CodeMeter SmartBind & Microsoft Azure
Virtual environments make it difficult for activation-based licenses to be securely bound to the machines they are meant for. The properties that would normally be used as a fingerprint of the target system are often generic in virtual machines, and a change to these properties (often happening in bulk in data centers) has the potential to break an entire collection of licenses in one fell swoop. Wibu-Systems has worked with Microsoft to develop a much better approach for virtual systems running in Microsoft Azure.
CmActLicenses are activation-based licenses that need no separate hardware, as they employ a signed and encrypted license file. The unique encryption technology allows the license file to contain symmetric and asymmetric keys on the user’s computer itself, which can then be used for the various cryptographic operations happening in CodeMeter.
CodeMeter SmartBind is Wibu-Systems’ patented solution for binding CmActLicenses to their target devices. CodeMeter SmartBind creates a fingerprint of the user’s computer by referencing different traits and properties, each with their own specific weighting, like the hard drive, motherboard, or CPU. A special and similarly patented tolerance mechanism makes sure that the CmActLicenses and the keys stored in them remain valid even if the user replaces parts of their computer’s hardware. The fingerprint evolves automatically to match the environment and operating system preferred by the user.
Creating such a unique and uncopiable fingerprint for binding licenses to virtual machines still remains a tough proposition. After all, freedom and flexibility to experiment with simulated hardware properties is part of the raison d’être of virtualization. Wibu-Systems has continued to refine the inner workings of CodeMeter SmartBind to enable strong binding for CmActLicense even in virtual environments.
Teaming up with Microsoft in a project for a shared client offered important new insights. Microsoft Azure data centers have the opportunity to use a web service to access certain parameters of the Azure environment. For the project, a volume license for the client was given a custom binding by reading out the licensing details of Microsoft Azure itself. This makes the same binding work for all installations of the client’s software operated under the same subscription in the Microsoft Azure environment.
To bind licenses directly and individually to virtual machines, Windows systems operating in Microsoft Azure now use a separate ID provided there. This ensures that the binding remains intact even if the virtual machine’s properties are changed. The system would recognize a cloned machine (or, more precisely, the integration of a new disk image in a virtual machine), and the license would be broken.
The new recipe for fingerprints using the special Microsoft Azure ID is employed for all CmActLicenses on Windows systems first created with CodeMeter Version 6.90 or later. All CmActLicenses created by earlier versions of CodeMeter 6.90 continue to use the established format. In order to benefit from the new system’s advantages, the CmActLicenses would have to be replaced; to do so, the activated licenses could be returned to CodeMeter License Central, the empty CmContainers deleted, and new licenses activated.
The next version of CodeMeter is expected to bring the new type of fingerprint to Linux systems in Microsoft Azure upon its release in December 2019.
This solution makes CodeMeter SmartBind more robust than ever before and safe from misuse and manipulation in Microsoft Azure.
KEYnote 38 – Edition Fall 2019