We've considered making our own. But first we started to brainstorm how many ways a dongle can be defeated. A dongle without much protection in the communication/driver/DLL interface will only "inconvenience" (limit the number of copies they can run for free) the legit end-user and make it a rather simple challenge for the cracker.

Here are the highlights:

- USB analyzer. Log and emulate the dongle communications via cloned hardware or software driver. (There used to be quite a few companies that did this for popular packages at a fraction of the cost of the original software.)
- Man in the middle attack. Log the communications between the app and the driver. Create a "proxy" between the driver and app to respond correctly, or replace the DLL/driver altogether.
- Patch the software to negate any tests against the dongle. Even if you sprinkle the routines all over, copy-paste, inline, etc., a search and replace can easily defeat this.

Solution highlights:

- Have secure, encrypted communications between the dongle and the end-software, not using a DLL, but a linked library.
- Have the driver validate itself and the dongle via "pseudo random" or encrypted signature that can't be easily duplicated, challenge-response with random seeds, etc.
- The software (both driver and user app) should employ an anti-debugger check to make it difficult to trace through the software for dongle checks.
- Have another app encrypt the software and add a bootstrapper to decrypt the app via dongle. Cannot execute the program without a valid dongle. Cannot even disassemble software as it is encrypted.

Now that we had a list of security issues, we decided to look for 3rd party hardware dongles instead, as we were not going to resell the dongles and the dongle project would be quite involved. Another issue to keep in mind when selling your own dongle is that if the developer API is available, crackers will experiment and find ways around it. Unfortunately the dongle prices are not <$20.

I don't know what the cost of the application will be, or how popular it will be (niche market versus generalized app), but the cost of having a certain number of packages pirated instead of paid for may make the cost worthwhile.

I know there's always the argument of "I really had no intention of purchasing this package but..." or "I don't really need this many copies but...", or "You don't trust me to use your software legitimately?", etc. But in the end it comes down to return on investment in developing the software and helping companies/people do "things" more efficiently, or at least better!, or, ok how about differently??

-----Original Message-----
From: piclist-bounces@mit.edu [mailto:piclist-bounces@mit.edu] On Behalf Of James Newtons Massmind
Sent: January 16, 2007 2:26 PM
To: 'Microcontroller discussion list - Public.'
Subject: [BUY] USB Dongles

My main client is transitioning from a hardware to a software based system (my fault). He is not at all comfortable with standard software licensing (and in this specific case, I can see why) and so wants to include a hardware locking key to control the use of the software. His clients won't mind since they are used to the current hardware anyway. Other comments regarding how evil dongles are should be tagged [OT], please.

The problem is that I can't seem to find any company that offers them in medium small quantities (low hundreds), for reasonable prices (e.g. < $20 each) and releases source code samples for how to connect to them. I had assumed there would be a DLL you include in your installation and you would call it from your application, but everything seems to be much more complex and secretive.

We aren't trying to stop hackers here, just keep the users honest.

Has anyone had any good experiences with this? I'd sure appreciate a referral. Thanks!

---
James.

--
http://www.piclist.com PIC/SX FAQ & list archive
View/change your membership options at
http://mailman.mit.edu/mailman/listinfo/piclist
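
Added example (not part of either message, and not any dongle vendor's API): a minimal model of the "challenge-response with random seeds" item in the reply's solution list, showing why a fixed query can be answered from logged traffic while a fresh random challenge cannot. The HMAC-SHA256 construction, the shared demo key, and all class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key

class Dongle:
    """Model of the token: answers with HMAC-SHA256(key, challenge)."""
    def __init__(self, key):
        self._key = key
    def respond(self, challenge):
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class ReplayDevice:
    """Model of a device that only knows previously logged exchanges."""
    def __init__(self, transcript):
        self._seen = dict(transcript)
    def respond(self, challenge):
        return self._seen.get(challenge, b"\x00" * 32)

def check_fixed(device, query=b"PRESENT?"):
    """Weak check: same query every run, so a logged answer stays valid."""
    expected = hmac.new(KEY, query, hashlib.sha256).digest()
    return hmac.compare_digest(device.respond(query), expected)

def check_fresh(device, nonce_len=16):
    """Stronger check: fresh random challenge per run, constant-time compare."""
    challenge = secrets.token_bytes(nonce_len)
    expected = hmac.new(KEY, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(device.respond(challenge), expected)

def demo():
    real = Dongle(KEY)
    # Constructed transcript: what a bus logger would have seen in earlier runs.
    log = [(b"PRESENT?", real.respond(b"PRESENT?"))]
    for _ in range(100):
        c = secrets.token_bytes(16)
        log.append((c, real.respond(c)))
    replay = ReplayDevice(log)
    return {
        "real_fixed": check_fixed(real),
        "real_fresh": check_fresh(real),
        "replay_fixed": check_fixed(replay),
        "replay_fresh": check_fresh(replay),
    }

if __name__ == "__main__":
    print(demo())
```

Because the host verifies with the same key, that key lives in the application binary; this check covers logged-and-replayed traffic only, not the patching of the check itself that the list also mentions.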