Offline licenses and clock tampering

[DRoberts532]

Hi Zeke,
I'm just now getting started with Keygen and one of the licensing scenarios I have to handle is computers running our software offline. My question is, how can I keep a user from spoofing the license by setting their computer's clock ahead by five years? If the license carries an encoded expiration date and I just compare that date to the system clock date, then it seems that a bit of clock tampering could get around the license.
Thanks!
Dave

[ezekg]

This is covered here: https://keygen.sh/docs/api/security/#security-clock-tampering. The gist of it is: you can't really prevent this attack vector, because what the offline device says is the time, frankly, is the time. However, you can make clock tampering harder to pull off. But the more defenses you add, the more complexity you add as well.

For example, you could assert the following for a License File (or signed key):

• That issued date is not greater than the current UTC system time, indicating the user has set their system clock to the past, also known as clock tampering.
• That expiry date is not less than the current UTC system time, indicating an expired license file.

Of course, the bad actor could set their system clock to a time between issued and expiry, and that'd be accepted. Again, there's not really any way to know the "real" time for an offline device, because what they say goes.

Outside of these assertions, there are more complex options, like writing an inconspicuous config or log file to disk and then periodically checking the file's created (and modified) timestamps to loosely keep track of the clock. You would update the modified at value each time the file is checked, giving you a last "good" time.

Then, if a timestamp for the file is ever in the future more than some threshold (note: timezone changes during travel, and daylight savings time), then it may be safe to assume that the clock has been tampered with. You could also do the same thing by writing a timestamp to a secure system registry, for example, instead of a file.

[DRoberts532]

Thanks for the rapid response! I'll try writing a timestamp to a file. The users aren't terribly sophisticated (it's an industrial instrument), but might as well try to head things off at the pass as early as possible!