. Screenshot of the ActivateSoft.NET Control Panel in Microsoft Internet Explorer, showing menus for product keys, batches, activation codes and products, a form for adding a product key, product key management (search, block, unblock), per-product statistics, and a list of recently added product keys.]

The Developers Control Panel allows registered software developers to add and modify products, create Product Keys and Activation Codes, manage licenses (block, unblock, change the number of licenses and expiration dates, etc.), re-send Product Keys and Activation Codes to customers via e-mail, see statistics, and perform additional service functions.

3.1.5. C++ SDK

Modification of a product's source code is required in order to enable the use of activations. In order to simplify and automate the process I have developed an SDK. The ActivateSoft.NET SDK is a set of C++ classes that should be added to a software project. The SDK allows recognizing our Product Keys and Activation Codes, and activation over the Internet or, without an Internet connection, by entering an Activation Code manually.

The SDK contains a verification module, our implementation of the open crypto algorithm described in section 3.1.2. It is necessary that a public key is built into a product; that public key must match the corresponding private key for that product. Private keys are stored on the ActivateSoft.NET server and used for Product Key and Activation Code generation.

The current version of the SDK only supports MS Visual C++. We are developing versions of the SDK for Borland Delphi and MS Visual Basic now. We also plan to develop a 'wrapper' style SDK that will require no modifications to source code, and will protect any executable file in conjunction with a compatible third-party software protection tool such as ASProtect (www.aspack.com) or EXECryptor (www.softcomplete.com).
The SDK contains four layers of APIs. A developer can use any number of the low levels of this API, and not use the higher levels, if he prefers. Even the lowest layer contains all functions necessary to verify licenses and connect to the activation server. Higher levels add convenience, and include a default implementation of a GUI.

The first layer contains plain C functions that validate Product Keys and Activation Codes, load and store Product Keys and Activation Keys, store the date of product installation, and connect to the activation server. All information is stored in the Windows Registry under the HKEY_CURRENT_USER key, which is the only key that is write-enabled for non-administrative users. If there are multiple users on the same PC, all of them will have to go through the activation process. The activation system will provide Activation Codes to all of them as these requests are coming from the same PC.

The product installation date is used to check whether a non-activated copy can be used the day it is started, or if it must be activated in order to continue functioning. This date is encrypted with a hardware-dependent password to prevent tampering.

The second and all subsequent layers are implemented as C++ classes. The second level API calls the previous layer's functions. It contains simple C++ calls used to check if the product is registered and/or activated, and a function that connects to the activation server, transmits license information and performs activation.

The third layer contains graphical user interface functionality: an activation reminder dialog, a dialog for entering a Product Key, and an Activation Wizard (a set of dialogs guiding the user through the activation process). This layer uses the Microsoft Foundation Classes (MFC) library for GUI elements programming.
The fourth level has a single function, DoAllWork(), that handles everything from checking whether the product is activated or not to calling the Activation Wizard.

[Figure 6 - Activation API. Layered diagram.
Layer IV API: DoAllWork().
Layer III API: EnterProductKeyDlg(), ActivationWizard().
Layer II API: GetActivationDays(), GetInstallDate(), GetCurrentDate(), ActivateProduct(), GetProductKey(), GetHardwareID(), VerifyActivation(), SetActivationCode(), ConnectServer(), IsActivated() [VerifyActivation(GetProductKey(), GetActivationCode())], IsRegistered() [VerifyProductKey(GetUserName(), GetProductKey())].
Layer I API: GetInstallDate(), ConnectServer(), Get/SetUserName(), Get/SetProductKey(), Get/SetActivationCode(), VerifyActivationCode(), GetHardwareID().
Underlying sources: Windows Registry (HKEY_CURRENT_USER\Company\Product\: Product Key, User Name, Activation Code, Install Date); Product Executable (Productname.EXE: Crypto Public Key); PC Hardware (HDDO + MAC ID: Hardware ID).]

3.1.6. Developers of ActivateSoft.NET

The software activation system was developed by three parties: Pingram Marketing, a Vancouver based company; Indegro, an Irkutsk (Russia) based company; SoftComplete, a Ukrainian company.

Pingram Marketing (Oleg Afonin, Mikhail Dyachkov) provided the concept, funding, and requirements specifications.

Indegro (Anton Baranchuk, Mike Granin and Tim Loginov) developed the SQL database, ASP scripts and Web access to all the data, including the Developer's Control Panel. All Web and server side programming is done by that company.

SoftComplete (Andrey Belokon) has developed a strong open-crypto algorithm for secure 25-character Product Key and Activation Code generation, and implemented cryptography software for the system.
I created high-level specifications, developed the C++ SDK for developers, designed the Developer's Control Panel that was then implemented in the system, participated in system deployment and testing, created usability specifications, and performed usability tests. It was my idea to create the service, ventured by Pingram Marketing.

3.2. Activation Policies

This section presents activation policies, preset types of system behaviour in relation to whether or not a user is allowed to activate. The section contains all technical details on how the system works during the experiment.

The system was designed to give all developers full control over activation policies. Initially we allowed each of the following selections for every software product supported by the activation system:

1. Monitor only mode. In this mode the system does not block any activation requests. It simply logs the requests to collect usage statistics.
2. Massive fraud prevention only. This mode only refuses to produce an activation code after a certain number of activation attempts are made from different computers. The product developer sets the number. A product key that was attempted to activate multiple times is marked as used illegitimately.
3. License terms enforcement - fair use. The system allows two activations per license purchased. Examples of 'fair use' are business and home PCs, a desktop and a laptop, and so on.
4. Strict license terms enforcement. This policy is targeted at expensive products. The number of permitted activations matches the number of licenses; re-activations on the same PC are allowed.

If a user attempts to activate more licenses than were purchased, the system puts a temporary block on that license key. If a lot of activity happens, such as multiple activation requests from different PCs, or an overwhelming number of re-activation requests from the same PC, the system puts a "permanent block" on that license key.
The system controls the activation policies of every product with a set of variables.

The "Activation Period" parameter controls the number of days after which the system clears temporary activation blocks from a license key, resets the list of PCs on which a license was activated, and resets all activation and re-activation counters. Permanently blocked licenses remain blocked.

The "New Activations" parameter controls the number of activations per license allowed during the activation period. If the system detects an attempt to activate the license, and the number of activations exceeds the number of "New Activations", the system will not produce an Activation Code.

The "Re-Activations" parameter controls the number of activations allowed that originate from the same PC. It works similarly to the "New Activations" parameter, except that it counts activation requests from PCs that activated a license in the past. The only reason to use this parameter was to prevent server flooding by malicious users, thus avoiding extra CPU load and reducing the number of writes to the database.

The "Fraudulent Use Threshold" parameter controls the number of failures, such as failed activation requests, after which the system permanently blocks a license for fraud. This condition occurs if a user tries to re-activate the same product multiple times with a short delay (one day or less), or the system registers a large number of activation requests from different PCs.

The "Monitoring only" policy is implemented easily by setting the "activation period" to 0 days, in which case the activation counter will reset immediately after the activation. We implemented the "Strict license term enforcement" policy by setting the "activation period" to 365 days and "new activations" to match the number of purchased licenses. Setting "activation period" to 30 and "new activations" to 2 per every purchased license gives the "License term enforcement - fair use" policy.
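One way to implement the four policy parameters described above, as an added example rather than the ActivateSoft.NET server code. The preset numbers are the Monitor only and Fair Use rows of Table 1; the class, method and outcome names, the day-number clock, resetting the failure counter together with the period, and modelling the temporary block as a flag cleared at reset are assumptions.

```python
import math
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class Policy:
    new_activations: float   # distinct PCs allowed per purchased license, per period
    re_activations: float    # repeat requests allowed from already-known PCs, per period
    period_days: int         # "Activation Period": counters reset after this many days
    fraud_threshold: float   # failed requests that trigger a permanent block


# Values from Table 1 of the thesis.
MONITOR_ONLY = Policy(math.inf, math.inf, 0, math.inf)
FAIR_USE = Policy(2, 10, 30, 10)
# The experiment ran Fair Use with 3 activations instead of 2.
EVALUATED = replace(FAIR_USE, new_activations=3)


@dataclass
class LicenseState:
    licenses: int = 1
    window_start: int = 0
    pcs: set = field(default_factory=set)
    re_activations: int = 0
    failures: int = 0
    temp_blocked: bool = False
    perm_blocked: bool = False


class ActivationServer:
    """Hypothetical policy engine; every request is logged, as in the thesis."""

    def __init__(self, policy):
        self.policy = policy
        self.state = {}
        self.log = []   # (day, product_key, hardware_id, outcome)

    def issue(self, product_key, licenses=1, day=0):
        self.state[product_key] = LicenseState(licenses=licenses, window_start=day)

    def request(self, product_key, hardware_id, day):
        lic = self.state.get(product_key)
        outcome = "UNKNOWN_KEY" if lic is None else self._decide(lic, hardware_id, day)
        self.log.append((day, product_key, hardware_id, outcome))
        return outcome

    def _decide(self, lic, hardware_id, day):
        p = self.policy
        if lic.perm_blocked:                      # permanent blocks never expire
            return "DENIED_PERMANENT"
        if day - lic.window_start >= p.period_days:
            # Period elapsed: clear the PC list, counters and the temporary block.
            # With period_days == 0 this happens on every request (monitor only).
            lic.window_start = day
            lic.pcs.clear()
            lic.re_activations = lic.failures = 0   # assumption: failures reset too
            lic.temp_blocked = False
        if hardware_id in lic.pcs:                # same PC as before
            if lic.re_activations < p.re_activations:
                lic.re_activations += 1
                return "REACTIVATED"
        elif len(lic.pcs) < p.new_activations * lic.licenses:
            lic.pcs.add(hardware_id)
            return "ACTIVATED"
        lic.failures += 1                         # request refused
        if lic.failures >= p.fraud_threshold:
            lic.perm_blocked = True
            return "DENIED_PERMANENT"
        lic.temp_blocked = True
        return "DENIED_TEMPORARY"

    def pcs_per_license(self):
        """Distinct PCs successfully activated per key, computed from the log."""
        seen = {}
        for _day, key, hardware_id, outcome in self.log:
            if outcome == "ACTIVATED":
                seen.setdefault(key, set()).add(hardware_id)
        return {key: len(ids) for key, ids in seen.items()}


def replay(policy, events, product_key="KEY-1"):
    """Run constructed (day, hardware_id) events against one single-license key."""
    server = ActivationServer(policy)
    server.issue(product_key)
    return [server.request(product_key, hw, day) for day, hw in events], server


# Constructed sample: two PCs, a re-activation, a third PC, then a retry after 30 days.
SAMPLE = [(0, "PC-A"), (1, "PC-B"), (2, "PC-A"), (3, "PC-C"), (31, "PC-C")]

if __name__ == "__main__":
    for name, policy in (("fair use", FAIR_USE), ("evaluated", EVALUATED),
                         ("monitor only", MONITOR_ONLY)):
        print(name, replay(policy, SAMPLE)[0])
```

Replaying the same events under several policies shows how a developer could compare denial rates before tightening enforcement.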
The table demonstrates how different policies work.

Policy                     # Activations   # Reactivations   Period, days   # Threshold
Monitor only               unlimited       unlimited         0 days         unlimited
Massive Fraud Prevention   10              50                30 days        50
Fair Use                   2               10                30 days        10
Evaluated Policy           [illegible]     [illegible]       30 days        10
Strict Enforcement         1               5                 30 days        5

Table 1: Activation Policies

I collected data for this research with the "Fair Use" policy, except that I allowed 3 activations per month instead of the default number of 2. I did it for research purposes, in order to count the number of single-license users activating more than two licenses. "Fair use" was selected as a first estimation of the most convenient license enforcement policy, based on a typical office software license that allows using the product on a home PC and at work, or on a desktop and a laptop.

4. Problems and Questions

This section describes problems and questions targeted in the thesis. The section lists assumptions made for conducting this research. It presents the main question of the research, and describes why this question is important to a group of software companies.

There are many different license control and license enforcement schemes. The one evaluated in this research is based on the online software activation technique. Our interest is whether this particular scheme gives any value to software development companies.

4.1. Key Question

The key question of this thesis is whether or not license enforcement with online software activation reduces software piracy by enforcing the number of PCs on which a software license can be installed.

I am going to try to shed light on this question by evaluating a license enforcement system and collecting data about how people use it.
The question is important because there are many small software companies that will benefit from this research, which allows them to make better decisions when selecting the software activation parameters for their products, thus, on one hand, maximizing the degree of software license protection, and, on the other hand, reducing the number of complaints and technical support inquiries from their customers, and increasing customer satisfaction.

4.2. Intermediate Questions

In order to answer the main question and make a final conclusion on whether or not the system can be profitable to small software developers, a better understanding of user behaviour must be achieved. To better understand the problem, I set three intermediate goals:

1. Determine on how many different machines users attempt to activate the software. It is important to figure out whether the common practice is installing a single license on a single machine, or regularly installing on more machines than the number of license installations.

Question #1 gives a better understanding of the habits of legitimate customers who can in theory purchase additional licenses when they are denied activation.

2. Determine how the system affects legitimate users. It is important to figure out if the customers trying to activate more licenses than they have purchased will purchase additional licenses or not, and if a significant number of customers will be annoyed by the fact they have to activate to a degree that they refuse to use the product in favour of a similar product that lacks activation.

Question #2 provides a better understanding of possible disadvantages of activation license enforcement, measured as the number of annoyed customers who will not use the product or purchase additional licenses solely because of the license enforcement.

3. Determine the number of users illegally passing their product keys to other users.
This number includes pirates who publish license codes on the Internet on a variety of crackers' Web sites. By comparing information collected answering questions #1 and #3 I will try to estimate the ratio of legitimate and illegitimate installations of a software product.

Question #3 allows us to see those users who are not legitimate customers; I assume this category of users not only will never pay any money for a license (their purchases often turn into charge backs), but also distribute their licenses over the Internet, making a software development company lose potential customers and increasing expenses on Web site traffic.

4.3. Assumptions

To answer the questions I make several assumptions.

First, I assume that new and upgrade users are distinguished (we sent them a license for a product with a different name, such as "Product A Upgrade"). "Upgrade users" are those who purchased and used one of the previous versions of a product, with no software activation, and upgraded or did not upgrade to the new version with software activation. In order to have a bigger sample we offered them a free upgrade by emailing messages containing their new Product Key, and instructions on how to upgrade.

My second assumption is that neither upgrade nor new users know a priori about license enforcement in the new version of the product they are offered to upgrade to. As our test company is small, "word of mouth" is negligible in this case. This may be important so as not to affect their decision to upgrade to a new version. If they knew about the activation before upgrading, it might've affected their decision on whether they want to upgrade because they do not like products tying themselves to hardware, no matter how simple the process may be. This way I tried to reduce at least one factor preventing existing customers from upgrading, and increase sample size.

4.4. Data Collected by the Activation System

This section explains what data our system has access to.
ActivateSoft.NET monitors and stores all user activity. This data can be processed later. We were collecting the following data from April 15, 2002 to September 25, 2002.

1. Whether or not this is a new purchase or an upgrade
2. All registration and activation details are collected
   a. Date of transaction
   b. User's name and email
   c. IP addresses
   d. Originated from Web or application
   e. User's Hardware ID
   f. Number of new activations and reactivations
3. Statistics:
   a. Number of successful new activations.
   b. Number of successful re-activations.
   c. Number of failed new activations.
   d. Number of failed re-activations.
   e. List of successfully activated Installation IDs
   f. List of failed new activations (Installation IDs)
   g. List of failed re-activations (Installation IDs)
4. Support enquiries regarding the activation (e-mail messages)

User's name, email, date and time of purchase, and the Product Key are collected at the time of ordering. The rest of the information is collected during the activation.

This data is necessary in order to find an answer to the key question.

4.5. Limitations of Study

There are several things that must be taken into consideration while performing this research.

First, our sample is fairly small. Due to the time constraints and the fact that the system had to be developed prior to collecting the data, we were able to collect data on software activations from 15 April to 25 September, with two products on sale. During the experiment a total of 997 licenses were issued, including 359 newly purchased ones and 638 distributed for free as an upgrade to existing users. Out of those, 544 licenses were activated; the reasons why other users preferred not to activate are beyond our knowledge.

I collected customers' feedback from April 15, 2002 to September 24, 2002, and received 112 messages with different comments on the activation process, out of which 23 were complaints.
The main limitation is that with the data we are able to collect we do not know the reasons for several customer behaviour patterns. We are only able to collect a limited set of data due to commercial issues, design faults and technical limitations. For example, we could technically ask customers attempting to activate a product on an additional PC for the reason they do that by providing a multiple choice questionnaire or free text input field, and make this a requirement in order to get an additional activation code.

Our data does not provide answers to behavioural questions, nor does it provide information on the reasons why users do one thing or another. The data, however, contains information on the numbers: how many users, how many PCs, how many activations, and so on.

When customers get an upgrade license (upgrade licenses were distributed for free) but never activate it, the customers may not actually use the product, or they will activate only when they are forced to by the activation timer (in our implementation there is a 14-day allowance), or they will revert to a previous version of the product (which is also possible and happens regardless of whether or not an activation scheme is used).

When a customer purchases one license and tries to activate on multiple machines, it may be either illegitimate behaviour (trying to install on a number of machines greater than allowed by the license agreement), or legitimate behaviour (upgrading a machine fairly often). Chances of the second case are low because our system uses a Hardware ID that is least likely to change during the upgrade.

Most of the questions could be answered by conducting a targeted survey among the registered users. However, I do not have the skills and resources for successfully conducting such a survey.

5. Evaluation

This chapter explains how the experiment was run and describes the two software products on which activation performance was evaluated.

5.1.
Experiment Setup

The experiment was run from 15 April to 25 September 2002. I decided to evaluate a policy that is as close as possible to Microsoft's policy on their Windows XP activation (even if it is not optimal, it's good to begin with). The default activation policy is "Fair Use", with activations allowed on 2 different PCs per month. I modified the default "Fair Use" policy to allow 3 unique activations per month instead of 2; I did that to learn more about the number of unique PCs users install their licenses on.

The experiment will answer the first question of this research, about the number of copies of the program a legitimate user, who purchased one license, installs on different machines. I propose evaluation of the "fair use" licensing policy to shed light on the third question of this research, the number of users who illegally pass their product keys to other users. This policy assumes two computers to be a 'fair use' (such as home and work computers, or a workstation and a laptop). The second question, about how the system affects our legal users, is to be answered by analyzing customers' feedback, particularly problem reports.

In order to collect and analyze this data we have all raw data appropriately analyzed. At the end of our test period all necessary data was collected. After that I analyze the data in order to figure out answers to the questions asked earlier in this research.

Using this "fair use" policy and the data collected I also hope to determine what fair use is in the case of shareware, in terms of the number of licenses a majority of legitimate users need when purchasing a single license. I run the experiment under the assumption that a 'fair' user needs two licenses per activation period (i.e. home and work PCs, or desktop and laptop computers). I also suggest that it is fair enough to reset activation data every 30 days as the user may change or upgrade PCs.

5.1.1.
User's Technical Support Inquiries

We received 112 messages from the users of our programs who encountered problems with or had comments about the activation system. 23 of these messages were complaints. For each of those users we have complete information about when they've purchased the product, whether they are upgrade or new customers, and so on.

5.2. Products Used for Evaluation

This section presents details about the experiment: the participating company and two of its software products, as they were prior to using the activation system and after the company started using it.

5.2.1. Products

During the experiment I analyzed statistical data of the evaluated company (whose name is not disclosed), a software development company that has two products: Product A and Product C.

Product A ($49.95 US new license, $14.95 additional license, free upgrades from previous version) is fairly old and popular. It was originally targeted to home users only, yet later some functions for home offices and business use were added. The majority of its purchasers are private users and home offices (about 85% according to our data), and only about 15% are companies. Unfortunately, we are unable to distinguish between the home offices and private users at the moment.

Product C ($29.95 US new license, $9.95 additional license, free upgrades from previous version) was designed later and was targeted mainly to small businesses and home offices. About 30% of those who purchased Product C are businesses; another 70% are home offices and private individuals.

5.2.2. Upgrade Users

Product     Licenses Issued   Licenses Blocked   Licenses Suspended   Activations   Reactivations   Attempts to (re)activate blocked licenses
Product A   461               5                  0                    296           67              45
Product C   177               0                  0                    93            161 *           0

Table 2 - Upgrade users' activation figures

Table 2 contains numbers of licenses issued to upgrade users.

5.2.3.
Newly Purchased Users

Product     Licenses Issued   Licenses Blocked   Licenses Suspended   Activations   Reactivations   Attempts to (re)activate blocked licenses
Product A   274               11                 1                    341           106             79
Product C   85                4                  0                    101           78 *            15

Table 3 - New users' activation figures

Table 3 contains the number of new customers who purchased the products, and the number of times the licenses were activated.

Note that Product C has an abnormally high number of reactivations. It happened because initially the product was released with an older version of the Activation SDK that contained a bug preventing it from saving an activation code on the local machine, requiring re-activation every time the product was started. The bug was fixed in about a week. The bug only affected the number of reactivations, and did not affect the number of activations and blocked keys; I considered that it is still possible to use this data to answer the questions of this research.

5.3. Data Collected During the Experiment

This section presents data in the form of tables that was collected by the activation server during the experiment. This data is used to answer our intermediary questions.

5.3.1. Number of activations per license

This chapter contains multiple tables with data on the use of licenses. The left column of each table contains the number of activations per license key. The right column contains the number of licenses that were activated the number of times shown in the left column.

All products are licensed with a modified 'fair use' enforcement policy that allows for 3 activations during the 30-day period. Once every 30 days they can activate a product on 3 more PCs. I issued additional activation codes if a user asked for them, in order to figure out the best 'fair use' or 'common use' practices.

5.3.1.1.
SUCCESSFUL NEW ACTIVATIONS

This section provides information that leads us to the answer to the first and second intermediate questions of this research, as well as provides a hint to answering the key question.

Table 4 shows the number of licenses that were successfully activated on multiple machines. The number of activations on different PCs is represented by the value of the first column in the table (N). The second column contains the number of licenses that were activated N times. This table gives a good hint of the number of PCs on which an average user installs a product.

Product A - New Users
# activations (N): 0, 1, 2, 3, 4, 5, 6
# licenses activated N times: 41, 164, 46, 12, 7, 3, 1
Total Licenses: 274
Activated Licenses: 233

Product C - New Users
# activations (N): 0, 1, 2, 3, 4, 5, 6, 7
# licenses activated N times: 18, 49, 9, 6, 1, 1, 1
Total Licenses: 85
Activated Licenses: 67

Product A - Upgrade Users
# activations (N): 0, 1, 2, 3, 4, 5, 6, 7
# licenses activated N times: 262, 130, 51, 9, 7, 1, 1
Total Licenses: 461
Activated Licenses: 199

Product C - Upgrade Users
# activations (N): 0, 1, 2, 3, 4, 5, 6, 9
# licenses activated N times: 132, 28, 3, 5, 6, 1, 1, 1
Total Licenses: 177
Activated Licenses: 45

Table 4 - Number of activations per license: Successful New Activations

The licenses that were never activated are represented with '0' in the left column. This number is larger for upgrade users, which means that either they abandoned the product or that they use an older version and refuse to switch to the newer one. Excluding the licenses that were never activated, and taking the total number of licenses activated at least once as 100%, we get the following normalized tables.
Product A                   New Users (233 activated licenses)   Upgrade Users (199 activated licenses)
Activated once              70.39%                               65.32%
Activated 2 times           19.74%                               25.62%
Activated 3 times           5.15%                                4.52%
Activated 4 or more times   4.72%                                4.54%

Table 5 - Product A: activations per license, percentage

Product C                   New Users (65 activated licenses)    Upgrade Users (45 activated licenses)
Activated once              73.13%                               62.22%
Activated 2 times           13.43%                               6.66%
Activated 3 times           8.96%                                11.11%
Activated 4 or more times   4.48%                                20%

Table 6 - Product C: activations per license, percentage

21.18% of all customers have never activated Product C after purchasing. This again might be explained by suggesting that the customers do not run this product every day.

Out of those who have activated their licenses, a majority have only done it once. Some number of users activated 2 times, and a few did it 3 times or more on different machines. A "fair use" policy that allows 2 activations a month would satisfy 68.88% of Product C users and 86.56% of Product A users. The test policy that I used for this evaluation, which allows 3 activations per month, would satisfy 95.5% of all customers.

The picture changes, however, for a one-month case. The following two tables compare May, June, July, August and September (numbers represent activations combined for new users of Product A and Product C) as the only months we have complete data for. April is excluded because I only have data for the 2 last weeks of the month.
Number of licenses activated N times, by month:

# Activations (N)   May   June   July   August   Sept
0                   10    7      10     13       14
1                   44    30     43     46       43
2                   10    8      11     10       5
3                   3     3      4      4        2
[rows for 4, 5 and >5 activations: values 2, 1, 2, 1, 1; month columns not recoverable]
# Product Keys      70    49     71     73       64
# Keys Activated    60    42     61     60       50

Table 7 - Monthly Successful Activations

This data demonstrates the number of different computers on which a single license was activated during a 30 day period.

                            May (60 activated licenses)   June (42 activated licenses)   July (61 activated licenses)   Aug (60 activated licenses)   Sep (50 activated licenses)
Activated once              73.33%                        71.43%                         70.49%                         76.66%                        86%
Activated 2 times           16.66%                        19.05%                         18.03%                         16.66%                        10%
Activated 3 times           5%                            7.14%                          6.56%                          6.66%                         4%
Activated 4 or more times   5%                            2.38%                          4.92%                          0%                            0%

Table 8 - Monthly Product Activations, Percentage

Data in this table demonstrates that users tend to use their software licenses on more machines over time (September data shows that). Table 8 shows that there is a significant number of customers who install software licenses on multiple PCs.

Data from this table leads us to the answer to the first question of our research: determining the number of PCs a typical customer may need to use a single license on. The table allows me to conclude that, while many of the users are only activating it on a single PC, some significant number (13% to 17%) of customers use it on 2 PCs, and around 5% - 10% use it on 3 or more PCs. From this data I also suggest that the numbers of customers who use our test software on more than 3 PCs are negligible.

5.3.1.2. FAILED: ACTIVATION LIMIT EXCEEDED (TEMPORARY BLOCK)

This subsection gives a lead to answering the second question, on the system's influence on the customers.

The "Temporary Block" condition is set when a user attempts to activate the license more times than he or she is allowed to according to the terms of agreement. This condition is very different from the "Permanent Block": a temporary block will be removed at the end of the accounting period (in our test case this period is 30 days), while the permanent block won't be removed.

A temporary block is put on a license when a customer attempts to activate it on one more PC than he is allowed to. Temporary blocks are removed once every 30 days; however, if the number of activation attempts exceeds the value of the "Fraudulent Threshold" parameter, the system permanently blocks this license.

Our system only provides information on licenses that were temporarily blocked in the current time period.

7 users of Product A were denied activation after exceeding their activation limit in the period of 25 Aug - 25 Sep. 3 Product C users were denied activation and put on temporary block.

I noticed a frequent pattern when users try activating a license key on an additional PC, and the activation system fails to produce an activation code with a "Number of allowed activations exceeded" message and its comprehensive explanation. The users still try to activate the license some more times in the hope that there was a technical problem, but the system still does not return an activation code. They usually try 2-7 times before giving up. After that they have several choices: contact us to ask for an additional activation or report a 'technical problem' with the activation system; purchase an additional license paying the low upgrade fee; or just wait 30 days and attempt activation again.

During the study we received 7 requests to issue additional activation codes for Product A and Product C. The customers argued: "I have a third (fourth, etc.) PC at home and need your product to run on it".
In all cases we preferred to issue an activation code without arguing, although we didn't have to according to the terms of our end-user license agreement.

3 times the users who were denied activation purchased upgrade licenses immediately, one for Product A and one for Product C.

5.3.1.3. FAILED: LICENSE IS BLOCKED (PERMANENT BLOCK)

This section contains data that is necessary to answer the third question of this research, on the number of customers who illegitimately pass their licenses to other users.

Blocked licenses represent attempts of massive software theft. If a license was blocked by our system, then there were multiple attempts of unsuccessful activations from different machines. This may mean that a license was purchased with a stolen credit card and then uploaded to a 'warez' Web site; or that a license was purchased with a legitimate credit card, and then shared with several other users or installed on multiple machines in violation of the terms of the license agreement; or some other violation of license terms.

• Product A, New Users
  o 1 license blocked, 25 activation attempts from unique PCs
  o 1 license blocked, 11 activation attempts
• Product A, Upgrade Users
  o 1 license blocked, 44 activation attempts from unique PCs
  o 1 license blocked, 35 activation attempts
• Product C, New Users
  o 1 license blocked, 4 activation attempts from unique PCs
  o 1 license blocked, 11 activation attempts

Table 9: Number of activations per license: Failed - License Is Blocked Permanently

There are 4 Product A licenses and 2 Product C licenses that were blocked, which corresponds to the products' nature: Product A is marketed primarily to home users, while Product C is designed for small business and home office use.
Each license was placed on a temporary block first (after 3 unsuccessful activation attempts), and then put on a permanent block (after another 10 unsuccessful activation attempts, according to our policy).

One license was blocked with a total of 25 activation attempts made from 25 different computers; another one received 44 activation attempts from different machines.

I assume that all licenses that were blocked were used illegitimately. We have never received complaints from those who purchased these licenses. In any case, this data leads us to the answer to the third question of this research, about how many customers are passing their licenses illegitimately to other users.

As can be seen from the data shown in Table 2 and Table 3, there are more blocked licenses than listed in Table 9. The explanation is simple: some licenses were blocked manually by the developers of Product A and Product C for various reasons, such as: a license was issued but a customer never paid; an order turned out to be fraudulent, and a charge back was issued; or an order was refunded.

5.3.2. Users' Technical Support Inquiries

This subsection presents information necessary to answer the second question, about the system's influence on users who we consider to be legitimate.

I collected customers' feedback from April 15, 2002 to September 24, 2002, and received 112 messages with different comments on the activation process, out of which 23 were complaints.

All complaints report different problems activating the software. The company received 23 complaints from the customers. Most of the messages were related to products developed with earlier versions of the Activation SDK that contained a bug preventing activations in certain conditions. Once the SDK was fixed, we stopped getting this kind of complaint from the users.

A very common reason for activation failure is the presence of some local proxy server or firewall.
In that case we advise the users to use a Web browser in order to activate a product. Some minor problems (mostly connected with an initially poor GUI and lack of documentation) were expected and happened (there were people who tried to activate their products 15 times before contacting support). This kind of problem has not occurred since last month, when some GUI changes were made in the system, and better help was added to the Activation Wizard.

Another reason for a failed activation is exceeding the maximum number of allowed installations. Many users use software they buy on more than one machine. The company tolerates one or two additional installations with the "Fair Use" activation policy; however, some customers require more than that, and usually are denied activation. There were 4 support requests of this kind.

During the test period, the company provided 7 users with additional licenses for free. 3 customers paid for additional Product C licenses, and one additional upgrade license was sold for Product A.

We did not receive any 'privacy concern' feedback, despite the fact we expected it. Those concerned about their privacy on the Internet do have some kind of firewall blocking Internet access to applications like Product A. They usually open a Web browser manually, and enter all required information. As we do not ask for any personal information in order to activate a product, they are usually satisfied with our privacy commitment.

5.4. Summary of Evaluation

This subsection summarizes results of the experiment.

A total of 997 licenses were issued during the experiment, including 359 newly purchased ones and 638 distributed for free as an upgrade to existing users. 544 of these licenses were activated; the other users preferred not to activate for an unknown reason. Most were distributed for free as an upgrade to existing customers, and thus the most likely explanation is that they never wanted to update.
59 licenses were never activated by 359 new customers who paid for a license, while 394 never-activated licenses were abandoned by 638 upgrade users who received them for free.

Averaging data collected during May, June, July, August and September 2002 (a total of 327 licenses, 273 of which were activated at least once), ~75.45% of those who activated a product did it on a single PC during one month since their first activation; few users (~16.12%) installed it on two machines during the same month; a number of customers (~8.43%) installed it on three or more PCs during the same month.

Analyzing a larger sample (period of April 15th to September 25th, 2002, 359 total new licenses and 300 activated licenses), 71% of customers activated a product on 1 PC, 18.3% - on 2 PCs, and 10.66% activated on 3 or more PCs (data for new customers buying their first license). Similar numbers for upgrade users who got their licenses as a free upgrade: 64.75% of customers activated a product on 1 PC, 22.13% - on 2 PCs, and 13.12% activated on 3 or more PCs.

2 licenses were blocked and believed to be tampered with / illegally distributed (which amounts to 0.45% of pirated licenses) as of August 25th, 2002, and 4 blocked tampered licenses (0.74%) as of September 25th, 2002.

1 license was blocked with 25 unsuccessful activation attempts from different PCs; another one received 44 activation attempts from different PCs. 2 more licenses received 35 and 11 unsuccessful activation attempts, making a total of 125 possible illegitimate users trying to violate the terms of a license agreement. The number looks significant in relation to the total of 544 active users.

We received 23 complaints about issues, all of which were positively resolved during the period of 15 April - 25 September 2002.
Referring to our key question about the effectiveness of software activations to reduce software piracy, about 10% to 13% of all customers use more licenses than they are allowed to by the 'Fair Use' software license (the 'Fair Use' policy allows 2 installations on different PCs), and about 4.5% of customers would violate the policy that was used for the research, which allows 3 installations of a license. Approximately 30% of Product A and 37% of Product C customers would violate conditions of the 'Strict' enforcement policy (allowing a customer to install a product on a single PC).

It is difficult to estimate an exact value of the fact that the four licenses were blocked. Those users who were denied activations are unlikely to purchase a legitimate license. Those license codes, however, might have been widely distributed on some cracker's site, and, based on our previous experience, result in thousands of people downloading those codes and using them illegitimately with the products.

The company had experienced exactly the same situation several times. The first time it happened, sales were down significantly (about 30% down during the month when a stolen license was published) because the company did not know how to react properly. Later on they managed to block licenses in the program itself (uploading a modified version to the Web site), thus minimizing the effect of those stolen keys.

6. Related Work

This chapter describes references to related work, and compares them to this research.

Microsoft Corp., as the developer of Windows Product Activation, is naturally the primary source of information about the activation.

Microsoft Piracy Basics [8] contains general information on what software activation is, and an explanation of how it works, including the technical details, frequently asked questions about activation, their Privacy Policy on activation, and more.
Their Frequently Asked Questions [12] was so useful that I included some quotations from there in my thesis in order to explain the concept of activation.

Microsoft Technical Bulletin on Activation [9] was the source of information for designing a system for this evaluation. The article provides a detailed description of Microsoft's product key, Installation ID, and activation code formats, with an overview of the corresponding digital certificate and cryptography technologies. "Microsoft believes that product activation will be successful at deterring the casual copier, thereby reducing the piracy of Windows XP. Product activation achieves this goal by implementing a technology solution that deters the casual copier [...]" [9], they conclude.

Von Mike Hartmann in [5] reverse engineered Microsoft's WPA implementation, described the technical details he found out, and published C source code as a sample of technologies used for the WPA implementation. "The Windows Product Activation (WPA) that is implemented in the current RC1 of Windows XP shows some serious bugs which will open the way for hackers to avoid the whole system" [5], he claims. The paper concentrates on low-level analysis of the system code.

Joe Wilcox, a CNet editor, discusses in [23] issues of privacy and fair use connected to this new technology. "The company's new product-activation technology, which locks Office XP or Windows XP to a particular PC hardware configuration, can deactivate unexpectedly, rendering the software useless until a code number is obtained from Microsoft. The feature could present the biggest headache to people that frequently upgrade or change components on their PCs" [23], he argues. He collected and published negative feedback of some users who were turned down by Windows Product Activation and decided to switch to an alternative platform because of that. Many similar articles are published regularly on the Web.

John C.
Dvorak discusses copy protection issues in a PC Magazine article [16] and criticizes the Microsoft approach to copy protection via software activation. The author points out that it is unknown how many times one can install Windows XP, or whether it can be remotely disabled: "How many times can you actually activate XP? The number three comes up a lot when I look for answers on this topic, although there is no definitive answer on Microsoft's Web site." [16]

The issues he discusses in the article are the reason why we disclose and precisely describe our activation policies to all users of our activation system. "XP is a marvellous OS—a workhorse that everyone should use. But it hasn't set the world on fire and the muddy and vague information about how activation works and its limitations are why the sales have not been stellar." [16]

7. Conclusion

I designed ActivateSoft.NET, an online software license enforcement system that enforces the terms of a product's end-user license agreement, which was implemented by developers from several companies [section 3.1.6]. I developed a "fair use" policy for that activation system, a policy that allows customers to install a product on 2 different machines during a 30-day period, and performed a study of system behaviour using real-world software products for 6 months (15 April to 25 September 2002).

The activation system made it possible to monitor and control the way customers use their software licenses. I determined that a 'fair use' policy that allows installations on 3 different PCs per month would fit the products used for the research better than other policies, because it satisfies approximately 95.5% of all customers.

The research answered the first question, about the number of copies of a product that a legitimate user with a single license installs on different machines.
Averaging data collected during May, June, July, August and September 2002 (a total of 327 licenses, 273 of which were activated at least once), ~75.45% of those who activated a product did so on a single PC during one month since their first activation; few users (~16.12%) installed it on two machines during the same month; a number of customers (~8.43%) installed it on three or more PCs during the same month.

Analyzing a larger sample (the period of April 15th to September 25th, 2002; 359 total and 300 activated licenses), 71% of customers activated a product on 1 PC, 18.3% on 2 PCs, and 10.66% on 3 or more PCs (data for new customers buying their first license). Similar numbers for upgrade users who got their licenses as a free upgrade: 64.75% of customers activated a product on 1 PC, 22.13% on 2 PCs, and 13.12% on 3 or more PCs.

This research provided the answer to the second question, regarding the effect of the system on average users. We received 23 complaints about the activation; the low number of complaints allows me to conclude that the system does not negatively affect legitimate customers.

The number of users who illegitimately shared their licenses and made their product keys accessible to other users is 6. I do not consider this to be a big enough sample, and thus cannot give a definitive answer to the third question. The number of 6 tampered licenses can only give a hint toward answering the question.

The direct effect on piracy is measurable and significant: 6 licenses were stolen, and 139 attempts were made to activate them on unique machines by non-authorized users. The indirect effect on piracy is significant: based on our previous experience, uncontrolled distribution of illegally obtained licenses hurts sales. This impact is more significant for home-user oriented products, and less significant for business-user oriented products.
I believe that the use of the activation system alone has prevented those stolen licenses from being published on crackers' Web sites.

An important hint toward answering the key question of this research, on the effectiveness of software activation in reducing software piracy, is that about 10.66% of customers use more licenses than they are allowed by the 'Fair Use' policy, which allows installing a product on 2 different PCs. It is also significant that approximately 29% of customers would violate the conditions of the 'Strict' enforcement policy, which allows them to install a product on a single PC only; this creates the potential for additional sales to these customers. Due to the small sample size the numbers lack precision.

I provided a good hint toward answering the key question of this research. The research allows each software developer to decide whether or not using an online activation technique will be cost effective and commercially profitable for their particular products, and provides information on the effect that such a system has on customers.

Bibliography

[1] Digital-Ticket-Controlled Digital Ticket Circulation. Ko Fujimura, Hiroshi Kuno, Masayuki Terada, Kazuo Matsuyama, Yasunao Mizuno, and Jun Sekine, NTT Information Sharing Platform Laboratories. USENIX Technical Program - Abstract - Security Symposium 1999. http://www.usenix.org/publications/library/proceedings/sec99/fujimura.html
[2] Detecting and Countering System Intrusions Using Software Wrappers. Calvin Ko, Timothy Fraser, Lee Badger, and Douglas Kilpatrick, NAI Labs, Network Associates, Inc. Abstract - Security Symposium - 2000. http://www.usenix.org/publications/library/proceedings/sec2000/ko.html
[3] Bitwise Operator: The Plain Truth About Piracy. By fprefect. http://www.ambrosiasw.com/cgi-bin/ubb/newsdisplay.cgu action-topics 1 &number=14&article=000052
[4] Why Do People Register, Does Crippling Work, Does Anybody Really Know?
By Colin Messitt. http://hackvan.com/pub/stig/articles/why-do-people-register-shareware.html
[5] Windows Product Activation compromised (Inside the WPA). VON MIKE HARTMANN. http://www.tecchannel.de/betriebssysteme/746/index.html
[6] Microsoft Product Activation Overview. May 30, 2001. http://www.microsoft.com/office/evaluation/indepth/activation.asp
[7] Technical Details on Microsoft Product Activation for Windows XP. http://www.microsoft.com/technet/prodtechnol/winxppro/evaluate/xpactiv.asp
[8] Piracy Basics: Microsoft Product Activation Overview. http://www.microsoft.com/piracy/basics/activation/
[9] Technical Market Bulletin on Product Activation in Windows XP. August, 2001. http://www.microsoft.com/piracy/basics/activation/windowsproductactivationtechnicalmarketbulletin.doc
[10] Deloitte & Touche product activation audit report. October 3, 2001. http://www.microsoft.com/piracy/basics/activation/microsoftj3pinionjreport
[11] Windows XP Product Activation. June 29, 2001. http://www.microsoft.com/windowsxp/pro/evaluation/overviews/activation.asp
[12] Microsoft Product Activation: Frequently Asked Questions. http://www.microsoft.com/piracy/basics/activation/mpafaq.asp
[13] How XP WPA will squeeze more money out of businesses. 09/08/2001. http://www.theregister.co.uk/content/4/20912.html
[14] Software protection for shareware developers. Steve Lower - ChemlWare Ltd. - steve@cheml.com, Educational Software Cooperative Newsletter, (Volume 9 No.7), December 2000. http://www.sfu.ca/person/lower/MISC/softprot.html
[15] Piracy Basics - Microsoft Product Activation: Windows XP Service Pack 1 Changes to Product Activation. http://www.microsoft.com/piracy/basics/activation/windowsxpspl.asp
[16] Straight Talk on XP Activation. By John C. Dvorak, PC Magazine, August 12, 2002. http://www.pcmag.com/article2/0,4149,462414,00.asp
[17] The Wrong Approach to Copy Protection. By Michael J.
Miller, PC Magazine, April 2, 2002. http://www.pcmag.com/article2/0,4149,6312,00.asp
[18] Discrete logarithms in finite fields and their cryptographic significance. A. M. Odlyzko
[19] Discrete logarithms: The past and the future. Andrew Odlyzko
[20] A Study on the Proposal Korean Digital Signature Algorithm. Chae Hoon Lim, Pil Joong Lee
[21] Lattice Reduction: a Toolbox for the Cryptanalyst. Antoine Joux, Jacques Stern
[22] A Key recovery Attack on Discrete Log-based Schemes using a Prime Order Subgroup. Lim & Lee, Crypto '97
[23] "Microsoft's XP: Hardware changes a turnoff" by Joe Wilcox, published on CNet News (http://news.com.com/2100-1001-269085.html?legacy=cnet)

Appendix 1. Microsoft Windows Product Activation FAQ

What is Product Activation?

Microsoft Product Activation is an anti-piracy technology designed to verify that the product has been legitimately licensed.

How does Microsoft Product Activation work?

Product Activation works by validating that the software's product key, required as part of product installation, has not been used on more PCs than is allowed by the software's license. Product key information, in the form of the product ID, is sent along with a "hardware hash" (a non-unique number generated from the PC's hardware configuration) to Microsoft's activation system during activation. Activation is completed either directly via the Internet or by a telephone call to a customer service representative. Activations on the same PC using the same product key are unlimited. Product Activation discourages piracy by limiting the number of times a product key can be activated on different PCs.

Will Product Activation make it more difficult for customers to install and use the software?

Product Activation is designed to be simple and unobtrusive for customers who legitimately acquire the software license. Customers will have the choice of activating via the Internet or by telephone.
Customers will also be able to delay activation for several uses of the product, until a time that is convenient for them. For those who obtain a copy of the software illegally, Product Activation will make their inappropriate use of the product more difficult. Millions of customers have used Product Activation to date with little or no difficulty.

How will Microsoft Product Activation help thwart piracy?

Product Activation will help reduce casual copying by ensuring that the copy of the software product being installed is legal and has been installed on a PC in compliance with the End User License Agreement (EULA). Installations beyond those allowed in the license agreement will fail to activate.

Haven't companies tried to implement anti-piracy technologies before and failed?

Anti-piracy technologies that have been used in the past have not been easy for customers to use and were generally viewed as unacceptable by customers and the industry. For example, some early PC products required specialized hardware components or boot diskettes that were cumbersome for the user. Product Activation is a breakthrough technology in that it makes activation a natural part of setting up the software and avoids the pitfalls of anti-piracy methods used in the early days of the PC industry.

How does the customer benefit from this approach?

Over time, reduced piracy means that the software industry can invest more in product development, quality and support. This ensures better products and more innovation for customers. Ultimately, customers will benefit from the economic impact of reduced piracy through more jobs and higher wages. Customers will also receive the best value for their software investment by being able to receive product updates and other product information. Product Activation also helps prevent unsuspecting customers from purchasing counterfeit software.
Customers who purchase counterfeit products could find they are missing key elements, such as user manuals, product keys, certificates of authenticity and even software code. They may also find that the counterfeit software contains viruses or does not work as well as the genuine product does.

What were some of the key lessons learned by Microsoft from the pilot of activation with Office 2000?

Customers generally found activation to be easy and unobtrusive. Telephone calls average two to three minutes, with hold times of two to three minutes or less. On average, over 70 percent of the activation requests are through the Internet and approximately 2 percent of activation requests are due to hardware changes or other reactivations.

Won't hackers and pirates just crack this like they did earlier copy-protection attempts? Will this really help stop piracy?

Product Activation is not a single "silver bullet" solution to global piracy. It is, however, significantly more sophisticated than past methods and is not easy for would-be pirates to circumvent. At the same time, it is a simple and unobtrusive process for legal customers. It will help prevent casual copying of software, which is by far the most prevalent and damaging type of software piracy. It is not designed to target sophisticated and organized criminal counterfeiters.

Won't Product Activation be easy to crack? I've heard on the Internet that it will be cracked before the product is released. I also heard you can buy Office XP final product on the street in Asia. Doesn't this mean the code has been cracked?

Product Activation has yet to be cracked. The so-called "crack" now being passed around the Internet contains a set of instructions for setting a registry key that disables activation. Microsoft made the existence of this registry key public to its technical beta testers in early February and included it as a testing tool, telling them where it was and how to set it to disable activation.
That said, the intellectual property protection arena is a cat-and-mouse game. All IP protection technologies will be cracked at some point; it is just a matter of time. The measure of success is not completely stopping software piracy. Success is more likely measured in increased awareness of the terms of the license agreement and increased license compliance.

Is there rechecking of the activation done after initial activation? Is there any secret data transfer to Microsoft?

The product does check itself from time to time to see if it is activated and if it is still on the same PC on which it was originally activated, but at no time whatsoever is information transferred to Microsoft as a result of Product Activation except while the user is actually in the process of activating the system. There absolutely is no "secret" data transfer.

Will Microsoft use activation to force me to upgrade? In other words, will Microsoft ever stop giving out activation codes for any of the products that require activation?

No, Microsoft will not use activation as a tool to force people to upgrade. Activation is merely an anti-piracy tool, nothing else. Microsoft will also support the activation of Windows XP throughout its life and will likely provide an update that turns activation off at the end of the product's lifecycle so users would no longer be required to activate the product.

Appendix 2. Our Cryptography Implementation and Its Security Analysis

Mathematical Aspects

System and key parameter generation
1) Define NKey = 1024
2) Generate big prime numbers M, P; M < P
3) A random vector SK[i], i = [1..NKey], is generated - a private key
4) Public key PK[i] = M^SK[i] mod P
5) Constants M, P, PK[] are hard-coded into the program

Signature (user key)
1) H[] = Hash(RegistrationName)
2) K = random
3) R = DHH(M^K + H[0])
4) S = K - (SK[1]*(H[1] xor R) + SK[2]*(H[2] xor R) + ... + SK[NKey]*(H[NKey] xor R))
5) A pair of R, S is transmitted to the user as a key for the RegistrationName.

Signature verification
1) H[] = Hash(RegistrationName)
2) Y = (PK[1]^(H[1] xor R)) * (PK[2]^(H[2] xor R)) * ... * (PK[NKey]^(H[NKey] xor R))
3) Check R == DHH((M^S) * Y + H[0])

*) Hash() - hash function, DHH() - very slow hash function (30 op/sec)
*) all arithmetical operations are performed modulo P

Security Analysis

Public Key Brute Force Attack

The system is broken if a private key is recovered. To recover a private key it is necessary to solve NKey equations M^X mod P = PK for X. For a brute force search for X on a PC such as a PIII-800 MHz (3*10^3 modular exponentiation operations per second), the time to solve one equation is given in the following table.

SizeOf(X), bits    Break days
31                 8
32                 16
34                 66
36                 265
38                 10^3
40                 4*10^3
45                 1.5*10^5
50                 4*10^6
55                 1.5*10^8
60                 4*10^9

A parallel brute force attack on a system of 1024 equations increases the required time by 10% per equation. Currently we use 62 bit integers.

Public Key Pollard-rho Attack

Solving M^X mod P = PK can be significantly accelerated by using the Pollard-rho method. This method allows solving the equation in Sqrt(3.14 * 2^N / 2) ~= 1.77 * 2^((N-1)/2) operations (where N is the width of X in bits, and an 'operation' is a modular exponentiation). Assuming a speed of 3*10^3 operations per second, we get 31 days for solving an equation with SizeOf(X) = 62 bits. For a public key attack it is necessary to solve NKey equations. The time to break the system of NKey equations will be 3*10^4 days.

No method currently exists that allows finding a discrete logarithm in time better than Sqrt(2^N) = 2^(N/2). Note that some faster methods of solving the discrete logarithm problem may require up to 2^(N+3) bytes of memory.

Long Signature Brute Force

The purpose of this attack is to generate a valid signature using brute force.

1) H[] = Hash(RegistrationName)
2) take some R
3) Y = (PK[1]^(H[1] xor R)) * (PK[2]^(H[2] xor R)) * ... * (PK[NKey]^(H[NKey] xor R))
4) search for S until R == DHH((M^S) * Y + H[0])

As the DHH hash is calculated very slowly (approximately 30 operations per second on a PIII-800), the attack time can be estimated as follows.

SizeOf(R), bits    Break days
24                 13
26                 55
28                 220
30                 10^3
32                 3.5*10^3

In the current implementation R is assumed to be 31 bits for a registration key and 35 bits for an activation key.

The foregoing results show that attacks weaker than Pollard-rho are pointless. A Pollard-rho attack, however, requires a certain mathematical grounding from the attacker.
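The key generation, signature and verification steps listed under Mathematical Aspects can be exercised end to end with the following Python sketch. It is an added example, not the ActivateSoft.NET code: the modulus P = 2^127 - 1, the base M = 3, NKey = 8, SHA-256 for Hash(), PBKDF2 for the slow hash DHH(), and the reduction of S modulo P - 1 are all assumptions chosen so that the demonstration runs quickly.

```python
import hashlib
import secrets

# All constants below are assumptions for this demo, not values from the thesis.
P = 2**127 - 1      # prime modulus (a Mersenne prime)
M = 3               # base
NKEY = 8            # the thesis uses NKey = 1024
SK_BITS = 62        # private exponents are 62-bit integers, as in the thesis
R_BITS = 31         # R is 31 bits for a registration key, as in the thesis


def hash_words(name, count):
    """H[0..count-1]: 32-bit words derived from the name (SHA-256 stands in for Hash())."""
    words = []
    for i in range(count):
        digest = hashlib.sha256(i.to_bytes(4, "big") + name.encode("utf-8")).digest()
        words.append(int.from_bytes(digest[:4], "big"))
    return words


def dhh(value):
    """Stand-in for the deliberately slow hash DHH(), truncated to R_BITS bits."""
    raw = hashlib.pbkdf2_hmac("sha256", value.to_bytes(16, "big"), b"dhh-demo", 20000)
    return int.from_bytes(raw[:4], "big") >> (32 - R_BITS)


def keygen(nkey=NKEY):
    """Private vector SK[i] and public vector PK[i] = M^SK[i] mod P."""
    sk = [secrets.randbits(SK_BITS) for _ in range(nkey)]
    pk = [pow(M, x, P) for x in sk]
    return sk, pk


def sign(name, sk):
    """Return the user key (R, S) for a registration name."""
    h = hash_words(name, len(sk) + 1)
    k = secrets.randbelow(P - 1)
    r = dhh((pow(M, k, P) + h[0]) % P)
    # Exponents live modulo P - 1 (Fermat), so S is reduced there rather than modulo P.
    s = (k - sum(x * (h[i + 1] ^ r) for i, x in enumerate(sk))) % (P - 1)
    return r, s


def verify(name, r, s, pk):
    """Recompute M^S * Y, which equals M^K for a genuine key, and compare R."""
    h = hash_words(name, len(pk) + 1)
    y = 1
    for i, pk_i in enumerate(pk):
        y = y * pow(pk_i, h[i + 1] ^ r, P) % P
    return r == dhh((pow(M, s, P) * y + h[0]) % P)


if __name__ == "__main__":
    sk, pk = keygen()
    r, s = sign("Alice Example", sk)          # constructed registration name
    print("genuine key accepted:", verify("Alice Example", r, s, pk))
    print("key reused for another name:", verify("Bob Example", r, s, pk))
    print("S altered by one:", verify("Alice Example", r, (s + 1) % (P - 1), pk))
```

Because R is only 31 bits, the cost of the signature brute-force search estimated in the appendix depends on DHH() really being slow; the PBKDF2 setting used here is far faster than the 30 operations per second the thesis assumes.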
