[gmpi] Re: 3.18 Copy Protection

On Mon, Sep 20, 2004 at 03:10:09 -0700, Tim Hockin wrote:
> There are lots of authentication schemes that might apply, I just don't
> know how apply them.
> 
> I mean, we *really* don't want to encourage plugs that are locked to
> hosts.  Can public key encryption come into play here?  Can fingerprinting
> be used?

Not effectivly - the user controls the host and plugin, and thier written
in x86/PPC assembler, which is easy to disassemble.

You can encrypt the plugin and only give the intended host the key, but at
some point the plugin must be unecryped in ram so the the kernel can
execute it.

If you want to go this way then allowing for the host and plugin to
exchange information (could include keys) before the plugin will execute
is probably the most versatile, eg:

host checks plugins object file to make sure its not been tampered with
(against its internal list of checksums), then loads plugin if its ok.
plugin sends host a randomly generated stream of bits
host sends back same stream coded with its key
plugin checks coded stream to see if it matches its random sequence

this technique (challenge-authenticate IIRC) is still very vulnerable when
the attacker controls both sides, but it would stop someone who didn't
know what they were doing.

- Steve

----------------------------------------------------------------------
Generalized Music Plugin Interface (GMPI) public discussion list
Participation in this list is contingent upon your abiding by the
following rules:  Please stay on topic.  You are responsible for your own
words.  Please respect your fellow subscribers.  Please do not
redistribute anyone else's words without their permission.

Archive: http://www.freelists.org/archives/gmpi
Email gmpi-request@xxxxxxxxxxxxx w/ subject "unsubscribe" to unsubscribe

Other related posts: