SafeNet Sentinel Developer's Manual Download Page 271

Sentinel Hardware Keys Developer’s Guide

the Toolkit. See page 140 for more information on generating update codes.

USB

Short for Universal Serial Bus. A technology that features one “universal” 
plug type for all USB peripheral-to-PC connections. USB replaces all the 
different kinds of serial and parallel port connectors with one standardized 
plug and port. 

USB simplifies the connection of peripherals to computers by providing an 
instant, no-hassle way to connect USB peripherals. With USB-equipped PCs, 
peripherals are automatically configured and ready for use.

Sentinel Keys are USB 2.0 compliant.

User limit

A soft limit that restricts the number of users allowed by the hard limit. 
If no user limit is set, the number of users allowed is equivalent to the 
hard limit.

W

Write Password

A hexadecimal value that allows writing a feature. It is applicable to all the 
features except AES, ECC, and Counter.

You can provide a write password when creating a feature, depending on the 
attributes you choose. For example, if you select the Read-only attribute, 
the write password is ignored.

Working Folder

A directory on your system where the Toolkit writes the protection 
strategy-related files. 

On a supported Windows system, the default working folder is: 

<Personal folder>\My Documents\Sentinel Keys <version>

Summary of Contents for Sentinel

Page 1: ...1 2 0...

Page 2: ...es Linux is a trademark of Linus Torvalds in the United States and other countries Mac and the Mac logo are trademarks of Apple Computer Inc registered in the U S and other countries All other tradema...

Page 3: ...nia U S A and Rotterdam The Netherlands facilities are certified to the latest globally recognized ISO 9001 2000 standard The certificate number is CERT 02982 2003 AQ HOU RAB Rev 3 Sentinel Hardware K...

Page 4: ...ns natively on both PowerPC and Intel based computers from Apple Sentinel Hardware Keys comply to the USB 2 0 standards The Sentinel System Driver for Windows is certi fied by Windows Hardware Quality...

Page 5: ...cular installation If this equipment does cause harmful interference to radio or television reception which can be determined by turning the equip ment off and on the user is encouraged to try to corr...

Page 6: ...vi Sentinel Hardware Keys Developer s Guide...

Page 7: ...s xviii We Welcome Your Comments xviii Part 1 Sentinel Key Basics 1 Chapter 1 Introduction 3 Software Piracy Hurts Your Business 3 Sentinel Keys Protect Against Software Piracy 4 License Models to Inc...

Page 8: ...and Licensing Strategy 41 About Features Templates and Groups 41 Planning Application Protection and Licensing Strategy 50 Frequently Asked Questions 58 Part 2 Designing and Implementing Protection 63...

Page 9: ...ote New License Addition 127 Remote Update Codes 131 Remote Update Methods 132 About Remote Update Actions 136 Generating Update Codes 140 Frequently Asked Questions 142 Chapter 7 Implementing Secure...

Page 10: ...Key Programming APIs 184 Frequently Asked Questions 188 Part 4 Distributing Protected Applications 195 Chapter 10 Redistributables for Customers and Distributors 197 Checklist for Customers And Distr...

Page 11: ...238 E 239 F 241 G 242 H 243 K 244 L 244 M 246 N 246 P 246 Q 247 R 247 S 248 U 252 W 253 Appendix C Sentinel Keys Hardware Specifications 255 Appendix D Migration from SuperPro and UltraPro 257 Stage 1...

Page 12: ...Contents xii Sentinel Hardware Keys Developer s Guide...

Page 13: ...Find Information The Sentinel Keys SDK documentation is for the following users You Could Be a Recommended References Manager or New User You want to understand the product installation features and...

Page 14: ...key and the redistributables like the Sentinel System Driver Sentinel Keys Server configuration file System Administrator s Help FAQs included in the Sen tinel Keys Toolkit Help You Could Be a Recomme...

Page 15: ...t_sentinel sentinel_keys version Personal folder The default path for the Personal folder on Windows 2000 XP 32 bit and x64 Server 2003 32 bit and x64 systems is OS Drive Documents and Settings user n...

Page 16: ...safenet inc com France Telephone 0825 341000 Germany Telephone 01803 7246269 United Kingdom Telephone 44 0 1276 608000 1 410 931 7520 Intl Pacific Rim E mail support safenet inc com Australia and New...

Page 17: ...alia 61 3 9882 8322 Brazil 55 11 6121 6455 China 86 10 88519191 Finland 358 20 500 7800 France 33 1 41 43 29 00 Germany 49 1803 7246269 Hong Kong 852 3157 7111 India 91 11 32980377 30980641 Japan Toky...

Page 18: ...ulations Please note that the regulations are subject to change We rec ommend that you obtain your own legal advice when attempting to export any product that uses encryption In addition some countrie...

Page 19: ...Part 1 Sentinel Key Basics Software piracy problem and its solution Sentinel Keys SDK components Planning application protection and licensing strategy...

Page 20: ......

Page 21: ...any forms varying from malicious counter feiting to unintended violations of the license agreement by users who may be unaware they are doing so for example more than permissible number of users using...

Page 22: ...he Key Pro gramming APIs The Toolkit provides two basic methods to protect your applications Shell Protection The method in which protective wrappers are put around the application1 quickly and easily...

Page 23: ...pulated licensing conditions are met For example the users may be able to freely copy your application but will not be able to execute it beyond the number of users allowed You can see the diagram bel...

Page 24: ...inel Keys or non RTC tokens with Sentinel V ClockTM RTC based Sentinel Keys contain an internal real time clock to track the exact date and time of the leased applications The real clock keeps track o...

Page 25: ...tion Provides secure communication using the Secure Communication Tunnel The tunnel is an end to end secured session between the client and the Sentinel Key The communication packets are encrypted usi...

Page 26: ...pplication is used to prepare important and confidential license policies Hence it is important to restrict the unauthorized access to the Toolkit To control this you are provided with a developer key...

Page 27: ...ally used in enterprises Lease your software for certain time periods Allow license sharing for each seat3 user Allow terminal clients Robust Protection Options The Sentinel Keys SDK provides robust m...

Page 28: ...he utility is a console based program that protects executables and DLLs using the Shell method via command line For more information please refer to the section Command Line Shell Utility Under the A...

