> OK I got a hold of Aaron's white paper from > http://www.ardiri.com/publications/palmsource2000.pdf
i have been meaning to write a revision 2 to this - specifically to cover how i did the DRM within our Lemmings product and the Tapwave Zodiac device :) - as you can see from the filename, its from 2000 :) > It's very good - more about protecting the software from being > copied rather than preventing data form being seen but does point > out that: > > "An applications algorithm is always open - to the point of being > able to read it in the operating systems assembly language." be sure to read the summary as well, you should only bother with this if you have the time/interest to as well :) there is a simple equation that you also need to put into play: time(to crack) >= time(required for someone to give up waiting) so, that way, if it takes too long/much effort to crack, the people who are waiting for the crack, that never comes will buy. but, there is also a small population that believe they'll never pay for an app :) > While the paper does provide techniques for protecting against this, > as Pascal says: > > "It is not because the algorithm is known that it is no longer secure !" > > So this is where I am: > > I will protect the application with a password. I should store the > password encrypted (or hashed). I also have to store the key on the > device and the user has to be able to decrypt the data - so I figure > I encrypt the key using the user's password. > > Of course, the users won't want to enter lengthy, strong passwords using > Graffiti. I figure that I should use RC4 with to encrypt the data. So, > I figure AES or 3DES is unlikely to improve on RC4 (especially if I use > "a key wider than 128 bits, avoiding weak keys and always skip the first > 256 bytes of output") - because the weak point of the system is that > the password gives access to the data. If my customer insists, I can > use AESLib to encrypt. > > I'm interested in the Aaron's dynamic key idea - any pointers about how > I implement that? take RC4, modify the 'dynamic key algorithm' slightly :) viola. done. the RC4 algorithm by default does swapping, i was doing modification to the key on every byte being encrypted. :) theoretically, after 256 calls - the key should look almost 100% different from the key i started out with. your key can be simple text buffers as well - in my implementation i put stuff like the customer name, email address, contact details inside. this also acted as a deterrant for them handing out the files to others - would you, a legit user pass on a registered data file that has your name inside it so someone can figure out how to break the DRM and then ship your binaries around the world? :) i have found a few people shipping the Lemmings level packs on certain boards, and - i have had some nice discussions with their parents (all orders come with a phone number). one particular case, i actually heard the father rip his son over to the phone and give him a serious hit. kid ran off screaming. what the father did was questionable, but - i can tell you that it gave that little kid a lesson :) oh well :) do yourself a favour, clear this with your client before you go any further. make sure they know what you are going to do. it will take a fair bit of work on your side to make it happen :) however, worst case - you can contact me for assistance offline. --- Aaron Ardiri PalmOS Certified Developer [EMAIL PROTECTED] http://www.mobilewizardry.com/members/aaron_ardiri.php -- For information on using the Palm Developer Forums, or to unsubscribe, please see http://www.palmos.com/dev/support/forums/
