A Secure Software Distributon SDK

转载 2004年09月17日 12:41:00

Index

Description

SSD SDK stands for "Secure Software Distribution SDK", and it offers several tools and code which will stop most cracking activities over your software. But first, we'll have a look on the most typical shareware schemes:

X Days/Uses trial scheme:

This scheme prevents your software to be used more than a defined number of days (usually 30) or executions. This kind of protection is easy to defeat because your software has to store the number of remaining days or uses in a secure place, and there is no secure place in any computer. These values can be encrypted or stored in "strange" locations, but it will only delay the inevitable, your trial period will be reset or extended to infinite.

Incomplete software releases:

It is very common to release two versions of the software, the full and the incomplete version. The full version is the one given to every user who has paid for the software. The incomplete version is freely released to the world, without caring about crackers, because they can't do anything against an incomplete software (well, they can write the absent pieces of code, but it would be a bit stupid...). Another issue is that malicious registered users can "lend" it to other users, violating the one-license-one-user distribution concept.

Unlocking software:

This kind of software has all the full-version characteristics but they are not available to the user, unless the user pays for an unlock code which unleashes all the power of the software. Under the commercial perspective, this is great, you only have to distribute a copy of the software, and wait till the unlock requests arrive. One simple e-mail with the unlock code will be enough to deliver your full software to any part of the world. Under the security and programming perspective, this is a hard problem... advanced tools such as low level-debuggers and disassemblers can be used to trace and analyze your applications and get the unlocking code generation algorithms, and also patch your application code to avoid the unlocking code protection.

SSD SDK has been developed to enhance the security of the applications using the third technique. It encrypts the non-public parts of your programs using strong cryptographic algorithms, and prevents the key sharing via asymmetric encryption.

Workflow

Well, you have in your hands the result of a lot of programming and debugging months... the final version of your software is ready, and you want to release it across the world through the World Wide Web. But you will not give it for free, what you want to do is to release it with a reduced functionality, and allow users to extend this functionality if they consider (after testing your program) that it is useful for them.

It's time to think a bit... when you create a software which unlocks itself, it only allows access to portions of code which have been there in every moment, so anybody can patch your software to avoid the security issues and run that code as usual. No matter if you use an external packer-compressor-protector... the program data and code will be in memory when it executes, so it can be dumped and rebuilt by an experimented cracker in a relative small amount of time. But... how can I protect my code in that case?!?!?!. The solution is to encrypt the code making it available only to registered users.

The encryption algorithms should be very carefully chosen. This will be discussed in the Algorithms and key lengths section.

Let's return to the first step, you have the software in your hand, for example, a MPEG compressor. This compressor features high speed compression and a fine audio/video quality, due to it's variety of compression algorithms, based on multiple hardware acceleration tricks, such as MMX, 3dnow! and SSE extended instruction sets.

You want to release your software allowing the user to take advantage of the MMX-based algorithms, but those who want to accelerate the compression using 3dnow! and SSE should upgrade to the full version. What you have to do, is to release your software with the extended algorithms encrypted. I will discuss later (in the Tools included section) about how to create a secure private key and encrypt your code using it.

Once your users have tested your software and know that they *need* 3dnow! and SSE extended algorithms, they should get the key to decrypt the code. This can be done in many ways, but the most common takes advantage of the public cryptography scheme, which allows to share private data between users without using secured channels to transmit private keys. Resuming, your user contacts you, sending a public key, which will be used to transmit the unlocking key. Finally, his "license file" is installed in the program directory and the security code verifies it and decrypts the code in memory. Every user has a different random public/private key pair. This ensures that your license will not be shared between different computers.

Compatibility

Your code is protected from the moment in that the executable file is processed and the code is encrypted. This step is done by an external tool which opens your executable file and looks in its section table for a section called .secure; this section contains your "protected" code and is fully encrypted.

This means that your compiler/linker should be able to place any code you want in a separate section with any name you want. At the moment of writing this article, only a compiler with this ability has been found, and it is Visual C++. If your know other compilers which can do this, please notify it to me.

