Device Locked Software Activation
By: Casey Potenzone, CIO, Uniloc USA, Inc.
Since first gaining significant market traction in 2003, device locked
software activation (DLSA) has emerged as the copy control method of
choice for leading software publishers. Currently six of the top ten
software publishers use DLSA on the majority of their products. In 2006
well over $40 billion of software will be activated with device
locking. Today, a majority of computer users have already had exposure
to DLSA and understand its value to the license management process. The
primary benefit of DLSA is its ability to provide a simple, highly
hack-resistant end user authentication foundation on which to build
fair, flexible and enforceable end user license models. DLSA can be
integrated with virtually any standard license management back end.
When implemented properly, DLSA has been shown to dramatically curtail
unauthorized software use, delivering significant revenue increase with
minimal additional operational or product cost.
The popularity and apparent simplicity of DLSA encourages many software
publishers to pursue development of a “Homebuilt” solution in order to
minimize costs. Any publisher considering such a development should
first understand the requirements and costs to successfully implement
and maintain DLSA. Potential benefits are only realized if
hack-resistance is cost effectively achieved and sustained long term.
The financial profile of an outcome in which security is sub-par will be
disastrous because of low return and high cost. To meet business
objectives and to minimize the risk of failure, the software publisher
has to achieve sustainable security while managing the levels of
investment.
Requirements
A copy control solution is a necessity for software publishers, a
necessity that almost always distracts publishers away from their core
competency. An ideal solution provides user-convenient, hack-resistant
user authentication with a minimum of publisher effort and cost, and is
easily adapted to address emerging business models. The growing
dominance of embedded DLSA provides a multitude of real world examples
demonstrating its ability to yield these benefits, putting authority
firmly in the hands of publishers to politely enforce end user
licenses. To realize value of DLSA solution, publishers must get
several critical elements “right” or risk frustrating users, creating
customer service issues and failing to curb piracy.
Successful copy control throughout a product’s lifecycle maximizes
product ROI and politely conditions users to a reliable and fair product
and brand experience. Such success depends significantly on the quality
of the end-user experience. The willingness of end-users to accept
security rather than try to find a way around it is directly related to
the solution’s ability to provide a convenient and problem-free end-user
experience. A well conceived DLSA system supports the fair use
users want, and does so simply, reliably and politely. Whenever
possible, a DLSA solution should empower users to easily self-manage
their rights within the publisher’s fair use parameters.
A DLSA solution that optimizes the end-user experience virtually
guarantees similar benefits to the publisher. A highly reliable and
flexible system that gives users what they want and enables them to
self-manage their needs will minimize the publisher’s customer support
activities.
The most advanced DLSA solutions feature new powerful features such as
“polite auditing”, “fair use throttling” and “smart tolerance” allow
publishers to audit user behaviors and optimize license terms to
maximize the value of their DLSA investment.
The Key to Sustainable Anti-hacking: Advanced
Device Fingerprinting
Device recognition, the process of uniquely identifying a user device,
is the secure foundation of DLSA. The hack resistance of a DLSA system
depends primarily upon its ability to uniquely and consistently identify
a device using its “device fingerprint”. A device fingerprint is
created by sampling a range of non-personal information about a user’s
device and then hashing that information into an encrypted code string.
Early software activation systems used readily accessible device
information such as Volume Serial Number, Network Name or Hard Drive
Serial Number to generate the device fingerprint. The problem with
using such readily accessible information is that they are easily
spoofed and susceptible to license key generators. Advanced DLSA
systems do not rely on component information that is easily changed, and
instead sample a wide range of “non-user-configurable” device sampling
points such as hard drive damage map, chip benchmarking, bios and
firmware versions, manufacturer serial numbers and many others. The
most advanced DLSA systems sample over 10,000 unique points of data in a
typical PC and reliably distinguish one PC from another with more
accuracy than DNA can distinguish human beings. The larger the pool of
device information, the higher the integrity and more hack resistant the
device fingerprint. Also, the wider the range of component targets, the
more tolerance for change in a user’s device before requiring
re-authentication, enabling higher system reliability and overall
efficiency. Lastly, a large selection of device anchors enables
publishers to tailor hardware anchor importance to those components most
applicable to their applications.
To accomplish the business objectives of the software publisher and
realize the value of a DLSA implementation, a high quality device
fingerprinting technology must be the foundation. The integrity of the
device fingerprint depends on the number and range of the sampling
targets and the ability to include non-user-configurable targets. In
addition, the ability to sample components using a combination of
interfaces, such as high level OS calls and low level driver interfaces,
further increases the integrity of the system.
Managing
Risk
Managing the risks associated with the failure of a copy control system
is a prudent strategy. As anyone in the security field knows: given
enough computing power and time, any security schema can be broken.
While embedded DLSA challenges this notion to extraordinary levels (and
will significantly limit the damage from any single crack), anything is
possible. In addition to cracking, it should also be considered a copy
control system failure if the number of users driven away due to
inconvenience is greater than the number unauthorized users
“converted”. No matter how carefully planned the project, no matter how
passionately supported by top management, no matter how obvious the
benefits, success is not a sure thing. The benefits and the payoff
depend on the quality of the design and implementation of the solution.
There are the usual challenges to any organization: rushing to meet
market deadlines, conflicting internal priorities, corporate
reorganizations. All of these realities can interfere with achieving
the targeted result. Aside from creating potential security holes, a
sub-par implementation can easily result in an unacceptable user
experience.
The Security Provider approach is inherently more financially
conservative. It requires relatively small startup costs and time
investment from in-house development staff. Costs are only incurred as
protected product revenue is realized, so a “high cost / low benefit”
result is virtually impossible. Total cost for the Security Provider
solution is considerably less than the Homebuilt approach.
The risk of failure is lower with the Security Provider because
expertise and focus enhances the likelihood of sustainable
hack-resistance and total end user acceptance. The publisher
experiences no disruption to the ongoing product development process.
Internal staff is not burdened with acquiring off-competency,
specialized expertise, or the ongoing efforts to sustain it. Instead,
development staff can stay focused on making better applications for the
publisher’s target customers.
All in all, device locked software activation is a prudent strategy. It
can maximize ROI and improve the overall brand experience.
