The document discusses the Sentinel HASP Envelope, which provides automatic protection for software applications through file encryption, code obfuscation, and anti-debugging techniques. It summarizes key features of the Sentinel HASP Envelope, including one-click protection, multiple calls to the connected hardware key for validation, and protection of intellectual property and trade secrets. The Envelope also provides multi-layered protection through dynamic arrangement of protection code layers to obscure the connection between the application and hardware key.
Sentinel HASP Envelope
The Sentinel HASP Envelope Whitepaper
Table of Contents
Executive Summary
Evaluating a Hardware-based Protection System
Sentinel HASP Envelope Protection Method
The Sentinel HASP Envelope
One-Click, Easy-to-Use Solution
Multiple, Non-obtrusive Calls to the Sentinel HASP Hardware Key
Security for Your Intellectual Property and Know-How
Multi-layered Shield—Security for the Weakest Point
Anti-Debugging Methods
How to Tell Friend from Foe?
Vary Behavior when Cracking Attempt is Detected
How to Get More out of Your Software Protection
License Management
SafeNet Sentinel: An Easier Way to Envelope
Conclusion
SafeNet Sentinel Software Monetization Solutions
The Sentinel HASP Envelope Whitepaper 1
Executive Summary
One complex issue faced by software publishers in today’s computing environment is the prevention
of unauthorized use of their software, without creating unnecessary obstacles for customers who
wish to legitimately purchase and use it. There is a direct correlation between the adoption of new
technologies and the amount of unlicensed and hacked software copies. The internet has greatly
affected this phenomenon as it provides an open platform which eliminates international barriers,
language obstacles, and other constraints, thus making information easily available.
Software piracy, including various types of either software or hardware licenses, or unfulfilled
upgrades, denies deserved revenue and harms existing and paying customers, who ultimately
bear the cost of illegal product use. Piracy limits the competitive edge, leads to higher-priced,
less advanced products and ultimately harms the entire process.
Software piracy has become an issue of great concern around the globe because it is widespread,
difficult to identify its real source and even harder to prevent and negate. Too often software
publishers are faced with the proliferation of illegal copies of their applications across the
Internet, losing revenue as a result. Those that have proactively protected their software using
some sort of licensing scheme are not always fully protected against the ever-growing cracking
programs that can compromise their application’s security and licensing mechanisms.
This paper examines a variety of counterattacks available as part of the Sentinel
HASP Envelope mechanism for protecting applications from piracy.
Evaluating a Hardware-based Protection System
Cracking a hardware-based protection key is a lengthy, expensive, and painstaking process,
not always worth the effort for the cracker in terms of potential “Return on Investment” i.e.
time spent versus income. Hackers will always prefer the easy route, and will try to avoid long
debugging hours and tedious code review in order to generate a fully working generic hack.
Hackers will always prefer to create a generic hack – one that applies to all the applications
protected by a specific manufacturer’s hardware key. Upon failing such a hack, crackers will
turn to the next feasible task of creating an application-specific crack, i.e. one that applies to an
individual application only. Of course they will need to repeat this process for every application
they wish to crack, but typically this is not an obstacle for those who are determined to profit
from the application. Consequently, it is imperative that the software-based security features
that augment the hardware-based solution be powerful, and continuously improved.
A common misconception in the industry is that once a certain application is secured
and distributed using some sort of licensing protection scheme it is then completely “bullet-
proof” against software piracy forever. It is imperative that the ISV work with the licensing
vendor/hardware manufacturer to constantly update and improve the level of security. By
incorporating innovative anti-hacking technologies, ISVs can always stay one step ahead of
software piracy threats.
Sentinel HASP Envelope Protection Method
The system is composed of an encryption-based hardware protection key and supporting
software-based protection tools. A Sentinel HASP protected application can load and run only if
the hardware key is physically connected to the host computer.
There are two protection methods that can be incorporated when securing applications with
Sentinel HASP: the Sentinel HASP Run-Time API and the Sentinel HASP Envelope. In order to
achieve the highest level of security and protection, it is advised to incorporate both methods.
The Sentinel HASP Run-Time API is a set of libraries that are linked to the application envelope,
both applied by Sentinel HASP software tools during the application development stage.
