Spehro Pefhany wrote:
> >> The system needs to be as cheap as possible and still offer some fair level
> >> of protection.
> >
> >Cheap/effective. You can have only ONE <G>.
>
> You do have to keep in mind that no matter how great an encryption algorithm
> you use in the dongle, a hacker can always bypass the checks in the PC
> program
> so it doesn't even look for the dongle!

Of course. Which is why you CRC the executable code. Then he has
to patch that too. If you have enough calls to test the dongle, it gets
old really fast. A determined hacker will of course get through.

I've never been a fan of dongle protection because it is just TOO easy
to patch around the tests (ask me how I know?).

> >I better idea may be to make the dongle a necessary part of the software.
> >If you are writing your software in C++, for example, put a routine that
> >isn't too processor intensive ONTO the PIC.
>
> Good idea, preferably the most tricky algorithm in your system, so as to
> make it difficult to reverse engineer. Then you'd have to be up against
> a multi-disciplinary adversary, a lot less likely.

Didn't stop the DSS hackers did it? The decryption of the video
keys happens inside the 'Access card'. News Datacom figured that they'd
made it secure, but the hackers found a way around it because the
payoff (millions of dollars of untaxable revenue) was worth it.

Requiring a key from the dongle in order to decrypt the executable
is a simpler way. Putting key algorithms into the dongle is even better
if you can afford the overhead and performance hit.

It still comes down to cost/security tradeoffs, and what amount
of effort the hacker will need to expend to steal your product.

And copywrong legislation means bugger all to China and other 3rd
world countries. You basically have to get in, saturate the market,
and get out before the clones arrive.

Robert

--
http://www.piclist.com hint: The list server can filter out subtopics
(like ads or off topics) for you. See http://www.piclist.com/#topics