Winboard Forum

[Onno Garms]

Hello,

as everybody knows all commercial software gets hacked and there is no way to avoid that. There are different levels of hacking:

1. removing license testing and putting a modified binary on the web
2. publishing keys on the web
3. publishing key generators on the web
4. reverse engineering entirely and stealing the ideas

1. cannot be avoided. It is not so harmful for the author, because people should think twice before downloading a hacked version. It might be an older version and might be malware.

The cost of avoiding 2 is binding the keys to a specific hardware id. That is inconvenient for both the user and the author (who has to offer license moving etc.). You have to think twice before you decide to do that. Binding the license to a specific user real name will not avoid 2., but at least you know which customer did it. (He might have used a faked identity or live in Siberia or China, so that does not help much.)

Apart from 4, which I don't want to discuss again, the worst thing that can happen to the author is the apperance of a key generator on the web. There seems to be a key generator for at least one commercial engine on the web. ("seems" because I did not test it.)

I wonder why 3 is possible. I think it can be avoided by creating a file with the user name and signing this file with a public key method. The engine should have the public key compiled in (not in a file because this could be exchanged more easily) to check the signature. But the key generator needs to have the private key.

So there isn't any chance for hackers to write a key generator, is there?

How much efford is it to write a reliable public key generator? Are there ready-to-use public key generators availble which can be used in commercial software (i.e. non-GPL)?

EDIT: I would only trust a solution if the sources are available.

Onno

[Ron Murawski]

So there isn't any chance for hackers to write a key generator, is there?
Onno

Anything can be hacked!

How much efford is it to write a reliable public key generator? Are there ready-to-use public key generators availble which can be used in commercial software (i.e. non-GPL)?

EDIT: I would only trust a solution if the sources are available.

Onno

You can look at the java source code here:
http://www.java2s.com/Code/Java/Securit ... licKey.htm

A Google search for 'public key generator' will find many sites with more information. Your desire for non-GPL source code is difficult. Almost all of the available code is protected under some form of license.

My own understanding (which may be overly simplistic and faulty) is that key pairs are large prime numbers. It would take too long to calculate these pairs from scratch so you randomly choose pairs from a pre-calculated table. The verification step is that the multiplication of two large primes is equal to what it should be. You need to build a special multiplication function that can handle very large numbers. Take a look how others have implemented this idea (even if it is GPL code) and then you should be able to write your own version. The weakness with any key-pair system where the user only has to have one of them is that once any of your 'secret numbers/strings' is discovered (usually through a single purchase) the hackers can share this knowledge.

There are other protection systems that are more secure. Like dongles, or insert your CD once a month and check for something you put on that CD that won't duplicate properly or require a once-a-month online verification -- stuff like that.). But nothing you do will be totally hacker-proof.

Ron

[Onno Garms]

Anything can be hacked!

But not without hacking into my computer and stealing the private key, can it?

A Google search for 'public key generator' will find many sites with more information.

Sure but most of them don't lead to the source code or lead to GPL'ed source code.

Your desire for non-GPL source code is difficult. Almost all of the available code is protected under some form of license.

But there are BSD, mozilla and boost licenses.

There are other protection systems that are more secure. Like dongles, or insert your CD once a month and check for something you put on that CD that won't duplicate properly or require a once-a-month online verification -- stuff like that.). But nothing you do will be totally hacker-proof.

These solutions cannot be shipped electonically. In addition, dongles are too expensive for a chess engine. Some of the so called professional protection schemes can be worked around fairly easily without having to disassemble the protected software.

[Ron Murawski]

Anything can be hacked!

But not without hacking into my computer and stealing the private key, can it?

If you were encrypting a one-time message, I would say no. But when you issue an activation key based on key pairs no one needs your private key. All a hacker needs is a single public key that works...

If enough messages (activation keys) are known it becomes easier to break a code. It would take a substantial amount of time to guess your private key, but not an infinite amount of time.

