Home page logo

pen-test logo Penetration Testing mailing list archives

Re: How secure are dongles for copy-protection?
From: "Ryan Permeh" <ryan () eEye com>
Date: Tue, 5 Jun 2001 16:40:19 -0700

certainly.  this is what i commented about earlier("This is all assuming a
"perfect" implementation, of course, where
breaking the algorithm/key on the dongle is the easiest way in, and not just
subverting control of the application.  ").
the most correct/optimal way of handling this is as follows:

1. Take a key issued by vendor.  This is the "liscence" key offered in most
2. Pipe this key to the dongle.
3. perform cryptographic transformation on the issued "liscence key".  this
cryptographic transform could be a hash/crypt/decrypt depending on
situation.  Potentially this could be multiple transformation.  The closer
to hardware configured the better.
4. return the value of the transformation(s) from the dongle to the program.
5. use this as a key to uncrypt the codesegment of the executeable(the .text
segment of the pe or whatever format you need).

There are other tricks you can do, ie use runtime decoding of code at use,
using different bit patterns as checks for features to be enabled,disabled,
etc.  But basically, if the code is crypted, and the key comes from a
transformation on the fob, you really don't do "compares".  it's key info,
not compare info.  do not use fobs for handling yes/no issues.  use them to
generate keys as appropriate to decode stuff.  This forces an attack on the
crypto transforms on the key, which makes softice worthless, and makes the
attacker use more traditional methods (real ice, anti hardware tactics,

this has to be implemented in a executeable wrapper around a binary(or built
as part of the binary itself), and the wrapper has to be keyed to the key
fob you use.

Ryan Permeh
eEye Digital Security Team
http://www.eEye.com/Retina -Network Security Scanner
http://www.eEye.com/Iris -Network Traffic Analyzer

----- Original Message -----
From: <shampster () mail 3xT org>
To: "Ryan Permeh" <ryan () eEye com>
Cc: "Penetration Testers" <PEN-TEST () securityfocus com>
Sent: Tuesday, June 05, 2001 2:50 PM
Subject: Re: How secure are dongles for copy-protection?

On Tue, 5 Jun 2001, Ryan Permeh wrote:
the only types of dongle protection that don't completely suck are those
that take information from the machine and perform a specific set of
operations on the dongle(prefereably a cryptographic operation, a hash
crypte/decrypt) purely in hardware on the dongle.  This means that the
cracker either has to reverse the entire crypto algorithm(using black
techniques like known plaintext attacks), including finding the keyed
on the dongle, or use a hardware lab to actually reverse the hardware.

. . . Not if all this trickery ends in a function returning a 0 for
failure and a 1 for success . . .
What does the software do with the hash
once it's passed back to the application?  Compare it to a constant?
Hopefully not. Use the returned value as a pointer to the next code
segment? Better, but usually still not very difficult to break.

To completely emulate the dongle, the cracker does have to reverse the
But a cracker does not need to reverse the dongle to break the protection.


Ryan Permeh
eEye Digital Security Team
http://www.eEye.com/Retina -Network Security Scanner
http://www.eEye.com/Iris -Network Traffic Analyzer

----- Original Message -----
From: "Felix Huber" <huberfelix () webtopia de>
To: "Penetration Testers" <PEN-TEST () SECURITYFOCUS COM>
Sent: Tuesday, June 05, 2001 4:05 AM
Subject: Re: How secure are dongles for copy-protection?


of course - the most dongle checks were cracked. I have seen 3DSMax
other... For more information:

Felix Huber

Felix Huber, Web Application Programmer, Webtopia
Guendlinger Str.2, 79241 Ihringen - Germany
huberfelix () webtopia de     (07668)  951 156 (phone)
http://www.webtopia.de     (07668)  951 157 (fax)
                                         (01792)  205 724 (mobile)
  ----- Original Message -----=20
  From: Harold Thimm=20
  To: pen-test () securityfocus com=20
  Sent: Monday, June 04, 2001 9:43 PM
  Subject: How secure are dongles for copy-protection?

  I'm looking for any information on incorporating dongles into a =
software package for copy protection. In particular, I'm looking for =
information on the Rainbow Technologies Sentinel, but advice on =
dongle-based copy protection in general is appreciated.

  How easy/difficult is it to break this kind of copy-protection? Are
there any known weaknesses in the dongle-type systems themselves (as =
opposed to implementation weaknesses?)=20

  Are there any dongle-based protection schemes that have been
cracked, =
and if so, how?=20

  (A pointer to a URL would be appreciated, if you have it.)

  Thanks in advance.


shampster / 3xT.org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]