EXETOOLS FORUM  

#1 04-30-2009, 14:33
Jackula

Cracking HASP HL / SafeNet SHK

Greetings,

I work for a company currently evaluating the HASP HL and SafeNet SHK dongles for protecting our intellectual property. We have very high-profile customers around the world who have vast amounts of resources and sophistication.

If one of our customers is prepared to spend one million US dollars on breaking our protection, what is the likelihood that they can succeed if we choose to go with either dongle?

Thanks in advance.
Best Answer - Posted by Git
We look forward to you sharing the source code with us.

Git
#2 04-30-2009, 14:57
Sabor

hm

They won't have a problem. See semiresearch or flylogic. Also, they probably won't even need to break the dongle itself to break your implementation.
#3 04-30-2009, 17:54
Git
100% certainty. SHK will be harder than HASP HL because the HL solution is free, but you may have to pay $500 for the SHK solution.

Absolute security is absolutely impossible.

Git
#4 04-30-2009, 19:26
sope2001
Remember, if REs have the dongle in hand, it's a matter of hours.

Cheers, Sope!
#5 05-01-2009, 19:01
souz
HASP HL and SHK dongles can both provide good protection if a talented programmer implements at least 30% of the developer's recommendations.

If you want to improve your protection, contact me in PM.
#6 05-02-2009, 03:11
CyberGhost
Jackula,
your question is somewhat obsolete, since both keys (HASP & SHK) are owned by the same company - SafeNet. Soon there will be a single key with common drivers & SDK. Your research is meaningless unless you are working for SafeNet and are now deciding which solution should be phased out. I would throw away both solutions, or I would look for a firmware modification of the keys that makes them execute hidden user-defined code (I mean part of the user software itself) in the dongles themselves.

In my opinion HASP SRM is better (HL is firmware-updated to SRM, as you probably know, so it would be wiser to compare HASP SRM to SHK) because:

1. HASP is a more mature key and has been available (to hackers also) for almost 6 years. Its Motorola/Freescale MCU is more mature compared to that of the SHK. This MCU has no separate code protection fuses, and its code protection flags are incorporated as ordinary bits in the user flash memory, so erasing them optically would eventually erase the whole flash memory of the chip. HASP's AES encryption is a true 128-bit version of the standard.

2. SHK was released 2 years ago or so. Despite the custom-ordered PCB from Microchip with the MCU and EEPROM packaged directly on the PCB, there is some evidence that reverse engineers have found comfortable pads on the PCB which are connected to the programming pins of the SHK's MCU, a PIC 18F2455 (RB6, RB7, -MCLR, VDD, VSS). Its fuses are separate from the main flash memory and are clearly visible on the die, and they can also be reset separately regardless of the fact that they are covered by a protective layer. The firmware should have been extracted just 1 year after the release of the key, and generally you could ask IC specialists: it is suicidal to use Microchip PICs for a security device. There are rumors that the AES implementation of SHK does not conform to the standards and uses weak shorter keys and algorithms that are in theory extractable... During the years of Sentinel's existence the approach of the Rainbow/SafeNet companies was and is more "security through obscurity" than that of Aladdin. For instance, AFAIK there is no demo kit for SHK, unlike for HASP SRM/HL...

To be exact, all available software emulators (for HL(SRM) and SHK) are partial and use look-up tables to provide responses corresponding to the encryption algorithms. These emulators can easily be defeated in consecutive versions of the protected software. Presently there are no third-party "dumpers" for HASP HL/SRM or SHK that could retrieve the encryption keys from the dongles. All dumpers sniff the communication between the dongles and the application to fill their tables with challenge-response pairs...

Last edited by CyberGhost; 05-02-2009 at 03:16.
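The mechanism CyberGhost describes in the last paragraph (emulators that replay sniffed challenge-response pairs, and why a later release of the protected software defeats them) can be modelled in a few lines. The following is an added example, not code from the thread or from any SafeNet/Aladdin SDK. It makes two assumptions: the dongle's keyed function is stood in by HMAC-SHA256 so that it runs with the standard library only (the real keys use AES), and the app, its challenge sets and the recording step are constructed here. The design point it shows is the defender's one: a replay table covers exactly the traffic it has seen, so a release whose challenges were never on the wire passes against the real key and fails against the table.

```python
import hashlib
import hmac
import secrets


class Dongle:
    """Stand-in for a hardware key holding a secret the host never sees.

    Assumption: HMAC-SHA256 replaces the dongle's AES engine so the script
    runs offline with the standard library. The key never leaves this object.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class TableEmulator:
    """Replays recorded challenge/response pairs; it holds no key at all."""

    def __init__(self, recorded) -> None:
        self.table = dict(recorded)

    def respond(self, challenge: bytes):
        # An unseen challenge has no entry: the table has nothing to say.
        return self.table.get(challenge)


def build_release(dongle: Dongle, challenges):
    """Build step: the vendor, who owns the key, precomputes the expected
    answers for the challenges this release will ask at run time."""
    return [(c, dongle.respond(c)) for c in challenges]


def sniff(release, dongle: Dongle):
    """Bus recording of one run against the real dongle: each challenge the
    release sends, paired with the answer that came back."""
    return {c: dongle.respond(c) for c, _ in release}


def check_release(release, responder) -> float:
    """Fraction of this release's checks that the responder passes."""
    passed = 0
    for challenge, expected in release:
        got = responder.respond(challenge)
        if got is not None and hmac.compare_digest(got, expected):
            passed += 1
    return passed / len(release)


def demo():
    dongle = Dongle(secrets.token_bytes(16))  # constructed key, never exported
    # Release 1 asks the same fixed set of challenges on every run.
    v1 = build_release(dongle, [bytes([i]) * 16 for i in range(8)])
    emulator = TableEmulator(sniff(v1, dongle))
    v1_rate = check_release(v1, emulator)       # 1.0: every pair was recorded
    # Release 2 asks challenges drawn fresh at build time; none were sniffed.
    v2 = build_release(dongle, [secrets.token_bytes(16) for _ in range(8)])
    v2_rate = check_release(v2, emulator)       # 0.0: nothing in the table
    real_rate = check_release(v2, dongle)       # 1.0: the real key still passes
    return v1_rate, v2_rate, real_rate


if __name__ == "__main__":
    print(demo())
```

For a protection designer the numbers are the whole story: the table's coverage is bounded by what was observed, so challenges that change per release shrink it to zero, and challenges generated per run (with the response used as key material the program cannot do without) leave nothing stable to record at all. The model says nothing about clones, where the key itself is copied; that is the separate, harder case the thread's later posts argue about.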
#7 05-02-2009, 05:20
Sabor
Nice summary, CyberGhost.
#8 05-02-2009, 15:34
davo007
Well, that should have successfully answered the question.
#9 05-02-2009, 17:44
CyberGhost
No, not so nice, since it is obvious that Jackula works for SafeNet... And this doomed company constantly sends threats to sites which offer emulators for their "security" devices (pathetic). They've spent US$180 million or so to suffocate some of the competition (acquiring Aladdin). Now they are trying to establish interactive feedback from forums like this one (for free). The future will show what they will come up with. I wouldn't bet on SafeNet.

P.S. At least they've bought a better design for their clumsy SHK.
#10 05-02-2009, 19:10
Sabor
hmm

The summary was nice; it has nothing to do with the poster's intention. Also, I'm positive the poster does not work for SafeNet, and it would be just ridiculous to use this approach. Just imagine how bad this looks for SEO when someone finds this post ("can it survive blah") followed by a barrage of "emulate for 500"; it's like asking to have it beaten up publicly and left to die forever in the internet archives.
#11 05-07-2009, 10:28
davo007
The whole "is it crackable" part aside... wouldn't you have to be protecting something worth cracking in order for a "customer" to spend a million dollars breaking the protection? I mean really, it would have to be magical software to warrant spending that much money. And secondly, it would have to be the only one of its kind; otherwise I'm sure the "customer" would shop elsewhere for a cheaper option, since the protection is going to come at a price.
#12 05-31-2009, 02:07
orchid88
Both HASP SRM (including HL) and SHK are garbage. It takes me less than 5 minutes to crack these dongles if the dongles are available.
#13 05-31-2009, 03:21
toro
Quote:
There are rumors that the AES implementation of SHK does not conform to the standards and uses weak shorter keys and algorithms that are in theory extractable
I don't agree; just check the packet encryption method and you will find full AES used. So why don't they use full AES for the query functions? Also, as far as I know, they used a commercial implementation of AES and ECC.

Quote:
To be exact, all available software emulators (for HL(SRM) and SHK) are partial and use look-up tables to provide responses corresponding to the encryption algorithms. These emulators can easily be defeated in consecutive versions of the protected software. Presently there are no third-party "dumpers" for HASP HL/SRM or SHK that could retrieve the encryption keys from the dongles. All dumpers sniff the communication between the dongles and the application to fill their tables with challenge-response pairs...
For many years these kinds of emulators have worked successfully.

Quote:
And this doomed company constantly sends threats to sites which offer emulators for their "security" devices
I got many emails, even from a SafeNet vice president; maybe I will attach it here soon, funny letter.

Quote:
P.S. At least they've bought a better design for their clumsy SHK
Better design but very, very bad implementation. I can count at least 10 holes in their protection.

Quote:
Both HASP SRM (including HL) and SHK are garbage. It takes me less than 5 minutes to crack these dongles if the dongles are available.
Just check Wilcom software (HASP HL protected); I think you will need 3 months for it. In my opinion a dongle is a tool whose benefit depends on the method you choose to use it with.
#14 05-31-2009, 18:08
Syoma
Quote:
Originally Posted by toro
I don't agree; just check the packet encryption method and you will find full AES used. So why don't they use full AES for the query functions? Also, as far as I know, they used a commercial implementation of AES and ECC.
As far as I know, they use standard AES for ShkCellEncryption / ShkCellDecryption. ShkCellQuery seems to be based on ShkCellDecryption, but has an additional transform on top of it.
Quote:
Originally Posted by toro
I can count at least 10 holes in their protection.
Which sort of holes?
#15 06-03-2009, 01:17
CyberGhost
Quote:
Originally Posted by toro
Just check Wilcom software (HASP HL protected); I think you will need 3 months for it. In my opinion a dongle is a tool whose benefit depends on the method you choose to use it with.
A clone can be done within 24 hours (access to the original dongle is a must), but the service is expensive. There are other ways that you don't know of, which have nothing to do with debugging the software and sniffing the communication to the dongle -- the methods you (and not only you) obviously use to fight protections, and these methods are not very productive sometimes.
Tags: hasp, property, safenet, sentinel, shk