HISE Logo Forum
    • Categories
    • Register
    • Login

    Different Encryption Types in HISE?

    Scheduled Pinned Locked Moved Scripting
    59 Posts 8 Posters 3.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • LindonL
      Lindon @Christoph Hart
      last edited by

      @Christoph-Hart said in Different Encryption Types in HISE?:

      @ustk But when is this becoming a problem? Encoding a license key with a few hundred bytes is completely trivial and will never be a bottleneck and for big data you can use Blowfish?

      it becomes a problem when the plugin wants to use a simple dont-call-home serial number system - we need to encrypt this in some way, and RSA 512 is too weak (apparently) so we use RSA 2048 - which yields a very long string for the user to enter...so any system that is as capable as RSA2048 but offers a smaller string for the end user to work with would be nice.

      HISE Development for hire.
      www.channelrobot.com

      1 Reply Last reply Reply Quote 0
      • ustkU
        ustk @Christoph Hart
        last edited by

        @Christoph-Hart On my end I use the PHP script you posted a while ago on the juce forum to encrypt the license. Using a 2048bit key takes approx. 10-15sec for the server to perform this task which seems a wee bit long.

        Is the server too weak? I don't think so
        Is the PHP script not optimised? Maybe...

        Can't help pressing F5 in the forum...

        Dan KorneffD 1 Reply Last reply Reply Quote 0
        • Dan KorneffD
          Dan Korneff @ustk
          last edited by

          @ustk said in Different Encryption Types in HISE?:

          10-15sec for the server to perform this task

          That sounds inane. I have a PHP script that took .3 seconds to execute, and it destroyed my server at scale.

          Dan Korneff - Producer / Mixer / Audio Nerd

          ustkU orangeO 2 Replies Last reply Reply Quote 1
          • ustkU
            ustk @Dan Korneff
            last edited by

            @Dan-Korneff 😢

            Can't help pressing F5 in the forum...

            1 Reply Last reply Reply Quote 0
            • ustkU
              ustk @Christoph Hart
              last edited by

              @Christoph-Hart Just ran some tests:

              2048 -> 10sec
              1024 -> 3sec
              512 -> 1.5sec

              Of course, these are the total times from plugin license manager demand to license file reception. But seeing the timing at 512bit, the transaction time is negligible.

              Can't help pressing F5 in the forum...

              LindonL 1 Reply Last reply Reply Quote 0
              • LindonL
                Lindon @ustk
                last edited by

                @ustk could you also list the size of your generated key? Interested to find out if the encrypted key you send is bigger or smaller for each bit size...

                HISE Development for hire.
                www.channelrobot.com

                ustkU 1 Reply Last reply Reply Quote 0
                • ustkU
                  ustk @Lindon
                  last edited by

                  @Lindon
                  2048 bit-> 2048 chars
                  1024 bit -> 1790 chars
                  512 bit -> 1658 chars

                  But I guess it's dependant on the size of the data you want to encrypt in the first place

                  Can't help pressing F5 in the forum...

                  1 Reply Last reply Reply Quote 0
                  • orangeO
                    orange @Dan Korneff
                    last edited by orange

                    @Dan-Korneff said in Different Encryption Types in HISE?:

                    @ustk said in Different Encryption Types in HISE?:

                    10-15sec for the server to perform this task

                    That sounds inane. I have a PHP script that took .3 seconds to execute, and it destroyed my server at scale.

                    Considering that we are giving free products (even for a limited time, for the launch for example), hundreds, maybe thousands of users will attack the server for authentication. The server is fucked then :)

                    develop Branch / XCode 13.1
                    macOS Monterey / M1 Max

                    d.healeyD 1 Reply Last reply Reply Quote 1
                    • d.healeyD
                      d.healey @orange
                      last edited by

                      @orange Yup, I just see everyone trying to put bigger locks on a half open door. If someone wants in they don't care if it's 512 or 2048, they can get in anyway.

                      Libre Wave - Freedom respecting instruments and effects
                      My Patreon - HISE tutorials
                      YouTube Channel - Public HISE tutorials

                      LindonL 1 Reply Last reply Reply Quote 1
                      • LindonL
                        Lindon @d.healey
                        last edited by Lindon

                        @d-healey said in Different Encryption Types in HISE?:

                        @orange Yup, I just see everyone trying to put bigger locks on a half open door. If someone wants in they don't care if it's 512 or 2048, they can get in anyway.

