A Robust Approach to Prevent Software Piracy

Ajay Nehra, Rajkiran Meena, Deepak Sohu, and Om Prakash Rishi

Abstract-- Software piracy is a main concern in today's world. Many techniques have been proposed and implemented to stop it. In this paper we refine a newly proposed technique, "Software Piracy Prevention through SMS Gateway", to make it more stable and effective against piracy. The targeted approach is based on an SMS gateway service to install software on a system, but the technique leaves some problems untouched, i.e. issues related to the MAC address, time offset and man-in-the-middle attack (MiTM) [1]. In the refined approach the server, instead of the client, initiates the authentication process at regular time intervals, and this increases the effectiveness of the technique.

Index Terms—piracy, anti-piracy, software protection, piracy prevention, SMS gateway

I. INTRODUCTION

Unlawful creation and distribution of any software is considered software piracy, and it results in a violation of software copyright. The roots of software piracy may lie in the early 1960s, when computer programs were freely distributed with mainframe hardware by hardware manufacturers. In the late 1960s, manufacturers began selling their software separately from the required hardware. Some file sharing programs like 'BitTorrent' and 'Napster' also contribute to software piracy. According to BSA statistics, the piracy rate increased from 2% to 43% in a short span, just because of the highly demanded PC market in developing countries like India, China and Brazil. As of 2008, piracy practices have reached considerable levels in France, where the piracy rate is estimated at 45% and the calculated loss of income for software developers was about 2.9 billion Euros [2].

Ajay Nehra is an M.Tech. student in the Department of Computer Science and Engineering, Central University of Rajasthan, Kishangarh, India (e-mail: [email protected]). Rajkiran Meena is an M.Tech. student in the Department of Computer Science and Engineering, Central University of Rajasthan, Kishangarh, India (e-mail: [email protected]). Deepak Sohu is an M.Tech. student in the Department of Computer Science and Engineering, Central University of Rajasthan, Kishangarh, India (e-mail: [email protected]). Om Prakash Rishi is with the Department of Computer Science and Engineering, Central University of Rajasthan, Kishangarh, India (e-mail: [email protected]).

978-1-4673-0455-9/12/$31.00 ©2012 IEEE

II. RELATED WORK

Many approaches have been proposed and implemented to prevent software piracy, but still no approach is completely able to stop it [3]. Some people gave the concept of a hardware key (dongle) to use software. The dongle significantly increases the level of security in a non-linear way, because a hardware key is an external device that is controlled and protected by the security solution provider and not the end user [4]. Another approach is the Client Side Component (CSC), which can be integrated with any software. In this approach, the CSC is delivered to the software developer, who integrates it in the partially developed software, and the final product (software with integrated CSC) is delivered to the client. The client then makes an activation request to install the software through the internet by sending a unique set of hardware characteristics of the client machine. The Server Side Component collects the secure information and stores it in the SoftLock data store on the system. An activation command is sent from the server-based software to the client [5]. In another approach, software piracy is prevented by the use of a software birthmark, i.e. a set of intrinsic characteristics of a software program or program module. In this approach, a birthmark is created for each piece of software and then compared to other software birthmarks to estimate the similarity between them [6]. To prevent copyright infringement, a smart approach is proposed to make every system only able to read copyright information. This may require some new hardware in our existing systems, but it will improve the efficiency of the system against pirated documents and can block access to the data [7]. The most recent technique suggested for preventing software piracy, "Software Piracy Prevention through SMS Gateway", is used by the user system to communicate with the authentication server.

III. ISSUES IN SOFTWARE PIRACY PREVENTION THROUGH SMS GATEWAY APPROACH

Normally software piracy prevention approaches consider the issues related to the MAC address, time offset, and man-in-the-middle attack (MiTM). But in this approach these issues remain untouched. The targeted approach uses XORing of entities like the date and the MAC address, which may be interpreted ambiguously.

A. MAC Address

The MAC address of any machine depends on its NIC card. If a machine has two or more NIC cards then it will not have a unique MAC address. Suppose a machine has a LAN card and a wireless card; then each NIC has its own unique MAC address and will be treated accordingly [8]. So if a user installs the software a second time on that machine using a different NIC card, it will show an error message, and that is not fair to the client machine.

B. Time Offset

As we know, local time relative to UTC varies from location to location, and so does the date. In the targeted approach, the XOR of the date and the MAC address is sent to the server, and in response the server sends the XOR of the unique id and the server date to the client. The date on the client and server side may differ due to different time offsets at different geographic locations. Whenever the server tries to retrieve the MAC address (by XORing the received digest with the current local server date) it may misinterpret it and get a wrong MAC address for that machine. In the other direction, when the server sends the digest of the unique code and the current date, the user machine may also misinterpret the unique code, and whenever the client enters the unique code in the installation process, the process will terminate with an error message that the unique code is not correct, and a genuine user will not get the services he requires. For example, suppose a piece of software is installed in New Delhi (UTC+05:30) and the verifying server is in Alaska, USA (UTC-09:00). Let us assume the date and time in Delhi are 23rd August 2011, 12:31; at the same moment the Alaska server will show the time 22:01 and the date 22nd August 2011. So if the client is installing at the above-mentioned date and time, the server will interpret the wrong MAC of the machine. And in the same case, whenever the client receives the XOR of the unique id and the date, the client will also misinterpret the unique id and an error message will be encountered.
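To make the time-offset failure concrete, the following Python example (added here; it is not code from the paper or its authors) models the targeted approach's XOR of the date and the MAC address with constructed values: a hypothetical MAC address, the Delhi and Alaska clocks from the text, and an integer YYYYMMDD date encoding, which is an assumption since the paper does not say how the date is represented. It also shows that deriving the date from UTC on both sides, a mitigation suggested here rather than taken from the paper, removes the ambiguity.

```python
from datetime import datetime, timedelta, timezone

# Constructed values: a hypothetical 48-bit MAC and the two zones named in
# the text (New Delhi UTC+05:30, Alaska UTC-09:00).
MAC = 0x001A2B3C4D5E
DELHI = timezone(timedelta(hours=5, minutes=30))
ALASKA = timezone(timedelta(hours=-9))


def date_int(dt):
    """Encode the calendar date of dt as an integer YYYYMMDD (assumed encoding)."""
    return int(dt.strftime("%Y%m%d"))


def client_digest(mac, client_clock):
    """Client side of the targeted approach: XOR of the local date and the MAC."""
    return mac ^ date_int(client_clock)


def server_recover_mac(digest, server_clock):
    """Server side: XOR the digest with the server's own local date."""
    return digest ^ date_int(server_clock)


def exchange(mac, instant, client_tz, server_tz, normalise_to_utc=False):
    """Run one MAC submission at a single instant seen from two time zones.

    Returns the MAC the server believes it received. With normalise_to_utc
    both sides take the date from UTC instead of their local clocks.
    """
    zone_c = timezone.utc if normalise_to_utc else client_tz
    zone_s = timezone.utc if normalise_to_utc else server_tz
    digest = client_digest(mac, instant.astimezone(zone_c))
    return server_recover_mac(digest, instant.astimezone(zone_s))


# 23 Aug 2011 12:31 in Delhi is 07:01 UTC, which the Alaska server shows as
# 22:01 on 22 Aug 2011: the two sides disagree on the calendar date.
INSTANT = datetime(2011, 8, 23, 12, 31, tzinfo=DELHI)


def main():
    wrong = exchange(MAC, INSTANT, DELHI, ALASKA)
    right = exchange(MAC, INSTANT, DELHI, ALASKA, normalise_to_utc=True)
    print("alaska clock :", INSTANT.astimezone(ALASKA).strftime("%d %b %Y %H:%M"))
    print(f"local dates  : server sees {wrong:012x} (real MAC {MAC:012x})")
    print(f"UTC on both  : server sees {right:012x}")


if __name__ == "__main__":
    main()
```

With the local dates 20110823 and 20110822 the two XORs differ by a single bit, so the server ends up with a MAC one bit away from the real one and rejects a genuine installation. Note also that server_recover_mac needs no secret: anyone who sees the digest and knows the date obtains the MAC, which is the weakness section C describes.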

C. Man in the Middle Attack (MiTM)

In this approach, no one focuses on data security while it is in transmission. A third person can easily capture all the data packets and can easily get the unique code without actually buying the product [9]. Initially, whenever the client sends the XOR of the current date and the MAC of its machine, the middle person simply captures the packet, can retrieve the MAC of that machine by XORing the current date with the captured data, and saves it for a future attack. Now whenever the server sends the packet with the product (XOR of the unique id and the current date), the middle man can also capture the packet and retrieve the unique code by simply XORing the current date with the captured data. The middle man then has the unique id (the only item necessary to run the software) without actually paying for it.

IV. PROPOSED APPROACH

The most recent approach discussed uses an SMS gateway in order to overcome the problem of software piracy, but it is still unable to prevent software piracy completely. In this paper, we suggest an approach that depends on a server-based challenge, in which the server initiates the authentication process and identifies the genuine software copy. The server starts the process by sending the authentication challenge to the client; the client then responds to it and the server verifies the response. After getting the expected reply from the client, the server sends a status message to the client, by which the client machine decides what should be done next. Figure 1 shows the overall flow of the system.

Fig. 1. Overall flow of the system

In the proposed technique, at the time of purchasing the software, the authentication server maintains an association between the serial number SN and a mobile number MN. The server starts the process by sending a periodic challenge to each of its clients on the registered mobile number: it sends its timestamp Ts along with the hash of the timestamp H{Ts} encrypted with the server's private key SKr, i.e. the server sends Ts+E(SKr,H{Ts}), which provides integrity with authentication, and then waits for the client's response. The client receives the challenge and compares the hash of the received timestamp, H{Ts}, with D(SKu,E(SKr,H{Ts})), i.e. the hash of the server timestamp decrypted with the server's public key SKu. Otherwise, if the client does not receive a challenge at the fixed period, or the received hash is not equal to the calculated hash (i.e. the challenge has been tampered with), the software uninstallation process starts.

Fig. 2. Server side flow diagram.

The client sends a response which includes the client timestamp Tc, Ts, the serial number SN, a random number RN (the client software generates a random number for every challenge) and E(CKr,H{Tc+Ts+SN+RN}), where CKr is the client's private key. The server checks the authenticity of the response by decrypting the hash with the client's public key CKu, and its integrity by calculating the hash and comparing it with the decrypted hash. If H{Tc+Ts+SN+RN} is not equal to D(CKu,E(CKr,H{Tc+Ts+SN+RN})), or SN is associated with a different mobile number MN, then the server prepares a STATUS message Tc+Ts+RN+STATUS_FAIL, which is encrypted with CKu to provide confidentiality; it then generates the hash of that ciphertext, H{E(CKu,Tc+Ts+RN+STATUS_FAIL)}, to provide integrity, and finally encrypts it using the server's private key, i.e. E(SKr,H{E(CKu,Tc+Ts+RN+STATUS_FAIL)}), to provide authentication, and sends it to the client. Otherwise, the server sends E(CKu,Tc+Ts+RN+STATUS_SUCCESS)+E(SKr,H{E(CKu,Tc+Ts+RN+STATUS_SUCCESS)}) to the client through SMS on the service-providing server number. Figures 2 and 3 are systematic flow charts of the server and client respectively.
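The whole exchange described above, i.e. the server's Ts+E(SKr,H{Ts}) challenge, the client's Tc+Ts+SN+RN+E(CKr,H{...}) response, the SN-to-MN check and the signed, encrypted STATUS message on which the client decides whether to keep running or uninstall, as an added Python simulation; it is not code from the paper or its authors. Because the paper only requires "any asymmetric encryption/decryption algorithm", the example uses a textbook-RSA stand-in with fixed Mersenne primes and no padding so that it runs on the standard library alone. The key sizes, the byte encodings of Tc, Ts, SN and RN, the SN-to-MN registry contents and the SMS transport (modelled as direct function calls) are all assumptions.

```python
import hashlib
import struct

# ---- Toy asymmetric primitive (constructed stand-in, not from the paper) ----
# Textbook RSA with fixed Mersenne primes and no padding, so the example runs
# on the standard library alone. It only models the E()/D() operations the
# protocol needs; a deployed system would use a proper signature and
# encryption scheme (e.g. RSA-PSS and RSA-OAEP) with freshly generated keys.
E_PUB = 65537

def make_keypair(p, q):
    """Return (public, private) keys as (exponent, modulus) tuples."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E_PUB, n), (pow(E_PUB, -1, phi), n)

SERVER_PUB, SERVER_PRIV = make_keypair(2**61 - 1, 2**89 - 1)     # SKu, SKr
CLIENT_PUB, CLIENT_PRIV = make_keypair(2**107 - 1, 2**127 - 1)   # CKu, CKr

def h(data, n):
    """H{data}: SHA-256 reduced into the modulus so textbook RSA can sign it."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):           # E(Kr, H{data})
    d, n = priv
    return pow(h(data, n), d, n)

def verify(pub, data, sig):     # H{data} == D(Ku, E(Kr, H{data}))
    e, n = pub
    return pow(sig, e, n) == h(data, n)

def encrypt(pub, msg):          # E(Ku, msg) for a message shorter than the modulus
    e, n = pub
    m = int.from_bytes(msg, "big")
    assert m < n, "message too long for the toy modulus"
    return pow(m, e, n)

def decrypt(priv, ct, length):  # D(Kr, ct) back to a fixed-length byte string
    d, n = priv
    return pow(ct, d, n).to_bytes(length, "big")

# ---- Message layouts (assumed encodings; the paper fixes none) ----
STATUS_SUCCESS, STATUS_FAIL = 1, 0
RESP_FMT = ">IIQI"                         # Tc, Ts, SN, RN
STATUS_FMT = ">IIIB"                       # Tc, Ts, RN, STATUS
STATUS_LEN = struct.calcsize(STATUS_FMT)   # 13 bytes, fits the toy modulus
CT_LEN = 32                                # ciphertext serialised for hashing

# ---- Server side ----
def server_challenge(ts):
    """Ts + E(SKr, H{Ts}): the timestamp plus its signed hash."""
    return ts, sign(SERVER_PRIV, struct.pack(">I", ts))

def server_handle_response(registry, sender_mn, resp):
    """Check the client's response and build E(CKu, STATUS) + E(SKr, H{...})."""
    tc, ts, sn, rn, sig = resp
    ok = verify(CLIENT_PUB, struct.pack(RESP_FMT, tc, ts, sn, rn), sig)
    ok = ok and registry.get(sn) == sender_mn      # SN must belong to this MN
    status = STATUS_SUCCESS if ok else STATUS_FAIL
    ct = encrypt(CLIENT_PUB, struct.pack(STATUS_FMT, tc, ts, rn, status))
    return ct, sign(SERVER_PRIV, ct.to_bytes(CT_LEN, "big"))

# ---- Client side ----
def client_check_challenge(ts, sig):
    """Accept the challenge only if the server's signature over Ts verifies."""
    return verify(SERVER_PUB, struct.pack(">I", ts), sig)

def client_response(tc, ts, sn, rn):
    """Tc + Ts + SN + RN + E(CKr, H{Tc+Ts+SN+RN})."""
    return tc, ts, sn, rn, sign(CLIENT_PRIV, struct.pack(RESP_FMT, tc, ts, sn, rn))

def client_decide(expected, ct, sig):
    """'run' only if STATUS is authentic, intact, echoes Tc/Ts/RN and is _SUCCESS."""
    if not verify(SERVER_PUB, ct.to_bytes(CT_LEN, "big"), sig):
        return "uninstall"
    tc, ts, rn, status = struct.unpack(STATUS_FMT, decrypt(CLIENT_PRIV, ct, STATUS_LEN))
    if (tc, ts, rn) != expected or status != STATUS_SUCCESS:
        return "uninstall"
    return "run"

def run_round(registry, sender_mn, sn, ts, tc, rn, tamper_challenge=False):
    """One challenge/response/STATUS round over a simulated SMS link."""
    ts, sig = server_challenge(ts)
    if tamper_challenge:
        ts += 60                    # altered in transit: H{Ts} no longer matches
    if not client_check_challenge(ts, sig):
        return "uninstall"
    resp = client_response(tc, ts, sn, rn)
    ct, sig2 = server_handle_response(registry, sender_mn, resp)
    return client_decide((tc, ts, rn), ct, sig2)

if __name__ == "__main__":
    reg = {4242: "+91-0000000000"}  # constructed SN -> MN association
    print(run_round(reg, "+91-0000000000", 4242, 1314000000, 1314000005, 7))
    print(run_round(reg, "+91-1111111111", 4242, 1314000000, 1314000005, 7))
```

The first call prints "run" (the serial number is registered to the sending mobile number), the second "uninstall" (same serial number, different number, which is how the scheme detects a copied installation). The client compares the echoed Tc, Ts and RN with the values it sent, so a STATUS message captured from an earlier round cannot be replayed to keep a revoked copy alive.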

Fig. 3. Client side flow diagram.

The client software checks the authentication and integrity of the STATUS message and retrieves the decrypted STATUS. If the status is _SUCCESS and the received RN, Tc and Ts are the same as those sent, the software will run uninterrupted until the next challenge; otherwise the software will uninstall. The proposed technique has been worked out theoretically and is in the process of experimental implementation. The experimental results will be discussed in a subsequent publication.

V. THEORETICAL PROOF FOR CORRECTNESS

Let us break the whole process into steps and verify each step in reverse order. After the client receives Ts+E(SKr,H{Ts}), it can verify the authenticity of the sender by decrypting the hash using the key SKu, and the integrity of the timestamp Ts by comparing the calculated and received hash; that means no fake server and no fake request. Now if the server receives Tc+Ts+SN+RN+E(CKr,H{Tc+Ts+SN+RN}), it will ensure the client's authenticity and integrity in the same way, which means no replay attack. Again, the client will detect a false response in the same way. The proof is purely theoretical and can be verified by using any asymmetric encryption/decryption algorithm.

VI. CONCLUSION AND FUTURE WORK

In this paper, we proposed an SMS gateway based technique; checking the authenticity of the software at every fixed time interval gives it the advantage of identifying fake, unauthorized users. Blocking such installed software then saves software companies from huge losses. But a manual response for each S/W on the client machine will be a tedious task, therefore we need to find an automation process.

REFERENCES

[1] Abhinav Kumar, Anant Kumar Rai, Ankur Kumar Shrivastava, Dhirendra Yadav, Monark Bag and Vrijendra Singh, "Software piracy prevention through SMS gateway", Networks and Intelligent Computing, 5th International Conference on Information Processing, ICIP 2011.
[2] Business Software Alliance, "Eighth annual BSA global software 2010 piracy study", May 2011.
[3] Attaya Heger, "Software piracy and producers developers' strategies", June 2009.
[4] Ireneusz J. Jozwiak and Krzysztof Marczak, "A hardware-based software protection systems – analysis of security dongles with time meters", Dependability of Computer Systems, DepCoS-RELCOMEX '07, 2nd International Conference, June 2007.
[5] Saadia Mumtaz, Sameen Iqbal and Engr. Irfan Hameed, "Development of a Methodology for Piracy Protection of Software Installations", 9th International Multitopic Conference, IEEE INMIC, Dec. 2005.
[6] Yasir Mahmood, Zeeshan Pervez, Sohail Sarwar and Hafiz Farooq Ahmed, "Method Based Static Software Birthmarks: A New Approach to Derogate Software Piracy", 2nd International Conference on Computer, Control and Communication, IC4 2009, Feb. 2009.
[7] Shamos Michael, "Machines as readers: A solution to the copyright problem", Journal of Zhejiang University Science, 2005, pp. 1179-1187.
[8] MAC address, en.wikipedia.org/wiki/MAC_address.
[9] Alberto Ornaghi and Marco Valleri, "Man in the Middle Attacks Demos", Blackhat Conference USA, 2003.