Windows – How to Decrypt Data on Any Windows Computer by the Same User


I have a license system which currently locks licenses to a physical computer using CryptProtectData (with CRYPTPROTECT_LOCAL_MACHINE) and CryptUnprotectData. This is of course not the entire license system, it's just the part that confirms if the license can run on this computer (the license itself is encrypted with another encryption method).

Currently I take something like a string "allowed" and encrypt it on the client machine with CryptProtectData. This is then sent together with other data as a "license request" to a license server. A license is then returned with this data untouched and saved on the client machine. If the client license system then runs CryptUnprotectData and gets "allowed" back when using that license on that machine, it knows it's a valid machine.

However, I've come to the conclusion that it would be better if the license could follow the user instead of the machine. This can be done with CryptProtectData, but only on a roaming profile, which I don't think is very common.

So what I'm looking for is some method other than CryptProtectData where a Windows user can encrypt data on computer A and then successfully decrypt it on computer B (A and B being in the same Windows domain) without any roaming profiles. Maybe some user id can be requested from Windows and used as a key for encryption?

I was looking around and came across the Windows domain user SID. Could this be used to securely identify a user or can it be manipulated? Perhaps it's not unique over separate networks?

Best Answer

This is a fundamental problem for licensing: there is simply no way to enforce that it is the same user once you allow multiple machines, because there is no credential to verify identity.

It is also a heavily studied problem. It is unlikely that you are going to improve on the solutions that major software companies have invested millions in. I would just survey existing solutions and pick one that meets your needs best (none is going to be perfect).

A couple of examples of fairly heavyweight solutions that allow software to follow a user:

  • Require a physical USB key for use of the software. This is probably the strongest way to do it, but obviously expensive and a pain for you and users.
  • Encryption based on machine, but allow multiple machines in a managed way. The user is required to register with you online for each new machine. You can limit the number of machines per user. Or you can revoke access to old copies (requiring them to move the software rather than just unlock a new copy) if you are willing to require internet connectivity for license verification on an ongoing basis.
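As an added example (not code from the question or the answer), the following PowerShell script sketches the answer's second option on top of the DPAPI check the question already uses: the client builds a machine-bound token with the LocalMachine scope, a license server (simulated in-process with a hashtable) records machines per user keyed by the user's SID, refuses a fourth active machine, and supports revocation. The in-memory registry, the limit of three machines, and all function names are assumptions made for illustration.

```powershell
# Added example, not from the original post: a DPAPI machine-bound token
# plus a simulated per-user machine registry with a limit and revocation.
if ($PSVersionTable.PSEdition -eq 'Desktop') {
    Add-Type -AssemblyName System.Security   # ProtectedData on Windows PowerShell 5.1
}

# --- client side -----------------------------------------------------------
function New-MachineToken {
    # Protects a fixed marker with the LocalMachine scope (CRYPTPROTECT_LOCAL_MACHINE).
    # Any process on this machine can unprotect it: it identifies the machine, not the user.
    $bytes = [Text.Encoding]::UTF8.GetBytes('allowed')
    $blob  = [Security.Cryptography.ProtectedData]::Protect(
        $bytes, $null, [Security.Cryptography.DataProtectionScope]::LocalMachine)
    return [Convert]::ToBase64String($blob)
}

function Test-MachineToken {
    param([string]$Token)
    try {
        $blob  = [Convert]::FromBase64String($Token)
        $plain = [Security.Cryptography.ProtectedData]::Unprotect(
            $blob, $null, [Security.Cryptography.DataProtectionScope]::LocalMachine)
        return ([Text.Encoding]::UTF8.GetString($plain) -eq 'allowed')
    } catch [Security.Cryptography.CryptographicException] {
        return $false   # blob was produced on another machine, or is corrupt
    }
}

# --- license server (simulated; assumed design) ----------------------------
$script:Registry    = @{}   # user SID -> array of @{ Machine; Token; Revoked }
$script:MaxMachines = 3     # assumed limit per user

function Register-Machine {
    param([string]$UserId, [string]$MachineName, [string]$Token)
    if (-not $script:Registry.ContainsKey($UserId)) { $script:Registry[$UserId] = @() }
    $active   = @($script:Registry[$UserId] | Where-Object { -not $_.Revoked })
    $existing = $active | Where-Object { $_.Machine -eq $MachineName }
    if ($existing) { return $existing.Token }   # repeat request from a known machine
    if ($active.Count -ge $script:MaxMachines) {
        throw "User $UserId already has $($script:MaxMachines) active machines; revoke one first."
    }
    $script:Registry[$UserId] += @{ Machine = $MachineName; Token = $Token; Revoked = $false }
    return $Token   # handed back untouched inside the license, as in the question
}

function Revoke-Machine {
    param([string]$UserId, [string]$MachineName)
    foreach ($entry in $script:Registry[$UserId]) {
        if ($entry.Machine -eq $MachineName) { $entry.Revoked = $true }
    }
}

function Test-MachineActive {
    # Online check the client can run if ongoing connectivity is acceptable.
    param([string]$UserId, [string]$MachineName)
    $hit = $script:Registry[$UserId] |
        Where-Object { $_.Machine -eq $MachineName -and -not $_.Revoked }
    return [bool]$hit
}

# --- walk-through ----------------------------------------------------------
$user    = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value  # domain SID
$token   = New-MachineToken
$license = Register-Machine -UserId $user -MachineName $env:COMPUTERNAME -Token $token
"Token decrypts here:  $(Test-MachineToken $license)"
"Machine still active: $(Test-MachineActive $user $env:COMPUTERNAME)"
Revoke-Machine -UserId $user -MachineName $env:COMPUTERNAME
"After revocation:     $(Test-MachineActive $user $env:COMPUTERNAME)"
```

The DPAPI blob proves only that it was produced on a machine that can unprotect it, and with CRYPTPROTECT_LOCAL_MACHINE every process on that machine can do so. The SID answers the question's last point: it is a stable, domain-unique identifier that any local process can read, so it serves as a lookup key for the server's registry but not as a secret that authenticates the user. That is why the machine limit and revocation live on the server rather than inside the client-side check.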