[jsword-devel] Locked Modules

DM Smith dmsmith555 at yahoo.com
Fri Jul 21 07:02:03 MST 2006 

Please provide feedback:

Within the last few months and over the course of the near future we are 
seeing locked modules coming available (NET, NASB, ...). In each of the 
cases the publisher will be selling the unlock key. In some cases the 
publisher will be hosting the module on their website.

In BibleDesktop, when a module is locked it is shown with a small lock 
overlay icon in the Book Installer. When the user selects a locked 
module, the "Install" button is greyed out. This leaves the user with 
manually downloading the module, unzipping it in the correct location, 
finding the module's conf and editing it, entering the unlock key.

I would like to change this so that at a minimum, the user can download 
and install the module. Further, ideally the application should allow 
the user to enter the unlock key at download time and also later. The 
key would then be checked for validity*. I'm kinda working against a 
deadline of the next SWORD CD being created. It would be nice to get 
this done before the CD is mastered. So at a minimum, instructions 
should be given to the user to manually insert the unlock key.

The unlock key represents an asset that the user owns. I am wondering 
where and how we should store the unlock key. In order to maximize 
sharing with other SWORD applications it needs to be in the module's 
conf. I'm wondering if it should be double stored in a file that is not 
deleted when the module is deleted? (A simple properties file should 
suffice.)

*WRT a unlock key validity check there has been much discussion on 
sword-devel on how this should be done.

The best solution was to change the locking process to encode a random 
sequence of bytes in two known locations in the module before 
enciphering. Then a check would to have been to decipher the module and 
compare the random sequence at the beginning and the end. If they 
matched the key was valid. This solution is not be used because it was 
deemed as being too intrusive. (There are locked module already created 
that would have to be relocked.)

So this leaves us with guessing. Turns out that we can guess fairly 
well. There are certain characters that should not be in a module, 
namely most 7-bit ASCII unprintable, control characters. If any of these 
control characters are found any deciphered chunk of text, then the 
unlock key is bad.  The accuracy of the test increases with the length 
of the text being deciphered. (The fundamental nature of the cipher 
algorithm is that of a random byte generator, seeded with the unlock key 
and all input prior to the current byte.)

More information about the jsword-devel mailing list