From glynn.clements@virgin.net Wed Sep 4 18:58:43 2002 Return-Path: Delivered-To: yyyy@localhost.example.com Received: from localhost (jalapeno [127.0.0.1]) by jmason.org (Postfix) with ESMTP id 05A9216F1F for ; Wed, 4 Sep 2002 18:58:42 +0100 (IST) Received: from jalapeno [127.0.0.1] by localhost with IMAP (fetchmail-5.9.0) for jm@localhost (single-drop); Wed, 04 Sep 2002 18:58:42 +0100 (IST) Received: from outgoing.securityfocus.com (outgoing3.securityfocus.com [66.38.151.27]) by dogma.slashnull.org (8.11.6/8.11.6) with ESMTP id g84H7dZ11753 for ; Wed, 4 Sep 2002 18:07:40 +0100 Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19]) by outgoing.securityfocus.com (Postfix) with QMQP id 9FE27A30F4; Wed, 4 Sep 2002 10:40:56 -0600 (MDT) Mailing-List: contact secprog-help@securityfocus.com; run by ezmlm Precedence: bulk List-Id: List-Post: List-Help: List-Unsubscribe: List-Subscribe: Delivered-To: mailing list secprog@securityfocus.com Delivered-To: moderator for secprog@securityfocus.com Received: (qmail 21503 invoked from network); 3 Sep 2002 22:43:53 -0000 From: Glynn Clements MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: <15733.15859.462448.155446@cerise.nosuchdomain.co.uk> Date: Tue, 3 Sep 2002 23:55:47 +0100 To: Yannick Gingras Cc: secprog@securityfocus.com Subject: Re: Secure Sofware Key In-Reply-To: <20020903192326.C9DA533986@LINPDC.eclipsys.qc.ca> References: <20020829204345.91D1833986@LINPDC.eclipsys.qc.ca> <15733.3398.363187.572002@cerise.nosuchdomain.co.uk> <20020903192326.C9DA533986@LINPDC.eclipsys.qc.ca> X-Mailer: VM 6.94 under 21.4 (patch 9) "Informed Management (RC2)" XEmacs Lucid X-Spam-Status: No, hits=-14.2 required=7.0 tests=EMAIL_ATTRIBUTION,IN_REP_TO,KNOWN_MAILING_LIST, QUOTED_EMAIL_TEXT,REFERENCES,SIGNATURE_SHORT_DENSE, SPAM_PHRASE_03_05 version=2.41-cvs X-Spam-Level: Yannick Gingras wrote: > > What do you mean by "CD-Key or the like" (I presume that "of" was a > > typo)? And what do you mean by "unbreakable"? > > "of" was a typo > > Unbreakable would mean here that no one, even previously authorised entity, > could use the system without paying the periodic subscription fee. > > > You need to be far more explicit about the problem which you wish to > > solve, and about the constraints involved. > > It could be an online system that work 95% offline but poll frequently an > offsite server. No mass production CDs, maybe mass personalised d/l like Sun > JDK. > > Nothing is fixed yet, we are looking at the way a software can be protected > from unauthorized utilisation. > > Is the use of "trusted hardware" really worth it ? Answering that requires fairly complete knowledge of the business model. But, in all probability: no, it isn't usually worth it. So, it comes down to how difficult you want to make the cracker's job. If the product requires occasional authentication, simple copying won't work; the product has to be cracked. In which case, the issue is whether you're actually going to enter into battle with the crackers, or just make sure that it isn't trivial. A lot of it comes down to your customer base. Teenage kids tend to be more concerned about cost and less concerned about viruses/trojans, and so more willing to use warez. Fortune-500 corporations are likely to view matters differently. > Does it really make it more secure ? Yes; software techniques will only get you so far. Actually, the same is ultimately true for hardware, but cracking hardware is likely to require resources other than just labour. Almost (?) anything can be reverse engineered. But it may be possible to ensure that doing so is uneconomical. > Look at the DVDs. IIRC, CSS was cracked by reverse-engineering a software player; and one where the developers forgot to encrypt the decryption key at that. -- Glynn Clements