Page 29: ...process as per the different roles seen in real life Typically the license designing and implementation part is done by the developers while the license management and hardware key programming is han...

Page 30: ...cess is enforced without being inconvenient Easy to carry small and durable tokens Hardware based licenses unaffected by application crashes uninstallations Self guided license installation updates us...

Page 31: ...y ISV file Only a Developer along with a Developer Key can generate the ISV file using the Sentinel Keys Toolkit Once generated this file is programmed into the end user token in association with a De...

Page 32: ...e AES algorithm for which the session key is generated using ECC based key exchange ECKAS DH1 It provides maximum protection against the following types of attacks that can foil the security of your p...

Page 33: ...licensing Given below are a few examples of verifying the Sentinel Key s presence Use the SFNTReadString API function to read a string written on the Sentinel Key Use the SFNTEncrypt API function to...

Page 34: ...uide Please do not try implementing the licensing scheme incompletely or directly such as by just calling the Business Layer API functions and linking libraries Refer to the Sentinel Keys Toolkit Help...

Page 35: ...ent company that uses the Sentinel Keys SDK to protect and license their applications Distributor An individual organization authorized by the developer to distribute the protected application along w...

Page 36: ...creating update packets Please refer to the Key Programming API Help for more information Developer Key The hardware key that must be attached to the system where the Toolkit is run Compiler Interfac...

Page 37: ...stomer s site can monitor track and cancel licenses Sentinel Protection Installer An installer that can be either run directly or integrated with your application installer to redistribute the Sentine...

Page 38: ...bit and x64 Installed at the following path on a Windows 32 bit NT based system OS Drive Program Files Common Files SafeNet Sentinel Sentinel System Driver Installed at the following path on a Window...

Page 39: ...pgrade the existing Sen tinel System Driver KEXT Framework Sentinel UltraPro SDK Sentinel SuperPro SDK Sentinel Protection Installer In addition the Sentinel System Driver KEXT will be installed Senti...

Page 40: ...indows you may also associate the Secure Update Wizard here for remote activation License Manager In the License Manager screen you can package the licenses and program hardware keys Groups are create...

Page 41: ...loper distribu tor and Sentinel hardware keys attached to the system You can select the hardware key using the left and right arrow buttons Key Status Panel Note The Key Status panel behaves different...

Page 42: ...refer to Shell Protection Using the Command Line Utility on page 78 Key Programming APIs Key Programming APIs include the API functions used for Programming the Sentinel Hardware Keys Provides a Tool...

Page 43: ...Incrementing or Detaching Execution Count Setting new Expiration date Detaching Lease Integer String Raw Boolean Modifying value Changing Write Password Counter Overwriting and Incrementing the Count...

Page 44: ...ed into the distributor keys These seeds are unique for each developer As a result a license created using your developer key will not match with that of any other developer Uniquely Matched Hardware...

Page 45: ...9 9 Borland C Builder 5 0 and 6 0 9 Borland Delphi 5 0 and 6 0 9 COM object Microsoft Visual C 6 0 9 Microsoft Visual BASIC 6 0 9 Microsoft C NET 2002 2003 and 20052 9 Microsoft VB NET 2002 2003 and...

Page 46: ...embles the License Manager screen of the Toolkit However the functionality is limited to programming Sentinel Keys The License Manager Help included with the application describes the For Linux Compil...

Page 47: ...stributor key using which they will import the protection strategy in the License Manager application The details are provided in Chapter 9 Programming Sentinel Hardware Keys on page 179 Each distribu...

Page 48: ...serve any license requests from network Hence these can neither be detected by the Sentinel Keys Server running on the system nor monitored by the Sentinel Keys License Monitor Network Keys A network...

Page 49: ...tiple Clients in LAN WAN Sentinel Keys Models Details about the Sentinel Keys Models Model Name Description Characteristics Sentinel S Stand alone non RTC version Form factor USB Total memory 8KB Hard...

Page 50: ...evelopers and customers Sentinel Dual Hardware Keys for SuperPro Meant for Sentinel SuperPro based developers and customers Sentinel SN Network non RTC version Form factor USB Total memory 8KB Hard li...

Page 51: ...rver is available across platforms For example Sentinel Keys attached to a Windows system can be accessed by a protected application running on Linux and vice versa Sentinel Keys Server provides an HT...

Page 52: ...stem For Linux Daemon Supports the following platforms Red Hat Enterprise Linux ES AS version 3 0 and 4 0 Red Hat Enterprise Linux WS Desktop version 3 0 and 4 0 Fedora Core 4 and 5 SuSe 9 3 and 10 0...

Page 53: ...a convenient way to view and track license activity and analyze application usage For example your customer could use it to determine whether or not enough licenses were purchased based on license de...

Page 54: ...om the Sentinel Key License Information Page clicking Keys will display this page License a list of licenses templates programmed into the Sentinel Key License ID User limit Number of licenses in use...

Page 55: ...on customization Using Sentinel Protection Installer the deployment of redistributables becomes rather simple It offers you the following two choices You can directly ship the Sentinel Protection Inst...

Page 56: ...ot user on the customer site can set these parameters the network protocol Sentinel Keys License Monitor HTTP port Sentinel Keys Server socket port and logging details Remote Update Options You can pr...

Page 57: ...Y ONE developer key If you happen to lose it contact your SafeNet Sales representative for replacement Sentinel Key This will be programmed for your customers without which they will not be able to ru...

Page 58: ...Chapter 2 Sentinel Keys SDK Components 40 Sentinel Hardware Keys Developer s Guide...

Page 59: ...g application protection About Features Templates and Groups This section explains the concepts of features license templates and groups as used in the Sentinel Hardware Keys Toolkit and other compone...

Page 60: ...ion date expiration time and an execution count ECC An ECC algorithm based feature that allows you to Digitally sign content Verify signed content Specify licensing controls like expiration date expir...

Page 61: ...o control the distinct application func tionality such as the compile operation save option print option and so on For example AppSoft Corp wants to protect its three applications WordEd itor App Data...

Page 62: ...Chapter 3 Planning Application Protection and Licensing Strategy 44 Sentinel Hardware Keys Developer s Guide Relating Features Templates and Groups...

