By Martin Heller

Vendors protect VBX and OLE Controls via a license file. When the file is properly installed on a system, the control can be used in a development environment. Without the license file, the control functions only as a runtime object.

The drawback of putting controls into HTML documents-at least as I saw things at the time-is that you don't need a development environment to author with them. HTML is self-documenting and always available for inspection. If you use an ActiveX Control on a Web page and I view the page, I'll have everything I need to put the control on one of my own Web pages, license file or no license file.

So what's the solution? Authenticate the parameters used to instantiate the control. You can pass an authentication code as an additional parameter, and it should be computable from the other parameters and some key in a heavily encrypted manner. The authentication can be as simple as an encrypted checksum or cyclic redundancy code of the data, or as complicated as an encrypted hash of the data that is then digitally signed.

You need two more pieces to make authentication useful for protecting controls. You must use the control to generate the authentication code in the development environment, and you need to require that the license file be present for authentication-code generation. With all three pieces in place, you do need a license file to author HTML pages that use the control; the control's original developer can continue selling the product to other developers, and end users are not inconvenienced.

You could come up with lots of refinements to a scheme like this. The license file or the parameters could include an expiration date, again protected from tampering by the authentication code. One of the authenticated parameters could be the URL of the Web page hosting the control; another could be the Web server's IP address, or a specific client network's IP address and mask. In addition, you could provide the license file, updates of the control and the control's help file on a secure Web server. This would make breaking the control's security scheme for development much harder and more expensive than simply buying the control.

To compute the authentication code, concatenate all the parameter strings, and pass that string plus some key strings or long integer seeds to an encrypted checksum, encrypted cyclic redundancy checking (CRC) or encrypted hash engine. You could compute the checksum or CRC with the same sort of algorithm used to validate packet transfers over a network or over serial communications protocols such as Kermit or Zmodem. Either the string encryption prior to checksum computation or the final checksum encryption could use any reasonably strong encryption algorithm. DES, the symmetric block-cipher algorithm banks use for electronic currency transmission, would be more than adequate. A simple XOR algorithm would probably be too weak to protect the control for long.

In ActiveX controls, there's more to the licensing scheme than meets the eye. A little-known token-passing scheme verifies at instantiation time that a licensed development environment has placed a control in a container. I don't have much in the way of details, apparently because Microsoft doesn't want to tell crackers where to look for the tokens. On the other hand, there's nothing stopping control vendors from implementing my authentication scheme, either instead of or in addition to Microsoft's licensing scheme. For that matter, Microsoft is supplying just the tools you'd need to implement my scheme effectively.

Microsoft provides strong RSA hash and digital signature algorithms in the Cryptographic Application Program Interface (CryptoAPI) to be included with Windows NT 4.0 and a future version of Windows 95. So, you may not need to waste space in the control for an encryption routine if you're willing to limit your audience to these new operating-system versions.

In the CryptoAPI scheme of things, your program starts an encryption session by getting the handle to a cryptographic service provider using CryptAcquireContext. The default or base provider is Microsoft's implementation of RSA Data Security's public-key encryption methods. These use the RSA algorithm for key exchange and digital signature, the RC2 or RC4 algorithms for encryption and the MD5 or SHA algorithms for hashing. RSA, RC2 and RC4 are all ciphers. RSA is a reasonably strong but computationally intense public-key cipher, RC2 is a 64-bit symmetric block cipher and RC4 is a symmetric stream cipher. Both MD5 and SHA produce hash values from a data block, MD5 a 128-bit and SHA a 160-bit.

To generate a unique hash code from a data block, first create a hash object using CryptCreateHash, and then generate the hash with CryptHashData. Next, validate an existing digital signature against the hash object and its public key using CryptVerifySignature, or create a new digital signature using CryptSignHash and your private key. You always sign hash codes and never data, because the public-key digital signature algorithms are so slow. Finally, to clean up, destroy the key used and the hash object, and release the provider handle.

If you'd rather do your own encrypted checksum, you can find working source code for the DES algorithm in many books and at several ftp sites. My personal favorites are Numerical Recipes in C (Cambridge Univ. Press) and the Lucifer source code found at any of the mirrors for the old Simtel 20 ftp site.

One hitch: Exporting encryption software from the U.S. requires a license, and the penalties for doing so without one can be significant. But if you're only doing signature validation and not enabling the end user to encrypt data, you should be able to get a license.

On that tepid note, I'd like to move on to my favorite source of heat and hype, the Java language. Microsoft is incorporating Java runtimes into Internet Explorer 3.0, which is free for the downloading. This means Java is becoming incorporated into Windows 95 and Windows NT, so it's fair game for a Programming Windows column. In addition-and perhaps more significantly for now-Java is already part of Netscape Navigator, the most prevalent Web browser.