安全 - 阻止人们未经授权使用我的程序

发布于 2024-08-15 03:16:53 字数 401 浏览 5 评论 0原文

我正在开发一个程序,我想与某些人共享,但是如果我改变了对这些人的想法,我希望能够“撤销”他们对该程序的访问权限。

理想情况下,这将基于每个用户,而不是仅仅阻止程序的所有实例。与用户帐户类似,但目前我实际上无法访问可以对这些帐户进行身份验证的服务器,因此可能需要更简单的方法。

我是不是太有野心了?

(如果相关的话,我正在使用 Java。)


抱歉,我错过了一些相关细节:

该应用程序将几乎完全在线使用。我不期望用户群远远超过 100 个(这是雄心勃勃的),如果有超过 100 个用户,我会在某种身份验证服务器上投入大量资金,但是目前我拥有的最接近的东西是我可以在上面存储文件的基本 FTP 服务器。


感谢您的所有答案,遗憾的是只让我选择一个最佳答案。 :) 谢谢你们。

I am developing a program that I want to share with certain people, however if I change my mind about these people I want to be able to 'revoke' their access to the program.

Ideally this would be on a per-user basis rather than just blocking all instances of the program. Something along the lines of user accounts, but at the moment I don't really have access to a server where these accounts could be authenticated so a simpler method is probably in order.

Am I being too ambitious?

(If it is relevant I am using Java.)


Sorry, I missed a few relevant details:

The application will be used almost entirely online. I don't expect the userbase to be far over 100 (and that is ambitious), if there were more than 100 users I would splash out on an authentication server of some sort, however the closest thing to this I have at the moment is a basic FTP server that I could store files on.


Thanks for all the answers, its a shame that SO only lets me choose one best answer. :) Thank you guys.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(10

別甾虛僞 2024-08-22 03:16:53

没有办法 100% 保证做到这一点。除了硬件解决方案(也可以解决)之外,软件是可操作的。

举一个非常简单的例子,使用一个 Windows 程序(Java 更容易)检查日期以查看它是否可以运行(想想试用软件)。即使不将时钟调回,您也可以击败它 - 弄清楚它正在调用什么来检查日期,然后提供一个备用 DLL 来更改该调用以始终返回有效的日期。

如果您使用客户端必须连接到的服务器,那么效果会更好,因为您可以在服务器端进行所有有效性检查。但是您不能简单地返回真/假,因为您可以在网络级别更改事物以将假更改为真。要解决这个问题,您需要使用 SSL 来加密网络流量。

“更好”(超出我的想象)是让服务器完成程序的工作,然后让程序显示结果。然后,对于无权访问的客户端,服务器只是拒绝将结果返回给他们。

There is no way to do this with a 100% guarantee. Except for a hardware solution (which can also be worked around) the software is manipulatable.

As a very simple example, take a Windows program (Java is even easier) that checks the date to see if it can run (think trial ware). Even without setting the clock back you can defeat it - figure out what calls it is making to check the date and then provide an alternate DLL that changes that call to always return a date that will work.

If you go with a server that the clients have to connect to that will work better, since you can do all validity checking server side. But you cannot simply return a true/false thing since you can then change things at the network level to alter the false to a true. To work around that you would need to use SSL to encrypt the network traffic.

The "better" (off the top of my head) is to have the server do the work of the program and just have the program display the results. Then for clients that do not have access the server just refuses to return results to them.

·深蓝 2024-08-22 03:16:53

如果您的程序依赖于通过网络服务或某些其他机制对信息进行网络访问,您可以简单地将您希望关闭的用户帐户列入黑名单。

据我所知,如果它是一个完全离线的应用程序,那么你就是 SOL。部署后您对应用程序拥有的唯一控制权是通过对您仍然控制的资源的网络请求。

编辑

远非完美,但再想一想,在离线应用程序中,并且仅对于技术不太熟练的用户,您可以尝试通过更新机制来控制对应用程序的访问,该更新机制将通过用户名的加密列表等使应用程序无效尽管这很容易被规避,并且可能会被逆转,因为所有这些信息都存储在客户端计算机上。它依赖于它们允许您更新软件。

If your program relies on network access to information via web services or some other mechanism you could simply black list the user accounts that you wish to shut off.

