Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
I've created a code(C++) that encrypts an file. It generates a key and the encrypted file. But I don't know how good(or bad) is my algorithm. Is there any way that I can test it?
Never count on the secrecy of your encryption algorithm. This would be a big strategic mistake for many reasons. For the least, if ever this algorithm is revealed, it will be very difficult to change it and re-install a patch that uses another algorithm on all the machines that use your software. On the other hand, changing a key is easier and does not require any software modification.
The first step to ensure its robustness is to publish it. Yes, and when you try to assess it, assume that is known to the intruder (Trudy), who only lacks the key.
Having in mind that Trudy knows the algorithm, assess the level of robustness of your algorithm by asking yourself the following questions:
Does it resist Cipher-Only cryptanalysis? If Trudy has a (big enough) set of texts ciphered with the same key, but she has some information, such as the language with which the texts are written, the subject of these texts (i.e financial letters), will she be able to deduce that key? Trudy could do a brute force attack by searching all possible keys (hence the key should be big enough, at least 128 bits in modern cryptography), but she could also reduce the search by making guesses based on some known statistics on the language, the subject and other information.
Does it resist Known-Plaintext cryptanalysis? If Trudy has a set of ciphered texts together with the corresponding plain texts, can she deduce the key?
Does it resist Chosen Plaintext cryptanalysis? If Trudy has open access to a system that can generate for her the ciphertext of any plaintext, can she deduce the key? (notice that this is a requirement for public-key crypto-systems, such as TLS).
As a conclusion, you can see that cryptanalysis is a serious and very advanced science, so, if you are doing this for a serious project and not for fun, it is highly non-recommended to write your private algorithm, but to select off the shelf one of the publicly known algorithms, because they have been validated and their robustness proven throughout years.
When it comes to security: never make your own algorithm. Apply an appropriate combination of existing algorithms using a vetted, easily updatable 3rd party library.
Related
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed last year.
Improve this question
I have a string returned from an external C++ lib after saving a record.
This string is a key to be used if you want to retrieve the saved record via the lib.
I would like to hide the specific key format returned by the lib and return something like a hash code to the user, so that the user can use this key string to query the saved record from the system.
The key string transformation should be reversible as I still need the original value to communicate with the external lib. In this case, a Hash code is not appropriate.
The questions I would like to ask:
Is there any existing standard lib to do that?
As it is a key to the user directly, if possible, I would like it to be a string of printable chars.
It seems that encryption and decryption is my best choice? If so, which algo/lib is suggested? A simple code example is enough.
Any help is highly appreciated.
Apart from some encryption or obfuscation (which is essentially an easy-to-break encryption), you could also compress, then stringify (and de-stringify, then decompress the other way around). If your keys are long, this might even be a usability improvement for your users.
A de-facto standard for compression is the zlib library and for de/stringification you could use Base64 or Base85, which are also pretty standard, with several open source library implementations.
It sounds like you want to obfuscate the string so that the user can't use it directly. The question is, how obfuscated does it need to be? If a trivial amount of obfuscation is all that is required, there are any number of simple algorithms that can do that (ROT13, XOR, nybbleizing, etc). You could combine them or come up with your own, although keep in mind that if you release an executable or library containing the algorithm, then any sufficiently determined user could reverse-engineer the algorithm or step through your code with a debugger to figure it out, if they really wanted to.
If it's really important that nobody figure it out, then the best thing to do is to never give the user the obfuscated information or the algorithm at all. For that, you could simply create a unique ID for each string (e.g. by computing a sufficiently large hash code) and store the mapping between generated IDs and their source-strings on a server that you control. Then you only give your user the generated ID, which he later hands back to your server, and your servers looks up the corresponding original string in its database. (That's pretty much the algorithm that sites like TinyURL.com use, FWIW).
Another option would be to use something like OpenSSL's libcrypto to encrypt the string using a secret key, then nybbleize or base64-encode the encrypted output and pass the results back to the user. That would avoid the need to maintain a database, but of course it only remains secure if the secret key is secure, which means it still needs to be done on a computer you control rather than on the user's computer, otherwise the user can simply run a debugger to find out what the secret encryption/decryption key is, and you're back to square one.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 3 years ago.