Page 63: ...y is always present and all the licensing conditions are met The Shell has multi layer architecture The previous layer if executed suc cessfully only will decrypt the successive layer Multiple layers...

Page 64: ...debuggers like SoftICE and OllyDbg It can also provide reasonable protection against break points targeted at important functions You can choose to deny application execution in the presence of debug...

Page 65: ...it without any hassles It does not require source code of your application It uses the 128 bit AES algorithm for protection It allows implementing the most popular licensing models in just a few click...

Page 66: ...sponse is received is left up to you Generally the more locks you add to your application the more difficult it will be for hackers to break your application s protection You have a little more time a...

Page 67: ...e License Designer screen to add features to it Use the License Designer Wizard to create a license template The Sentinel Keys Toolkit Help provides detailed steps on adding and managing features temp...

Page 68: ...ect your applications using Shell or API features Business Layer API functions The decision to choose the protection method depends on various factors such as time in hand access to the source code wh...

Page 69: ...icensing policy such as whether you want to provide perpetual licenses or demo or try and buy licenses You can create time limited or executions limited demos These can be combined with a suitable rem...

Page 70: ...andard hard limits 3 5 10 25 50 100 and 250 you might want to impose a soft limit known as the user limit The user limit restricts the number of users allowed by the hard limit Other wise the number o...

Page 71: ...de user limit later check box selected Remotely update the user limit by using the Update user limit command see the last row of the table Feature and License Action Type on page 137 for details Note...

Page 72: ...oss LAN WAN In addition you will also need to decide the access mode you want to set in your application For extensive and busy networks you can ship a client side configuration file with your protect...

Page 73: ...s described below Protocol Sets the network protocol for client server communication If a protocol is specified here the same must be set in the server configuration file Tag Values For Windows The fo...

Page 74: ...he license acquired by network applications Please note that any setting in SFNTSetHeartbeat for API pro tected applications or under the Networking tab for Shell protected applications will override...

Page 75: ...Note The terminal clients can access both the network and stand alone Sentinel Keys in a network To allow stand alone keys Sentinel S and ST access set the SP_ENABLE_TERMINAL_CLIENT flag in the SFNTGe...

Page 76: ...low license sharing for seat users call the SFNTGetLicense API function with the SP_SHARE_ON flag Else each instance will consume an individual user limit hard limit Would you like to allow updating S...

Page 77: ...ebug your application Even if the attacker manages to overcome the diffi cult task of removing the Shell the application inside is still protected due to two strong layers of protection Question 3 Wha...

Page 78: ...s using one Sentinel Key each supporting different number of users in a network you need to take care of the following Distribute a network key with your suit of protected applications Set the user li...

Page 79: ...tinel Hardware Keys Developer s Guide 61 Application C has 10 user limit available only three users can run it This is because the hard limit is obtained first then the user limit You may want to shar...

Page 80: ...Chapter 3 Planning Application Protection and Licensing Strategy 62 Sentinel Hardware Keys Developer s Guide...

Page 81: ...Part 2 Designing and Implementing Protection Using the Shell protection Using the Business Layer API protection Designing remote update strategy The best practices for secure licensing...

Page 82: ......

Page 83: ...ion allows you to add a Shell feature to an existing license template The complete steps are covered in this chapter Using the License Designer Wizard This option allows you to create a license templa...

Page 84: ...he Shell layer will be applied to the executables and DLLs all other files will be encrypted at Shell time and can only be decrypted at run time using the protected application 2 Type or browse for th...

Page 85: ...ensing Settings Sentinel Hardware Keys Developer s Guide 67 Add Shell Feature Dialog Box Providing Licensing Settings To provide the licensing settings 1 Click the Licensing tab in the Add Shell Featu...

Page 86: ...on time for the application Else the application will use a perpetual license Not selected Limit executions Select to allow specifying the number of times the protected application will run for Not se...

Page 87: ...e marketing key programming per sonnel can modify it to suit some customer s requirement such as 10 10 07 and program the Sentinel Key This does not require you to apply the Shell protection again mod...

Page 88: ...he interval for which the Sentinel Keys Server maintains the license 120 seconds If you do not modify the default value license time heartbeat interval if specified in the configuration file will over...

Page 89: ...rovides maximum protection and maximum increase in the file size Please note that you must always run the output files protected applications in an environment typical to your product users to experie...

Page 90: ...chapter Selected NET Enhancement NET Enhancements feature provides enhanced security to pure NET applications executables and DLLs The feature performs the following functions Hides original entry poi...

Page 91: ...om the list for modification 3 In the edit box write your message text It can contain up to 200 characters 4 If you are not satisfied with your message text click Restore to accept the original messag...

Page 92: ...accepts up to 80 characters 3 Click OK to return back to License Designer where you find the Shell feature added under the Shell tab To modify the data file encryption settings see the steps below Ch...

Page 93: ...note that if the encrypted data files are shared by multiple applications all the appli cations must use the same encryption seed The seed can consist of two strings of 14 hex characters each forming...

Page 94: ...nding upon the number of files and layers you have added If you had cleared the Change the destination path check box under the Files tab your original files were overwritten during the Shell process...

Page 95: ...tion Sentinel Hardware Keys Developer s Guide 77 same name even if selected from different path are not overwritten during the Shell process and their source path can be tracked easily Output Files at...

Page 96: ...n which the Sentinel Keys software installation has not been performed you must copy certain files components to it Following is a list of all possible files components that you must copy RelLic dll S...

Page 97: ...olkit and programmed using the Developer User key pair Default path of ltm file on a Windows system is System drive Documents and Settings Personal folder My Documents Sentinel Keys 1 2 My License Tem...

Page 98: ...n integrate the utility into your application build process which might be done using a batch file or build script in some environ ments The following options are provided CMDShell S F LicenseTemplate...

Page 99: ...onsole F LicenseTemplateFilePa th Provides the full path of the Sentinel Keys Toolkit license template file to load the license template L1 LogFilePath Provides the full path of the log file to genera...

Page 100: ...escribed in the Sentinel Keys Toolkit Help You can now test your protected application We recommend testing your application to verify that it executes correctly with the appropriate Sentinel Key both...

Page 101: ...ides the import symbols However if the application type is not compatible with this setting Quick Shell automatically disables this security setting For Shell you can allow disallow hiding the import...