A Google search for 'public key generator' will find many sites with more information.

Sure but most of them don't lead to the source code or lead to GPL'ed source code.

I suggest you look at the source code to PuTTY. It is a MIT license, which is very similar to BSD.

Your desire for non-GPL source code is difficult. Almost all of the available code is protected under some form of license.

But there are BSD, mozilla and boost licenses.

Yes, that's why I said they were "protected under some form of license". I thought you were looking for code with no license attached. I misunderstood you. Since BSD license is okay with you, the PuTTY code may be what you are looking for.

There are other protection systems that are more secure. Like dongles, or insert your CD once a month and check for something you put on that CD that won't duplicate properly or require a once-a-month online verification -- stuff like that.). But nothing you do will be totally hacker-proof.

These solutions cannot be shipped electonically. In addition, dongles are too expensive for a chess engine. Some of the so called professional protection schemes can be worked around fairly easily without having to disassemble the protected software.

You are right that dongles are expensive. Some of them are very secure and others are not.

I disagree that all the proposed ideas cannot be shipped electronically. Once-a-month online verification does not require your program to provide anything physical. You may have some other objection to this idea, but it *can* be shipped electronically.

Good luck with your chess program!

Ron

[Tord Romstad]

You need to build a special multiplication function that can handle very large numbers.

All decent programming languages have built-in support for arbitrary-precision integer arithmetics (limited only by the available memory).


As an example, here is how I compute the factorial of 100 in my three current favorite programming languages:

Code: Select all

product [1..100]

Code: Select all

(iter (for i from 1 to 100) (multiply i))

Code: Select all

1 100 [ 1+ * ] each .

All of these print the correct answer:

Code: Select all

93326215443944152681699238856266700490715968264381621468592963895217599993229915608941463976156518286253697920827223758251185210916864000000000000000000000000

I would need at least 20 lines to do the same in C, and I bet even HGM would need at least 2 lines.

Tord

[H.G.Muller]

The challenge is to do it in fewer characters than the intended output, or you might as well write it as a string literal.


OK, here it is:

Code: Select all

main(){int i,j,k,A[99]={1};i=101;while(--i)for(j=k=0;j<80;j++)k=i*A[j]+k/100,A[j]=k%100,i-1?0:printf(j-79?"%02d":"\n",A[78-j]);}

[Tord Romstad]

The challenge is to do it in fewer characters than the intended output, or you might as well write it as a string literal.

Yes, or perhaps the challenge should be to write a general factorial function:

Code: Select all

factorial n = product [1..n]

Code: Select all

(defun factorial (n)
  (iter (for i from 1 to n) (multiply i)))


Code: Select all

: factorial 1 swap [ 1+ * ] ;

A little competition: Which are the three programming languages used above? The first person to correctly identify all three languages will win a free copy of the next version of Glaurung, including the complete source code!

OK, here it is:

Code: Select all

main(){int i,j,k,A[99]={1};i=101;while(--i)for(j=k=0;j<80;j++)k=i*A[j]+k/100,A[j]=k%100,i-1?0:printf(j-79?"%02d":"\n",A[78-j]);}

I would say that this would be five lines or so if formatted in a readable way, but it's nevertheless impressive. Thanks for posting!

I still think

Code: Select all

product [1..100]

is simpler and more readable, though.

Tord

[Teemu Pudas]

Haskell, some sort of Lisp, Forth.

[Tord Romstad]

Haskell,

Yes!

some sort of Lisp,

Close enough. It's Common Lisp.

Forth.

Not quite close enough. In Forth, I think it would be something like this (untested, because I have no Forth installed on this computer):

Code: Select all

: factorial 1 swap 0 do i 1+ * loop ;

But this really isn't quite correct, because the multiplication would probably overflow (as far as I know, no Forth implementations support true integers, but I could be wrong).

Tord

[Teemu Pudas]

some sort of Lisp,

Close enough. It's Common Lisp.

