Choosing Between Read-only and Writable License Files
Cached license files can fundamentally work in two different ways. They can be something your application may only read (a read-only license file), or they can be something your application can read, create, and update (a writable license file). Each approach has its own advantages and disadvantages, and choosing the right one helps you match your licensing to the needs of your users and the environments where they run your software.
A cached license file is simply a file your application uses to cache the status of a software entitlement, so it does not need to contact a server every time the application runs. This improves the application's availability, reliability, and performance.
Read-only versus Writable: Advantages and Disadvantages
Your application can read a read-only license file, but it cannot create or update that file.
- The benefit of enforcing this limitation is that it better prevents attackers from replacing license files with ones they created in an attempt to bypass your licensing.
- The drawback is that the application cannot manipulate its own license. As a result, your application must obtain any license updates from a trusted source, such as a central licensing server (for example, SOLO Server) or a customer service representative.
A writable license file is one that your application can create and update itself.
- The benefit is that your application can update its own license files freely. You might need this flexibility if your application updates license parameters such as incrementing or decrementing counter values for consumption-based licenses, or date fields for license or feature expiration. In some strictly regulated environments (for example, hospitals or government agencies) where communication with a central licensing server is not allowed, a writable license file may be required.
- The drawback is that there is a higher chance an attacker could write their own license file and potentially bypass your licensing.
Some licensing toolkits, including Protection PLUS 5 SDK, allow you to use a mix of both read-only and writable license files, so you can leverage the strengths of each approach in the same application.
A Glimpse Under the Hood
Labeling license files as "read-only" or "writable" is a simplified way to describe the outcome of different choices around cryptography. The underlying topic can get complex, so the summary below covers what matters most when you select a licensing system and when you make choices within its features and options.
Two key concepts help explain the difference:
- A symmetric algorithm is a cryptographic algorithm where a single key is used to both encrypt and decrypt information.
- An asymmetric algorithm is a cryptographic algorithm where a key pair (two cryptographic keys) is used to encrypt, decrypt, digitally sign, and verify information. Each key in the pair has its own public key data and private key data.
For read-only licenses, an asymmetric algorithm is used, which means two keys are involved. One key (the "Client Key") is fully known to the licensed application. The private key data of the second key (the "Server Key") is known only to a trusted source, such as a central licensing server or an application that only you or your staff can access. Because the licensed application lacks the Server Key's private key data, it can only read and verify digital signatures. It cannot generate them.
For writable licenses, either a symmetric algorithm is used, or an asymmetric algorithm is used with only one key from the key pair fully known to the application (the "Client Key"). In this case, any digital signature is generated using key data the application already knows. Because the application knows everything needed to generate these signatures, it can write any data into license files freely. The trade-off is that an attacker who finds this information in the application could also use it to write whatever they want into a license file.
Choosing the Right Approach
Understanding the difference between read-only and writable licenses helps you make a choice that best suits your users and the environments in which they run your applications. The SoftwareKey System lets you use a combination of both read-only and writable license files, so you are not limited to a single model across your product line.
If you need more guidance on which approach fits your application, the SoftwareKey team is happy to help.