Page 102: ...Borland C v2006 Yes Yes MFC 6 0 7 0 7 1 and 8 0 Yes Yes Authorware 6 0 7 0 Yes No Windev 11 Yes No Labview 7 1 Yes No a Only any CPU and x86 target binaries are supported b The NET Framework must be p...

Page 103: ...n under the Security tab cannot be applied to the following file types NET Visual FoxPro Director b The NET Framework must be present on your system for protecting NET DLLs File Types and Application...

Page 104: ...k 1 0 or 1 1 based DLLs and NET Framework 2 0 or later needs to be installed to protect NET Framework 2 0 or 3 0 based DLLs Please note that an exception may occur while executing a 32 bit NET Framewo...

Page 105: ...ese protected files on vista need mui2 files to execute These mui files are stored inside the default language folder for example en US for an English version that must be placed at a location where t...

Page 106: ...ill not be released SDNPro64 dll when NET enhancement option is selected during protection If SDNPro64 dll is not present with the application protected using NET enhancement option then protected app...

Page 107: ...d line shell tool instead of the Make Shell button provided in the License Designer stage of the Sentinel Keys toolkit The command line shell tool uses the licence template ltm file to get the various...

Page 108: ...Chapter 4 Protecting Applications Using Shell 90 Sentinel Hardware Keys Developer s Guide...

Page 109: ...ctions are as follows Prepare a Conceptual Plan In the initial stage you need to decide which software locks to use for pro tecting your application The purpose of a software lock is to verify the pre...

Page 110: ...nding to each function it also generates the usage code for various languages The Senti nel Keys Toolkit Help contains steps on using the API Explorer Re build the License Template if Required In case...

Page 111: ...ys header files and libraries Apply the Shell Protection for Windows Applications Only For extra protection you can apply Shell over your API protected compiled applications However this step is optio...

Page 112: ...Chapter 5 Protecting Applications Using API 94 Sentinel Hardware Keys Developer s Guide Steps for Protecting Applications Using API...

Page 113: ...re covered in this chapter Using the License Designer Wizard This option allows you to create a license template by adding a Shell or API feature to it Refer to the Sentinel Keys Toolkit Help for comp...

Page 114: ...eys Developer s Guide Add Features Dialog Box Adding AES Feature 1 In the License Designer screen load the template to which the AES feature will be added 2 Click the API tab 3 Click Add The Add Featu...

Page 115: ...decryption query response protection Providing a time limited or execu tions limited license for using the application Selected AES based encryption Select to encrypt 16 byte blocks using the AES alg...

Page 116: ...he Secret Key field Not selected Default Feature Instance Item Description Default Setting Secret key The 128 bit AES secret key By default a secret key is generated and shown in the Toolkit You can u...

Page 117: ...ming per sonnel can modify it to suit some customer s requirement such as 10 10 07 and program the Sentinel Key This does not require you to apply the Shell protection again modify the API calls or re...

Page 118: ...se and or Limit executions check box es are also selected the feature can be used for Data signing and verification Providing a time limited or execu tions limited license for using the application Se...

Page 119: ...ected ECC based Key Exchange This is not supported in the current release However please keep it selected Selected Default Feature Instance Item Description Default Setting Private Key The private key...

Page 120: ...nd also selected this check box Later if desired the marketing key programming per sonnel can modify it to suit some customer s requirement such as 10 10 07 and program the Sentinel Key This does not...

Page 121: ...default instance 6 Selecting the Add instances later check box will allow you to add new feature instances later in the License Manager screen This option helps in modifying the licensing values witho...

Page 122: ...dom string will be written as the feature value when the Sentinel Key is programmed You can specify its length in the String Length field The random value is generated by the Sentinel Key itself and i...

Page 123: ...Write random option 8 If you selected the check box described in step 7 specify the maxi mum size It has to be greater than the existing string length and less than 255 ASCII printable characters The...

Page 124: ...1 You may optionally provide comments When done click OK Note You can use the following Business Layer API functions for a String feature SFNTReadString To read the String feature value SFNTWriteStrin...

Page 125: ...se note that this value can be overwritten in the field using the Update value command or by calling the SFNTWriteRawData API function requires the write password you specified Not Selected Read only...

Page 126: ...ng implementation in the application code The option will be disabled if you have selected the Write once and or Write random option 8 If you selected the check box described in step 7 specify the max...

Page 127: ...enerated by the Sentinel Key itself and is not known to you your application However you can call the SFNTReadInteger API function to read the value Please note that this value can be overwritten in t...

Page 128: ...nse Manager screen This option helps in modifying the licensing values without modifying the licensing implementation in the application code The option will be disabled if you have selected the Write...

Page 129: ...Click the API tab 3 Click Add The Add Features dialog box appears 4 Select Boolean Depending on which the other options will be dis abled enabled The attributes are described below Attributes Attribu...

Page 130: ...ite once and or Write random option 9 Provide a name for this feature necessary Read only Select this check box if you do not want to allow writing the feature value by the protected application Howev...

Page 131: ...d However you may modify it if needed 11 You may optionally provide comments When done click OK Note API functions for Boolean feature You can use the following Business Layer API functions for an Boo...

Page 132: ...s Layer API Help provides complete details on each func tion Also do refer to the best practices described in Chapter 7 Implementing Secure Licensing on page 145 Compile your application after includi...

Page 133: ...Counter feature values of the in the Sentinel Key SFNTWriteInteger Updates the Integer and Boolean feature values in the Sentinel Key SFNTWriteRawData Updates the Raw Data feature value in the Sentin...

Page 134: ...I functions that you should incorporate in your source code It is a good refer ence when you are not sure which API functions are relevant for your particular strategy The code sketch is written into...

Page 135: ...tions under the Build Options tab such as specify the development language you want the sample for 3 Build it by clicking Build button The following dialog box will appear on completion of the build p...

Page 136: ...pplications Using API 118 Sentinel Hardware Keys Developer s Guide wherein you can compile the sample application and understand the API functions used Note For more FAQs and troubleshooting tips refe...

Page 137: ...he number of users allowed to run the application Under rare circumstances you might need to update the security settings in the key memory such as revising the cheat counter value deactivating the al...