If it is a completely offline application you are SOL to the best of my knowledge. The only control you have over the application after deployment is through network requests to resources you still control.

EDIT

Far from flawless, but as a second thought, in an offline application, and only for less technically proficient users you could attempt to control access to the application through an update mechanism that would invalidate the application through an encrypted list of user names, etc. Though that is easily circumvented, and possibly reversed since all that information is stored on the clients machine. And it relies on them allowing you to update the software.

嘿嘿嘿 2024-08-22 03:16:53

由于您无法访问某种独立资源供用户进行身份验证,因此我能想到的唯一答案是“死人开关”,即您在指定的时间间隔向用户发送许可证文件。应用程序在此时间间隔内“过期”,并且必须有新文件才能运行。不希望用户使用该软件?不要向他们发送新文件。

由于多种原因,这不是最佳方案:

  1. 您的所有用户都必须按计划收到此文件,这将导致大量支持工作。
  2. 由于该系统完全驻留在用户的计算机上,因此规避措施的范围从微不足道到“麻烦”,但始终是可能的。这将根据您选择的加密和文件传输算法而有所不同。
  3. 一些非零数量的用户将是“误报”,并且他们的安装将由于过程中的一些错误而停止工作。
  4. 如果您不在文件中内置用户特定信息,用户将能够相互共享。

Since you don't have access to some kind of independent resource for the user to authenticate against, the only answer I can think of is a "dead man's switch", whereby you send the user a license file at a specified time interval. The application "expires" at this interval and must have a new file in order to run. Don't want the user to use the software? Don't send them a new file.

This is sub-optimal, for a number of reasons:

  1. All your users will have to receive this file on schedule, which will make lots of support work.
  2. Since the system lives entirely on the user's machine, circumvention measures will range from trivial to "hassle", but will always be possible. This will vary with the algorithm you choose for encryption and delivery of the file.
  3. Some non-zero number of users will be "false positives" and their installations will stop working because of some mistake in the process.
  4. If you don't build in user-specific info in the file, users will be able to share it with each other.
心的憧憬 2024-08-22 03:16:53

通常的方式是提供允许在一定期限内使用的许可证文件。在此期限之后,用户将必须请求新的许可证文件。如果您想允许在不直接连接到服务器的情况下使用,这是唯一的方法。但这对各方来说都很烦人 - 用户被迫请求新的许可证文件,而您被迫创建和分发它们。

针对服务器的身份验证是可能的,但是,只要您使用 java,就不太安全。即使您混淆了代码,也可以从应用程序中删除身份验证部分,或者嗅探身份验证流量,然后构建一个模拟服务器来永久启用该软件。你可以用加密方法来阻止它,但它变得越来越复杂。

保持密切控制的最简单方法是将应用程序的至少一部分作为服务提供 - 但这当然需要服务器。

The usual way is to provide a license file that allows the usage for a certain period. After that period, the users would have to request a new license file. To that's the only way if you want to allow usage without direct connection to a server. But it is annoying for all parties - the users are forced to request new license files and you are forced to create and distribute them.

Authentication against a server is possible, but, as long as you're using java, not too secure. Even if you obfuscate the code, it's possible to remove the authentication part from the application or to sniff the authentication traffic and just build up a mock server to permanently enable the software. You can prevent it with cryptographic methods, but it's getting more and more complicated.

The easiest way to keep close control is to provide at least parts of the application as a service - but that of course requires a server.

紫南 2024-08-22 03:16:53

根据 CPU 硬件 ID 生成序列号。定期更新您的程序,并将某些 CPUS id 硬编码到黑名单中。当然,如果没有收到定期更新,您就必须让您的程序过期。

Generate serials based upon CPU hardware IDs. Have periodic updates to your program and hard code blacklisting of certain CPUS ids into it. Of course, you'd have to make your program expire if a periodic update has not been received.

