A great deal of effort has been made to prevent the unauthorized transfer or use of software. These efforts are often directed toward three main areas of concern for software developers. The first concern is to create a security means that cannot be easily determined or circumvented by end users. The second concern is to create a security system that can be inexpensively manufactured and yet operate on a software program that has many identical copies. The third concern is to create a security system that offers protection for software that is sold or distributed through computer networks.
Prior methods of protection from unauthorized software use have involved supplying the user with a set of passwords designed to respond to specific queries from the software prior to use. If the user has the proper answer to the query, then use is authorized. These methods are easily circumvented by simply passing the set of passwords, together with the queries to which they respond, on to unauthorized users.
Sophisticated methods have also been implemented in an effort to restrict software access. U.S. Pat. No. 4,683,968 (Appelbaum et al) described a system in which a portion or all of the software was encrypted in code form. When a user requested access to the software, the computer underwent several steps, including communicating with a software protection module, to determine whether the proper access code was available. The software protection module contained a unique code that allowed the computer to perform a decryption procedure on the protected software. Each module was preprogrammed with a unique code and constructed in such a manner that any physical tampering would irrevocably damage it. One drawback of this system was that the unique code was placed into the module at the time of manufacturing, which made the process more difficult and costly. There was also an undesired time delay while the application was decrypted.
Software encryption was also used as a means of keeping the software protected in U.S. Pat. No. 4,187,140 (Chandra). In this invention, the software was broken down into an encrypted form, and decryption could only take place when a physically secure token transferred the key to the computer. The user could make as many backup copies of the program as they wanted, but since the software remained encrypted, the copies were unusable unless the decrypt token was also present.
Hardware devices continue to play an important role in protecting software, but they must have the security code placed in the hardware unit prior to shipping. This creates higher production costs. In U.S. Pat. No. 5,081,676 (Chou), a hardware device was used in which a permanent first key was placed. A second key, contained in either the same hardware or the software, was used in conjunction with the first key so that a control key could be established.
In U.S. Pat. No. 5,182,770 (Medveczky), a system was disclosed in which two separate identification codes were used. One of the codes was associated with the application program, and the other code was associated with a hardware unit. The various codes were derived from the software serial number and a code placed into a connecting hardware unit. Using both of these codes, a security access code could be verified.
A similar approach was taken in U.S. Pat. No. 5,222,133 (Chou), in which a plug-in hardware device contained a single unique first key or a set of unique first keys. A second key was used with the first unique key to derive a control key. Identical copies of software were protected together with the hardware devices, with each software application having its own hardware protection device.
The problem with the prior art is that unique codes or keys had to be placed into the various hardware devices prior to their distribution. Protection was ensured only if each permanent key was unlike any other, or was designed to work with only one type of program. Previous hardware devices, while interacting with the software, have been required to be physically connected to the computer system, such as through a communications port of a computer. These unique codes had to remain intact with regard to any codes included in the software, since software was generally copied at the point of manufacture and sold to the end user on a diskette or other memory storage media. If the hardware did not have a unique code, then the protection would be easily circumvented.
Further use of the hardware was generally limited by the number or type of permanent codes it had. Update programs had to be anticipated at the time of the hardware unit's manufacture, or a new hardware unit would have to be included with unanticipated updates and new applications.
Efforts have also been made to use preselected codes, each assigned a specific unit of time during which it would operate as an access code. In U.S. Pat. No. 5,168,520 (Weis), a hardware device contained a set of codes that were individually selected as access codes according to a specific time interval given in the hardware programming.
Other methods have used a personalized identification number (PIN) that the user obtained from the manufacturer, similar to a number used to gain money from a bank machine using a credit card. The overriding problem with this type of method was that the protection obtained from the use of a PIN was lost once the PIN was disclosed to others.
As the "information highway" continues to grow, computer services and sales of software can now be accomplished using modems and communication network computers. One of the benefits of increased computer/modem activity is that sales and transfer of information can be accomplished without the need to inject physical storage devices, such as program disks, into commerce. The middleman is rapidly becoming a network computer rather than a physical store.
With so much information available through network systems, it is common practice for users of various services to download programs from a network system and use the software without paying for anything more than phone time and log-on time with the computer network system. The software designers lose profits, and there is a decrease in incentives to create more software. Use of a PIN to give protection has obvious shortcomings, since network users are able to transfer both the software and the PIN along to other users of the computer network.
The protection necessary for software distributed over network computer systems requires an access key that can be individually mass produced, but is linked to a single software program at the time of the software's installation. In addition, communication between the computer and the access key should include a means whereby the user cannot easily ascertain all of the information being transferred.