
Software License Protection Solution

Protecting software usually does not require much knowledge of assembly language or low-level system understanding. Developers can master the following skills and tips without it, and these can significantly increase the protection grade of the software if they are used properly and reasonably:

More encryption points and auxiliary means in shells

This is easy to understand: it is like adding one more lock to the door. However, the number of encryption points is not necessarily proportional to the time and effort spent.

In programming, most software developers make the encryption part a separate module so that it can be called from any location in the software, which is the right choice, but in terms of software protection it is not so good.

This is because, if all encryption points are centralized in a single code module, the encryption strength of several encryption points turns out to be almost the same as that of one encryption point.

Most shell encryption software provides anti-tracking, API redirection, anti-dump and anti-patch functions, which can protect the software from quite a large share of crackers.

However, the software cannot rely on the shell for protection, because such shell encryption tools are all general-purpose encryption tools that adopt stylized encryption methods. A general-purpose encryption tool may well be cracked by a general-purpose decryption tool.

Static links and interface hiding

For the sake of secondary development, dongle producers provide APIs that are all intuitive.

However, while an intuitive interface brings much convenience to developers, it also brings convenience to crackers. Each DLL has an export function table, and crackers can guess the meaning and purpose of the interface functions from their names without needing to trace the process. Therefore, if the APIs provided by dongle providers are to be used, it is important to use static linking, which links the resources directly into the software so that the interface is not exposed.

If the APIs provided by dongle providers cannot meet the needs and repackaging is therefore required, then when the interfaces are named, it is preferable not to follow the programming standards and to name them casually. The purpose of each function must, however, be specified in the interface description document.

Do not use public key algorithm

We know that the so-called public key algorithm is used to protect data, while software encryption aims to protect the software itself; these are quite different concepts in nature. To protect data, the algorithm needs sufficient strength so that the data cannot be restored; in software protection, the key is to hide the algorithm, because even if the algorithm is very simple, if it is hidden, cannot be found and can only be analyzed on the basis of its output, it will be much more difficult to crack than the RSA algorithm.

Therefore, a customized algorithm is preferred. If the developer worries that the algorithm is not strong enough and wishes to use a public key algorithm, it is preferable to make some changes to the public key algorithm before it is used.

Add random factors when calling algorithm in the dongle

There is a general-purpose decryption method called port simulation. Its working principle is that the cracker intercepts all communication between the software and the dongle and then builds a driver or a fake hardware device that sends the same data to the software as the dongle does. This method relies on the fact that the software protected by the dongle and the content exchanged between the software and the dongle are finite sets.
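
The effect of a random factor on port simulation, as an added Python example (not Longmai's code or API): `Dongle`, `RecordedTable` and the check functions are hypothetical names, the key is a constructed sample, and HMAC-SHA256 stands in for whatever algorithm runs inside the dongle.

```python
import hashlib
import hmac
import os

KEY = b"constructed-demo-key"  # constructed sample secret, not a real product key


def keyed(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


class Dongle:
    """Hypothetical stand-in for the hardware: the key stays inside the device."""

    def __init__(self, key: bytes):
        self._key = key

    def transform(self, data: bytes) -> bytes:
        return keyed(self._key, data)


class RecordedTable:
    """Models port simulation: it can only answer requests it has seen before."""

    def __init__(self):
        self.table = {}

    def record(self, dongle: Dongle, request: bytes) -> None:
        self.table[request] = dongle.transform(request)

    def transform(self, data: bytes) -> bytes:
        return self.table.get(data, b"")  # unknown request: no valid answer


def check_fixed(device) -> bool:
    """Weak: the same query every run, so the exchange is a finite set of one."""
    query = b"LICENSE-CHECK"
    return hmac.compare_digest(device.transform(query), keyed(KEY, query))


def check_random(device) -> bool:
    """Hardened: a fresh 128-bit random factor makes every exchange different."""
    nonce = os.urandom(16)
    # Demo shortcut (assumption): the host recomputes the answer with its own KEY.
    return hmac.compare_digest(device.transform(nonce), keyed(KEY, nonce))


def run_demo(observed_runs: int = 100) -> dict:
    dongle, sim = Dongle(KEY), RecordedTable()
    for _ in range(observed_runs):  # exchanges observed during earlier runs
        sim.record(dongle, b"LICENSE-CHECK")
        sim.record(dongle, os.urandom(16))
    return {
        "dongle_fixed": check_fixed(dongle),
        "dongle_random": check_random(dongle),
        "replay_fixed": check_fixed(sim),
        "replay_random": check_random(sim),
    }


if __name__ == "__main__":
    print(run_demo())
```

The recorded table passes the fixed query but fails the random one, because a 16-byte nonce observed earlier does not recur in a later run.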

To learn more about our solution implementation, please contact us.


Digital Certificate

What is a digital certificate?

In public key cryptography, one of the keys, known as the private key, must be kept secret. The other key, known as the public key, is intended to be shared with the world. However, there must be a way for the owner of the key to tell the world who the key belongs to. Digital certificates provide a way to do this.

A digital certificate is a digital form of identification, much like a passport or driver’s license. A digital certificate is a digital credential that provides information about the identity of an entity as well as other supporting information. A digital certificate is issued by an authority, referred to as a certification authority (CA). Because a digital certificate is issued by a certification authority, that authority guarantees the validity of the information in the certificate. Also, a digital certificate is valid for only a specific period of time.

Digital certificates provide support for public key cryptography because digital certificates contain the public key of the entity identified in the certificate. Because the certificate matches a public key to a particular individual, and that certificate’s authenticity is guaranteed by the issuer, the digital certificate provides a solution to the problem of how to find a user’s public key and know that it is valid. These problems are solved by a user obtaining another user’s public key from the digital certificate. The user knows it is valid because a trusted certification authority has issued the certificate.

In addition, digital certificates rely on public key cryptography for their own authentication. When a digital certificate is issued, the issuing certification authority signs the certificate with its own private key. To validate the authenticity of a digital certificate, a user can obtain that certification authority’s public key and use it against the certificate to determine if it was signed by the certification authority. For more information, see Digital Signature and Wireless PKI.

 


 

Other Information

What is a certification authority (CA)?

Certification authorities are the organizations that issue certificates. They establish and verify the authenticity of public keys that belong to people or other certification authorities, and they verify the identity of a person or organization that asks for a certificate.

Feedback and Support

You can provide feedback by completing the Longmai Feedback form, or contact us directly through our Contact Us Page.

How does a Digital Signature Certificate work?

What are Digital Signature Certificates?

A Digital Signature Certificate (DSC) is the electronic equivalent of a physical or paper certificate such as a driving license or passport. Certificates serve as proof of identity of an individual for a certain purpose; for example, a passport identifies someone as a citizen of that country who can legally travel to any country. Likewise, a Digital Signature Certificate can be presented electronically to prove your identity, to access information or services on the Internet or to sign certain documents digitally.

How does it work?

A Digital Signature Certificate explicitly associates the identity of an individual/device with a pair of electronic keys – public and private keys – and this association is endorsed by the CA. The certificate contains information about a user’s identity (for example, their name, pincode, country, email address, the date the certificate was issued and the name of the Certifying Authority that issued it). These keys complement each other in that one does not function in the absence of the other. They are used by browsers and servers to encrypt and decrypt information regarding the identity of the certificate user during information exchange processes. The private key is stored on the user’s computer hard disk or on an external device such as a token. The user retains control of the private key; it can only be used with the issued password. The public key is disseminated with the encrypted information. The authentication process fails if either one of these keys is not available or the keys do not match. This means that the encrypted data cannot be decrypted and is therefore inaccessible to unauthorized parties.

What is the difference between a Digital Signature and a Digital Signature Certificate?

A digital signature is an electronic method of signing an electronic document, whereas a Digital Signature Certificate is a computer-based record that:

  • Identifies the Certifying Authority issuing it.
  • Has the name and other details that can identify the subscriber.
  • Contains the subscriber’s public key.
  • Is digitally signed by the Certifying Authority issuing it.
  • Is valid for a specified period of time.

Why should Developers use mLock?

The license fee savings from preventing piracy are greatly underestimated. Software developers are constantly looking for cost-effective copy protection solutions. mLock is a simple-to-integrate yet powerful solution that saves you time and energy when protecting (with a high level of strength and security) the sales and distribution of software from piracy!
Longmai mLock models, based on unique fully programmable smartcard chip technology, offer strong copy protection for software publishers at much lower cost than any other dongle on the market.

Do your dongles contain their own real-time clock?

Yes. Our SmartTime dongle supports real time clock. You can use it to securely set an expiry date limit on the issued software license.

Which operating systems do you support?

All our products (including cards, tokens and dongles) are compatible with major operating systems such as Windows, Mac and Linux, and even mobile OSes (for the Bluetooth product models).

How to integrate software with dongle? 

Reserve API function interfaces during software development, and invoke those interfaces when integrating the software with the dongle. When the software is running, the dongle verifies the visitor’s identity, and only legitimate visitors are granted access. The dongle offers multiple interfaces; software developers are free to define their own custom interfaces and integrate our products to fit their needs.

Can I brand or customize Longmai products? 

Absolutely. Take advantage of our low prices and customizable product series. We can even help you with your clients’ preferred color for your purchase. We offer a variety of different product models. Click Contact us to find out more.

 

What is the difference between Authentication and Authorization?

Authentication and Authorization

Code security protects the normal, day-to-day operations of an app, tool, or daemon. But what happens when your code is under siege? It is often essential to know not only what the user is doing but also who the user is and whether the user is allowed to do that. This is where authentication and authorization come into play.

Authentication

“If you know yourself but not your enemy, for every victory gained you will also suffer a defeat.” — Sun Tzu, The Art of War

When securing software, the first thing you must do is find a way to distinguish friend from foe. This process is called authentication.

In computer security, authentication verifies the identity of a user or service. Authentication usually serves one of two purposes:

  • As a precursor to authorization, identifying the requesting entity to determine whether that entity should have permission to perform an operation
  • For producing an audit trail by logging who performed an operation so that blame can be cast when something breaks

Three types of authentication are most common:

  • Local user authentication. Verifying a user’s identity is usually performed by the operating system as the first step in authorization. If your code is running as a normal user, the operating system limits what your code can do based on that user’s permissions. Your code can also ask the operating system for the identity of the user for auditing purposes.
  • Network host authentication. Verifying the authenticity of a remote server is often necessary—for example, to determine whether it is safe to send credit card information to a specific website.
  • Remote user authentication. Users are often authenticated by remote servers when performing certain tasks. Authenticating a user remotely requires that your code send credentials in some form, such as a password, a cookie, or a digital certificate.

Authorization

Authorization is the process by which an entity such as a user or a server gets permission to perform a restricted operation. The term is also often used to refer to the right itself, as in “The soldier has authorization to enter the command bunker.”

The difference between authentication and authorization is somewhat subtle. Often, the mere fact that a user has an account means that the user is authorized to do something, in which case authentication and authorization are the same thing. However, in more complex systems, the difference becomes more obvious.

Consider a computer with two users. Each user is known to the system. Therefore, both users can each log in to the computer, and it authenticates them. However, neither user is authorized to modify the other’s files, and as a result, neither user can do so.

Third-Party Documentation

There are a number of excellent books on computer security that you should consider reading. Here are just a few of them, grouped into subject areas.

Threat Modeling

  • Howard, Michael, and David LeBlanc. Writing Secure Code (second edition), Microsoft Press, 2003.
  • Anderson, Ross. Security Engineering: A Guide to Building Dependable Distributed Systems, 2d ed. John Wiley & Sons, 2001.

Fuzz Testing

  • Sutton, Michael, Adam Greene, and Pedram Amini. Fuzzing: Brute Force Vulnerability Discovery, Pearson Education, 2007.

Cryptography

  • Schneier, Bruce. Applied Cryptography. 2d ed. John Wiley & Sons. 1996.
  • Brands, Stefan. Rethinking PKI and Digital Certificates: Building in Privacy. The MIT Press. 2000.

Other Secure Networking Protocols

  • The authentication model for HTTP is described in RFC 2617, HTTP Authentication: Basic and Digest Access Authentication.
  • For information on the SSL protocol for secure networking, see the IETF SSL Version 3.0 Draft Specification. For the TLS protocol, see the TLS Working Group website and RFC 5246.
  • Documentation of the AES encryption algorithm used for FileVault is available on the National Institute of Standards and Technology (NIST) website.

What is the effect of a complex algorithm in the mLock dongle on application performance?

  • Not really.
  • According to our internal testing results, the performance difference between simple and complex algorithms is within just a few milliseconds. The end user cannot notice the difference at all (optimize by limiting frequent calls to the algorithm function).

How can I obtain firmware/software updates for Longmai devices?

Technical Support

Keeping your firmware or software up to date is one of the most important things you can do to maintain your Longmai product’s security. For technical support or instructions on how to update our products’ firmware or software, please contact us. Most Longmai product models are sold with a limited warranty. We keep our customers informed of the latest software updates and bug fixes via email or phone. We provide sFTP or website links to obtain the latest product firmware upgrades.

How can I obtain resale/distribution authority?

First of all, we would like to thank you for your interest in Longmai’s Partner Program. 

Your application for registration to distribute LONGMAI eligible products will be considered once we have received your completed request form and authorized signature:

  1. Please complete the Distribution and Resale Application Form, providing details in all fields, attach a product testing report or solution demo, and submit it via email or fax. eFAX: +8610-62313636, attn: Longmai Partner Distribution Request; Email: info@longmai.net, Subject: Longmai Partner Distribution
  2. Your application will be reviewed, and the Distribution and Resale Application Form will either be accepted or declined within 5 working days.
  3. Century Longmai will contact you to progress your application and sign the Partner Agreement.

For more information on how to proceed, please send us email feedback or check out our partner-related links below:

  • Partner Program
  • Partner Portal

Click to access Distribution and Resale Application Form, fill and send back to Century Longmai.

Copyright © 2013 - Century Longmai. All Rights Reserved