Java Security

I've noticed that the topic of Java Software licensing has come up a few times on this list recently. I am, like a few others also attempting to implement a software licensing and protection scheme.

I was thinking of doing something along the lines of..

1. Make the license key a hash of the license details and symmetric key which is used to open the encrypted class files. Encrypt the hash and symmetric key with a private key.

2. The program on starting reads the license details from a plain text file. It creates a hash and compares it with the license hash by decrypting the license using an inbuilt public key.

3. If the hash compares ok it starts the class loader with the key also stored in the license string. The class loader loads the encrypted classes.

There are TWO major holes in this scheme:

1. Comparing the Hash from the locally generated one to the encrypted one is a weak point. It wouldn't take much for someone to nop the function. If we were to provide a time expired license the user would have the key to unlock the class files.

2. The java class loader is another weak point. We can create a class loader which decrypts class files using a key; however it is very easy to extract the class files during loading. See link below on class capture tool.

http://www.sys-con.com/java/article2a.cfm?id=1308&count=8097&tot=11&page=6

Can anyone suggest any methods to make the above weak points a little stronger?

Thanks,
David.

PS We would also like the obsfucate the class files, however I need to check how obsfucaters handle reflection and picking up class names in strings. etc. Anyone else had experience with this?