                        yeah, thats not really understanding the problem or the proposed solution.

                        You are right the door is half open.
                        You are not so right regarding 512 vs 2048

                        2048 - means they have to modify the code base
                        512 - means they can reverse engineer the private key and build a keygen

                        Any system that requires modifying and shipping a "hacked" version is better than one that only requires shipping a small key gen program and pointing the hackers thief-friends at our servers to download the demo version

                        BOTH these solutions remove the scriptless-kidddies who just steal any un-serialised versions in the first 1-2 days..so they are out of the picture

                        ..so yes both bit sizes requires the hacker to be at least reasonably competent, but 2048 means more work for them (always a good thing) - not in the hacking effort - but in the shipping effort.

                        HISE Development for hire.
                        www.channelrobot.com

                        d.healeyD 1 Reply Last reply Reply Quote 1
                        • d.healeyD
                          d.healey @Lindon
                          last edited by

                          @Lindon said in Different Encryption Types in HISE?:

                          BOTH these solutions remove the scriptless-kidddies who just steal any un-serialised versions in the first 1-2 days

                          You guys must be doing something I'm not. I've been selling open source sample libraries without any kind of copy restriction for 5 years and I haven't seen anyone giving away copies. I'm feeling left out now that my stuff isn't turning up on these "pirate" stores.

                          Libre Wave - Freedom respecting instruments and effects
                          My Patreon - HISE tutorials
                          YouTube Channel - Public HISE tutorials

                          LindonL 1 Reply Last reply Reply Quote 0
                          • LindonL
                            Lindon @d.healey
                            last edited by

                            @d-healey said in Different Encryption Types in HISE?:

                            @Lindon said in Different Encryption Types in HISE?:

                            BOTH these solutions remove the scriptless-kidddies who just steal any un-serialised versions in the first 1-2 days

                            You guys must be doing something I'm not. I've been selling open source sample libraries without any kind of copy restriction for 5 years and I haven't seen anyone giving away copies. I'm feeling left out now that my stuff isn't turning up on these "pirate" stores.

                            I'd guess it's your audience Dave, try doing a DubStep/Grime synth and see how far you get...

                            HISE Development for hire.
                            www.channelrobot.com

                            Christoph HartC 1 Reply Last reply Reply Quote 0
                            • Christoph HartC
                              Christoph Hart @Lindon
                              last edited by

                              @Lindon I think dave is right with his bigger lock on a half open door though. The attack vector is most likely not reverse engineering the private key but simply remove that check or replace the public key in the plugin with another one that matches the private key of the keygen.

                              In order to reverse engineer the private key you have to extract it and then run brute force stuff for a certain amount of time, but as soon as you know where to find the public key in the binary application file, you can as well just modify it and save the CPU cycles required for brute forcing that private key.

                              ustkU 1 Reply Last reply Reply Quote 0
                              • ustkU
                                ustk @Christoph Hart
                                last edited by

                                @Christoph-Hart said in Different Encryption Types in HISE?:

                                In order to reverse engineer the private key you have to extract it and then run brute force stuff for a certain amount of time…

                                But a 512 bit key could be cracked under one hour a few years back. I don’t know what solution a hacker is most likely to investigate…

                                Can't help pressing F5 in the forum...

                                d.healeyD Christoph HartC 2 Replies Last reply Reply Quote 0
                                • d.healeyD
                                  d.healey @ustk
                                  last edited by

                                  @ustk Does the hacker know it's a 512 key without opening the code?

                                  Libre Wave - Freedom respecting instruments and effects
                                  My Patreon - HISE tutorials
                                  YouTube Channel - Public HISE tutorials

                                  1 Reply Last reply Reply Quote 0
                                  • Christoph HartC
                                    Christoph Hart @ustk
                                    last edited by

                                    @ustk I haven't done this process myself (lol), but I would imagine that in order to run the brute force reverse engineering, you need the public key (that you somehow need to find and strip from the binary app) and a message that you then run through random private keys until the decoded message is the correct thing. If you can't "isolate" the public key like this you would have to run the activation check for each private key pair, and this would be orders of magnitude slower so the protection still holds (I would say for this naive approach a 64bit RSA key would be enough).

                                    So even if that takes an hour to do with a 512 RSA key, you can just not do that but modify the app to use a public key that you fabricated and know the private key and I think this is the main route that crackers go.

