Schneier on Security
A blog covering security and security technology.
April 13, 2005
The Doghouse: ExeShield
Yes, there are companies that believe that keeping cryptographic algorithms secret makes them more secure.
ExeShield uses the latest advances in software protection and encryption technology, to give your applications even more protection. Of course, for your security and ours, we won't divulge the encryption scheme to anyone.
If anyone reading this needs a refresher on exactly why secret cryptography algorithms are invariably snake oil, I wrote about it three years ago.
Posted on April 13, 2005 at 9:19 AM
• 21 Comments
Correction: This company doesn't "believe" that secrecy keeps the product more secure. Rather, they believe that not revealing how much it sucks helps keep them more profitable.
"Of course, for your security and ours, we won't divulge the encryption scheme to anyone."
That is OK; someone else likely will divulge their "encryption scheme" to everyone...
Their 'secret encryption' hasn't helped them very much - it only took me a couple of minutes to find a program on the internet to crack ExeShielded programs...
This is Intel assembler and N possible opcodes. Instead of days it will take weeks or months to break, but after you broke it once, the second time is trivial.
I wonder who pays money for this and how much?
Bruce, you're ignoring the kind of problem that this application tries to solve. They are making a tool to achieve something that's practically impossible. They "protect" the software that is to be executed by the user. The only thing that they can make is to protect it until somebody reverse engineers the code. So they must frequently change the algorithms.
For the goals they have, not publishing algorithms has a lot of sense.
"For the goals they have, not publishing algorithms has a lot of sense"
So what happens when someone finds a flaw in their scheme or perhaps even implementation of their scheme and publishes it to the world? Not only will they have to apply damage control but if their scheme has an intrinsic design flaw the product line is useless against this published knowledge. *all the while this could have been avoided by allowing peer review*
Security through obscurity really isn't the way to go when trying to protect anything that someone else really wants to get.
Yes, while not divulging the algorithm makes a bit of sense, the problem is that it creates a false sense of security for the customer. The customer believes that while the algorithm is secret, it can't be cracked. This is patently false, and anyone who cares to look can find generic cracks for this variety of protection. The actuality is that the customer is usually far better off integrating their own protection because the likelihood of a crack circulating goes down from 100% to something like 80% depending on popularity.
"They are making a tool to achieve something that's practically impossible. They "protect" the software that is to be executed by the user."
If you remove the word "practically", you'll be a bit closer to the truth...
I agree, security through obscurity is a terrible model. Just look at our current identity system and how it is based on trying to keep social security numbers and dates of birth secure through obscurity.
Your point that someone lifting the cloud of obscurity from ExeShield's algorithm and causing the system to be worthless is spot on. Just look at the identity system we have and how all of the data aggregators out there are removing obscurity from the system and how that has been turning out!
Any system based on information not being freely available is eventually going to fail.
I'm sorry but Bruce chose a crap example here. Look at the website - no FAQ, no technical details, customer links are mailto: . How dodgy is that? Be honest, would you buy from these lot? Along with 99% of the reasonably sane software community I wouldn't.
I see they have a free trial version available on their site. I wonder if they've secured it with their own technology -- that would be the ultimate piracy deterrent!
You download the trial, get a crack for the security, then use it to secure your own sof... Doh!
(The flaw being that you penalise your paying customers)
And in other news (mentioned in Larry Osterman's blog entry):
It turns out that on VW cars (and other manufacturers), the pattern for the door key is based on the VIN for the car.
I guess you could argue that anyone with the equipment to cut keys from the VIN would do better to just get some master keys for that make/model.
(Car models do have master keys, don't they? Or was that part of "Gone in 60 seconds" not factual?)
@"Anonymous at April 13, 2005 11:57 AM"
Soon, once the computers run the TCPA/Palladium based OS, there will be a change from "practically impossible" to "practically possible".
Bruce, Exeshield may belong in the doghouse, but not quite for the reason you state. If you read their website further, they state the program uses RSA keys. The problem is, like all DRM schemes, the user must simultaneously possess the key, yet be unable to access them. This is an impossible task (at least, until Palladium), so the best anyone can do is hide the keys with an obscure algorithm.
A more accurate name for Exeshield would be a code obfuscator, rather than
If you look closely at this program it is not an encryption tool. It allows developers to create trial software to the end user. The program encrypts the code section of an executable using Rijndael which gets decrypted when the executable is executed. It can't encrypt anything else, so it is not really an encryption program. A key is not needed to execute a win32 executable, they just run when you click on them, so in this case a lot of these programs get cracked often and the developers have to update the encryption or the keys being used. Not publishing the encryption scheme in this case is a good move. Also, if you look at their website, they have an export license from U.S. Department of Commerce, Bureau of Industry & Security.
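Added example, not part of the original post or its comments and not ExeShield's code: a toy container showing why a protector whose output runs on a plain double-click has to ship the decryption key inside the file, leaving the undisclosed layout as the only barrier. The container format, the MASK constant and the SHA-256 keystream standing in for Rijndael are all assumptions made for illustration.

```python
import hashlib
import os
import struct

MAGIC = b"TOYSHLD1"  # constructed container tag, not any real product's format
# The vendor's "undisclosed scheme": a fixed mask compiled into every loader stub.
MASK = hashlib.sha256(b"undisclosed-scheme").digest()[:16]


def keystream(key: bytes, n: int) -> bytes:
    """SHA-256 in counter mode, standing in for Rijndael (assumption)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(out[:n])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect(code: bytes) -> bytes:
    """Vendor side: encrypt the code section and ship the key beside it."""
    key = os.urandom(16)
    hidden_key = xor(key, MASK)  # obscured, not protected
    body = xor(code, keystream(key, len(code)))
    return MAGIC + hidden_key + struct.pack(">I", len(code)) + body


def loader(blob: bytes) -> bytes:
    """Customer side: runs on every launch; its only input is the shipped file."""
    if len(blob) < 28 or blob[:8] != MAGIC:
        raise ValueError("not a protected image")
    key = xor(blob[8:24], MASK)
    (length,) = struct.unpack(">I", blob[24:28])
    body = blob[28:28 + length]
    if len(body) != length:
        raise ValueError("truncated image")
    return xor(body, keystream(key, length))


if __name__ == "__main__":
    code = b"\x55\x8b\xec constructed stand-in for a .text section"
    blob = protect(code)
    print("plaintext visible on disk:", code in blob)
    print("recovered without any user-held secret:", loader(blob) == code)
```

Because loader() takes nothing but the shipped bytes, every copy of the product carries everything needed to undo the encryption, whatever cipher is used for the body.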
I came across this while researching this particular product. I have a great respect for Bruce and his work but being an engineer whose primary work is to write hardware code, what are my options for distributing my program for 30 day trials? I'm talking about a non-consumer product, this is not Photoshop which I know you can get a crack anywhere on the web. I understand that the model of copy protecting your software is impossible, I cannot have my company set up a server to track all the installations of this product. This is a revenue generator but not the next killer app for us. We make hardware and sometimes write software that automates testing for our product if we think it is going to sell. You can safely assume that neither me nor most people who work here are crypto experts, probably most people in my client list too. Any other product suggestions? Trust me, I have exhausted searching all search engines, all types of software.
I have to say that EXEShield is quite possibly the worst protector I have EVER seen. It is ugly, and does not protect anything at all. It is just an expensive ripoff of a UPX packer + bloated loader code written in DELPHI. I am not bragging, but I downloaded the trial for EXEShield in a minute, installed it, and manually unpacked it in less than five minutes. THE ORIGINAL FILE! The protection is the most broken I have ever seen; a few IsDebuggerPresent() and FindWindow() checks are not enough... The protection is outdated, and the price for the software is too much.
Well, looks as though we were stupid enough to purchase it. It took less than 6 hours from the time we installed it and started testing to find a flaw which freely allows execution. And the other package we wanted to protect, a console application, it hangs.
I also feel stupid for purchasing this software. It looked like a quick and easy solution to provide me with a way of having some basic copy protection for a non-consumer specialist app, and also be able to distribute a 30-day trial.
The first problem I had was that once you generate a license for your chosen executable, then that executable name and path is permanently fixed. You cannot change the name OR EVEN THE PATH to the executable without starting from blank and re-generating licenses. It's treated as a different product if you move it. Forget it if you build your project in another folder, drive, or PC.
It then turned out that it just didn't work on some of my clients' PCs, returning a cryptic error number and then nothing. This happened twice, which was awkward with clients on the phone.
It looked 'good enough' for low security situations, but I just can't rely on it working.
Having just purchased without reading the reviews, somewhat worried!
Still if we changed the laws, found the thieving gits, prosecuted the thieving gits, threw the thieving gits in jail and confiscated all computer equipment from the thieving gits, whether it belonged to them or not, and applied automatic deductions to any source income from the thieving gits. That might help.
Any security can be breached, however, the more levels you apply the better
I live in hope.
Makes no difference, all software copy protection has been cracked many times over. Nothing is safe, ExeShield and all others have been cracked.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.