By John Frame
The interesting aspect of using dongles for software licensing is that most Independent Software Vendors view them as providing portability, not necessarily more security. Licensing systems allow the software to attach the entitlement rights to a specific machine or user. The core question is, how do you identify the machine and/or user in such a way that is reliable (reduces revenue leakage) but at the same time does not create a negative user experience (reduce customer acceptance and drive up costs). Dongles play a role in this balancing act and it is this balance between revenue and customers satisfaction that independent software vendors and high-tech manufacturers should explore when evaluating a software licensing and protection solution.
There are two general classes for this license identification process, the traditional certificate file based and the more recent license activation style. In the certificate file based systems one or more identifying characteristics are listed in the file, along with a description of the entitlement rights that the customer has. The file is then digitally signed so that it can’t be altered. The licensing system reads the file and checks to see if the signature is valid and then makes a determination if the identifying characteristics listed in the file are the same that it finds in the environment. If so, then the licensing system serves out the entitlements as they are described. The identifying characteristics that are commonly used are items such as the Ethernet MAC address, the host name, the display name, or in some cases the ID from a dongle.
A MAC address or host name can easily be modified by a malicious party. A dongle is stronger but not that much stronger since dongle emulators have been in existence just about as long as the dongles themselves. What a dongle gives the independent software vendor and the customer is greater portability. Unlike an Ethernet MAC address, the dongle is easily disconnected from one machine, transported to a second, where the licenses are easily served from that second machine. The dongle is as strong an identifying factor as any other single characteristic so the entitlement rights are not significantly more secure but they are much more portable. To increase security independent software vendors and high-tech manufacturers should look at an activation style licensing system.
Using a single identifying characteristic presents an easy method for a malicious person to defeat. If an independent software vendor increases the number of characteristics then the solution must account for a concept called “machine drift”. Over time any given machine will change. Hardware is replaced, components are upgraded, and configurations are modified. When that happens if the machine drift is not accounted for the licensing system simply refuses to work until new license rights are issued. Activation style licensing accounts for machine drift by providing a much higher level of confidence on securing the entitlement rights but also by delivering a strong customer experience.
Activation style systems keep a record of both the current machine configuration and past configuration. The independent software vendor or high-tech manufacturer does not specify any characteristics, it is handled entirely by the licensing system. If the configuration has changed a little bit but has not changed too much over the past several days, weeks or months, then the drift of the machine is allowed to occur and the license rights continue to be accessible without issue. Only if the machine drifts too far, too fast does the licensing system require the entitlement to be “repaired”. In the activation style licensing, dongles don’t play a role since the activation style licensing is looking at the overall machine.
There are several vendors, each with their own twist on the above concepts but the concepts are consistent in what you will find in both commercial solutions and home-grown implementations. If you are looking for portability, Dongles might be good for you. But if you are concerned about revenue assurance, high customer satisfaction and low cost, an activation style licensing solution should be considered.
What is your experience with Dongles? Do you use Dongles or other methods for software licensing and protection?