Amir Herzberg
Abstract
One of the overwhelming problems that software producers must contend with is the unauthorized use and distribution of their products. Copyright laws concerning software are rarely enforced, thereby causing major losses to the software companies. Technical means of protecting software from illegal duplication are required, but the available means are imperfect. We present protocols that enable software protection, without causing substantial overhead in distribution and maintenance. The protocols may be implemented by a conventional cryptosystem, such as the DES, or by a public key cryptosystem, such as the RSA. Both implementations are proved to satisfy required security criteria.
- 1 ADAPSO. Proposal for software authorization system standards. ADAPSO, 1300 N. 17th St. Arlington, Va., Oct. 1985.Google Scholar
- 2 ALBERT, D. J. AND MORSE, S.P. Combating software piracy by encryption and key management. Computer (Apr. 1984).Google Scholar
- 3 DANCOTEC COMPUTER. Copybook User Guide. Dancotec, Bakkefaldet 36, 2840 Holt, Denmark, Mar. 1986.Google Scholar
- 4 DOLEV, D., EVEN, S., AND KARP, R.M. On the security of ping-pong protocols. Inf. Control 55 (1982}, 57-68.Google Scholar
- 5 DIFFIE, W., AND HELLMAN, M. New directions in cryptography. IEEE Trans. Inf. Theory IT-22 (1976).Google Scholar
- 6 HERZBERG, A., AND KARMI, G. On software protection. In Proceedings of the 4th Jerusalem Conference on Information Technology. (Jerusalem, Apr. 1984). North-Holland, Amsterdam, 1984.Google Scholar
- 7 HERZBERG, A., AND PINTER, S. S. The transaction system model and security engineering. To be published.Google Scholar
- 8 JONGE, W., AND CHAUM, D. Attacks on some RSA signatures. In Advances in Cryptology-- CR YPTO 85 (1985). Springer Verlag, New York, 1985, pp. 18-27. Google Scholar
- 9 KENT, S. W. Protecting externally supplied software in small computers. Tech. Rep. 255. Massachusetts Institute of Technology/LCS, Cambridge, Mass., Sept. 1980. Google Scholar
- 10 MERRITT, M. J. Cryptographic protocols. GIT-ICS-83/06. Ph.D. dissertation, The Georgia Institute of Technology, Atlanta, Ga., 1983. Google Scholar
- 11 NATIONAL BUREAU OF STANDARDS. Data Encryption Standard. FIPS Publication 46, National Bureau of Standards, U.S. Department of Commerce, Washington, D.C. Jan. 1977.Google Scholar
- 12 RIVEST, R. L., SHAMIR, A., AND ADLEMAN, L. A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21, 2 (Feb. 1978), 120-126. Google Scholar
- 13 SIMMONS, G.J. How to (selectively) broadcast a secret. In Proceedings of the 1985 Symposium on Security and Privacy (Oakland, Calif., Apr. 1985). IEEE, New York, 1985, pp. 108-113.Google Scholar
- 14 SIMMONS, G. J., PURD~, G. B., AND STUDIER, J.A. A software protection scheme. In Proceedings of the 1982 Symposium on Security and Privacy (Oakland, Calif., 1982). IEEE, New York, 1982, pp. 99-103.Google Scholar
Index Terms
- Public protection of software
Recommendations
Public Protection of Software
CRYPTO '85: Advances in CryptologyOne of the overwhelming problems that software producers must contend with, is the unauthorized use and distribution of their products. Copyright laws concerning software are rarely enforced, thereby causing major losses to the software companies. ...
Securely combining public-key cryptosystems
CCS '01: Proceedings of the 8th ACM conference on Computer and Communications SecurityIt is a maxim of sound computer-security practice that a cryptographic key should have only a single use. For example, an RSA key pair should be used only for public-key encryption or only for digital signatures, and not for both.In this paper we show ...
Applying Software Protection to White-Box Cryptography
PPREW-5: Proceedings of the 5th Program Protection and Reverse Engineering WorkshopWhite-box cryptography sits at the intersection of software protection and cryptography. Software protection is aimed at preventing attackers from modifying software or extracting secrets from it through reverse-engineering or other means. Software ...
Reviews
James P. Anderson
This paper is about a serious problem of modern computing, that is, protecting widely distributed programs from being copied and used by individuals who have not paid for them. The authors present a number of different protocols for secure distribution of encrypted software to end-users both directly and through distributors. In this approach to protecting widely distributed software, the producer distributes the product in encrypted form. The paper is concerned with the way that the program gets to the end-user in a secure (enciphered) state such that no intermediary attacker can obtain constructive use of the program no matter what he or she does. The paper addresses the subissues of user (host) identification and authentication, the secure transmission of cryptovariables, and the robustness of the protocol in an environment where the attacker is, in principle, part of the system. The protocols are presented in considerable detail and their security properties are proved using a transaction system as a model of the protocols and their properties. As indicated above, the protocols cover direct and indirect distribution of software and the replacement of keys damaged in a failed computer. Protocols based on both asymmetric (public) and symmetric (conventional) keyed cryptosystems are presented, along with proof of their security properties for the direct distribution of software. The overall scheme hinges on making the computers store and execute encrypted programs. To accomplish this, the processor part of a computer must be modified to let it decrypt the encrypted program as it is being used. The authors briefly discuss the architectural changes that must be made to a computer to permit it to decrypt an encrypted program. Two architectures are presented, a pipeline architecture and a cache architecture. In the former, the instructions are decrypted as they are fetched from program storage. Buffers are employed to compensate for any speed mismatches that may occur. In the cache version, the entire program is decrypted as it is loaded into a protected execution storage that is mapped onto the computer's main storage for execution but is otherwise not accessible to the user. The authors indicate that a prototype version of the cache architecture is being constructed for an IBM PC with an expected total cost of less than $100. Quite clearly, the cost effectiveness of such storage schemes hinges on the ability to protect the cryptofunction and/or the execution storage of the modified system. This paper does not deal with any of the severe engineering issues that are raised by this requirement. The interested reader should consult the recent papers by White and Comerford [1] and Weingart [2] for more detail on what a “protected CPU” entails. Overall, this is quite a good paper. The part comparing the author's scheme with other schemes is written as though the reader is familiar with all of the details of those other schemes. In spite of this, the paper is readable and is recommended to individuals interested in protecting software as well as in the considerable problems of secure distribution of cryptographic variables.
Access critical reviews of Computing literature here
Become a reviewer for Computing Reviews.
Comments