Improve this question
I would like to start selling some software I have developed in C++. The first line of protection will be the fact that C++ produces an executable. Within that, I will also apply algorithmic and manual obfuscation techniques to make it very hard to understand even once cracked.
With regards to licensing, my plan is to create an API you can send a request to. The data will include your license key and your device fingerprint. Upon receiving this data, the API will check for the license key in the database, and ensure the device fingerprint matches the fingerprint stored. If it does, it will reply with some sort of cryptographic response that must match a certain pattern. The client will then check if that response matches the pre-determined pattern, and if it does the software will be allowed to be used. If it does not, the user will be locked out. And this response will be empty if the API check failed, so that will also cause the user to be locked out.
I am aware that this is not unbreakable, but I would like to make it as difficult to break as possible without investing a ridiculous amount of time. The reason I wanted to add some cryptographic response is so the user can't just spoof the response from my server. Although I will also be using HTTPS on top of that. If this is a good idea, what sort of cryptographic check would you recommend?
The idea of the fingerprint is to prevent users from using the software on multiple computers at a time. I'm not quite sure what to use for this, but I was thinking of hashing a combination of the MAC address, computer name and something else. Any suggestions?
Is there anything else I should be doing to protect my software?
Thanks.
Don't waste your time. It's impossible to stop everyone, and even if you stop 99.999% of the people from cracking it, it only takes a single person to crack it and upload it to all the pirate sites. And the harder you make it, the more it will annoy legitimate users.
I'm working professionally on creating software licensing system. I can tell you, that's not easy to make software protecting system that will be safe enough to discourage people before they break it.
Yes, all systems are crackable. It's only matter of time before someone finds a way to bypass security. Our job is to make it as hard as possible giving them as few clues as possible.
I will also apply algorithmic and manual obfuscation techniques to make it very hard to understand even once cracked.
The goal is not to understand application, but run it without valid license.
With regards to licensing, my plan is to create an API you can send a request to. The data will include your license key and your device fingerprint. Upon receiving this data, the API will check for the license key in the database, and ensure the device fingerprint matches the fingerprint stored.
What you're describing is called License Server. It holds licenses and makes sure that the system users do not exceed their number.
and ensure the device fingerprint matches the fingerprint stored
Those fingerprints are called hostids and there are many types of them: bios id, harddrive serial number, MAC address, donlge (usb stick with license on it), username running application, etc. Most of them are pretty easy to forge. But as I said. The goal is to slow them as much as possible.
I am aware that this is not unbreakable.
That's very wise of you.
but I would like to make it as difficult to break as possible without investing a ridiculous amount of time
You've cat to be kitten me.
Unless license server will be in the same network as your software, it won't be able to run without internet connection. It might not be an issue for you, but it is for many companies.
I'm not saying it's a bad idea. Writing such a system is great exercise and I very recommend it to every programmer, but that's not an easy piece of bread.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
I want to provide a binary-only program written in C or C++ where the user has to pass a valid code via command line to be able to use some extra features of the program itself. The idea is to implement some verification strategy in the program which compares the passed code against a run-time generated code which univocally identifies the system or hardware on which the program is being run.
In other words, if and only if the run-time check:
f(<sysinfo>) == <given code>
is true, then the user is allowed to use the extra features of the program. f is the function generating the code at run-time and sysinfo is an appropriate information identifying the current system/hardware (i.e. MAC address of the first ethernet card, Serial Number of the processor, etc..).
The aim is to make it as much difficult as possible for the user to guess or (guess the way to calculate) a valid code without knowing f and sysinfo a priori. More importantly, I want it to be difficult to re-implement f by analyzing the disassembled code of the program.
Assuming the above is a strong strategy, how could I implement f in C or C++ and what can I choose as its argument? Also what GCC compiler flags could I turn on to obfuscate f specifically? Note that, for example, things like MD5(MAC) or MD5(SHA(MAC)) would be too simple for evident reasons.
EDIT: Another interesting point is how to make it difficult for the user to attack the code directly by removing or bypassing the portion of the code doing the check.