Page 138: ...inel Keys with feature license updates or new license additions Secure Remote Feature License Update The Sentinel Keys can be updated for features licenses using files or e mails in one of the followi...

Page 139: ...le Note When the request code is loaded in the Update Manager the License IDs of all the licenses are displayed The developer views the licenses by using the arrow buttons or 6 The developer clicks Lo...

Page 140: ...the hardware an update code cannot be used more than once The update code and request code form a unique pair an update code can update only that hardware key whose request code was used to generate...

Page 141: ...ate code without any request code from the end user and broad casts the code to all the end users possessing Sentinel Keys with the same DeveloperID Some exceptions in the unidirectional mode are list...

Page 142: ...ngle target update in the Token Serial Number field 5 The developer selects the actions to be performed on the Key The update actions are listed corresponding to the License Feature Action Types prese...

Page 143: ...veloper clicks the Unidirectional Update option button under the Key Activator tab 3 The developer selects the actions to be performed on the Key The update actions are listed corresponding to the Lic...

Page 144: ...rdware Keys Developer s Guide 5 The developer sends the update code upw file using an e mail to the customer 6 The customers apply the update code to have access to the requested applications features...

Page 145: ...present in the token You can achieve this by first deleting all licenses from the token and then loading the modified L1 Note Do make sure to delete all licenses if you are adding the same license wi...

Page 146: ...ion of NLF file option and clicks Next 4 The developer selects the Bidirectional mode from the Mode drop down and clicks Next 5 The developer browses and selects the request code req file in the Reque...

Page 147: ...s are now generated and exported in the form of nlf file Note The update packets for LKDT packet is also integrated with the nlf file 8 The developer sends the license addition nlf file using an e mai...

Page 148: ...k box for the devel oper to enter the device update counter value required for formatting the token 5 The developer clicks Next to continue further in the wizard After defining a destination path in t...

Page 149: ...update codes to allow secure remote update Note An update code can also be generated using the SFNTCreateUpdatePacket API function of the Key Programming library The update packets created using th...

Page 150: ...pdate Wizard with your custom graphics and text while associating it with your Shell API protected applications The wizard collects product and publisher information to process a license activation r...

Page 151: ...ating the Secure Update Wizard with your Shell or API protected application Also Chapter 10 Redistributables for Customers and Distributors on page 197 describes what to ship along with your protected...

Page 152: ...ile upw or a new license addition file nlf in response which can be applied by the customer distributor using the same utility Note Since the upw file generated by Sentinel Hardware Keys version 1 2 w...

Page 153: ...Utility Wizard based and graphical You can customize the user interface instructions and include custom graphics like a splash screen Localization ready Best suited for try and buy applications tha...

Page 154: ...is entered in the Secure Update Wizard or Secure Update Utility the actions and commands are applied to the key Note The task of adding remote update actions is not a part of license designing stage...

Page 155: ...tion Applies to Update value Updates the existing feature value String Raw Data Integer Boolean Change write password Changes the existing Write Password String Raw Data Integer Boolean Increment coun...

Page 156: ...the value specified AES ECC Set expiration time Adds the specified Expiration Time in minutes to the existing value AES ECC Detach lease control Detaches the expiration date and expiration time contro...

Page 157: ...ble to Sentinel Keys 4 Provide a name for the action in the Action Name field It can consist of up to 20 characters The name should be concise yet descriptive so the people generating update codes can...

Page 158: ...optionally include comments for the action in the Comments edit box 6 Click OK to add the action Generating Update Codes You can generate update codes to activate features applications or new license...

Page 159: ...ires the common Developer ID for all the Sentinel Keys targeted for a unidirectional broadcast update Note In all of the above modes the cheat counter value can be specified in the Cheat Counter only...

Page 160: ...lf file The update packets for LKDT packet is also integrated with the nlf file Frequently Asked Questions Question 1 Why cannot I use telephone or fax to exchange request code and updates codes Since...

Page 161: ...file Updating cheat counter value Updating Last known date and time LKDT value once the lease operation has been performed Updating user limit value Now consider a scenario wherein you applied the req...

Page 162: ...lue in removing all licenses from the token In what scenarios its value is updated Device Update Counter is the global update counter in the end user token which is incremented every time all licenses...

Page 163: ...re protection system available today However like the auto manufacturer you must take the time to properly implement the system or it will be bypassed The goal of any software protection strategy is t...

Page 164: ...ires you to understand the API functions described in the Toolkit Help Vulnerability Assessment Basic Types of Attacks Before you can plan a good protection strategy you need to understand the type o...

Page 165: ...see Hardware Key with Cutting edge Security Technology on page 7 Attack the Communication Between Parties The communication between the various parties involved in licensing the developer customer and...

Page 166: ...to 30 days excluding the daylight savings Cheat counter decrements by one The application will run successfully till cheat counter has reached zero After which the AES ECC algorithms are disabled and...

Page 167: ...you can combine your API elements based custom protection with Shell and add an extra layer of protection The Shell encrypts your final executable which makes it difficult to disassemble or debug yo...

Page 168: ...plication to issue a nearly infinite amount of unique challenges This mechanism becomes the backbone of your protection strategy since it is extremely difficult to duplicate the correct responses You...

Page 169: ...r protection Another potential problem with querying only once is that a user could remove the Sentinel Key after starting the application The key could then be used to run another copy of the applica...

Page 170: ...software Specify Cheat Counter Value You can specify a cheat counter value only for non RTC Sentinel Keys The cheat counter value is global to the Sentinel Key It applies to all the features having l...

Page 171: ...Sentinel Key not accessible to any debugging or memory dumping program You need to Call the SFNTEncrypt API function to send the plain data and have it encrypted Call the SFNTDecrypt API function ob...

Page 172: ...ta files or constants used by your program so it will only operate properly with the Sentinel Key attached Verify Data Integrity Using ECC Signing and Verification ECC is a public key algorithm uses p...

Page 173: ...cation to run without the key Restricting them to a few places can lead to easy detection and elimination subsequently Given below are more tips Use In line Functions in Place of a Centralized Functi...

Page 174: ...plicated This makes debugging the code very difficult Use Returned Values as Variables One effective technique to hide security checks in a high level language is to use returned values to control ap...

Page 175: ...ith Dealing With Missing Sentinel Keys If no Sentinel Key is attached to the computer or in network when a protected application is run an error is returned by the SFNTGetLicense API function If a co...

Page 176: ...ation to detect a hardware key problem Since these are almost always innocent events you should design your strategy to be as forgiving of them as possible while still maintaining protection integrity...

Page 177: ...pply the deactivation remote update commands Deactivate AES algorithms and Deactivate ECC algorithm However under the following conditions they appear disabled because the licensing functionality ass...

Page 178: ...Chapter 7 Implementing Secure Licensing 160 Sentinel Hardware Keys Developer s Guide Sample Conversion of Hexadecimal into ASCII...

Page 179: ...Part 3 Grouping Licenses and Programming Hardware Keys License grouping and management Programming Sentinel Hardware Keys using Sentinel Keys Toolkit and the Key Programming APIs...

Page 181: ...llows you to create innovative licensing models in the most straightforward manner Using groups you can Program multiple licenses into a single Sentinel Key in just a few clicks Because each license is...

Page 182: ...typically unrelated and occur at different stages in a product life cycle For example the AppSoft marketing team can now roll different editions of their applications at different times without engine...

Page 183: ...reen to build all of the templates you plan to use Make sure that both the developer key and Sentinel Key are attached to the system 2 In License Manager click the first icon beside the license group...

Page 184: ...late is worked upon If the original license template is updated its copy in the License Manager screen must be updated as well 1 Build the updated template in the License Designer screen 2 Remove the...

Page 185: ...Click OK Removing Groups To remove a group 1 In License Manager click the first icon beside the license group name The Group Management dialog box appears 2 Select the group you want to remove 3 Click...

Page 186: ...appears 4 Specify a path to write the file 5 Provide the same File Encryption Key FEK used earlier when you programmed the distributor key see page 180 6 Click OK Viewing Group Layouts The group layo...

Page 187: ...required after a protected application is compiled protected already To modify default feature values 1 Load a group from the Group Management dialog box 2 In the group layout select the default feat...

Page 188: ...at only the Add button is enabled all other options remain disabled 3 Modify the values as desired You cannot override the maximum limits specified 4 When done click Add Add Templates to Groups You c...

Page 189: ...export the license group files 1 Using the Group Management dialog box load the group from which the license group files are to be exported 2 In License Manager click the Export File Manager icon to...

Page 190: ...16 ASCII characters 4 In the Confirm Password field enter the same password for confirmation 5 Click OK Note Do not forget the password to unlock the group If you forget your password there is no b...

Page 191: ...icensing values right before programming hardware keys without having to change the protection strategy created in the License Designer screen The FAQs below provide more information Question 2 What...

Page 192: ...on zero value in the License Designer screen To modify the user limit select the license template in the group layout to view its existing user limit see the screen shot below Click OK after modifying...

Page 193: ...e keys being programmed you can create multiple feature instances each with different set of licensing values Select the feature name top most item in the feature node in the group layout If you had s...

Page 194: ...ked Unlock a group using the steps described in the Sentinel Keys Toolkit Help Question 5 Can my distributor also create groups and modify licensing settings No A distributor can only receive the grou...

Page 195: ...e to Group dialog box I am unable to select a license template what could be the reason This could happen when the license template was updated in the License Designer screen but was not built to refl...

Page 196: ...Chapter 8 License Grouping 178 Sentinel Hardware Keys Developer s Guide...

Page 197: ...ing APIs Programming Sentinel Keys using Sentinel Keys Toolkit Given below are the steps for programming Sentinel Keys in the Toolkit 1 Load the group for which you want to program the Sentinel Key wi...

Page 198: ...lates that you want to allow them to program Corresponding to every group is a distributor key that contains a metering count optional to track how many licenses they programmed Note The group file lg...

Page 199: ...an be programmed by your distributor Metered Specify a value between 1 to 65535 The metering count will be decremented by one for each license programmed 5 Specify a File Encryption Key FEK Make sure...

Page 200: ...ility while his distrib utor key is connected to his system to generate a request code 2 Tell your distributor to send the request code to you using an e mail or file 3 Create a distributor key action...

Page 201: ...from the Group Management dialog box 2 In the layout select the required licenses templates using the check boxes You can create a file containing multiple licenses having one instance per feature 3 C...

Page 202: ...he Key Programming API Help Steps for Using the Key Programming APIs Given below are the three major steps involved in programming Sentinel Keys using the Key Programming APIs 1 Generate a License Gr...

Page 203: ...d then program it onto the end user token DIS Distributor The DIS file contains information related to licenses and features to be programmed in the end user token using the Key Programming API libra...

Page 204: ...on RTC keys field The default is 0 Note You may also define view additional comments by clicking the Add comments to the file hyperlink DIS Specify the File Encryption Key as programmed on the Distri...

Page 205: ...file information using the Key Programming API library Please refer to the Key Programming API Help for more information on implementing the Key Programming APIs into your solution Step 3 Compiling y...

Page 206: ...Linux and Macintosh system you can program up to 32 USB keys at a time However the time taken will be according to the number of hardware keys attached Please also make sure of the following Do not at...

Page 207: ...ase make sure that you use cold plastic or conductive plastic to avoid any further damage Question 4 Is it possible to reprogram the already programmed hardware keys Yes Question 5 Are there any log f...

Page 208: ...uide Question 6 Is Sentinel Keys Toolkit the only utility using which I can program my Sentinel Keys No You have several other options for doing so Sentinel Hardware Keys offer different interfaces fo...

Page 209: ...rs Utility Executable developed out of the Key Programming APIs Developer Developer Key ISV file Only a Developer along with a Developer Key can generate this file and then program it onto the end use...

Page 210: ...n interface designed by you Question 9 How to create an update packet using the Key Programming APIs For information on how to create an update packet please look for the SampleUpdate folder located...

Page 211: ...used by either the Key Programming APIs or the Secure Update Library define SP_PACKET_TYPE_ONE Creates a license image for the Key Programming API define SP_PACKET_TYPE_TWO Creates a license image fo...

Page 212: ...Chapter 9 Programming Sentinel Hardware Keys 194 Sentinel Hardware Keys Developer s Guide...

Page 213: ...Part 4 Distributing Protected Applications Checklist of redistributables for customers and distributors Information on deploying the redistributables...

Page 215: ...ustomers Please make sure that you are familiar with your application s licensing and protection strategy so that you can choose the appropriate items for deployment Checklist for Customers And Distri...

Page 216: ...y for Windows when you associated the Secure Update Wizard for remote updates 9 Sentinel Data Protection Driver only Windows Required only when you have either of the following in Shell Encrypted data...

Page 217: ...including related items like the Sentinel Keys Server configuration file and Sentinel Keys License Monitor For Windows The Sentinel Protection Installer provides various installation options includin...

Page 218: ...he Sentinel System Driver KEXT Sentinel Keys Server Daemon and Sentinel Framework1 You need to ship the complete contents of the Sentinel Keys Protection Installer directory The Sentinel Keys Protecti...

Page 219: ...Server must be installed on the networked system where the Sentinel Key is attached For platforms supported and installation path refer to Sentinel Keys Server on page 33 How to Deploy Please refer to...

Page 220: ...File Template For Linux installdir Configuration File Template For Macintosh installdir Configuration File Template Note The Sentinel Keys Server configuration file is deployed along with the Sen tin...

Page 221: ...as the executable above chm Help file available at installdir Secure Update Secure Update Utility Language packs en_US Note If you are shipping a chm file you may also need to ship hhupd exe and hhact...

Page 222: ...oy The Secure Update Wizard needs to be deployed on a Windows based customer s system only if you are planning to update Sentinel Keys remotely and not using the Secure Update utility or API functions...

Page 223: ...can obtain its copy from the following location in your Sentinel Keys SDK installation installdir Secure Update Update Wizard INTF UpdateWizard API Function Format unsigned short UpdateWizard SPP_UPDA...

Page 224: ...e Update Wizard 508 SP_ERR_EXCEPTION_ERROR An exception error occurred within the Update Wizard 509 SP_ERR_INVALID_CLIENT_LIB Not a valid Secure Update DLL 510 SP_ERR_CABINET_DLL The CABINET DLL is no...

Page 225: ...at typedef struct SP_UPDATE_WIZARD_INFO DWORD size DWORD wndHandle long spawnAndWait long enableTryButton long daysLeft long executionsLeft long minutesLeft char configFile SP_MAX_PATH_LEN 230 SP_ERR_...

Page 226: ...to 1 to run and wait A value of 0 will run the Update Wizard and return immediately enableTryButton This member defines the state of the Try button on the Update Wizard It has the following values DI...

Page 227: ...atus line on the Update Wizard screen indicating to the customer how many executions are left for a trial period Define a value of 0 to indicate that the trial period has expired and 1 or undefined to...

Page 228: ...stem folder and required registry entries are made WINDOWS SYSTEM SENTDATA VXD WINDOWS SYSTEM INSTDRVR EXE Otherwise you can modify this installation program for your own installation needs we have p...

Page 229: ...e installer returns a 1 Deploying Stand alone License Manager When to Deploy You need to provide the stand alone License Manager application to your product distributors resellers so that they can pro...

Page 230: ...USB hubs cables and connectors to attach multiple USB keys on your system CD ROM if installing using a CD Operating System Windows Windows 2000 Windows XP 32 bit and x64 or Windows Server 2003 32 bit...

Page 231: ...utor The license_manager english directory contains the sklm_install sh script to allow installation of License Manager and related items You need to ship the complete contents of the License Manager...

Page 232: ...he Help How to Deploy Distribute the complete contents of the directory path mentioned below along with the index htm page The index htm page is used for launching the System Administrator s Help For...

Page 233: ...the following path on a Windows x64 system OS drive Program Files x86 Common Files SafeNet Sentinel Sentinel Keys Server On Linux opt safenet_sentinel common_files sentinel_keys_server On Macintosh A...

Page 234: ...y entries hence free you from the burdensome task of creating entries manually Also using merge modules the above mentioned Sentinel Key redistributables are installed and uninstalled with your applic...

Page 235: ...your customers to download the latest version of the Sentinel Protection Installer themselves from http www safenet inc com support tech sentinel asp A copy of the self extracting installer is availa...

Page 236: ...Chapter 10 Redistributables for Customers and Distributors 218 Sentinel Hardware Keys Developer s Guide...

Page 237: ...safenet inc com search asp Sentinel Keys Toolkit Help integrated with the Toolkit for a list of Shell and API specific error codes Problems and Solutions Problem Time Date Tampering You are using Sent...

Page 238: ...The Multi layer option has a large effect on application startup time Under the License Design section select the Shell tab and then click Edit Select the Security tab and under the Advance Options i...

Page 239: ...acking up the Templates Features and Groups You want to back up the templates features and groups generated in the toolkit Solution By default there are two directories to backup the templates feature...

Page 240: ...orming Silent Command Line Driver and Server Install You want to know what files are needed to perform a silent command line driver and server install Solution Use the command setup v qn ADDLOCAL USB_...

Page 241: ...erver Solution UDP port 7001 In case UDP port 7001 is blocked open the port in the advanced option of the IP firewall Note This applies to networked implementation of security only Problem Monitoring...

Page 242: ...ttings specified Launch the License Monitor successfully after customizing the above settings in Internet Explorer running on a Windows 2003 64 bit system with Java Runtime Environment JRE 1 6 0 Prob...

Page 243: ...needs to be installed on a Super Pro and or UltraPro key server computer 7 Plug in the key s 8 Download the Medic utility from the location http www safenet inc com support files SuperproMedic exe or...

Page 244: ...ich version of NET Framework will be used A Sample appname exe config is as follows configuration startup requiredRuntime version v1 1 4322 safemode true startup configuration Problem Runtime error me...

Page 245: ...ependency assembly Problem Building Multiple Applications to a Single Key You want to build multiple applications to a single key Solution Use the following series of steps to build multiple applicati...

Page 246: ...eys using Remote Desktop However you cannot program keys connected to a different computer Problem The application receives a SP_ERR_INVALID_LICENSE error The application receives a SP_ERR_INVALID_LIC...

Page 247: ...figuration file Problem The application receives a SP_ERR_PROTOCOL_NOT_INSTALLED error The application receives a SP_ERR_PROTOCOL_NOT_INSTALLED error Solution This error is encountered when the protoc...

Page 248: ...protect the file Clear the read only attributes in the file s Properties dialog box then try again Problem Releasing a License You have closed the Shell protected application on your system to free...

Page 249: ...shelled exe is located 3 Running the Shelled exe now should execute it fine Note The sgen exe utility can be found in Program Files Microsoft Visual Studio 8 SDK v2 0 Bin folder of Visual Studio Inst...

Page 250: ...Keys You are unable to program the hardware keys Solution An error can occur while programming hardware keys due to hardware or software reasons You should verify the hardware key is firmly connected...

Page 251: ...nd are ready to package the hardware keys for shipping please make sure that you use cold plastic or conductive plastic to avoid any further damage Problem Error Programming a Distributor File You get...

Page 252: ...Appendix A Troubleshooting 234 Sentinel Hardware Keys Developer s Guide...

Page 253: ...re information Action Refers to a collection of remote update commands AES Short for Advanced Encryption Standard an industry standard symmetric key encryption algorithm You can use it through the AES...

Page 254: ...hms for a comparable key size Typically the former are used for encrypting the hash values and symmetric session keys which are comparatively much smaller in size than bulk data B Bidirectional Code...

Page 255: ...rce code It is a good reference when you are not sure which API functions are relevant for your particular strategy The code sketch is written into an HTML file present in the Toolkit working folder I...

Page 256: ...eys provided by SafeNet to the developer You can view the developer ID in the Key Status panel of the Toolkit Developer Key The hardware key must to be used for preparing the application protection st...

Page 257: ...menting public key cryptography ECC is primarily used for creating digital signatures signed with a private key and verified with the public key ECKAS is used for key exchange to create a shared secre...

Page 258: ...en The Sentinel Key used to protect the applications being used by an individual or an organization Execution Count The number of times the application will run for It can be a value between 1 and 65...

Page 259: ...uted at 1500 hours of 30 September 2007 Therefore the application will expire at 1600 hours of 30 September 2007 Note If you are creating the licensing strategy much in advance and expect that the exp...

Page 260: ...API features are added in the License Designer screen the default feature instances are said to be created Additional new feature instances can be added in the License Manager screen while creating g...

Page 261: ...g a license template For example SentinelKeysLicense h for Visual C It contains important information for your license strategy including the license ID feature ID software key query response table if...

Page 262: ...re parties to exchange keys in cryptosystems Courtesy http www rsasecurity com Key Programming APIs A set of API functions that enable you to create your own programming utility or a stand alone exec...

Page 263: ...nd developer ID for finding your Sentinel Keys on the customers site License Sharing When multiple instances of a protected application on a seat can be run using one license A seat represents a user...

Page 264: ...m where the Sentinel Keys Server and Sentinel System Driver are also installed For stand alone applications the Sentinel Key must be attached to each workstation Network Keys A network key allows mult...

Page 265: ...the Sentinel Key You program your application to send queries to the Sentinel Key The Sentinel Key scrambles the string using the AES algorithm and returns a response to the application Query Respons...

Page 266: ...t Key A secret key generally refers to the key in a secret key cryptography system in which both sides use the same key It may also refer to the private key in a public key cryptography system because...

Page 267: ...n module KEXT is provided Sentinel Keys License Monitor The Sentinel Keys License Monitor shows the details of the Sentinel Keys and clients accessing them via a Web browser It is a convenient way to...

Page 268: ...command line shelling suppresses the display of information related to shell features present in the license template file For example source file destination path shelling layer level etc Software...

Page 269: ...y for each user that will be running the application Stand alone Keys Refers to the Sentinel Keys with zero 0 hard limit It is typically connected to a user s local workstation providing access to the...

Page 270: ...o a specified Sentinel Hardware Key with a particular Serial Number Universal Binary A universal binary is an executable file that runs natively on both PowerPC and Intel based Macintosh computers whi...

Page 271: ...and ready for use Sentinel Keys are USB 2 0 compliant User limit A soft limit that restricts the number of users allowed by the hard limit Otherwise the number of users allowed is equivalent to the h...

Page 272: ...SV The ISV file contains basic information about the licenses and features a protection strategy consists of and to be programmed in the end user token using the Key Programming API library Only a Dev...

Page 273: ...Safety Compliance FCC Part 15 Subpart B CLASS B CE EN55022 1998 CLASS B EN55024 1998 CLASS B VCCI CAN CSA V3 2001 04 VCCI CISPR 22 1997 CLASS B UL 94V 0 Material Flammability Environmental Characterist...

Page 274: ...atic Current 60mA max Operating Current 60mA max Suspend Current 1mA typ 1 5mA max LED Circuit Power Consumption 69mW typ Data Retention More than 200 years Memory Cycle Life 1 000 000 erase write cyc...

Page 275: ...ys In Stage 1 you will be creating a customer base for Sentinel Hardware Keys by distributing Sentinel Dual Hardware Keys instead of SuperPro or Ultra Pro These keys have support for your current prot...

Page 276: ...a small modification described below before they program the design into Dual Keys Note that in stage 1 you need not do any modifications in the application code or API implementation In the Protecti...

Page 277: ...representative 2 After installation use the Sentinel Keys Toolkit to implement superior Shell and or high level Business Layer API protection including AES based encryption decryption and ECC based s...

Page 278: ...age 1 New Customers Who Do Not Have Sentinel Dual Hardware Keys You can program Sentinel Hardware Keys for customers who are buying your software for the first time You will need to ship them New appl...

Page 279: ...2 B Boolean feature about 42 adding 111 building template 114 Business Layer API 115 C cheat counter 139 148 checklist redistributables 197 checksum code 157 code sketch 116 237 command 136 237 Comman...

Page 280: ...ementing 187 steps for using 184 Key Status panel 23 key secret 244 248 L lease attribute 68 license 244 license addition code 131 245 License Designer about 22 license ID 245 License Manager Export F...

Page 281: ...al number 250 SFNTGetLicense 159 Shell SDK module 46 72 Shell feature about 45 adding files 66 customizing messages 73 customizing shell error message title 73 file encryption 74 files supported 83 li...

Page 282: ...Index 264 Sentinel Hardware Keys Developer s Guide...
