Howto: Web Serial Authentication

[dwayne12]

I've started on this project slowly in my spare time again. The feature-set has changed, and things seem to have gotten way advanced from the original idea it was.

Features

1. Secure licencing client and server side through the use of encrypted values
2. Online invoicing and integrated payment gateway system
3. Online software download tracking and management
4. Individual license code tracking and unique user serial code tracking.
5. Ability to add your software products, assign quotas and limits to the amount of licences given out.
6. Customer client area where they can login in and change their personal details, purchases new products and request new serial codes for their products
7. Administration panel for the administrator to add new users, edit and remove them. Add, edit and delete products. Change site settings
8. Version checking(optional) - Every time a user tries to install a product you own, you can enforce whether or not they have to be using the latest version of your software to continue installation
9. Automated software deployment. Allow iSecurePHP to automatically send the software installation to the end user once they have successfully made a payment through your site
10. Ability to integrate with Wordpress, Joomla!, PHPBB, vBulletin, MyBB, Vanilla and more
11. Time limited licenses and expiration installations, plus more

I'll try to update this topic as much as possible.

[Shide]

Hi, I got around the web-serial activation problem by;

1. Using the FTP plugin and downloading an ini file from the FTP server.
This file has the number of allowable installations in it.

2. The values inside it are blowfish crypto-values and

3. using SF8 to unencrypt those values to validate the install. Subtract one from the allowable installs variable

4. re-crypt the values and

5. put the file back on the server.

simple, crude but it works

[dwayne12]

Hey Shide,

iSecurePHP is something along those lines, but it offers far more advanced customisation features. I've since added a lot of code to it in the last couple of days.

In your SUF project file you define an encryption key which will encrypt and decrypt encoded data sent to and from the iSecurePHP server.

Data is sent encrypted with blowfish to the server where it is then unpadded, base64 decoded and then unencrypted. The details are then searched through the use of precise SQL queries.

I am offering the option of version checking. This means that the version number of the users software is sent to the server and checked, and if you decide that you want to force users to use your new version, they must upgrade to install.

After everything is verified a result is sent back to the install which is blowfish encrypted and then the installation will decrypt it and move forward if the result is true. The encryption keys are also matched to ensure that iSecurePHP sent the data.

This will be hostsfile spoof proof unless someone knows your encryption key and makes a PHP script to fake the server, very unlikely unless you choose a poor encryption key.

There is also a client area where clients can login and change their details, purchase new products and request help.
(http://www.exampledomain.com/client)

The administration panel allows you to modify every aspect of iSecurePHP. Add, edit and delete users. IP banning, product banning, version banning and more.

Automated product delivery system: Allow your clients to purchase software automatically via payment gateways (paypal, moneybookers) and have a product serial number sent to them automatically along with a link to the install file directly to their email address.

Pirate alert mode: Through the use of a custom algorithm, iSecurePHP will detect whether or not a particular user id or product serial is being used a lot and from multiple countries and different names. It will do comparison checks and alert you if it suspects that your software has been distributed onto the Internet.

SUF project file generation: Not sure how to implement iSecurePHP into your SUF project? iSecurePHP will generate a base project file for you to modify and change to get started making your installations secure.

I am going to be offering paid and free versions of iSecurePHP, obviously a paid version because of my hard work and time spent creating this script.

[dwayne12]

Here's an update of what the administration panel is going to look like. I swear I've designed like 25 different layouts for the admin panel, I think this one will stick.




More to come people.

[dwayne12]

Hello everyone,

It seems as though iSecurePHP has been slowly in development for what nearly 3 or so years now? Funny thing is I am still slowly developing it and making it completely awesome.

The expectations will no doubt be high for something that has been in development for so long. I am a perfectionist and it'll be out sometime soon, hopefully by early 2010.

The idea is simple, but creating something that works securely is another priority that can be dealt with in a lot of ways. I am making it so it is pretty impenetrable.

Much like anything, it can't be 100% secure and hack-proof, but even if it's 95% hack-proof, it's good enough. Rather than saying a beta will be ready, but then discovering the code isn't ready for beta, I'll stick to the mantra of releasing it when it's ready to be released.

The authentication part is done, but I'm going to go through all of my code and remove, optimise pieces of code that I wrote back in the early stages of iSecurePHP.

I do promise that it will be worth the wait. I know a lot of you are looking for something like this, so I want it to work properly for you.

iSecurePHP will have:

* Licensing system - Time expiring licences, IP restricted licences and pretty much any type of licence restriction you can come up with. It'll have a custom licence creator.

* Useful widgets that will help track and protect your software from illegal distribution. Intelligent tracking will be able to detect if a serial is being used illegally through the use of some pretty heavy algorithms that I have coded for iSecurePHP.

* Completely OOP. The whole entire iSecurePHP package is written in OOP PHP code.

* API System - I'm hoping to have a decent and functional API for iSecurePHP allowing you to do cool things with its data.

* Invoicing & File Distribution System - Automatically sell and distribute your software with integrated payment gateways and automatic file delivery to your users.

Plus way more... Thanks for your support over the years, I look forward to the feedback once it's done.

[dwayne12]

iSecurePHP now has a new name, "Wolf PHP". It deserved a rename primarily because iSecurePHP could have been at the centre of a lawsuit from other companies using isecure in their names.

I think Wolf PHP has a bit more personality to it, sounds way better and less Apple "i" like. I have purchased a domain name, http://wolfphp.com which is not currently built yet, but there is a forum where you can post your idea's and keep up with developments relating to the project.

This gives you the chance to let me know what you want, as well as test releases amongst other things.

The forums: http://wolfphp.com/forum/

[dwayne12]

Wolf PHP is now using the Codeigniter PHP framework and is coming along surprisingly faster compared to previous development. The encryption / decryption and installer communication part of it has been completed and works really well and is pretty hack proof, obviously not 100% as nothing is. I've written an updated post on the Wolf forums relating to it.

Now onto the admin backend and porting over all old code and making it work better / work with Codeigniter's MVC structure.

[Pandit]

in One Word........................

GREAT

[lelapinvert]

Hello

I would like to encrypt/decrypt the user name/password : So If I use the Crypto.encryptString from Setupfactory 8 to connect to my php script on server, will the Crypto module from php work?
Is it the same crypto encoding module? thank you.

[lelapinvert]

Hello SO I tested it and changed it to work on https server it's a bit more secure and used a mysql database that counts activation failed and succeeded. but problem is during server request it shows the name/ip of the server it's contacting.. How can we hide any details like that. I dont want the user to know the name of the server it's trying to reach.. just imaging if he sees " contacting something.com.." then he will do a change in his host file ( /sytem32/drivers/etc) and put something.com 127.0.0.0.1 and send a 1 through a local apache ...so any idea to hide those information?
it's here :
-- Show a dialog box while the persons details are being checked
StatusDlg.Show();
StatusDlg.ShowProgressMeter(false);
StatusDlg.SetTitle("En cours...");
StatusDlg.SetStatusText("Veuillez patienter");
-- Presto Send to the web and hide the activation dialog box
sResult = HTTP.SubmitSecure(sCheckScriptURL, tValuesToPass, nSubmitMethod, nTimeout, nPort, tAuthData, tProxyData);
local strResult = HTTP.SubmitSecure(strURL,tblValues,SUBMITWEB_POST) ;
StatusDlg.Hide();

the status hide doesnt seem to work.. it shows datas...

thanks.

[lelapinvert]

well Ok I removed the statusdlg lines and so it's working..