We are currently developing an application with much sensitive information embedded in it (proprietary software). In any case, we cannot change that! This is running in a single board computer (Beaglebone Black).
What we want to provide is a way to complicate the process of clonation of the hardware and software as much as possible, to avoid piracy. How could we use nitrokey and which product? Maybe store the license key in it or another method…?
You can use the public key to encrypt a piece of your software (or a portion of the configuration, or a license file) in the plant. On user side, the application will try to decrypt the previously encrypted piece using the private key stored on the nitrokey.
The software will continue only after a successful decrypt.
You can easily script this calling gpg or using libgcrypt directly.
As far as I know, handing both the lock and the key to the potential attacker and hoping they don’t figure out how to put them together is what I’m aiming for. The only secure method I’m aware of to protect software (to a certain degree) is not giving it to the user (SaaS), but we wont be able to do that, as most sold devices will be offline.
Until now our protection was fairly easy…We provided each box with a license file generated from the device hardware serial number and both available mac addresses. The software would validate the license file at startup.
So if I’m correct you procedure adds one more step in this chain, by encrypting the license file with its own public key. At startup it would decrypt this license file with the private key.
But from a cracking point of view (reverse engineering), by running strace we would be able to see the location of this unencrypted license file, going back to the basic protection we were already enforcing in the first place.
Does this also means that by using a USB sniffer you could also get the private key?
You are right.
Anyway depending if you trust or not on your customers. The best is SasS approach.
For firmware applications, in the past when I was a firmware dev, we used to check capabilities using a signed “manifest” contained into the flash memory of the device and checking the signature with an internal usb token.
But I assumed that the user never will modified the hw.
Hmm, to be honest : While I understand your trouble, I personally hate dongles. They often made more trouble than SW without a dongle. And also I was often - by reading the serial data flow - to hack the dongles fast. I agree with you: best solution (in case of a copy protection ) is a licence server where you could do a better and different. But when you look at the gaming industry , you also see that this could be hacked fast.
From a HW point of view, how about a FPGA or a programmed micro controller where the security bit protects the IP and makes it also hard to copy the HW.
It was many times discussed theme. Your software should has balanced price to make hack not attracted. NK is not software protection tool. If you want to protect license with encryption this is not an option(better to fill some work structures). Anyway you’ll find a lot of bumps before build good protection. My advise do not invent a wheel, use it. Try commercial protectors - Armadilo, Themiada.