I have a license system which currently locks licenses to a physical computer using CryptProtectData (with CRYPTPROTECT_LOCAL_MACHINE) and CryptUnprotectData. This is of course not the entire license system, it's just the part that confirms if the license can run on this computer (the license itself is encrypted with another encryption method).
Currently I take something like a string "allowed" and encrypt it on the client machine with CryptProtectData. This is then sent together with other data as a "license request" to a license server. A license is then returned with this data untouched and saved on the client machine. If the client license system then runs CryptUnprotectData and gets "allowed" back when using that license on that machine, it knows it's a valid machine.
However, I've come to the conclusion that it would be better if the license could follow the user instead of the machine. This can be done with CryptProtectData, but only on a roaming profile, which I don't think is very common.
So what I'm looking for is some method other than CryptProtectData where a Windows user can encrypt data on computer A and then successfully decrypt it on computer B (A and B being in the same Windows domain) without any roaming profiles. Maybe some user id can be requested from Windows and used as a key for encryption?
I was looking around and came across the Windows domain user SID. Could this be used to securely identify a user or can it be manipulated? Perhaps it's not unique over separate networks?
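The machine-lock check the question describes, written out as an added PowerShell example (this is not code from the question or from any answer). It uses .NET's `System.Security.Cryptography.ProtectedData`, which wraps CryptProtectData / CryptUnprotectData; `DataProtectionScope.LocalMachine` corresponds to the CRYPTPROTECT_LOCAL_MACHINE flag, and `CurrentUser` is the profile-bound scope the question says would only roam with a roaming profile. The function names, the marker string and the optional entropy value are assumptions made for the example.

```powershell
# Added example, not part of the original question or answer.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows (DPAPI is Windows-only).
Add-Type -AssemblyName System.Security

# Constructed optional entropy; both Protect and Unprotect must use the same value.
$Entropy = [Text.Encoding]::UTF8.GetBytes('example-license-entropy')

function New-MachineToken {
    # Client side, at license-request time: protect the marker string with the
    # machine-scoped DPAPI key so only this machine can unprotect it later.
    param([string]$Marker = 'allowed')
    $plain = [Text.Encoding]::UTF8.GetBytes($Marker)
    $blob  = [Security.Cryptography.ProtectedData]::Protect(
        $plain, $Entropy, [Security.Cryptography.DataProtectionScope]::LocalMachine)
    # The base64 string is what the question sends to the license server unchanged.
    return [Convert]::ToBase64String($blob)
}

function Test-MachineToken {
    # Client side, at license-check time: unprotect the token that came back inside
    # the license. Returns $true only if this machine's DPAPI master key decrypts it
    # to the expected marker.
    param([string]$Token, [string]$Marker = 'allowed')
    try {
        $blob  = [Convert]::FromBase64String($Token)
        $plain = [Security.Cryptography.ProtectedData]::Unprotect(
            $blob, $Entropy, [Security.Cryptography.DataProtectionScope]::LocalMachine)
        return ([Text.Encoding]::UTF8.GetString($plain) -eq $Marker)
    } catch [Security.Cryptography.CryptographicException] {
        # Token was protected on a different machine (or the blob was altered):
        # CryptUnprotectData refuses, which is the "wrong machine" result.
        return $false
    }
}

$token = New-MachineToken
"Token accepted on this machine: $(Test-MachineToken -Token $token)"
```

Two properties of this scope are worth keeping in mind when reading the question. With `LocalMachine`, any account on that machine can both create and unprotect such a token, so the check establishes which machine is running, not which user; that is exactly the gap the question runs into when trying to make the license follow a user. Switching to `CurrentUser` binds the token to the user's DPAPI master key, which lives in the user profile, so it only moves between machines when the profile roams, as the question notes.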
Best Answer
This is a fundamental problem for licensing: there is simply no way to enforce that it is the same user once you allow multiple machines, because there is no credential to verify identity.
It is also a heavily studied problem. It is unlikely that you are going to improve on the solutions that major software companies have invested millions in. I would just survey existing solutions and pick one that meets your needs best (none is going to be perfect).
A couple of examples of fairly heavyweight solutions that allow software to follow a user: