EXETOOLS FORUM  

  #91  
04-25-2013, 19:19
giv
Quote:
Originally Posted by mcp
That's obviously not true.
LOL
Yes it is.
For me the argument is over.
  #92  
04-25-2013, 21:39
mcp
Quote:
LOL
Yes it is.
Is that supposed to be an argument? Since you disagree with my statement

Quote:
By your logic you should be able to break any instance of it. That's obviously not true.
you must be able to break any problem instance in that domain. How about I give you an RSA4096 public key and you factor it for me?
Quite obviously, you won't be able to do so, and I don't think anyone can arguably disagree with that (without trolling).

Last edited by mcp; 04-25-2013 at 21:44.
  #93  
04-25-2013, 21:49
Syoma
@mcp
You cannot prove it because nobody knows which attacks will appear tomorrow. Just suppose in 10 years quantum computers appear. And almost all current crypto would be trash.
Years ago DES looked uncrackable. Nowadays it is weak.
The same goes for RSA. Ten years ago RSA-512 was strong. Now it is weak.
Could you make an RSA of less than or equal to 512 bits which we cannot crack? Sure, you can't. Most algos add more rounds to be stronger or increase key sizes or other params.

HE libraries are very rough. Limited in the operations to Add and Mul in most. Also, it is hard to imagine the use cases which help to protect applications. Could you describe any?
To operate in HE you need both numbers encrypted with the private key. To decrypt the result you also need the public key. Would you store both keys in the software? Or how do you plan to make the protection?
  #94  
04-25-2013, 22:11
mcp
Quote:
You cannot prove it because nobody knows which attacks will appear tomorrow. Just suppose in 10 years quantum computers appear. And almost all current crypto would be trash.
Years ago DES looked uncrackable. Nowadays it is weak.
The same goes for RSA. Ten years ago RSA-512 was strong. Now it is weak.
Could you make an RSA of less than or equal to 512 bits which we cannot crack? Sure, you can't. Most algos add more rounds to be stronger or increase key sizes or other params.
Of course there is exactly one crypto scheme which is provably secure against any attack (OTP) but I was just arguing against the claim of being able to break any instance of those problems. And that's obviously not true.

Quote:
HE libraries are very rough. Limited in the operations to Add and Mul in most. Also, it is hard to imagine the use cases which help to protect applications. Could you describe any?
To operate in HE you need both numbers encrypted with the private key. To decrypt the result you also need the public key. Would you store both keys in the software? Or how do you plan to make the protection?
Yep, there's a reason why not "everything" just simply switches to (F)HE schemes. There are multiple reasons: a) it is slow as hell b) full HE isn't trivial, most libraries limit themselves to addition and/or multiplication as you said.
Take for example the use case that you want to compute something which must not be revealed to the public, still the computation has to be made on every consumer's device, and the consumers must not know what the computation's inner workings look like.
Then again, the weak points of FHE are the input and output values: if these are to be used in other non-HE parts of the program, these clearly must be decrypted.

As always in security, you have to be aware of the "attacker model": FHE per se cannot be used to create any kind of "unbreakable" protection, and no sane person would ever claim that. On the other hand, I strongly disagree with the statement that "everything made by man can be broken". That's too broad of a statement and is simply not true in general.
  #95  
04-25-2013, 22:51
Syoma

Quote:
Originally Posted by mcp
I strongly disagree with the statement that "everything made by man can be broken".
Sure, it can be. But nobody guarantees it will work after that or even be valid.
  #96  
05-08-2013, 20:08
Squidge
Quote:
Originally Posted by mcp
How about I give you an RSA4096 public key and you factor it for me? Quite obviously, you won't be able to do so, and I don't think anyone can arguably disagree with that (without trolling).
Whilst I agree, I don't see how that is relevant to software protection. Your analogy is like saying I let anyone download the fully registered version and say it's uncrackable as the executable is encrypted by a 4096-bit RSA private key. Sure, it will take many years (maybe longer) to 'crack'.

However, make a piece of software runnable only with a license file, protect the license file with an RSA 4096-bit private key and I guarantee you it will be broken and fully registered versions available within 24 hours.

The same goes for when the license checking is built into a dongle. If you have access to the dongle, the software can be made to work without it. I have done this many times for people who worry about the security of their software dongles.
  #97  
Old 05-09-2013, 14:35
WRP
Quote:
Originally Posted by Squidge
If you have access to the dongle, the software can be made to work without it. I have done this many times for people who worry about the security of their software dongles.
How about Senselock and other dongles which are built on smart card technology?
  #98  
Old 05-12-2013, 20:36
mcp
Quote:
Originally Posted by Squidge
Whilst I agree, I don't see how that is relevant to software protection. Your analogy is like saying I let anyone download the fully registered version and say it's uncrackable as the executable is encrypted by a 4096-bit RSA private key. Sure, it will take many years (maybe longer) to 'crack'.
If you read my answer in the context of the original claim that "anything made by man can be broken by man", then my answer makes sense again. It was simply a counterexample to that claim, not necessarily related to copy protections in general.
All times are GMT +8.