0

Two types of problems I want to talk about:

  1. Say you wrote a program you want to encrypt for copyright purposes (eg: denying unlicensed user from reading a certain file, or disabling certain features of the program), but most software-based encryption can be broken by hackers (just look at the amount of programs available to HACK programs to become "full versions". )

  2. Say you want to push a software to other users, but want to protect against piracy (ie, the other user making a copy of this software and selling it as their own). What effective way is there to guard against this (similar to music protection on CD's, like DRM)? Both from a software perspective and a hardware perspective?

Or are those 2 belong to the same class of problems? (Dongles being the hardware / chip based solution, as many noted below)?

So, can chip or hardware based encryption be used? And if so, what exactly is needed? Do you purchase a special kind of CPU, special kind of hardware? What do we need to do?

Any guidance is appreciated, thanks!

Paŭlo Ebermann
  • 73,284
  • 20
  • 146
  • 210
Saobi
  • 16,121
  • 29
  • 71
  • 81

4 Answers4

2

Unless you're selling this program for thousands of dollars a copy, it's almost certainly not worth the effort.

As others have pointed out, you're basically talking about a dongle, which, in addition to being a major source of hard-to-fix bugs for developers, is a also a major source of irritation for users, and there's a long history of these supposedly "uncrackable" dongles being cracked. AutoCAD and Cubase are two examples that come to mind.

The bottom line is that a determined enough cracker can still crack dongle protection; and if your software isn't an attractive enough target for the crackers to do this, then it's probably not worth the expense in the first place.

Just my two cents.

Aaronaught
  • 120,909
  • 25
  • 266
  • 342
  • Interesting. This is what we may be looking for. So how do we produce a dongle? Do we contact dongle manufacturer, and they have to physically manufacture and customize the dongles to fit our software protection requirements? And if we sell 100 copies of the software, we'd have to distribute 100 copies of the dongles to the customers? – Saobi Jan 14 '10 at 00:13
  • @Saobi Is reducing piracy really worth making life significantly harder for all your legitimate users? Because that's exactly what requiring a hardware dongle will do, while the pirates will be fine and dongle-free as soon as someone modifies the code to skip the check. – Nick Johnson Aug 15 '11 at 00:53
1

Hardware dongles, as other people have suggested, are a common approach for this. This still doesn't solve your problem, though, as a clever programmer can modify your code to skip the dongle check - they just have to find the place in your code where you branch based on whether the check passed or not, and modify that test to always pass.

You can make things more difficult by obfuscating your code, but you're still back in the realm of software, and that same clever programmer can figure out the obfuscation and still achieve his desired goal.

Taking it a step further, you could encrypt parts of your code with a key that's stored in the dongle, and require the bootstrap code to fetch it from the dongle. Now your attacker's job is a little more complicated - they have to intercept the key and modify your code to think it got it from the dongle, when really it's hard-coded. Or you can make the dongle itself do the decryption, passing in the code and getting back the decrypted code - so now your attacker has to emulate that, too, or just take the decrypted code and store it somewhere permanently.

As you can see, just like software protection methods, you can make this arbitrarily complicated, putting more burden on the attacker, but history shows that the tables are tilted in favor of the attacker. While cracking your scheme may be difficult, it only has to be done once, after which the attacker can distribute modified copies to everyone. Users of pirated copies can now easily use your software, while your legitimate customers are saddled with an onerous copy protection mechanism. Providing a better experience for pirates than legitimate customers is a very good way to turn your legitimate customers into pirates, if that's what you're aiming for.

The only - largely hypothetical - way around this is called Trusted Computing, and relies on adding hardware to a user's computer that restricts what they can do with it to approved actions. You can see details of hardware support for it here.

I would strongly counsel you against this route for the reasons I detailed above: You end up providing a worse experience for your legitimate customers than for those using a pirated copy, which actively encourages people not to buy your software. Piracy is a fact of life, and there are users who simply will not buy your software even if you could provide watertight protection, but will happily use an illegitimate copy. The best thing you can do is offer the best experience and customer service to your legitimate customers, making the legitimate copy a more attractive proposition than the pirated one.

Nick Johnson
  • 100,655
  • 16
  • 128
  • 198
0

Back in the day I've seen hardware dongles on the parallell port. Today you use USB dongles like this. Wikipedia link.

NA.
  • 6,451
  • 9
  • 36
  • 36
0

They are called dongles, they fit in the USB port (nowadays) and contain their own little computer and some encrypted memory.

You can use them to check the program is valud by testing if the hardware dongle is present, you can store enecryption keys and other info in the dongle or sometimes you can have some program functions run in the dongle. It's based on the dongle being harder to copy and reverse engineer than your software.

See deskey or hasp (seem to have been taken over)

Martin Beckett
  • 94,801
  • 28
  • 188
  • 263