Software License Management using the Polymorphic Encryption Algorithm White Paper




pmc-ciphers.com

Software License Management using the Polymorphic Encryption Algorithm

White Paper

Published: May 2007, first published in January 2003

For the latest information, please see http://www.pmc-ciphers.com

Introduction

Software piracy is a serious threat to software companies. The Software and Information Industry Association publishes on May 24, 2000: Business Software Alliance (BSA) has found that the global average software piracy rate in 2006 was 35%, virtually unchanged from 2005. This amounted to nearly US$40 billion in losses to software companies, according to BSA.

Existing software-based piracy protection schemes are obviously inadequate; many are also quite intrusive into the end-user system, which is an aspect that no one appreciates. Hardware protection devices (dongles, etc.) are also a failing attempt, and an expensive and troublesome one at that. These devices have been in existence for more than 15 years, yet software protected this way sells on the street in China for less than $2; at least slightly below what the software manufacturer had intended, not to mention the fact that the manufacturer sees 0% of the profits generated at this point.

The bottom line: current fixed-parameter license management systems are a violation and insult to the honest end user and a false sense of security to the software manufacturer; there are no benefits to anyone.

PMC Software License Management: self-compiling crypto code makes reverse-engineering impossible

Our first customer/implementation of this protection scheme actually had the idea to protect their satellite data broadcasting system with our PMC crypto engine. A hacker had been able to crack the conventional licensing system that was previously employed and had published a cracked version of the data decoding software on the internet; this obviously created a professional disaster for the company.

The key to protecting the system is a piece of software which makes reverse-engineering infeasible by creating indiscernible variations of the code itself. Each individual copy of the decoding software has to be personalized with an activation key which consists of user-specific information representing constant data of the target computer. This key is used to yield a set of predefined results; as all users receive the same source code, all licenses must consequently execute the very same instructions in order to decode the data properly. This applies to digital rights management, software installation, licensing schemes, and virtually any other related procedure designed to control and protect data distributions.

A good security software specialist must already have cracked one or more programs; knowledge truly is nothing more than experience. Cracking a piece of software is sometimes quite easy to do; often, it is only necessary to change a JNZ command into JZ (jump if accumulator is zero). It is only a single bit of the machine instruction code which must be toggled! After entering the correct licensing code, this cracked software refuses to run, but when total rubbish is entered, one can play the game - without paying.

In order to prevent hackers from analysing our original customer's satellite data decoding software, a very clever approach had to be taken; an original and unconventional approach. Little is more vulnerable than a data stream which is decoded by all users in the very same way, or any other broadcast for that matter. The only feasible way is to merge the licensing system with the key functionality of the software itself. In addition, the machine instructions which are analysed by hackers have to be different on every target computer.
Therefore, even if one system is compromised by a genius hacker after what would definitely have been a very frustrating and time-consuming task, to say the least, he would have to start from scratch for another computer. This is the level of protection achievable with PMC and with PMC Software License Management, which incorporates it.

PMC Software License Management gives programmers the possibility to merge the licensing system with the source code of the application, and it makes the software unique for each target computer or end customer or both. The implemented scheme is variable and depends only on the licensing strategy of our customers; much is left to application-specific customization.

Operating principle of PMC Software License Management

In 1949 C.E. Shannon described the principles of data encryption as confusion and diffusion. He describes confusion as the use of enciphering transformations that complicate the determination of how the statistics of the ciphertext depend on the statistics of the plaintext. Diffusion simply means spreading the influence of individual pieces of plaintext data over the full ciphertext, or at least over big areas of ciphertext. By doing this, the statistics which might be inherent in the plaintext can be hidden.

For a licensing engine, this means that a licensing system is good if a hacker faces a lot of operations which cannot be classified properly as relevant or irrelevant for his task (to crack the software). Diffusion is maximized when a large number of operations influence some other operations which are executed by the microprocessor in the far future. When these two principles are combined, an unbreakable licensing engine can be realized!

In 1999 C.B. Roellgen invented a data encryption algorithm which uses a compiler to generate the actual encryption algorithm out of a passphrase. After being declassified as a state secret, it is now possible to develop commercial applications based on this algorithm. The underlying method is called the Polymorphic Encryption Algorithm, or PMC.

PMC is very useful for applications which need a piece of software to be customized for every user or every target machine. Registration data or simply the name of the user can be compiled into a useful piece of machine code at runtime. An incorrect username compiles into totally different machine code. A microprocessor which executes this machine code at some point of time yields completely different results.

Here's a brief explanation of a simple PMC licensing engine:

[Fig. 1: Structure of a PMC implementation for use in a licensing engine. Diagram labels: Passphrase (user info, registration key, etc.); Crypto Compiler; Compiled Crypto Code (Building block 1, Building block 2, Building block 3); Data Array for the internal state, which contains a number of variables used by the application which is to be protected; propagated internal state.]

A passphrase consisting of registration information which is known to the software manufacturer is compiled into machine code. The compiler simply assembles standardized pseudo-random number generators, the so-called building blocks, and adjusts addresses as well as entry and exit points to generate a piece of machine code which acts like a huge pseudo-random number generator working on the Internal State. The Internal State is a data array which is used throughout the complete operation of the software application. A powerful implementation will combine a set of global variables used by the application software (which is to be protected) in this data array.

After initializing the history data array with part of the passphrase, the instruction pointer of the microprocessor on the target machine is set to the start of the Compiled Crypto Code. After finishing the execution of the Compiled Crypto Code, the bit pattern stored in the history data array consists of near-random data. Without being noticeable by a hacker, the Internal State array can even be set to some predefined bit pattern.

The Compiled Crypto Code can be pretty long. If necessary, the crypto compiler generates megabytes of machine instructions within a fraction of a second; the average hacker gets lost when he tries to analyse this code. Professionals go beyond that point: they look at the results which are returned by the software. However, as the crypto code affects several variables, most importantly ones that are vital for yielding a correct result, and because the crypto code doesn't return anything, even professionals are thwarted. As the whole system avoids using yes/no decisions, it's easy to locate the machine instruction which is responsible for displaying the message "invalid license code", but not the others which strike at any time and which just change data in a way that makes the software obviously useless.

Considerations for the implementation of PMC Software License Management

Every copy protection and licensing system should be different. Otherwise, hackers get used to a certain class of algorithms and methods; this is why PMC Software License Management is defined in a different way for each customer. Even the complete mode of operation can be adapted!

A good example and available demonstration model is our hierodrive full volume encryption software. This disk encryption software can be downloaded from the internet or it can be distributed as CD shareware; this is perfect because the demo version can be distributed freely! Users are then more willing to install it and test it, and are more likely to purchase a license. All they have to do is to enter a code number which is specific for each target computer, customer ID, IP address, etc. Each user reads a different registration code on the screen and sends it to the distributor, along with his credit card and any other relevant purchase details as defined by our customers' pre-defined parameter sets. This information is then processed to compute the corresponding registration code number. This code number is then passed to the customer. After entering the code number and re-launching the application, the customer has a full version up and running immediately. There's nothing more to install, and if an update is available, we grant our users the right to download it and to use it as a full version.

This technique can also be used for licensing the very same software at a number of different levels (e.g. Demo version, Private Edition and Professional Edition); this obviously simplifies the distribution process even further while, for the first time, maintaining intellectual property safeguards.

The licensing engine in hierodrive uses compiled crypto code to influence a number of vital variables and writes undefined results to them. Unless an attacker has the required registration key, the results remain undefined and the software will not be able to run correctly. After some time, the license level is finally identified by the application software. An attacker has a tough time figuring out which variable is good for what. As there is no single yes/no response, it's extremely difficult to crack this system.

For each customer the licensing system is different; what is good for one application can be disadvantageous for another application.
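The operating principle described above (a passphrase compiled into a sequence of building blocks that rewrite an internal state holding the application's vital variables, with no yes/no licence check), as an added Python illustration. It is not PMC code or the PMC algorithm: the three building blocks, the SHA-256-based block selection, the per-licence offsets, and all names and sample values are assumptions made for this example.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF
WORDS = 8  # size of the internal state array (assumed)

# Hypothetical building blocks: small PRNG-style steps over the shared state.
def blk_xorshift(state, i, k):
    x = state[i] ^ k
    x ^= (x << 13) & MASK32
    x ^= x >> 17
    x ^= (x << 5) & MASK32
    state[i] = x

def blk_lcg(state, i, k):
    state[i] = (state[i] * 1664525 + 1013904223 + k) & MASK32

def blk_diffuse(state, i, k):
    # Spread word i into a different word j (diffusion across the array).
    j = (i + 1 + k % (WORDS - 1)) % WORDS
    state[j] = (state[j] + (state[i] ^ k)) & MASK32

BLOCKS = (blk_xorshift, blk_lcg, blk_diffuse)

def compile_program(passphrase, length=64):
    """Turn a passphrase into a list of (block, word index, constant) steps."""
    program, counter = [], 0
    while len(program) < length:
        digest = hashlib.sha256(struct.pack("<I", counter) + passphrase.encode()).digest()
        for off in range(0, 32, 8):
            sel, idx, const = struct.unpack_from("<BBxxI", digest, off)
            program.append((BLOCKS[sel % len(BLOCKS)], idx % WORDS, const))
        counter += 1
    return program[:length]

def run(passphrase):
    """Seed the internal state from the passphrase, then execute the program."""
    seed = hashlib.sha256(b"state:" + passphrase.encode()).digest()
    state = list(struct.unpack("<8I", seed))
    for block, idx, const in compile_program(passphrase):
        block(state, idx, const)
    return state

def vendor_offsets(passphrase, vital):
    """Vendor side: offsets that map the final state onto the vital constants."""
    return [(v - s) & MASK32 for v, s in zip(vital, run(passphrase))]

def app_constants(passphrase, offsets):
    """Application side: no comparison, the state is used whatever it holds."""
    return [(s + o) & MASK32 for s, o in zip(run(passphrase), offsets)]

def decode(sample, constants):
    # Stand-in for the protected functionality: depends on two vital variables.
    return (sample * constants[0] + constants[1]) & MASK32

# Constructed sample data: the application's real constants and a registration string.
VITAL = [3, 7, 0, 0, 0, 0, 0, 0]
GOOD_KEY = "ACME-GmbH|HOST-0042"
OFFSETS = vendor_offsets(GOOD_KEY, VITAL)
print(decode(10, app_constants(GOOD_KEY, OFFSETS)))
```

With the constructed good key the stand-in `decode` returns 37; a different registration string compiles to a different block sequence and leaves the vital variables wrong, with no branch that reports failure.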

A crypto compiler can be an overwhelming obstacle to an attacker, provided that it is implemented correctly; imagine that there is an intangible piece of software that isn't present on the hard disk, but which is compiled during runtime of the application program and then decides whether the software will later run correctly or not.

Privacy statement

Customer data is kept secret for at least 15 years under our standard non-disclosure policy. This is especially true for the company name and for the products which are protected by using some or all of the features of PMC Software License Management. In return, we expect our customers to keep all information which is not publicly known about PMC Software License Management undisclosed for at least 15 years after signing a non-disclosure agreement with us.

PMC Ciphers, Inc reserves the right to adopt improvements and new features of PMC Software License Management, which are conceived or invented in the course of ongoing development for one customer, in PMC Ciphers, Inc products including PMC Software License Management.

For more information: http://www.pmc-ciphers.com

This is a preliminary document and may be changed substantially prior to final commercial release. This document is provided for informational purposes only and PMC Ciphers, Inc makes no warranties, either express or implied, in this document. Information in this document is subject to change without notice. The entire risk of the use or the results of the use of this document remains with the user. The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of PMC Ciphers, Inc.

PMC Ciphers, Inc may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from PMC Ciphers, Inc, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2000-2002 ciphers.de, 2002-2007 PMC Ciphers, Inc., All rights reserved. Company and product names mentioned herein may be the trademarks of their respective owners.