Vulnerability Development mailing list archives
Re: spoofing the ethernet address (license managers)
From: Michael.Wojcik () MERANT COM (Michael Wojcik)
Date: Mon, 27 Mar 2000 13:20:21 -0800
From: Eric Sherrill [mailto:sherrill () ti com]
Subject: Re: spoofing the ethernet address (license managers)

> Many UNIX license managers (e.g. FlexLM, the most common) use a license file
> with an encrypted string, hostname and Ethernet MAC address or "hostid"
> [...]
> IMHO the Ethernet MAC is not a reliable security or identity provider,

Agreed.

> and the license managers are stupid to rely on them

I disagree. This comes up all the time on sci.crypt, comp.security.unix, and other newsgroups, and the consensus is always the same. Software licensing is a best-effort procedure; you're raising the piracy bar to something above "trivial" but well below "impossible". You try to make idle license violations too difficult to be worthwhile.

Any software licensing scheme ultimately depends on the software detecting that it doesn't have a valid license. It's always possible to track the software under a debugger, find the point at which validation is done, and branch around it. License keys, "key disks", dongles, and all the other copy-protection technologies are grounded in a threat model that says that the user won't modify the software to simply skip the license check entirely. Yes, people have proposed arcane, byzantine schemes like encrypting portions of the program, scattering license checks through it, etc. Sooner or later, though, the software has to decide to trust something that's under the user's control.

Software licensing is mostly about keeping honest customers honest; the target is the customer who's just going to install on another machine temporarily for whatever reason, and never gets around to taking it off. That's still a huge area for price recovery; when we went to software licensing with one of our products, we found a big customer with twice the workstation installations they had actually purchased. (What's more, they were paying maintenance on more copies than they had purchased, but fewer than they were actually using.) They simply hadn't bothered to keep very good records of who had installed the software. That's only one example - we found many. When the error was pointed out, they were perfectly willing to make amends.

Similarly, we have usage-based licensing for some of our products, which allows customers to purchase the amount of throughput they need, in a fair manner - they know other customers are also getting what they pay for.

So a trivial identification scheme is fine. That's not the weak link in the chain anyway.

> (although I can't think of a better replacement off the top of my head, maybe X.509 certificates or something).

Plenty of people have considered using asymmetric encryption for software licensing. It's just not worth the effort.

> Plus one of these days distributed.net might start cracking away at license strings.... ;^)

License keys generally don't need distributed.net. Ours are a 64-bit cryptographic hash, for example (and a 32-bit hash would have been plenty; I just used 64 bits to reduce the possibility of a collision, so we could use the keys as probably unique identifiers for searching the license database). By the Birthday Paradox, finding a collision is a work factor of 2^32. The difficulty is slightly greater than with a MAC or other general-purpose cryptographic hash application, because the input is forced into canonical form that reduces the degrees of freedom for varying the preimage a bit. But not by much.

In any case, with a license key the attacker generally has the algorithm (by analyzing the software), the preimage or plaintext, and the image or cyphertext. That makes cracking the system pretty easy. If there's a symmetric key in the system, it has to be embedded in the algorithm implementation, so the attacker can find it. If the system uses asymmetric keys, then perhaps some cracking horsepower would be required; but again this is the wrong place to attack, unless the attacker wants to be able to generate keys in bulk. *That* is a possible goal of software pirates, but since they also have the opportunity to distribute modified software with the license checks pulled...

Michael Wojcik
michael.wojcik () merant com
MERANT
Department of English, Miami University
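
The key-width reasoning in the message above (a truncated hash used as a probably unique database identifier, with the birthday bound at half the key width), as an added example that is not part of the original post and is not MERANT's code. The SHA-256 truncation, the record layout and all names and sample records are assumptions constructed for illustration.

```python
import hashlib
import math


def canonical(product: str, hostname: str, hostid: str) -> bytes:
    """Force a license record into one canonical byte form (assumed layout)."""
    fields = (
        product.strip().upper(),
        hostname.strip().lower(),
        hostid.replace(":", "").replace("-", "").strip().lower(),
    )
    return "|".join(fields).encode("ascii")


def license_key(record: bytes, bits: int) -> int:
    """Truncate SHA-256 to `bits` bits; a stand-in for the post's unnamed hash."""
    digest = hashlib.sha256(record).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def collision_probability(n_keys: int, bits: int) -> float:
    """Birthday approximation: chance that n_keys issued keys are not all unique."""
    return -math.expm1(-n_keys * (n_keys - 1) / 2 / 2**bits)


def first_collision(bits: int, limit: int = 1_000_000):
    """Issue keys for constructed records until two distinct records share a key.

    Returns (keys_issued, earlier_record, later_record), or None if no
    collision shows up within `limit` records.
    """
    seen = {}
    for i in range(limit):
        record = canonical("DEMO", f"host{i}", f"{i:012x}")  # constructed sample
        key = license_key(record, bits)
        if key in seen:
            return i + 1, seen[key], record
        seen[key] = record
    return None


if __name__ == "__main__":
    for bits in (32, 64):
        p = collision_probability(1_000_000, bits)
        print(f"{bits}-bit keys, 1,000,000 licenses: P(duplicate key) = {p:.3g}")
    issued, a, b = first_collision(24)
    print(f"24-bit keys: first duplicate after {issued} records (2^12 = 4096)")
```

At a million issued licenses a 32-bit key is almost certain to repeat somewhere in the database, while a 64-bit key is not, which matches the reason given in the post for choosing 64 bits.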