Cached license files can function in two different ways. They can be something that your applications may only read (this is called a read-only license file), or they can be something your application can read, create, and update (called a writable license file). Each approach has its advantages and disadvantages.
In a previous blog article, we outlined 3 reasons why you should use cached license files, which you may find helpful if you are wondering what cached license files are and why you should use them. In short, a cached license file is simply a file your application uses to cache the status of a software entitlement so as to avoid the need to contact a server every time your application is used (thus improving the application’s availability, reliability, and performance).
Advantages and Disadvantages of Read-only versus Writable
To begin, your application can read a read-only license file, but the app cannot create the file or update it.
- The benefit of enforcing this limitation is that it better prevents hackers from replacing license files with ones they created in an attempt to bypass your licensing.
- The drawback is that the application cannot manipulate its own license, which means your application will need to get any updates to its license from a trusted source (such as a central licensing server or customer service representative).
Next, a writable license is one that your application can create and update itself.
- The drawback here is that there is a higher chance that a hacker could write their own license file and potentially bypass your licensing.
- However, the benefit is that your application can update its own license files freely. You might need this extra flexibility if your application needs to update license parameters such as incrementing/decrementing counter values for consumption-based licenses, date fields for license or feature expiration, etc. In rare cases, some strictly regulated environments (e.g. hospitals, DoD agencies) may require the use of a writable license file when communication with a central licensing server is not allowed.
Additionally, some licensing toolkits (such as Protection PLUS) allow you to use a mix of both read-only and writable license files so you can leverage the best of both worlds.
A Glimpse Under the Hood
Labelling license files as being “read-only” or “writable” provides a simplified description of the outcome when you make different choices with regards to cryptography. This is inevitably a subject that can get quite complicated, so we’ll summarize what’s important to know when selecting a licensing system and when making choices within a licensing system’s features and options. Here are a few key concepts to start:
- A symmetric algorithm is a cryptographic algorithm where a single key can be used to encrypt and decrypt information.
- An asymmetric algorithm is a cryptographic algorithm where a “key pair” (or two cryptographic keys) are used to encrypt, decrypt, digitally sign, and verify information (via the digital signature). The two keys in the pair each include their own public key data/parts and private key data/parts.
In the case of read-only licenses, an asymmetric algorithm is used, which means two keys are involved. One of the two keys (which we call the “Client Key”) is entirely known to the licensed application. However, the private key data/parts of the second key (which we often refer to as the “Server Key”) is only known to a trusted source, such as a central licensing server, or an application that only you or your staff can access. In a nutshell, the licensed application can only read and verify digital signatures, it will not be able to generate digital signatures since it lacks the knowledge of the Server Key’s private key data/parts.
In the case of writable licenses, either a symmetric algorithm is used, or an asymmetric algorithm is used with only one key from the key pair that is fully known to the application (the “Client Key” as noted above). Even if a digital signature is generated in this case, it is generated using private key data known to the application. Since your application knows all the data needed to generate these digital signatures, it is able to write any data into license files freely. However, this means it is also possible for a hacker to find this information in the licensed application, and use it to write anything they desire in the license file.
Understanding the difference between read-only and writable licenses is important for making a choice that best suits the needs of your users and the environments in which they intend to use your applications. The SoftwareKey System gives you the ability to use a combination of both read-only and writable license files. If you’d like more guidance on what choice is best for you, rest assured the SoftwareKey team is always just a click or a call away.