Exetools forum thread: Cracking HASP HL / SafeNet SHK (https://forum.exetools.com/showthread.php?t=12252)

Jackula 04-30-2009 14:33

Cracking HASP HL / SafeNet SHK
 
Greetings,

I work for a company currently evaluating the HASP HL and SafeNet SHK dongles for protecting our intellectual property. We have very high-profile customers around the world who have vast amounts of resources and sophistication.

If one of our customers is prepared to spend one million US dollars on breaking our protection, what is the likelihood that they can succeed if we choose to go with either dongle?

Thanks in advance.

Sabor 04-30-2009 14:57

hm
 
They won't have a problem. See semiresearch or flylogic. Also, they probably won't even need to break the dongle itself to break your implementation.

Git 04-30-2009 17:54

100% certainty. SHK will be harder than HASP HL because the HL solution is free but you may have to pay $500 for the SHK solution.

Absolute security is absolutely impossible.

Git

sope2001 04-30-2009 19:26

Remember, if REs have the dongles in hand, it's a matter of hours.

Cheers, Sope!

souz 05-01-2009 19:01

HaspHl and SHK dongles can both provide good protection if a talented programmer implements at least 30% of the developer's recommendations.

If you want to improve your protection, contact me in PM.

CyberGhost 05-02-2009 03:11

Jackula,
your question is somewhat obsolete since both keys (HASP & SHK) are owned by the same company, SafeNet. Soon there will be a single key with common drivers & SDK. Your research is meaningless unless you are working for SafeNet and are now deciding which solution should be phased out :) I would throw away both solutions :) Or I would look for a firmware modification of the keys that makes them execute hidden user-defined code (I mean part of the user software itself) in the dongles themselves.

In my opinion HASP SRM is better (HL is firmware-updated to SRM, as you probably know, so it would be wiser to compare HASP SRM to SHK) because:

1. HASP is a more mature key and has been available (to hackers also) for almost 6 years. Its Motorola/Freescale MCU is more mature compared to that of the SHK. This MCU has no separate code-protection fuses and its code-protection flags are incorporated as ordinary bits in the user flash memory, so erasing them optically would eventually erase the whole flash memory of the chip. HASP's AES encryption is a true 128-bit version of the standard.

2. SHK was released 2 years ago or so. Despite the custom-ordered PCB from Microchip with the MCU and EEPROM packaged directly on the PCB, there is some evidence that reverse engineers have found comfortable pads on the PCB which are connected to the programming pins of the SHK's MCU, a PIC 18F2455 (RB6, RB7, -MCLR, VDD, VSS). Its fuses are separate from the main flash memory, are clearly visible on the die, and can also be reset separately regardless of the fact that they are covered by a protective layer. The firmware should have been extracted just 1 year after the key's release, and generally you could ask IC specialists, who would tell you that it is suicidal to use Microchip PICs for a security device. There are rumors that the AES implementation of SHK does not conform to the standard and uses weak shorter keys and algorithms that in theory are extractable... During the years of Sentinel's existence the approach of the Rainbow/SafeNet companies was and is more "security through obscurity" than that of Aladdin. For instance, AFAIK there is no demo kit for SHK, unlike for HASP SRM/HL...

To be exact, all available software emulators (for HL (SRM) and SHK) are partial and use look-up tables to provide responses corresponding to the encryption algorithms. These emulators can easily be defeated in subsequent versions of the protected software. Presently there are no third-party "dumpers" for either HASP HL/SRM or SHK that could retrieve the encryption keys from the dongles. All dumpers sniff communication between the dongles and the application to fill their tables with challenge-response pairs...
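The look-up-table mechanism this post describes, as an added illustration that is not code from the poster nor from any SafeNet/Aladdin SDK: a vendor who holds the real key embeds fresh challenge/response pairs at build time, a sniffer records the pairs exchanged during one legitimate run, and a table-based emulator built from that recording answers the old release but has nothing to say to a release that embeds challenges it has never seen. The class and function names (Dongle, SniffingProxy, TableEmulator, build_release, run_checks) are hypothetical, and HMAC-SHA256 is assumed as a stand-in for the key's AES transform; the argument does not depend on which keyed function sits inside the dongle.

```python
import hashlib
import hmac
import secrets


class Dongle:
    """Stand-in for a hardware key holding a vendor secret.

    Real HASP HL/SRM and SHK keys answer with AES; HMAC-SHA256 is used here
    only as a placeholder keyed transform (assumption for this example).
    """

    def __init__(self, secret: bytes) -> None:
        self._secret = secret  # never leaves the key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class SniffingProxy:
    """Sits between the application and the real key, recording every pair."""

    def __init__(self, real: Dongle, table: dict) -> None:
        self._real = real
        self.table = table

    def respond(self, challenge: bytes) -> bytes:
        answer = self._real.respond(challenge)
        self.table[challenge] = answer
        return answer


class TableEmulator:
    """Look-up-table emulator: answers only challenges already in its table."""

    def __init__(self, table: dict) -> None:
        self._table = dict(table)

    def respond(self, challenge: bytes):
        return self._table.get(challenge)  # None for anything unseen


def build_release(dongle: Dongle, n_challenges: int) -> list:
    """Vendor side at build time (the vendor owns a real key): pick fresh
    random challenges and embed the expected responses in this release."""
    release = []
    for _ in range(n_challenges):
        challenge = secrets.token_bytes(16)
        release.append((challenge, dongle.respond(challenge)))
    return release


def run_checks(release: list, key_device) -> bool:
    """Application side: every embedded challenge must be answered correctly."""
    for challenge, expected in release:
        answer = key_device.respond(challenge)
        if answer is None or not hmac.compare_digest(answer, expected):
            return False
    return True


def demo() -> tuple:
    """Returns (emulator passes release v1, emulator passes release v2)."""
    dongle = Dongle(secrets.token_bytes(16))

    v1 = build_release(dongle, n_challenges=4)
    sniffed = {}
    # One legitimate run of v1 with the real key attached; traffic is recorded.
    assert run_checks(v1, SniffingProxy(dongle, sniffed))

    emulator = TableEmulator(sniffed)
    v1_passes = run_checks(v1, emulator)  # the table covers every v1 challenge

    # The next release embeds challenges the table has never seen.
    v2 = build_release(dongle, n_challenges=4)
    v2_passes = run_checks(v2, emulator)
    return v1_passes, v2_passes


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Rotating the embedded challenges between releases is the cheap part of the mitigation and is all this example models. The comparison inside run_checks is itself the weaker link, which is the point the first replies in the thread make: an implementation that reduces the key to a yes/no gate can be bypassed without touching the key at all, so vendor recommendations that tie the response to data the program actually needs (rather than to a boolean) are the part worth implementing.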

Sabor 05-02-2009 05:20

Nice summary, CyberGhost.

davo007 05-02-2009 15:34

Well, that should have successfully answered the question.

CyberGhost 05-02-2009 17:44

No, not so nice, since it is obvious that Jackula works for SafeNet... And this doomed company constantly sends threats to sites which offer emulators for their "security" devices (pathetic). They've spent US$180 million or so to suffocate some of the competition (acquiring Aladdin). Now they are trying to establish interactive feedback from forums like this one (for free). The future will show what they will come up with. I wouldn't bet on SafeNet :)

P.S. At least they've bought a better design for their clumsy SHK :) :)

Sabor 05-02-2009 19:10

hmm
 
The summary was nice; nothing to do with the poster's intention. Also, I'm positive the poster does not work for SafeNet. And it would be just ridiculous using this approach. Just imagine how bad this looks on SEO when someone finds this post ("can it survive blah") followed by a barrage of "emulate for 500"; it's like asking to beat the hell out of it publicly and leave it to die forever in the internet archives.

davo007 05-07-2009 10:28

The whole "is it crackable" part aside... wouldn't you have to be protecting something worth cracking in order for a "customer" to spend a million dollars breaking the protection? I mean really, it would have to be magical software to warrant spending that much money. And secondly, it would have to be the only one of its kind; otherwise I'm sure the "customer" would shop elsewhere for a cheaper option, since the protection is going to come at a price.

orchid88 05-31-2009 02:07

HaspSRM (including HL) and SHK are both garbage. It takes me less than 5 minutes to crack these dongles if the dongles are available.

toro 05-31-2009 03:21

Quote:

There are rumors that AES implementation of SHK does not conform to the standards and uses weak shorter keys and algorithms that in theory are extractable
I don't agree; just check the packet encryption method, you will find full AES used. So why wouldn't they use full AES for the query functions? Also, as far as I know, they used a commercial implementation of AES and ECC.

Quote:

To be exact, all available software emulators (for HL (SRM) and SHK) are partial and use look-up tables to provide responses corresponding to the encryption algorithms. These emulators can easily be defeated in subsequent versions of the protected software. Presently there are no third-party "dumpers" for either HASP HL/SRM or SHK that could retrieve the encryption keys from the dongles. All dumpers sniff communication between the dongles and the application to fill their tables with challenge-response pairs...
For many years these kinds of emulators have worked successfully.

Quote:

And this doomed company constantly sends threats to sites which offer emulators for their "security" devices
I got many emails, even from the SafeNet vice president :D Maybe I will attach it here soon; funny letter.

Quote:

P.S. At least they've bought a better design for their clumsy SHK
Better design but very, very bad implementation. ;) I can count at least 10 holes in their protection.

Quote:

HaspSRM (including HL) and SHK are both garbage. It takes me less than 5 minutes to crack these dongles if the dongles are available.
Just check Wilcom software (HASP HL protected); I think you will need 3 months for it. ;) In my opinion a dongle is a tool whose benefit depends on the method you choose to use it with.

Syoma 05-31-2009 18:08

Quote:

Originally Posted by toro (Post 63719)
I don't agree; just check the packet encryption method, you will find full AES used. So why wouldn't they use full AES for the query functions? Also, as far as I know, they used a commercial implementation of AES and ECC.

As far as I know they use standard AES for ShkCellEncryption / ShkCellDecryption. ShkCellQuery seems to be based on ShkCellDecryption, but has an additional transform over it.
Quote:

Originally Posted by toro (Post 63719)
I can count at least 10 holes in their protection.

Which sort of holes?

CyberGhost 06-03-2009 01:17

Quote:

Originally Posted by toro (Post 63719)
Just check Wilcom software (HASP HL protected); I think you will need 3 months for it. ;) In my opinion a dongle is a tool whose benefit depends on the method you choose to use it with.

A clone can be done within 24 hours (access to the original dongle is a must) but the service is expensive :) There are other ways that you don't know of which have nothing to do with debugging the software and sniffing the communication to the dongle -- the methods you (and not only you) obviously use to fight protections, and these methods are not very productive sometimes :).