                                    If that was the procedure, the cracked release will contain a modified binary (which is most often the case, because otherwise the "crack release" will contain only a 200kb keygen which I've never encountered in my life so far).

                                    CasmatC LindonL 2 Replies Last reply Reply Quote 1
                                    • CasmatC
                                      Casmat @Christoph Hart
                                      last edited by Casmat

                                      @Christoph-Hart Well that’s the problem, once they put the exe through a decompiler, they see all the basic assembly code, from their they can find the public key with some prowling through the code. Then they can just remove all the code related to copy protection and ship that as a crack software, that’s possible with any software that exists, there’s no way we can stop that. But the thing is, that crack exists for a certain version of the software (ex. 1.3.1) something like @Lindon said in
                                      https://forum.hise.audio//post/73652
                                      Once we release a new version, they’ll need to make a new crack for the updated version, and this somewhat discourages them as it’s one more software on their plate they have to crack. The major problem are keygen. Once a keygen is made, you’ll be screwed. This is because a keygen is a replica of the code you use to generate keys and it produces valid license keys that are real, and in the world of piracy, softwares with keygen are often the most pirated. A keygen can be used for multiple versions and even future versions. The thing is, changing an encryption scheme is hard once you already have it running and if there is a keygen, you need to find a way to migrate all your users and their licenses, even the ones with illegitimate keys and set up a new solution. Having a very unkeygenable system from the get go is much better than having to change the system. A single hacker may not take time to crack a 512 key now, but if your software reaches various cracking groups who have the proper hardware and experience, it’ll be pretty trivial for them to crack a 512 key, and that’s when your encryption system gets in shambles

                                      i make music

                                      1 Reply Last reply Reply Quote 1
                                      • A
                                        aaronventure
                                        last edited by

                                        would a checksum validation be a good idea? the abillity of the plugin to verify its own hash. You would first declare it as a set of zeroes, compile, check manually, then hardcode that in. i see that JUCE has the MD5 class but beyond that have no idea if it can check the hash.

                                        If you don't have any debug symbols, how would you know where to look and what to set an instruction to? If you have a single long boolean check and of these is regarding a successful license validation, it's not like it spells it out like that in x64dbg.

                                        I think HISE encodes all the strings from the script, no? I just tried compiling something with hardcoded strings, opened the app in x64dbg and while there are 66700 strings, none of them are the ones I hardcoded in.

                                        Maybe TeamR2R and co are very clever and there's nothing that can stop them, but your overall primary concern should be whether your payment processor cares about stolen credit cards i.e. how good its fraud detection is. The pirates aren't buying your expensive instruments with their own money.

                                        The actual problem is/was sales to Russia and India and always via PayPal. I suppose Paypal + cards from these countries are somewhat of a security hole. it's also harder to vet PayPal than a direct credit card. Once you see a purchase with a weird name come through, it's over. Next week your instruments are all over the "cheap kontakt libraries" websites being sold for pennies. Beyond a certain price point, sales to Russia and India become so insignificant (below 0.2%) that it's probably a good idea just to block them altogether, or at least block PayPal usage from these countries.

                                        Of course having any sort of online validation invalidates this threat, until someone who can open up your file and find then bypass security measures.

                                        d.healeyD 1 Reply Last reply Reply Quote 0
                                        • A
                                          aaronventure
                                          last edited by

                                          how do you even store a "validation successful" file on the computer? it is a mix of the license and the machine ID encoded, and the plugin then checks that on load? how would you bypass the need to call back home for a check like that?

                                          CasmatC 1 Reply Last reply Reply Quote 0
                                          • d.healeyD
                                            d.healey @aaronventure
                                            last edited by d.healey

                                            @aaronventure said in Different Encryption Types in HISE?:

                                            If you don't have any debug symbols, how would you know where to look and what to set an instruction to?

                                            HISE scripts show up as plain text in the binary.

                                            Link Preview Image
                                            How to make Trial Plugins for 10 days

                                            A few things: A RSA key in HiseScript doesn't make sense. The scripting code is not encrypted in any way - it's base64 encoded plain text embedded into the...

                                            favicon

                                            Forum (forum.hise.audio)

                                            Libre Wave - Freedom respecting instruments and effects
                                            My Patreon - HISE tutorials
                                            YouTube Channel - Public HISE tutorials

                                            Christoph HartC 1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post

                                            15

                                            Online

                                            1.7k

                                            Users

                                            11.8k

                                            Topics

                                            103.0k

                                            Posts