Penetration Testing mailing list archives
Re: How secure are dongles for copy-protection?
From: "Ryan Permeh" <ryan () eEye com>
Date: Tue, 5 Jun 2001 16:40:19 -0700
certainly. this is what i commented about earlier("This is all assuming a "perfect" implementation, of course, where breaking the algorithm/key on the dongle is the easiest way in, and not just subverting control of the application. "). the most correct/optimal way of handling this is as follows: 1. Take a key issued by vendor. This is the "liscence" key offered in most scenarios. 2. Pipe this key to the dongle. 3. perform cryptographic transformation on the issued "liscence key". this cryptographic transform could be a hash/crypt/decrypt depending on situation. Potentially this could be multiple transformation. The closer to hardware configured the better. 4. return the value of the transformation(s) from the dongle to the program. 5. use this as a key to uncrypt the codesegment of the executeable(the .text segment of the pe or whatever format you need). There are other tricks you can do, ie use runtime decoding of code at use, using different bit patterns as checks for features to be enabled,disabled, etc. But basically, if the code is crypted, and the key comes from a transformation on the fob, you really don't do "compares". it's key info, not compare info. do not use fobs for handling yes/no issues. use them to generate keys as appropriate to decode stuff. This forces an attack on the crypto transforms on the key, which makes softice worthless, and makes the attacker use more traditional methods (real ice, anti hardware tactics, etc). this has to be implemented in a executeable wrapper around a binary(or built as part of the binary itself), and the wrapper has to be keyed to the key fob you use. Signed, Ryan Permeh eEye Digital Security Team http://www.eEye.com/Retina -Network Security Scanner http://www.eEye.com/Iris -Network Traffic Analyzer ----- Original Message ----- From: <shampster () mail 3xT org> To: "Ryan Permeh" <ryan () eEye com> Cc: "Penetration Testers" <PEN-TEST () securityfocus com> Sent: Tuesday, June 05, 2001 2:50 PM Subject: Re: How secure are dongles for copy-protection?
On Tue, 5 Jun 2001, Ryan Permeh wrote:the only types of dongle protection that don't completely suck are those that take information from the machine and perform a specific set of operations on the dongle(prefereably a cryptographic operation, a hash
or
crypte/decrypt) purely in hardware on the dongle. This means that the cracker either has to reverse the entire crypto algorithm(using black
box
techniques like known plaintext attacks), including finding the keyed
value
on the dongle, or use a hardware lab to actually reverse the hardware.. . . Not if all this trickery ends in a function returning a 0 for failure and a 1 for success . . . What does the software do with the hash once it's passed back to the application? Compare it to a constant? Hopefully not. Use the returned value as a pointer to the next code segment? Better, but usually still not very difficult to break. To completely emulate the dongle, the cracker does have to reverse the
dongle.
But a cracker does not need to reverse the dongle to break the protection. [snip]Signed, Ryan Permeh eEye Digital Security Team http://www.eEye.com/Retina -Network Security Scanner http://www.eEye.com/Iris -Network Traffic Analyzer ----- Original Message ----- From: "Felix Huber" <huberfelix () webtopia de> To: "Penetration Testers" <PEN-TEST () SECURITYFOCUS COM> Sent: Tuesday, June 05, 2001 4:05 AM Subject: Re: How secure are dongles for copy-protection?Hi, of course - the most dongle checks were cracked. I have seen 3DSMax
and
other... For more information: http://www.google.com/search?q=3Ddongle+cracked Regards, Felix Huber ------------------------------------------------------- Felix Huber, Web Application Programmer, Webtopia Guendlinger Str.2, 79241 Ihringen - Germany huberfelix () webtopia de (07668) 951 156 (phone) http://www.webtopia.de (07668) 951 157 (fax) (01792) 205 724 (mobile) ------------------------------------------------------- ----- Original Message -----=20 From: Harold Thimm=20 To: pen-test () securityfocus com=20 Sent: Monday, June 04, 2001 9:43 PM Subject: How secure are dongles for copy-protection? I'm looking for any information on incorporating dongles into a = software package for copy protection. In particular, I'm looking for = information on the Rainbow Technologies Sentinel, but advice on = dongle-based copy protection in general is appreciated. How easy/difficult is it to break this kind of copy-protection? Are
=
there any known weaknesses in the dongle-type systems themselves (as = opposed to implementation weaknesses?)=20 Are there any dongle-based protection schemes that have been
cracked, =
and if so, how?=20 (A pointer to a URL would be appreciated, if you have it.) Thanks in advance. HAL--------------------------------------------------------------------------
-----
shampster / 3xT.org
Current thread:
- Re: How secure are dongles for copy-protection?, (continued)
- Re: How secure are dongles for copy-protection? shampster (Jun 05)
- Re: How secure are dongles for copy-protection? Ben Meghreblian (Jun 05)
- RE: How secure are dongles for copy-protection? Jonah Kowall (Jun 05)
- Re: How secure are dongles for copy-protection? Victor A. Rodriguez (Jun 05)
- Re: How secure are dongles for copy-protection? Felix Huber (Jun 05)
- Re: How secure are dongles for copy-protection? Ryan Permeh (Jun 05)
- RE: How secure are dongles for copy-protection? Pedro Hugo (Jun 05)
- RE: How secure are dongles for copy-protection? c0ncept (Jun 05)
- Re: How secure are dongles for copy-protection? Jordan Frank (Jun 06)
- Re: How secure are dongles for copy-protection? shampster (Jun 05)
- Re: How secure are dongles for copy-protection? Ryan Permeh (Jun 06)
- Re: How secure are dongles for copy-protection? Daniel Roethlisberger (Jun 06)
- Re: How secure are dongles for copy-protection? Ryan Permeh (Jun 06)
- Re: How secure are dongles for copy-protection? Ryan Permeh (Jun 05)
- Re: How secure are dongles for copy-protection? Maximiliano Caceres (Jun 06)