Strange. I have LispBox with Allegro Common Lisp, and it complained about iter being an undefined function.

[Tord Romstad]

some sort of Lisp,

Close enough. It's Common Lisp.

Strange. I have LispBox with Allegro Common Lisp, and it complained about iter being an undefined function.

Sorry, my mistake. The ITERATE macro is a very popular looping construct which for some strange reason wasn't included in ANSI Common Lisp, but which can be installed and used in all modern Common Lisps. The first thing I and many other Lispers do when faced with a Lisp which does not ship with this macro pre-installed is to download and install it.

The general-purpose looping constructs in vanilla ANSI Common Lisp all leave something to be desired. DO and DO* tend to look a bit cryptic and low-level:

Code: Select all

(defun factorial (n)
  (do* ((i 1 (+ i 1))
        (j 1 (* j i)))
       ((= i n) j)))


LOOP is more powerful, but has a very non-Lispy syntax, is not extensible, and has a very limited set of accumulator keywords:

Code: Select all

(defun factorial (n)
  (loop for i from 1 to n
        for j = 1 then (* i j)
        finally (return j)))


For the factorial function, it would of course also be possible to use the less general DOTIMES macro:

Code: Select all

(defun factorial (n)
  (let ((i 1))
    (dotimes (j n)
      (setf i (* i (+ j 1))))
    i))


In my opinion, neither of these solutions are nearly as readable as the one with ITER.

On the other hand, given a reasonably intelligent compiler, there is another very compact and readable way to do it with LOOP:

Code: Select all

(defun factorial (n)
  (reduce #'* (loop for i from 1 to n collect i)))

The problem with this version is that creating a list is an expensive operation, but an intelligent compiler should be able to see that building a list is not really necessary (because the elements of the list are just multiplied together, and the list is thrown away).

Tord

[H.G.Muller]

I would say that this would be five lines or so if formatted in a readable way, but it's nevertheless impressive. Thanks for posting!

It was only possible to get this in one line because your previous post set a new standard for the line length!

[Onno Garms]

If you were encrypting a one-time message, I would say no. But when you issue an activation key based on key pairs no one needs your private key. All a hacker needs is a single public key that works...

But this amounts to hacking approach 1 or 2 then, which is not quite as bad for the author.

If enough messages (activation keys) are known it becomes easier to break a code.

Really? So all I need to retrieve the private pgp key is a large number of signed messages?

I suggest you look at the source code to PuTTY. It is a MIT license, which is very similar to BSD.

Thanks. That the sort of hint I was looking for.

Yes, that's why I said they were "protected under some form of license". I thought you were looking for code with no license attached. I misunderstood you. Since BSD license is okay with you, the PuTTY code may be what you are looking for.

"License file missing" is very different from "freeware" or "public domain". If the author fails to provide information on the license, you have to ask him. The default is that you must not reuse other people's sources. Otherwise the GPL would not work because you could simply reject it.

You are right that dongles are expensive. Some of them are very secure and others are not.

Do you have detailed information on security differences beween different kind of dongles? Please send pm.

Good luck with your chess program!

I'm not yet sure what to do with it. It's already very strong for a single CPU engine but currently it definitely cannot go commercial. Possible I will publish as freeware, but definitely not open source.

I was just asking some things that I had in my mind to revive the forum.

[Ron Murawski]

If enough messages (activation keys) are known it becomes easier to break a code.

Really? So all I need to retrieve the private pgp key is a large number of signed messages?

Breaking a code becomes easier as more messages are known. If a hacker obtains keys and each original user's submitted registration information, you can be sure that there is a correlation between the registration information and the activation keys. If you have access to 1,000s of these name/key pairs it becomes easier (but *not* easy!) to guess your private key. This is all "Cryptography 101" stuff. The only unbreakable method is a one-time pad (as long as the pad remains a secret).

