From: Clk on
This is my scenario
- I have an appliance which is installed at customer sites.
The appliance always has internet connectivity. The customers
pay a periodic subscription to use the box.

I want to disable the appliance if the subscription isn't upto date.
So this is what I am planning.

When the appliance is first installed at the customer site, it would
come with a SSL certificate which expires on the date till which his
subscription is paid for.
I would also have a remote server which would have the subscription
details of all my customers. When the customer renews his subscription,
this remote server database would be updated with the new subscription
expiry date.

Everyday, a cron job on the appliance checks the expiry date on the
appliance's
certificate. If the subscription is near expiry, it contacts the remote
server,
checks if the expiry details have changed on the remote server. If it has
changed
send the certificate over the wire to the remote server for renewal & would
get a certificate with the new expiry date.
Past the expiry date on the certificate, the appliance do some action
which would
make it useless for the customer.

Does this sound doable - any gotchas? Any better & tested methods I can use
to achieve this?

I have a webserver running Apache - can I use this same server as my
remote server.
If I do use this as my remote server, is it OK to do this though the
Apache Webserver
itself, or is it better/secure to have a separate program running on a
different port
to serve this subscription needs?
From: robertwessel2 on
On Jul 15, 10:14 pm, Clk <a...(a)a.org> wrote:
> This is my scenario
> - I have an appliance which is installed at customer sites.
> The appliance always has internet connectivity. The customers
> pay a periodic subscription to use the box.
>
> I want to disable the appliance if the subscription isn't upto date.
> So this is what I am planning.
>
> When the appliance is first installed at the customer site, it would
> come with a SSL certificate which expires on the date till which his
> subscription is paid for.
> I would also have a remote server which would have the subscription
> details of all my customers. When the customer renews his subscription,
> this remote server database would be updated with the new subscription
> expiry date.
>
> Everyday, a cron job on the appliance checks the expiry date on the  
> appliance's
> certificate. If the subscription is near expiry, it contacts the remote  
> server,
> checks if the expiry details have changed on the remote server. If it has  
> changed
> send the certificate over the wire to the remote server for renewal & would
> get a certificate with the new expiry date.
> Past the expiry date on the certificate, the appliance do some action  
> which would
> make it useless for the customer.
>
> Does this sound doable - any gotchas? Any better & tested methods I can use
> to achieve this?
>
> I have a webserver running Apache - can I use this same server as my  
> remote server.
> If I do use this as my remote server, is it OK to do this though the  
> Apache Webserver
> itself, or is it better/secure to have a separate program running on a  
> different port
> to serve this subscription needs?


Ignoring the general distaste for that sort of thing, in basic
outline, that's a fairly common approach. The AV package we use does
just that - the server running it checks for definition updates every
five minutes or so, and also updates the license information at that
time. Many pay one-way broadcast services (satellite radio, for
example), regularly transmit the license keys for all licensed
devices.

The problem is what you're using to time the expiration. Using an SSL
cert's expiration for that would certainly be unusual, if not unique.
Typically you would have an encrypted (and signed) license file that
contained not only the date, but the status of any options (assuming
there are any). Include the device's serial number (or whatever you
use to identify the device in question) in the license file, so that
you can validate that the license belongs to that device
(alternatively hash the devices serial number into the encryption
key).

While it may not apply in your case, something to consider is what
happens when certain types of hardware upgrade occur. For example,
let's say you're using the MAC address on the Ethernet card in the
device as the device's serial number, and the Ethernet car gets
swapped out for some reason. Having the device keel over at that
point is seriously unkind. A grace period is often a good idea, and
not only for that reason. Just because the customer is a bit slow
getting the bill paid is a bad reason to put them out of service - at
the very least the disruption will cause considerable ill will. It's
probably a much better idea to continue to run for (say) 30 days,
while making frequent obnoxious noises through the speaker, or
something else hard to miss.

And, of course, since the device is in possession of the customer, the
license checking code is ultimately hackable.
From: Tom St Denis on
On Jul 16, 3:51 am, "robertwess...(a)yahoo.com"
<robertwess...(a)yahoo.com> wrote:
> Ignoring the general distaste for that sort of thing, in basic
> outline, that's a fairly common approach.  The AV package we use does
> just that - the server running it checks for definition updates every
> five minutes or so, and also updates the license information at that
> time.  Many pay one-way broadcast services (satellite radio, for
> example), regularly transmit the license keys for all licensed
> devices.

As an XM subscriber (yuk... another story for another day) I know that
they only broadcast your key when you renew or sign-up for about an
hour or so at most. If you miss the window (e.g. radio is off) you
have to either call up or hit the website so they send it again.

I suspect they have something fairly simple based on the timestamp
from the source (they get their clock time from the satellite). Given
my experience with homebrew crypto I bet it's some sort of simple
cipher with an embedded key or something as opposed to something more
rigorous like a proper signature...

Tom
From: robertwessel2 on
On Jul 16, 5:25 am, Tom St Denis <t...(a)iahu.ca> wrote:
> On Jul 16, 3:51 am, "robertwess...(a)yahoo.com"
>
> <robertwess...(a)yahoo.com> wrote:
> > Ignoring the general distaste for that sort of thing, in basic
> > outline, that's a fairly common approach.  The AV package we use does
> > just that - the server running it checks for definition updates every
> > five minutes or so, and also updates the license information at that
> > time.  Many pay one-way broadcast services (satellite radio, for
> > example), regularly transmit the license keys for all licensed
> > devices.
>
> As an XM subscriber (yuk... another story for another day) I know that
> they only broadcast your key when you renew or sign-up for about an
> hour or so at most.  If you miss the window (e.g. radio is off) you
> have to either call up or hit the website so they send it again.
>
> I suspect they have something fairly simple based on the timestamp
> from the source (they get their clock time from the satellite).  Given
> my experience with homebrew crypto I bet it's some sort of simple
> cipher with an embedded key or something as opposed to something more
> rigorous like a proper signature...


I have XM too, but an hour seems implausibly short. Basically it
would cause almost all automatic renewals to fail (how would you know
when to have the radio turned on?), and that's never happened to me.
Perhaps for a new subscription or a manual renewal, where you can end
the session with a popup that says "turn on the radio in the next 30
minutes and then leave it on for at least 10," it's possible for the
interval to be that short, but for automatic renewals, you'd want at
least a few days.