Software protection is becoming more and more important, because in the course of digitalisation the use of software to optimise work processes is increasing rapidly. Even in everyday life, hardly any area can manage without software. Whether at work as office applications, on mobile phones, as gaming software or in the control of machines in production - the trend is rising. No wonder software protection has become as important for manufacturers as the technology used in their products.
Table of Contents:
Definition: What is software protection?
Legal and technical measures against software piracy
Cryptography is the basis for copy protection
The use of dongles as a software protection module
In a publication by the Industrial Internet Consortium and the Industrial Internet Security Framework on the common security strategy and an approach for the assessment of cyber security in industrial Internet of Things systems, the term ‘software protection’ is defined as follows:
"Software protection includes measures by a software development organisation to protect a software product and the associated critical data from vulnerabilities, internal and external threats, critical errors or incorrect configurations that can affect performance or make data available."
No matter where software is in use: Software development and marketing are challenging and extremely expensive. The risk to the enterprise from copying, reverse engineering and manipulation of software solutions can threaten the continued existence of software manufacturers. Because of this, these companies are increasingly investing in software protection for applications, machines and controls. The more software contributes to the creation of value, the more important software protection is, because it is the only way applications can be protected against industrial espionage. Encryption software also ensures that applications are tamper-proof and that cyber sabotage has fewer opportunities.
From the point of view of the software manufacturer, software protection secures its position in an increasingly competitive market. Only the developer who convinces with innovative products and resolutely protects these against piracy can stay ahead of the game. Software piracy has many faces: Often, software is sold at a significantly cheaper price on the net, licenses are falsified or sold multiple times or the buyer uses one license for several users. Last but not least, software versions are cracked. One thing is sure: The damage caused by pirated copies is immeasurable and, in some cases, even existential. A recent 2018 study by BSA, the Global Software Alliance, assumes that 43 percent of the software used worldwide is pirated.
A ray of light: In Western Europe, the use of unlicensed software has slightly decreased. It has fallen by two percent in comparison to 2017. The reason for this according to the industry experts of the Global Software Alliance is the use of subscription models such as Steam, as well as fear of malware and cyber attacks. So the likelihood of a malware infection after installing pirated software is around one third. According to the study, the average cost in the case of a cyber attack is 2.4 million dollars. A lack of software protection comes with a whole lot of risks: legal, operational, safety and, last but not least, criminal.
Before we introduce you to various software protection procedures, a brief history of software piracy: The electronic distribution of pirated copies did not begin with the advent of the World Wide Web in the 1990s. For a whole decade prior to this, people used dial-up modems to connect to private mailbox systems (BBS), which in many respects were not only a precursor to the Internet, but also to the illegal and widespread electronic distribution of copyrighted materials.
Three decades of rapid growth have made the Internet a ubiquitous commodity. Its potential as a vehicle for piracy is currently at a record high. The contents are distributed in various forms - the most widely used is the shared use of BitTorrent peer-to-peer files, which are responsible for half of the data traffic. The rest is shared by other peer-to-peer networks, cyberlocker sites and Usenet newsgroups, which are dedicated to piracy.
The electronic distribution of pirated copies is increasing at an alarming rate. More and more independent software vendors are deciding in favour of hardware or software-based protection against software piracy. Depending on how it is implemented, it has been shown that software protection is, by and large, keeping the problem in check.
Digital copyright infringements became the focus of attention for the first time with the Digital Millennium Copyright Act of 1998 (DMCA), a US copyright law that made activities such as the circumvention of copy protection and license controls (DRM) criminal offences. With the PRO-IP Act of 2008 (Prioritizing Resources and Organization for Intellectual Property Act), further changes were made in areas such as civil and criminal enforcement as well as the coordination and financing of the efforts of the federal government for the protection of intellectual property. This law served as the basis for numerous proceedings against infringers, including the seizure of counterfeit products and resources used to facilitate the dissemination of pirated copies. Other software protection initiatives followed.
However, it was difficult for the industry to agree on a number of best practices and common development standards. Several organisations, including BSIMM, OWASP and the National Institute of Standards and Technology, presented documents setting out their proposals for development standards. On the industrial side, the Industrial Internet Consortium and the Industrial Internet Security Framework published a joint security strategy and an approach to the assessment of cyber security in industrial Internet of Things systems.
In this context, this refers to pirated copies of computer programs and databases. The user uses them but does not pay for them. Even if the making of copies for private use is permitted in Germany (Section 53 of the Copyright Act) and Austria (Section 42 of the Copyright Act) under certain circumstances, the distribution of copies is prohibited by law in almost every country in the world. In the course of progressive digitalization in all areas of life, illegal copies are causing increasingly greater damage. The fact that private individuals have also been able to make copies more easily since the 1990s is particularly critical.
Despite the above-mentioned legal and institutional measures against software piracy, it seems that for every piracy website or file sharing tool that is shut down, several new ones pop up. This shows that law enforcement alone is not an option. Hardware or software-based copy protection (digital rights management) seems to be the only solution, whereby cloud-based licensing is the latest and most promising form of access barrier for manufacturers. Whether this will finally eliminate software piracy is doubtful, but it certainly makes it much more difficult.
Any kind of copy protection has its origin in cryptography ("crypto": Ancient Greek for "hidden, secret" and "graphy": "to write, writing"). It is a subfield of cryptology and deals with encrypting information. 3000 years ago, it was already being used in ancient Egypt. The then simple encryption procedures became increasingly refined and their complexity grew with the available means - from pencil and paper, to mechanical calculators and cipher machines such as the Enigma, to the computer. Whereas cryptography was mostly used by the military and secret services in the past, today it is also to be found in the private sector, for example, to encrypt an e-mail before sending it via the Internet.
One of the most important rules of modern cryptography, Kerckhoffs' Principle, states that the security of a system should not depend on keeping the algorithms secret but rather on keeping a key secret. Thus, a system built according to this method requires that the mechanism is known, because the security is based solely and exclusively on the variable key. Many encryption methods are based on this principle.
Software can be protected using various encryption methods such as symmetric encryption (AES - Advanced Encryption Standard) and asymmetric encryption (ECC - Elliptic Curve Cryptography or RSA - Rivest, Shamir, Adleman). The cryptographic key, together with license conditions and other options, is stored in a container. The container can be a dongle or a software-based activation file. The solution package also includes applications and an API for encryption, decryption and signing.
A dongle is usually a USB stick, which is connected to a port on the computer in order to authenticate the license. Software that runs using a USB dongle sends a request to the I/O port for authentication, initially when started and then at regular intervals. As soon as the expected validation code cannot be retrieved, the program is automatically terminated or only limited functions remain accessible. In particular, the dongle protects against unauthorised reproduction. The principle is essentially quite simple: No dongle, no access to the software.
Modern hardware dongles use public-private key and symmetric encryption procedures. The encryption keys are then not contained somewhere in the application, but safely stored on the flash-ROM, where they cannot be read out and can be used for encryption/decryption only. In addition to this, there are dongles with network support which can be attached to any computer or server in the network. A license server application runs on this computer and makes licenses available in the network. The protected application then checks either for a locally attached dongle or for the license server in the network. Furthermore, the software licenses can be bound to a certain computer by generating a special license key based on the hardware (CPU, mainboard, hard drive) and storing it in the dongle.
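The hardware binding and the recurring dongle check described above can be sketched as follows. This is an added example, not code from any vendor's product: the `SimulatedDongle` class, the `fingerprint` and `license_mode` helpers, the use of HMAC-SHA256 to derive the license key and all sample identifiers are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def fingerprint(cpu_id: str, board_serial: str, disk_serial: str) -> bytes:
    """Hash the hardware identifiers into one fixed-length machine fingerprint."""
    h = hashlib.sha256()
    for part in (cpu_id, board_serial, disk_serial):
        data = part.strip().upper().encode()
        # Length prefix keeps ("AB", "C") distinct from ("A", "BC").
        h.update(len(data).to_bytes(2, "big") + data)
    return h.digest()


class SimulatedDongle:
    """Stand-in for the hardware: the key stays inside, only results come out."""

    def __init__(self) -> None:
        self.__key = secrets.token_bytes(32)  # never returned by any method
        self.__bound_tag = None

    def bind(self, machine_fp: bytes) -> None:
        """Vendor-side step: store a license key derived from the hardware."""
        self.__bound_tag = hmac.new(self.__key, machine_fp, hashlib.sha256).digest()

    def is_bound_to(self, machine_fp: bytes) -> bool:
        """Recompute the license key inside the dongle and compare it."""
        if self.__bound_tag is None:
            return False
        candidate = hmac.new(self.__key, machine_fp, hashlib.sha256).digest()
        return hmac.compare_digest(candidate, self.__bound_tag)


def license_mode(dongle, machine_fp: bytes) -> str:
    """Check run at start-up and then at intervals by the protected program."""
    if dongle is None:
        return "limited"  # no dongle, no access to the full software
    return "full" if dongle.is_bound_to(machine_fp) else "limited"


# Constructed sample identifiers, not real hardware values.
LICENSED_PC = fingerprint("cpu-0001", "MB-12345", "DISK-AAAA")
OTHER_PC = fingerprint("cpu-0002", "MB-67890", "DISK-BBBB")
```

The application only ever receives a yes/no answer, so moving the dongle to another machine or removing it drops the program to limited mode without the key ever leaving the device.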
Even if dongles cannot provide 100% protection against software theft, they significantly reduce software piracy and can be particularly effective in digital rights management, because it is very difficult to generate an illegal copy of a dongle.
A flexible software licensing strategy is the key to successful monetisation and the profitability of software vendors. In the past, hardware-based license dongles were the means of choice for ultimate software protection against unauthorised use or illegal manipulation of high-end proprietary applications. With the trend toward subscription licenses and software-as-a-service in many areas of business, however, end users now feel significantly more comfortable with software-based license activations or cloud implementations.
But dongles are still widely used in the license mix, as many software manufacturers are reluctant to abandon the strengths of hardware-based licensing - not least because their customers still ask for features such as portable licenses. Not all customers are interested in the implementation of cloud-based activation solutions.
5 reasons why dongles are still in the race as security methods:
Recently, dongles with flash memory options and smart card chips have been available, which significantly improve the safety factor. In addition, dongles are available in different forms, in order to meet industry-specific requirements. Examples include microSD or Compact Flash cards, which were developed for use in industrial installations and controllers and are also able to withstand the stresses of harsh environments.
The biggest advantage: Licenses for different program modules can be stored on a single dongle, so the user only needs one USB stick in order to manage licenses from multiple vendors. This is particularly attractive for providers of plug-ins and extensions. A larger license storage volume, driverless installation, secure offline license transfer and updates (no direct Internet connection is required to update the licenses on the dongle, as the update file can also be transmitted by e-mail) and additional mass storage (flash memory) are further reasons why many software manufacturers still rely on dongles today.
Regardless of whether you decide to go with a hardware or software-based protection system, software protection usually provides you with effective protection against more than just software piracy. Licenses can also be extended easily online, additional features or workstations can be activated and updates provided, which allows constantly changing security measures to be kept up-to-date at all times.
A good software protection solution includes a flexible system for license management and monetisation. So software manufacturers or distributors have the opportunity to generate follow-up sales and long-term customer loyalty.
Copyright © 2002, 2019 MARX® CryptoTech LP - Last Update 12 September 2019