Encryption is not about making an unbreakable code. It is about delaying a determined hacker from breaking the code for the longest possible time. In your circumstance of protecting a chess program, it is very unlikely that someone brilliant enough is going to work long enough and with enough resources to break your encryption system. This is true no matter what method you use. The exception to this is if you use a commercial system that has already been broken and it leaves a recognizable signature in your product.

I suggest you look at the source code to PuTTY. It is a MIT license, which is very similar to BSD.

Thanks. That the sort of hint I was looking for.

Good. I'm glad it was helpful.

You are right that dongles are expensive. Some of them are very secure and others are not.

Do you have detailed information on security differences beween different kind of dongles? Please send pm.

Look in your pm box! There is also lot of encryption information there for you.

Good luck with your chess program!

I'm not yet sure what to do with it. It's already very strong for a single CPU engine but currently it definitely cannot go commercial. Possible I will publish as freeware, but definitely not open source.

I was just asking some things that I had in my mind to revive the forum.

Yes, and I was just answering your question to revive the forum as well!

Does your chess program have a name?

Ron

[Tord Romstad]

Do you have detailed information on security differences beween different kind of dongles? Please send pm.

I will never buy any piece of software which requires a dongle, or which uses similar copy protection schemes (like requiring a CD to be inserted at regular intervals). Such copy protection schemes are extremely unfriendly and annoying.

Actually, any kind of copy protection scheme makes it much less likely that I will buy a computer program. This is not because I am a software pirate (I don't have a single pirated program or illegally copied or downloaded music file on my computer), but because of the frequent problems when switching to a new computer (yes, contacting the developer usually solves the problem, but if you have to do this for a big number of programs, it's a major annoyance), and because of the implicit "I don't trust you" message which accompanies any copy protected software.

I prefer to give my money to people who trust me rather than to people who don't. If I could choose between paying 50 euros for a copy-protected 2900 rated chess program and paying 100 euros for a non-protected 2800 rated, but otherwise similar program, I would definitely choose the latter.

Tord

[Onno Garms]

Does your chess program have a name?

Not yet. And is not available for download yet. Though the program is most likely to weak to attract reverse engineers now, I got caucious due to the Rybka-Strelka-Story.

BTW, currently not having access to an own computer and hence not to my own code, I started to "kill some time" by reading the Strelka sources yesterday. IMO they are clearly a result of reverse engineering. Nobody could write in this style from scratch without introducing a huge number of bugs.

[Roman Hartmann]

A chess engine is kind of a niche product which won't be used by too many people anyway so I think that implementig a simple protection sheme is more than enough. A dongle is ok for a CAD-workstation but is an overkill for a chess engine.

Something like personalising the binary might be ok though. But creating too many hurdles will turn off customers rather than crackers.

best regards
Roman

[Russell Reagan]

Code: Select all

: factorial 1 swap [ 1+ * ] ;

A little competition: Which are the three programming languages used above? The first person to correctly identify all three languages will win a free copy of the next version of Glaurung, including the complete source code!
Tord

That's cute Tord, using Factor to write factorial

[Tord Romstad]

Code: Select all

: factorial 1 swap [ 1+ * ] ;

Oops, I've forgotten an 'each' above. It should have been like this, of
course:

Code: Select all

: factorial 1 swap [ 1+ * ] each ;

If I had known about the 'product' function when I wrote my previous
post, I would have done it in a simpler way:

Code: Select all

: factorial [ 1+ ] map product ;

A little competition: Which are the three programming languages used above? The first person to correctly identify all three languages will win a free copy of the next version of Glaurung, including the complete source code!

That's cute Tord, using Factor to write factorial

Factor is indeed the right answer! I'm feeling generous today, and will
award both of you (Russell and Teemu) the prize of a copy of the next
Glaurung version (when it's ready) with full source code.

I have only used Factor (and Forth) for little toy programs so far, but I
love the way it provides a simple, logical and elegant, yet completely alien
way to perform and think about even the most basic types of
computations.

Tord