1. Field of the Invention
The present invention relates to processes for distributing computer software and in particular, to measures to ensure software integrity and prevent software piracy during software distribution.
2. Background Information
Software can be distributed using a wide variety of techniques. For example, users may download software over the Internet or buy packaged software on mass-produced pre-recorded computer media at a retail store. The wide variety of distribution mechanisms for software coupled with the ease with which it can be copied, makes software extremely susceptible to piracy. Software developers incur substantial losses on account of the distribution and sale of unauthorized or illegal copies of software.
Modern software packages typically consist of several different components. A main executable program may call any one of a set of executable component programs at run-time that are targeted to perform specific tasks. Such component programs can form part of a library of programs that can be called by the main program. Some of these library component programs, also called Dynamic Linked Libraries (DLLs), may be shared between several different software packages, obviating the need to rewrite programs for specific, repeatedly used tasks that may be common to the group of software packages. DLLs are not executable by themselves but must be called by other programs. DLL files allow for more efficient use of computer random access memory (RAM) because they are only loaded into RAM when called.
To thwart software pirates and counterfeiters, DLLs are typically digitally signed by their creators. A digital signature is an encrypted electronic signature that can be used to authenticate a document and the identity of the document's creator. A digital signature can be used to ensure that the document originated with the entity signing it and that it was not tampered with after the signature was applied. When a DLL is called, its digital signature is first decrypted and authenticated by the calling program. If the authentication fails, the calling program may abort or return an error condition. If the authentication succeeds, the calling program can proceed to a subsequent stage.
Software companies generally use a wide variety of rights management models that range from perpetual licenses with no expiration date to trial or evaluation licenses that may expire within a relatively short period after activation. The existence of a valid license is generally determined whenever the software is started by a user. For example, a “licensing DLL” may be called following the start of a main program to determine whether a valid license is present. Upon authentication of the licensing DLL's digital signature, the main program may send a license validation request to the licensing DLL. If the license is determined to be invalid the main program can be aborted. If the DLL determines that a valid license exists, it can communicate the existence of a valid license to the main program before exiting. The main program may then continue with the remainder of its tasks.
The use of digital signatures with DLLs prevents tampering with the DLL and/or its substitution with a counterfeit pirate-created DLL. However, it does not prevent a software pirate, for example, from substituting a DLL created by a software company for a software package and using it with a different version of the same software package. For example, a pirate could take the entire licensing DLL for a product with a perpetual license, and use this DLL in a version of the same product that has a much shorter license period. The substituted licensing DLL will be authenticated correctly by calling programs because it was created by the software company, has not been altered in any manner and bears the correct digital signature. Thus, the substitution of the original DLL of a software package with a DLL taken from a different version, destroys the integrity of the software package and has the effect of defeating the licensing mechanism for the software package with the shorter licensing period. Moreover, such a substitution of DLLs would also allow software pirates to circumvent the rights management policies of the software company and sell unauthorized versions of products which could have a significant financial impact on the company in terms of lost sales and revenue.
Therefore, there is a need for systems to ensure the integrity of software components associated with a software package or software product family and to support the rights management models practiced by software companies.