Path: utzoo!mnetor!uunet!cbmvax!rutgers!sunybcs!bingvaxu!leah!uwmcsd1!ig!agate!ucbvax!mitre-bedford.ARPA!jhs
From: jhs@mitre-bedford.ARPA
Newsgroups: comp.sys.atari.st
Subject: Re: Software copy protection
Message-ID: <8801270359.AA00508@mitre-bedford.ARPA>
Date: 27 Jan 88 03:59:51 GMT
Sender: usenet@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 38

Several ideas (patents and actual products) have appeared in recent years
that enforce copy protection not by appeal to honesty or the legal system
but by providing a physical "doohickey" that has to be plugged in for the
software to work.  Such a device can be serial numbered and can use crypto-
graphic techniques based on the serial number to enforce access to the
software.  It must perform a necessary function, so that the software
actually *HAS* to access it, and get the right answer, which is a function
of -- among other things -- the user's ID or serial number, in order for
the program to function correctly.  If "public key" cryptographic techniques
are used, it should be feasible to make the contents of the "doohickey",
including the cryptographic key, insensitive to discovery.  I.e. the factory
knows how to encrypt critical data and the doohickey knows how to decrypt
it to get the necessary data values (branch addresses or whatever).

I suggest that what the industry needs is a standard for just such a doohickey
that can then be routinely sold to computer buyers.  Some enterprising company
could sell the things and maintain the registry of users, charging a fee to
the software vendors.  Software dealers could be given the wherewithal to
customize a program to run with a given individual's doohickey.  I.e. a
sealed-up PC type workstation with a magic ROM in it, or whatever.  Some
details would need to be worked out, but what I am proposing is that the
necessary thinking and haggling be done to select a workable standard and get
it accepted by the industry.  Then everybody who wants their software
protected against ripoff could subscribe to the standard and anybody who
wanted to run their software would have to buy the doohickey and give the
dealer their serial number in order to get a working program.

I think it would even be possible to sell programs that check the date and
work only for, say, a month.  Thus "evaluation" copies could be given away.
This would probably require that the doohickey contain a realtime clock,
but that should not add more than a couple of dollars to its cost.

In my opinion, adoption of such a standard would solve all of the problems
being lamented here, at relatively small cost to the consumer.  Does anybody
know if one of the standards-loving bodies such as IEEE or ANSI is in fact
working on a software protection standard?

-John Sangster / jhs@mitre-bedford.arpa