If you are on Windows, a standard strategy is to hash the value of the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
If you're worried that a user might "guess" the hash function, take a standard SHA256 implementation and do something sneaky like change the algorithm initialization values (one of the two groups of these uses binary representations of the cube roots of the primes to initialize - change it to 5th or 7th or whatever roots, starting at the nth place, such that you chop off the "all-zero" parts, etc.)
But really if someone is going to take the time to RE your code, it's much easier to attack the branch in the code that does the if (codeValid) { allowExtraFeatures(); } then to mess with the hashes... so don't worry too much about it.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
We have a custom license check method, which is very simple, we just check a registry key(a string, set by another process based on different parameters) and grant license or reject.
I came to know that, anybody can simply crack this, once they get to know which regkey we are looking for. Or by searching for cmp instruction in assembly code.
I just wanted to know better solution for this license check problem. I may not need very complex procedure or any such. But if it should be little better than current one.
I use C++\VC++ with windows 7.
Thanks & Rgds, calvin
The only way to totally prevent cracking is to use a pay as you go based hosted application accessed by users remotely.
That way someone without a valid paid account can not use the application, and anyone handing his account credentials to other will pay for their use as well as his own.
No code (except possibly a stub to allow logging in) is ever sent to the client, let alone stored there, so the client can't ever operate without connecting to your server (which will hopefully not get compromised, but that's a sysop problem, not a coding problem).
Any other system you may adopt will essentially have to rely on the legal clout behind your license to deter people from cracking it.
You need to somehow protect your code against reverse engineering; there are many so-called executable file protectors and I will not name it here. Regardless of what you calculate, just two NOP instructions will push the flow of the protection check in undesired direction.
Of course, it really matters what kind of code you are protecting; for interpreted languages it is almost impossible to protect yourself.
Ah, sorry, I can name one, non-commercial: infamous Yoda's PE Protector.
You could calculate a hash from a hardware-specific value and check for that value in the registry. This way it wouldn't be enough to find which value you are looking for, but also the algorithm.
A mathematically sound way of doing this is would be to turn the computer-specific value (e.g. MAC address) into a prime number, multiply it with your own magic prime number and store the product.
Edit: Note, though, that it usually is not worth bothering with any protection scheme except very simple ones. Even large corporations are struggling with this problem.
Any logic running locally will always be prone to circumvention. With regard to the actual storage of a license depending on your application I would write a web service and run your own server. Get the app to check with your service each time it starts that the license is still valid.
This also gives you much more flexibility for example you could revoke a licence if payment doesn't clear.
You can accomplish this using public/private key encryption. Have local signed file instead of the registry that contains information about the license and having a web server to check the license is valid once in while. This should give you enough protection.
This can be done with LicenseSpot. On the site there's sample code, although only in c#.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
What is the best way to secure the use/loading of a DLL with a license file?
A couple of things you might want to consider:
Check sum the DLL. Using a cryptographic hash function, you can store this inside the license file or inside the DLL. This provides a verification method to determined if my original DLL file is unhacked, or if it is the license file for this DLL. A few simple byte swapping techniques can quickly take your hash function off the beaten track (and thus not easy to reproduce).
Don't store you hash as a string, split it into unsigned shorts in different places.
As Larry said, a MAC address is fairly common. There are lots of examples of how to get that on The Code Project, but be aware it's easy to fake these days.
My suggestion, should be use private/public keys for license generation.
In short, modes of attack will be binary (modify the instructions of your DLL file) so protect against this, or key generation so make each license user, machine, and even the install specific.
You can check for a license inside of DllMain() and die if it's not found.
It also depends on how your license algorithm works. I'd suggest you look into using something like a Diffie–Hellman key exchange (or even RSA) to generate some sort of public/private key that can be passed to your users, based on some information.
(Depending on the application, I know of one case where I wrote the license code on contract for a company, they used a MAC address, and some other data, hashed it, and encrypted the hash, giving them the "key value", if the registration number was correct). This ensures that the key file can't be moved, (or given) to another machine, thus 'stealing' the software.
If you want to dig deeper and avoid hackers, that's a whole 'nother topic....