深府石板幽径 2024-08-22 03:16:53

如果没有服务器端组件,您所要求的将是困难且不可靠的。

保证您可以撤销对软件的访问权限的最佳方法是通过基于互联网的“软件即服务”应用程序。如果您不提供访问权限,他们就不会使用该软件。如果它是基于桌面的应用程序,那么某些关键功能仍然必须位于某处的在线服务器上。

如果用户在其本地计算机上拥有整个应用程序,则可以对其进行逆向工程并以某种方式“破解”。克服这个问题的唯一方法是确保某些功能永远不会出现在他们的机器上。

Without a server-side component, what you are asking for would be difficult and unreliable.

The best way to guarantee that you can revoke access to your software is through an Internet-based "software as a service" application. If you don't provide access, they're not using the software. If it is a desktop-based application, then some key piece of functionality would still have to be on an online server somewhere.

If the user has the entire application on their local machine, it can be reverse engineered and "cracked" in some fashion. The only way to overcome this is to assure that some part of the functionality is never on their machine.

秋风の叶未落 2024-08-22 03:16:53

我猜这是在用户计算机上运行的实际应用程序。

我能想到的最简单的方法是使用 Java Web Start,它可以确保您的应用程序在更新时从互联网下载 jar。这包括每个用户的许可证(即 jnlp 文件取决于下载它的用户,包括正确的 jar),并且该许可证应该允许用户使用您的应用程序工作几天,即使没有互联网访问,之后一个新的许可证必须下载(因为该用户的 JNLP 文件已更改)。注意:一定要更改已更改的许可证文件的 URL,否则 java 缓存可能会损坏。

许可证文件可以只包含一个类,该类查看日期并表示“真/假”以继续。它必须有适当的签名才能创建密封罐子。

存在更先进的方案,但这将起作用,易于维护,并且是允许免费分发和硬核许可方案之间的合理折衷。

I guess this is an actual application running on the users machine.

The simplest approach I can think of is to use Java Web Start which can ensure that your application downloads jars from the internet if you update them. This includes a license which is per user (i.e. the jnlp file depends on the user downloading it including the correct jar) and that license should allow the user to work for a number of days with your application even without internet access after which a new license must be downloaded (as the JNLP file has changed for that user). Note: Be CERTAIN to change the URLs of a changed license file, otherwise the java cache may be corrupted.

The license file can just contain a single class which looks at the date and says true/false to continue. It must be suitable signed to create sealed jars.

More advanced schemes exist but this will work, be simple to maintain, and be a reasonable compromise between allowing free distribution and hardcore license schemes.

云雾 2024-08-22 03:16:53

别打扰。只要您将实际的软件分发给客户,总有一种方法可以解决您能想到的任何方案。最终,它只会让你的软件变得更不可靠、使用起来更麻烦,从而吓跑潜在客户——大家都输了。

Don’t bother. As long as you distribute the actual software to clients there is always a way to work around any schemes you can think up. In the end it will only make your software less reliable and more cumbersome to work with so that prospective customers are scared away—everybody loses.

ゃ懵逼小萝莉 2024-08-22 03:16:53

每个用户都可以有一个唯一的用户名,您可以根据网络服务对其进行检查,以查看该特定用户是否仍在宽限列表中。

Every user could have a unique username and you can check it against a webservice, to see if that particular user still on grace list.

魂牵梦绕锁你心扉 2024-08-22 03:16:53

每个月都要求用户输入与程序中存储的相应月份的用户名相匹配的新用户名。如果您想阻止用户使用您的程序,只需停止向他们发送新用户名,他们将在月底后无法使用该程序。

Each month have the user be required to enter a new user name that matches the user name for the corresponding month that is stored in your program. If you want to stop a user from using your program simply stop sending them the new user names and they will not be able to use the program after the end of the month.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文