Floating license server for TC

[misiekt]

Hello,

I would like to ask to consider creating some kind of floating license server, which would hold main wincmd.key and lend to users some kind short term (ie. for day, up to week) temporary license keys.

One would set license server connection, user and password, and it would be requested once short term license expired. It would easily control number of concurrent licenses in use, which is TC policy as i saw in FAQ.

I'm asking this because I'm corporate admin, and my company bought 100 licenses for TC. For about 3 years it was working just fine, but finally with new version i found out that my key was leaked to public.

So I'm planning to upgrade it, since old one is no longer valid. But if its going to stay the way it is now - unlimited key on every computer, with free access to copy - then it's only matter of time when next disgruntled employee is going leak it again.

Please consider my suggestion. Thank you.

[Sir_SiLvA]

So you fail to control your IT Security and want Chris to fix your problem?
How about stoping the "free access to copy"?

I doubt Chris will ever do what you propose cause it makes no sense at all - how should TC see wich license it should look for?
It would mean more work then use...

[misiekt]

So you fail to control your IT Security and want Chris to fix your problem?
How about stoping the "free access to copy"?

I wrote response to that, but then i discarded it, because solution seems more important. In a nutshell, you're wrong on few levels. And for sake of rest of the text, i don't deal with workstations, just servers.

I doubt Chris will ever do what you propose cause it makes no sense at all

I've got few license servers f.e. FlexLM or HASPLM, which allow me to control licenses. It's common practice, not something i pulled from nowhere. Unless, of course, those developers make it just for kicks, since apparently it makes no sense at all...
I'm sure it's more useful feature than different colour of icon for TC, in the topic i saw earlier.

how should TC see wich license it should look for?

Just let define server/user/pass in TC options and put checkbox that it should be used. Dunno whats complicated about that.

There is already HTTP protocol implemented, so it could be used as authentication/transport layer easily. Not much work here too.

Server side is bit more complicated, but can be based on simple HTTP server (like nginx with FastCGI). It would keep master key which allows f.e. 10 licenses and CGI script/program. When TC requests license CGI generates temporary one valid for a week, and substracts one from license pool. TC receives that over HTTP and saves to local machine.
After a week provided license is void, and server increases number of available ones. Of course there should be early return possible too, because renewal should be attempted at each startup if server is available at the time.

On final note. Most important is program that just generates temporary licenses based on valid multiuser key. Best if program is portable to run server under *nix. And of course version of TC that respects those time limited keys.
One can deal with client/server architecture part with other means. Althou integrated solution would be nice since most of it is there already.

Best regards.

[Sir_SiLvA]

One can deal with client/server architecture part with other means. Althou integrated solution would be nice since most of it is there already.

Sorry in Case of TC this would be complete OVERKILL...

[theosdikaios]

2Sir_SiLvA What is your solution for this problem: you haved payed a great number of licences and every user should work with a licenced version. But you cann't supervise every user that he will not leak the licence to public?

[umbra]

Yes, the "license server" idea would be an overkill. But a simple command line utility, that would generate temporary keys based on a master key, does sound as a reasonable solution. However I'm not sure how much work it would be for the author to implement it.

[MVV]

Private key is required to generate license key so it is absolutely unsafe to share tool that generates keys. But I think some web service may be used for such task: you send your key file and get temporary ones (e.g. weekly; maybe even e-mail service), or you simply download encrypted archive with temporary key using dynamic link (real key's hash is used as a password). But this will require TC support for temporary keys and adding such web service... And, all clients will need to update keys time to time (some script may be used to copy new keys to user computers within network).

[HolgerK]

28.04.10 Added: Store key also in registry (binary value "key" under Total Commander key) - must be set via keypath=$ in wincmd.ini

Should make it significantly more difficult for the normal user to copy the key.

I've got few license servers f.e. FlexLM or HASPLM

And the software protected with this "expensive" solutions is shareware?

But a simple command line utility, that would generate temporary keys based on a master key

And in consequence a lot of keyfile generators or temporary keys with expire date 2099 would float the internet....

Regards
Holger

[umbra]

And in consequence a lot of keyfile generators or temporary keys with expire date 2099 would float the internet....

The generator would be freely available, since it would need a normal (valid) key to create temp keys. Also why should those keys contain an expiration date? A creation date would be enough and TC would be hardcoded to ban them after 7 days from that date (just an example).

Also let's see the weak links of this solution.
1. Cracking the generator - useless, there is nothing to gain.
2. Cracking the TC - already possible today (however not used very often since there are easier ways).
3. Stealing the main key - already happens today. But this way, companies could store it in just one safe place instead of hundreds of computers.
4. Stealing temp keys - hardly useful, since they expire in a week after their creation (unless you crack the TC which would make this redundant anyway).

edit:
Ok, now when I'm reading it again, there might be some problems with security of the generator. MVV's solution seems to be better.

[Sir_SiLvA]

2Sir_SiLvA What is your solution for this problem: you haved payed a great number of licences and every user should work with a licenced version. But you cann't supervise every user that he will not leak the licence to public?

Easy: let them use a TC without an access to a key if you cant trust your employes....

[MVV]

Sir_SiLvA, and how do you suggest to use TC w/o access to a key? As unregistered version?

[Sir_SiLvA]

2MVV, ofc and I dont think that Chris would see that as illegal use...

[misiekt]

And the software protected with this "expensive" solutions is shareware?

Of course not, and i realize its not an option for TC, because its too expensive to licence, just gave an known example.
But thats why i propose simpler solution.

Easy: let them use a TC without an access to a key if you cant trust your employes....

As I said before. I dont want to turn this into sec discussion. I know there are ways to do that. But maybe for a while you may consider that not everyone is living in perfect Windowsland, with only Office to worry about.
For start I have few programs used in production, that require admin access under XP or W2K, nothing i can do about it. And that is just tip of an iceberg.

You can dazzle us with elaborate sec proposal, which we will poke holes in, and I dont want to go there. People care about getting their job done, and they couldnt care less about their PC being sec tight.

Private key is required to generate license key so it is absolutely unsafe to share tool that generates keys.

Again one key idea. Its obvious that original TC private key, used for generating keys now, wouldnt be shared with customers.

But they can get their own private and public key (public or both encrypted with original master key, as its is with wincmd.key now) which would allow TC recognize keys generated with private customer keys.
Key.gen would generate temporary keys based on info on customer private key.

Rest of sec concerns is mostly pointed out by Umbra.Nothing to add there. And you can always invalidate customer public key aswell, if private half should leak.

As for overkill argument. As I said before. Most facilities are in TC already, it just have to be aware of possibility getting key from HTTP server. You can do it now already manually entering URL in TC.

It could be done with current key. But then again it wouldnt be perfect since user/password had to be stored inside TC instalation.
Hence temporary keys, since they resolve problem. Even if someone would gain acces, they wouldnt steal master key, just temp one.

And what MVV mentioned about TC support facility. I aware of that posibility, but I intentionally skipped that idea, as i imagine constant service is too much to ask. Only one shot effort into coding some feature is feasible. And selling key to customer, but is obvious.

My proposal wouldnt add to mr. Ghislers licence management effort, just improve on current bad "one key to rule them all" idea. And we all know how that ended...

[siealex]

I think this is a wrong way... TC must not be shareware, it must be a component of Windows.

[ghisler(Author)]

I have already considered to offer such a licence server. But what would prevent anyone from putting it on the public internet, so everyone could use it for free? This would most certainly happen if the network of a company would be hacked and the server stolen...