防止/检测usb flash克隆/恢复 [英] Prevent/detect usb flash cloning/restoring

问题描述

您好，



我有一个关于为软件应用程序开发许可证的安全方法的问题。该应用程序将允许用户使用离线许可证如何消费，存储在加密文件中。

问题在于主要漏洞是当用户决定破解许可系统时，首先克隆整个usb闪存内容（逐字节克隆）并在消耗掉所有内容之后许可证，他会将克隆恢复到相同的usb棒并重新使用相同的许可证。



所以，问题是：

有没有办法以某种方式知道是否克隆了USB闪存？也许有一些特定的通用USB闪存硬件功能，包括一些计数器或类似的东西？

或者您对安全的离线许可证机制有另一个想法（不需要互联网连接和服务器同步）？



谢谢！

Hi there,

I have an issue regarding developing a secure way of doing licensing for a software application. This application would allow the user the possibility to use some how of "offline licenses" for consuming, stored in an encrypted file.
The problem is that the main vulnerability is when the user decides to hack the licensing system, by cloning at first the entire usb flash contents (cloning byte by byte) and after consuming all of it''s x licenses, he would restore the clone to the same usb stick and re-consume the same licenses.

So, the question to you would be:
Is there a way to somehow know if a usb flash has been cloned ? Maybe with some sort of specific generic usb flash hardware feature including some counters or something like that?
Or do you have another idea on doing the "offline licenses" mechanism safe (without requiring internet connection and server sync) ?

Thank you !

推荐答案

不要使用闪存驱动器来提供许可证。像Ghost这样的开源工具和专有应用程序会让你活着。将拇指驱动器成像并将图像发布到BitTorrent太容易了，或者上帝保佑，将它放入拇指驱动器复制器并一次创建50份。



在初始验证（从不使用加密狗）或获取USB许可证密钥加密狗......这些非拇指驱动器之后，要么寻找支持在离线模式下操作的在线解决方案。它们是具有处理器和加密的设备，通常需要将某种库添加到您的应用程序中。您可以在代码中对库进行简单调用，然后处理其余的内容。很多时候，这些将用于两部分许可方案中，您将USB加密狗交付给客户，并且第一次使用密钥存在运行应用程序时，系统的指纹就会生成并且许可证已激活那个系统。指纹将许可证与硬件联系起来。客户无法将许可证从一台机器移动到另一台机器（除非您选择让它们），并且由于这些是安全的许可证硬件密钥，因此无法克隆它们。



如果您正在尝试自己开发解决方案，您应该认真考虑放弃这个想法，只需购买现成的东西。既然你问这个问题，我会假设你并不精通许可证密钥管理，所以你可能会在尝试推出自己的实现时犯下严重的错误。同样的原因，人们不会写自己的加密......你会惨遭失败。



如果你重视你的应用程序足以用硬件密钥保护它，那么把钱花在真正的许可证制度上。

Don''t use a flash drive for delivering licenses. Open source tools and proprietary apps like Ghost will eat you alive. It is too easy to image a thumb drive and post the image to BitTorrent or, God forbid, put it into a thumb drive duplicator and create 50 copies at once.

Either look for an on-line solution that supports operating in an off-line mode after the initial validation (never using a dongle) or get USB license key dongles... which are NOT thumb drives. They are devices with a processor and encryption that will usually require some sort of library to be added into your application. You make a simple call within your code to the library and it handles the rest. A lot of times these will be used in a two-part license scheme where you deliver the USB dongle to the customer and the first time they run the app with the key present, a thumbprint of the system is made and that license is activated on that system. The thumbprint ties the license to the hardware. The customer can''t move the license from machine to machine (unless you choose to let them) and since these are secure license hardware keys, they can''t be cloned.

If you are trying to develop a solution on your own, you should seriously consider abandoning that idea and just buy something off the shelf. Since you are asking this question I''ll assume you aren''t versed in license key management so you are likely to make a serious mistake in trying to roll your own implementation. Same reason people don''t write their own encryption... you will fail miserably.

If you value your app enough to protect it with a hardware key, then spend the money on a real licensing system.

这篇关于防止/检测usb flash克隆/恢复的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！