1

We have to do a licensing system. It would be someting like A Ready To Use Software Licensing Solution in C# [CodeProject]

But our client is worried about the SHA/SHA1 "weakness".

I've searched the web about this, but the only thing I found is the Schneier estimated cost to break it.

But I do not know what is needed to break it.

  • Does attacker need the public key?
  • Are message and signature enough?
  • If code will be broken, what would attacker get? (I supose he would get the private key and he could create new signatures.)
JMA
  • 113
  • 5
  • See Also: https://www.schneier.com/blog/archives/2005/02/sha1_broken.html – CaffeineAddiction Jul 12 '16 at 15:02
  • 3
    How are you using SHA1? In an HMAC? What public key are you talking about as SHA1 is a keyless algorithm? – Neil Smithline Jul 12 '16 at 15:26
  • 2
    It's probably a non-issue, because altering the binary itself would probably be easier than finding a hash collision. – Alexander O'Mara Jul 12 '16 at 15:44
  • @NeilSmithline you are wright. I will update the title because it's a RSA-SHA1, not SHA1 only. – JMA Jul 12 '16 at 16:03
  • @AlexanderO'Mara I also think so, or to make constant the input (some HD serial can be changed, MAC can be changed, CPU UID is deprecated and some motherboard doesn't have UID) but the client was convinced it was unsecure. – JMA Jul 12 '16 at 16:13
  • If you want to discourage users from sharing their licenses, issue it as a certificate, and make it clear to the customer that leaking the private key will break their security. – Rob Jul 12 '16 at 17:05

1 Answers1

2

SHA-1 is broken. When you use SHA-1 to verify the signature of your license files then an attacker can generate a license file which will pass your verification algorithm in reasonable time. Anything they need to do that (your verification algorithms and any shared secrets) must be a part of your program, otherwise it couldn't do offline verification.

But there are many other hash algorithms you can use as a simple drop-in replacement. When the hash algorithm has no considerable weakness and your license keys have enough entropy (long enough completely random and unique part) it doesn't even need to be a particularly slow algorithm, because brute-force attacks are unfeasible. You could, for example, use one of the algorithms from the SHA-2 or SHA-3 families. Despite the name they don't have much in common with SHA-1, so the vulnerability does not apply to them.

However, your client should rather be worried about a cracker releasing a patch to remove your license checking code from your programs binary altogether. In practice, copy protection is rarely effective against a determined attacker. When it runs completely on the users machine then it can't be 100% effective, because it runs under the users control. It mostly works by making piracy less convenient than buying, not by making it impossible.

Which brings me to another important consideration: The best copy protection is making the product easy to buy. The more hoops you have your user jump through to get and apply a proper license, the more likely that they will look for "alternative methods" to get it to run. The steps mentioned in the article linked in the question (user tells vendor device-id, vendor replies with license file...) sound far harder than googling "JMA's program crack download".

Philipp
  • 49,384
  • 8
  • 129
  • 160
  • In our case the application runs inside a machine, so it's not a PC application. The CPU inside the machine is a regular CPU, so we prefrer to keep all algorithms as simple as possible. It's a human supervised key generation, so the client just can get as many keys as number of machines has buy, I don't think any client will get more than 10. So with 10 messages and 10 signatures, is enoght to brake a RSA-SHA1 signature? – JMA Jul 12 '16 at 16:34
  • @JMA they don't need a single message or signature to break it. They just need a copy of your program to look at your signature checking algorithm and then use above mentioned vulnerability to generate a license key which will pass it. – Philipp Jul 12 '16 at 16:57
  • 2
    "SHA-1 is broken": Maybe I misunderstood your point, but while I agree with your assertion from a theoretical cryptographic point-of-view, I'm not sure to agree on a practical point-of-view. As Schneier says himself, "Right now, that is just on the far edge of feasibility with current technology.", and even then finding *any* collision is not the same as finding a collision against a fixed predetermined hash. The weak-point here will not be SHA1, but the software code which can be modified to crack the protection. – WhiteWinterWolf Jul 12 '16 at 16:58
  • @JMA also, SHA1 and SHA2 are not very different regarding speed. – Philipp Jul 12 '16 at 17:17
  • 1
    “SHA-1 is broken” No. SHA-1 is broken in a cryptographer's sense, because the cost of finding a collision is less than the theoretical maximum of $2^{80}$. However, SHA-1 is not broken in any practical sense. It's been ten year and nobody has found a collision yet. It isn't as unfeasible as it should be, but it's still infeasible. The second part of your answer is fine but the first part is nonsense. – Gilles 'SO- stop being evil' Jul 12 '16 at 19:25
  • unless it's some really high-cost stuff, it's likely cheaper to buy the software than to find a viable collision... – dandavis Jul 13 '16 at 08:48
  • Thanks all. So to break it attaker need the public key / certificate. In this case we sell the full machine, and the user doesn't have the "key" to get the application. We will efford to protect the application instead of searcho for a more secure algorithm. Because if they get the application I think it will be easier to crack it than to break the RSA1 algorithm. In our case we need to license the software because hardware is imposible to protect. – JMA Jul 15 '16 at 15:29
  • @JMA I would usually expect the hardware to be easier to protect than the software. Copying a hardware device costs money for parts and assembly. Copying software is free. There are also single-chip solutions for cryptographic systems which make it very hard (but not totally impossible) to retrieve the key from. So you could put the software on an encrypted ROM and have the crypto-chip decrypt it on boot. – Philipp Jul 15 '16 at 17:01