Confidential Property of Handango, Inc.

3/17/06

How to Use the Handango HTTP Post Registration Model

HTTP Post Registration will allow you to specify the registration key given to customers at the time of purchase (on the confirmation page) by allowing our server to call a URL you provide with customer data in order to obtain the appropriate registration code. Please read the instructions below CAREFULLY, as a misuse of this model could result in product deactivation.

DOCUMENT CONTENTS:

A. General Requirements to Use the HTTP Post Registration Method
B. Overview: How HTTP Post Registration Works
C. Technical Instructions and Example
D. Security Validation
E. HTTP Post Implementation Testing
F. Process and Penalties for Failure to Retrieve Registration Codes
G. How to Activate HTTP Post (After Testing)

A. General Requirements to Use the HTTP Post Registration Method

1) Dedicated server space or ISP server side scripting capabilities
2) Registration Code Generator that will generate a code based on one or more pieces of information that Handango passes (see below for HTTP Post information passed)
3) Ability to build a JSP, ASP, or PHP page to reply to the Handango HTTP Post request within 5 seconds

B. Overview: How HTTP Post Registration Works

1) When a customer submits an order, Handango will pass the following information to the URL you provide in the format of an HTTP Post request.
   a. Customer First Name
   b. Customer Last Name
   c. State
   d. Country
   e. Email Address
   f. Reference Number
   g. Order ID
   h. Device ID (Hotsync, IMEI, PIN, etc. depending on device model.)
   i. Product ID
   j. Quantity

2) Based on the information passed, you will generate a code and reply within 5 seconds via HTTP Post with the following information:
   a. Registration Code(s), one for each copy purchased

3) The registration key(s) sent back to Handango will appear instantly on the customer confirmation of purchase page at the time of purchase, and in their instant confirmation email.

4) Please note that real-time CSVs and sales reports will continue to be sent to you normally at your selected frequency. There will be no changes to the CSV format, data, or frequency. The instant, nightly and monthly CSV sales reports will contain the registration key that you returned in the appropriate field.

C. Technical Instructions and Example

In this example, RegCodes.jsp provides registration code(s) to Handango. Your page that will provide unlock codes should work exactly like RegCodes.jsp in this example. Please note that this is a JSP example, but you may use JSP, ASP, or PHP. You can rewrite the JSP into ASP or PHP if you wish.

RegCodes.jsp is the action of the following form (values in no particular order):

    <form method=post action=RegCodes.jsp>
    <input type=text name=country value=US>
    <input type=text name=deviceId value=palm1>
    <input type=text name=firstName value=John>
    <input type=text name=lastName value=Doe>
    <input type=text name=emailAddress value=joe@handango.com>
    <input type=text name=orderId value=12345678-9012-ABCD-EF12-123456789012>
    <input type=text name=productId value=1567>
    <input type=text name=qty value=3>
    <input type=text name=refId value=9876543>
    <input type=text name=signature value=57ca8971dae876bcd3489da>
    <input type=text name=state value=TX> <!-- state abbreviation -->
    <input type=text name=ts value=1130245892>
    <input type=text name=test value=true>
    </form>

Input Definitions:

country - Country abbreviation for the customer country
deviceId - One of the following (if applicable based on product platform): IMEI (Symbian), Blackberry PIN, Pocket PC owner name, Windows Mobile Smartphone owner name, or Palm HotSync ID. (NOTE: For all Symbian devices, IMEI numbers are reported to you containing the dashes.)
firstName - Customer first name
lastName - Customer last name
emailAddress - Customer email address

orderId - Unique Handango order ID which will always contain 36 digits, appearing like the following example: 12345678-9012-ABCD-EF12-123456789012
productId - Handango product ID for the product purchased on the order
qty - Number of copies of product purchased
refId - Unique Handango order reference number
signature - This input will pass an encrypted checksum (summary) of data passed for the unique order, which will allow you to verify that the HTTP Post request was generated and sent by Handango and not a fraudulent party. The encrypted checksum is generated based on all information within the HTTP Post request, and no two checksums will be exactly alike unless the requests (customer data) are exactly identical. Handango has created a certificate file containing a public key that you may use to verify that the checksum matches the HTTP Post request sent. This file can be used for verification purposes only; no checksums could be generated by fraudulent parties, even if they are able to view this file. Please see the Security Validation section below for more information.
ts - Timestamp, seconds after Jan 1, 1970 UTC
test - This parameter will indicate if the request is a test order request made through the HTTP Post Testing Tool. It will appear as test=true for a test order. No test parameter will be passed if the request is from a real customer order.

Output Instructions:

RegCodes.jsp returns no HTML tags, and the page must look exactly like the example below. To signal the beginning of your list of registration codes, please place HGO_BEGIN_REG_CODE on one line exactly as it is shown below. Each registration code issued should be on a separate line after that (no HTML line break tags needed). The identifier HGO_END_REG_CODE should follow the last unlock code returned, on another separate line. This will tell our system that there are no more registration keys. Any text that a web server or internet hosting company may insert will be ignored as long as it does not appear within these identifiers.

Below is sample registration key output. Do not use <br> (or any HTML code) to create line breaks for the registration key list. Our system will format the display of the registration keys correctly on the pages and information that will appear to customers. Only the identifiers surrounding the registration keys in the format below on your JSP, PHP, or ASP page will allow us to send the appropriate key or keys to the customer. Please use single spacing between begin and end identifiers and registration keys.

Please note that the registration key output should look like this when you view source in the browser; it won't appear this way within the browser window itself. See below:

    <!-- this is my registration code page. -->
    <!-- my comments here -->
    <!-- the line containing HGO_BEGIN_REG CODE signals the start of my single spaced registration code list -->
    <!-- and the line containing HGO_END_REG_CODE signals the end of my single spaced registration code list -->
    HGO_BEGIN_REG_CODE
    regCode1
    regCode2
    regCode3
    HGO_END_REG_CODE
    <!-- end of my unlock code page -->

3 registration codes appear in this example because the customer bought 3 copies of productId #1567. Please note that if you use the user ID to create registration keys, only one user ID will be sent, regardless of the quantity purchased per product ID. For further information, click here to download an example .jsp page.

D. Security Validation

Handango offers several security validation models for HTTP Post requests to prevent piracy. Please read below for more information.

1) Signature Encrypted Checksum

The signature input, as described in the documentation above, will pass an encrypted checksum (summary) of data passed for the unique order, which will allow you to verify that the HTTP Post request was generated and sent by Handango and not a fraudulent party. The encrypted checksum is generated based on all information within the HTTP Post request, and no two checksums will be exactly alike unless the requests (customer data) are exactly identical. Handango has created a certificate file containing a public key that you may use to verify that the checksum matches the HTTP Post request sent. This file can be used for verification purposes only; no checksums could be generated by fraudulent parties, even if they are able to view this file. Please read below for more detailed information:

a. How Handango creates the signature input

To generate the signature input value, Handango uses the SHA1 algorithm with RSA encryption. The steps Handango takes to create the signature input value are detailed below.

1. First, we sort the HTTP Post input parameters by parameter name, in ascending alphabetical order.

2. Next, we form a URL query string out of the parameters being sent, sorted by parameter name in ascending order. An example of such a query string would look like this:

    ?country=US&delay=7000&deviceId=bounceppc&emailAddress=keep94%40yahoo.com&firstName=f&lastName=f&orderId=9259A59F-61724D86-967F4B878B7F95D3&productId=184296&qty=3&refId=10250806&state=AL&ts=1142010602

   Please notice how the country= input parameter appears first and the ts= input parameter appears last.

3. Next, we compute the 160-bit SHA1 checksum of the URL query string.

4. Next, we use RSA public key encryption to encrypt the checksum with the Handango private key, which gives a 1024-bit cipher text.

5. Next, we consider the 1024-bit value to be an integer in two's complement, big endian format, and we convert this to a hexadecimal value. Note that this hexadecimal value will be close to 256 digits excluding the minus sign.

6. Finally, we report the value as the signature input parameter in the HTTP Post request.

b. Signature Verification

To verify the signature input value that we pass via HTTP Post request, please follow the steps below. We have already provided a pre-written JAR file to verify the signature input value by completing the process detailed below. Please click here to download the hgorequestverify.jar file. If you are developing in ASP or PHP, you can use the steps below as a template to create your own verification file for the signature input parameter.

1. First, extract Handango's public key from the provided certificate file.

2. Second, sort the input parameters received from Handango by input parameter name in ascending order.

3. Next, form a URL query string including the question mark.

4. Next, extract the value of the signature parameter and remove it from the query string. The value of the signature parameter will be a large hexadecimal number possibly with a minus (-) sign. The remaining query string will look something like this:

    ?country=US&delay=7000&deviceId=bounceppc&emailAddress=keep94%40yahoo.com&firstName=f&lastName=f&orderId=9259A59F-61724D86-967F4B878B7F95D3&productId=184296&qty=3&refId=10250806&state=AL&ts=1142010602

   Please notice that there is no signature= input parameter.

5. Next, compute the 160-bit SHA1 checksum of the query string.

6. Next, convert the value of the signature parameter into a big endian two's complement binary value.

7. If the first bit in the value is a 1, left pad with 1 until you get 1024 bits. If the first bit in the value is 0, left pad with 0 until you get 1024 bits. This is consistent with two's complement.

8. Now, encrypt that value with the Handango public key contained in the certificate file.

9. Finally, verify that the value obtained matches the SHA1 checksum computed in step #5.
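
The verification steps above, sketched in Python as an added example (not Handango's code and not the contents of hgorequestverify.jar). The demo key built from two Mersenne primes, the demo_sign helper, form-style percent-encoding and the comparison against the bare SHA-1 digest (the page does not name an RSA padding scheme) are assumptions of this example.

```python
import hashlib
from urllib.parse import quote_plus

KEY_BITS = 1024  # modulus size the page gives for Handango's key

def canonical_query(params):
    """Steps 2-4: sort by name, drop `signature`, build '?k=v&...'.
    Form-style percent-encoding is assumed; the page only shows %40."""
    pairs = sorted((k, v) for k, v in params.items() if k != "signature")
    return "?" + "&".join(f"{k}={quote_plus(v)}" for k, v in pairs)

def signature_to_int(sig_hex, bits=KEY_BITS):
    """Steps 6-7: signed hex -> unsigned `bits`-wide integer. Reducing mod
    2**bits equals left-padding the two's complement form with its sign bit."""
    value = int(sig_hex, 16)  # accepts a leading '-'; ValueError on junk
    if not -(1 << (bits - 1)) <= value < (1 << (bits - 1)):
        raise ValueError("signature wider than the key")
    return value % (1 << bits)

def verify(params, modulus, exponent, bits=KEY_BITS):
    """Steps 5, 8, 9. Comparing with the bare digest is an assumption: the
    page does not state which RSA padding the real signatures carry."""
    try:
        sig = signature_to_int(params.get("signature", ""), bits)
    except ValueError:
        return False
    digest = hashlib.sha1(canonical_query(params).encode("utf-8")).digest()
    return sig < modulus and pow(sig, exponent, modulus) == int.from_bytes(digest, "big")

# Constructed demo key, NOT Handango's: two Mersenne primes, 1128-bit modulus.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, DEMO_BITS, D = P * Q, 1128, pow(E, -1, (P - 1) * (Q - 1))

def demo_sign(params):
    """Hypothetical stand-in for the sender: emits signed hex as in step 5."""
    digest = hashlib.sha1(canonical_query(params).encode("utf-8")).digest()
    sig = pow(int.from_bytes(digest, "big"), D, N)
    return format(sig - (1 << DEMO_BITS) if sig >> (DEMO_BITS - 1) else sig, "x")

SAMPLE = {  # sample values from the page's example form
    "country": "US", "deviceId": "palm1", "firstName": "John", "lastName": "Doe",
    "emailAddress": "joe@handango.com", "productId": "1567", "qty": "3",
    "orderId": "12345678-9012-ABCD-EF12-123456789012", "refId": "9876543",
    "state": "TX", "ts": "1130245892",
}

if __name__ == "__main__":
    signed = dict(SAMPLE, signature=demo_sign(SAMPLE))
    print("genuine:", verify(signed, N, E, DEMO_BITS))
    print("tampered qty:", verify(dict(signed, qty="30"), N, E, DEMO_BITS))
```

Against the real service, pass the modulus and exponent extracted from Handango's certificate file and leave bits at 1024.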

2) HTTPS Post Security

a. If your servers are SSL secured and are able to handle HTTPS, you may also want to enter an HTTPS Post URL for your products instead of an HTTP Post URL. Please test this appropriately using the HTTP Post code tester in the Resources section of your Handango Account.

E. HTTP Post Implementation Testing

An HTTP Post testing tool is provided under the Resources section of your Handango Account that can be used to see how Handango passes data to your page as well as what your page will return and the registration codes that Handango will extract. It is imperative that implementations of HTTP Post are tested before going live; please read below for information about penalties for failures to pass the requested registration codes.

F. Process and Penalties for Failure to Retrieve Registration Codes

At the initial time of purchase, Handango will send the customer information to you two times to obtain the registration key. If there is no response, we will alert the customer on their order confirmation page that "The registration key will be sent to you within 48 hours." At the same time, an email will be sent to you to notify you that we could not reach your server. If you receive this message, please correct the server issues. We will continue to send the customer information to your server every 3 hours for the next 24 hours to retrieve the registration key. If we fail after 24 hours, an email message will be sent to you containing a URL to a page through which you must manually provide the appropriate registration code(s). Handango will capture the registration code(s) you input and send them to the customer via email.

By choosing the HTTP Post registration model, you must maintain a server response up-time of 99% per month to ensure customer satisfaction. You will receive one written warning the first month that your server does not maintain 99% uptime. For any following month that your server does not maintain 99% uptime, Handango reserves the right to deactivate the product(s) in question from our channels unless an alternate registration model is selected.

G. How to Activate HTTP Post (After Testing)

If you would like to select the HTTP Post registration model for your products, please test the system first using the HTTP Post tester located in the Resources section of your Handango Account. After testing, you may add this registration model by clicking Modify for any product in your account and viewing the Registration Information Section. It is a good idea to launch HTTP Post during a time when you will be able to monitor it closely for the first 24 hours to ensure everything is working correctly. Choose Shareware Registration Type, and HTTP Post as the Registration Method. A popup will appear and ask you to input the URL you would like to use for that product's HTTP Post registration key generator. Make sure that you save changes to the registration section! After selecting HTTP Post, it will immediately become live for that product through all Handango channels.