Due to export restrictions, some encryption algorithms will not work in determinate countries. For example, a computer located in France using Windows 95, 98 or NT 4 will not encrypt data under some circumstances.

The API used (CryptoAPI 2.0) is available in Windows 95 OSR2 and later, so this code must work in "any" Microsoft 32-bit operating system.

Package contents

  • Command line tools: keygen.exe, licgen.exe and protect.exe. These tools help you create keys, protect your application and generate licenses.
  • Dynamic Link Library stub: ssdstub.dll. The file which should be carried out with your application. It looks for the license file and validates it every time your software is loaded.
  • C++ code files: ssdhelper.h and ssdhelper.cpp. Files including the functions defined in the Reference section.
  • C++ code sample: sample.cpp. Code including a simple application. You can use it to practice before protecting a "serious" project.

Tools included

The SSD SDK contains three tools. Quotes are required only when using spaced paths (i.e. c:/my docs/target.exe).

  • keygen.exe

    Creates a file with a random software key. The file must be securely stored in a safe place (i.e. CD-ROM, floppy, or an encrypted HD file). The command line arguments of this file are quite simple:

    keygen.exe "keyfile_path"

    If no file is specified, a file called private.key is created in the current working directory. Example:

    keygen.exe "c:/softwarekey.dat"
  • protect.exe

    Protects the specified executable using the specified key.

    protect.exe "executable_path" "secretkey_path"

    Example:

    protect.exe "c:/coding/project/project.exe" "c:/softwarekey.dat"
  • licgen.exe

    Creates the corresponding user license to the specified user public key and software key.

    licgen.exe "secretkey_path" "userkey_path" "output_path"

    Example:

    licgen.exe "c:/softwarekey.dat" "c:/userkeys/john.key" 
                                                   "c:/licenses/john.lic"

Reference

There is a final question to answer: How do my software create user keys, and validate licenses?... Don't worry about it, all this stuff is coded in a separate .dll file, you only have to call one of its simple functions to verify the security context. The functions are declared and implemented in a file contained in the same SDK package, so you only have to add these files to your project and include the header file everywhere you need it. The function specs are the following:

  • bool Initialize(const char *lpszApplicationName);

    Must be called as soon as possible in your program execution timeline (from the main function or the InitInstance CWinApp's member). This function verifies the licenses, if present, and decrypts the code if necessary. lpszApplicationName should be the same always for your application, if two different applications (or versions of the same application) use the same name, a key container conflict will occur and the result may be unpredictable. This function always checks for the license.key file, so do not use other names to the user license file.

  • void ExportKey(const char *lpszFilename);

    Creates a user public key file which should be sent to de developer to get the license key. You can send this file compressed using e-mail, or attach to the beginning (or the end) some user-related information, but remember that the license generator will not work if the header of the file has been corrupted, so strip its additional information before attempting to create any license from a given file. lpszFilename specifies the file to create the key.

  • bool IsUnlocked();

    Returns true if a license has been found and the software has been decrypted with it. Returns false if there is no license file or it is invalid.

Finally, you should know how to store your protected code in a separate section with a specified name. In the Visual C++ compiler/linker, this is done through the #pragma code_seg sentence, let's have a look on an easy example.

#pragma code_seg(push, r1, ".secure")
void CMyApplication::DoExtendedFunction() {
    // Do something cool ;)
}
#prgama code_seg(pop)

You can also store all the protected code in a separate file to avoid redundancy of #pragma code_seg declarations. This can be used also with non class member functions.

Algorithms and key lengths

All the tools and stub code described in this article have been coded using CryptoAPI 2.0. This API offers symmetric and asymmetric encryption routines, and also features key management, hashing and signing techniques. Used algorithms and key lengths are described in the following table:

Task Algorithm Key length
Code encryption RC4 Stream encryption algorithm 128 bits
Key sharing RSA Public-key exchange algorithm 1024 bits

As described in the excellent book "Handbook of applied cryptography", a secure encryption system bases its security in the key used to encrypt the message, and not in the privacy of the algorithm. In other words, no matter if the chosen algorithms have been published and tested for the scientific community around the world, its security resides in the extensive number of keys which can be used when encrypting. This ensures that it is necessary a large amount of resources (computer memory and clock cycles) to find a key which decrypts the message correctly.

Notes

This small SDK has been developed to show that it is not necessary to spend a lot of money to distribute our software under a good protection scheme. It is not perfect, but minor (or major) leaks and bugs will be covered in the future with other users' help.

About Emilio Guijarro

Android系统的SDK Version code

frameworks\base\core\java\android\os\Build.java /** * Enumeration of the currently known...
  • su749520
  • su749520
  • 2018年01月23日 15:41
  • 242

用Python发邮件,QQ邮件,解决(Error: A secure connection is requiered(such as ssl))

用Python发邮件,QQ邮件 之前查的网上的代码 都有 503 ‘Error: A secure connection is requiered(such as ssl)’之类的Bug. QQ...
  • zl87758539
  • zl87758539
  • 2016年11月27日 12:31
  • 4137

weblogic10 部署 spring+cxf ,调用时报:cannot create a secure XmlInputFactory

一个cxf webservice项目部署到tomcat能正常运行,客户端也能正常调用。 然后我部署到weblogic,同样能成功访问wsdl,但是客户端请求就报错cannot create a sec...
  • editcue
  • editcue
  • 2013年11月12日 17:12
  • 9609

530 A secure connection is requiered(such as ssl)

织梦自动发邮件测试时,用qq邮箱提示错误530 Error: A secure connection is requiered(such as ssl). More information at ...
  • viqecel
  • viqecel
  • 2016年03月14日 12:36
  • 18261

weblogic下部署cxf服务端Cannot create a secure XMLInputFactory

最近做了一个cxf远程调用的接口,开发好了服务端和客户端,在Tomcat7运行一切正常。要部署的时候,产品经理说只能用weblobic,没办法下载了weblogic11g,我对这个是小白,不太懂,就一...
  • qq_38410147
  • qq_38410147
  • 2017年05月31日 18:52
  • 531

在Ubuntu17.10的系统升级中遇到内核升级问题,导致各种软件不能安装和卸载的解决方案(尝试结果,不喜勿骂)

因为电脑的配置只能安装Ubuntu17.10这个新系统,各种乱七八糟的问题一大堆,尤其是不小心系统升级过程中内核出现问题,导致任何软件的安装和卸载都会卡住,在安装和卸载的过程中会遇到诸如: Ex...
  • jessican_uestc
  • jessican_uestc
  • 2018年02月06日 15:34
  • 59

java.lang.RuntimeException: Cannot create a secure XMLInputFactory解决方案

今天在使用cxf调用webservice时报了这个错,
  • fengcheqidong
  • fengcheqidong
  • 2014年10月24日 10:25
  • 8593

Cannot create a secure XMLInputFactory --CXF调用出错

http://www.th7.cn/Program/java/201604/839945.shtml 百度之后网上流传了两种解决办法: 缺少了两个jar包 stax2-api-3....
  • bidelinqi12
  • bidelinqi12
  • 2017年02月25日 14:16
  • 1908

javax.mail.AuthenticationFailedException: 530 Error: A secure connection is requiered(such as ssl).

javax.mail.AuthenticationFailedException: 530 Error: A secure connection is requiered(such as ssl). ...
  • qq_29011851
  • qq_29011851
  • 2017年03月29日 15:17
  • 2468

Cannot create a secure XMLInputFactory cxf写的服务端 客户端调用出异常

十一月 07, 2014 5:23:23 下午 org.apache.cxf.service.factory.ReflectionServiceFactoryBean buildServiceFrom...
  • u011191574
  • u011191574
  • 2014年11月07日 17:24
  • 3224
内容举报
返回顶部
收藏助手
不良信息举报
您举报文章:A Secure Software Distributon SDK
举报原因:
原因补充:

(最多只允许输入30个字)