Protection achieved through the use of the API requires changes to the source code and allows
the customization of calls to the Sentinel HASP HL key throughout the application. In order to
achieve the highest level of security and protection, careful consideration and planning needs
to take place before and during the software development process, incorporating the Sentinel
HASP HL from the beginning. Integrating the Sentinel HASP Run-Time API is a manual and more
labor-intensive process when compared to the Sentinel HASP Envelope, as it requires careful
planning throughout the whole development stage. The Envelope is an out-of-the-box (push
button) automatic protection tool, deployed on executable, DLL, OCX or other PE-format files of
your application which is carried out once the application is ready and fully tested.
The Sentinel HASP Envelope
The Sentinel HASP Envelope is an automatic file wrapper that provides robust Intellectual
Property (IP) protection against software reverse engineering through file encryption, code
obfuscation and system-level anti-debugging. This ensures that algorithms, trade secrets, and
professional know-how embedded in the software are secured against hackers. Software
solutions not only consist of executables and DLLs, but they also contain data files which may be
of even greater value than the software applications themselves. In many cases, these data files
contain highly sensitive information and IP which must be secured against prying eyes and theft.
To protect data files, the Sentinel HASP Envelope and DataHASP tools wrap the application,
encrypting and controlling access to the software data files so that only authorized users and
the hosting software can decrypt and access it. In seconds, top-notch security and access-
control is achieved for the entire product suite at a simple click of a button. The Sentinel HASP
ToolBox is a GUI-based utility that helps familiarize you with the Sentinel HASP Run-time API
and generates code for inclusion in your software source code.
The Sentinel HASP Envelope secures your application by adding a protective shield responsible
for binding the application to the Sentinel HASP HL key, encrypting the application file, managing
and tracking the licensing information stored in the key and introducing numerous piracy
obstacles that are not available within the Sentinel HASP API.
When the application is launched, the Envelope sends a query to the Sentinel HASP HL key
validating its physical connection to the host computer. If the dedicated Sentinel HASP HL key
is connected to the computer the Envelope uses the Sentinel HASP HL encryption engine to
decrypt the application file (previously encrypted by the developer). If the Sentinel HASP HL key
is not connected, the application halts and cannot execute.
[Figure: Original File (Application), Envelope Protection, Protected File (Encrypted Application)]
Sentinel Envelope Features and Benefits
• Automatic File Wrapper - Provide robust protection against software reverse engineering
through file encryption and native code obfuscation
• Reconnection of the application to the hardware - The application is now tightly coupled
with the Hardware by means of a protection key
• Secure communication channel - Sentinel HASP eliminates man-in-the-middle attacks by
providing a secure channel for communication between the protected application and the
protection key. The Java Envelope uses this ability to prevent a hacker from intercepting
communications to access data sent back from the protection key.
• Runtime decryption - Because Sentinel HASP decrypts files as they are requested at runtime
rather than loading all the .class files into the virtual machine at once, it prevents hackers
from rebuilding the entire application
One-Click, Easy-to-Use Solution
Protecting with the Sentinel HASP Envelope is a procedure that takes only a few seconds,
assuming that the default protection scheme is chosen. The process is slightly extended if
additional steps and measures are taken in order to use some or all of its available options,
providing an extremely powerful platform for software vendors who have no access to the
application’s source code. For example, resellers and dealers that sell unprotected software can
use the basic default Envelope settings in order to protect the products for their local markets—
an easy and rapid process.
Since custom protection with the Sentinel HASP Run-Time API must be done at early
development stages, the Envelope provides a simple out-of-the-box alternative. Once
development is finalized, and the application executables are ready, the Sentinel HASP Envelope
can be used to quickly apply another important and extremely strong layer of protection without
affecting the actual application.
Multiple, Non-obtrusive Calls to the Sentinel HASP Hardware Key
In addition to various tasks performed at runtime, the Envelope is also responsible for checking
that the Sentinel HASP HL key is connected to the computer throughout the software runtime.
Since the Envelope is employed on a compiled file, calls to the Sentinel HASP HL key are not
incorporated within the application code; they are executed periodically by the protection
code that is added onto the application file. Time intervals of Sentinel HASP HL key checks are
Envelope parameters that are fully configurable by the developer during the protection phase.
Each call to the key employs the Sentinel HASP HL hardware-based encryption engine, sending
an encrypted string. The returned decrypted string is analyzed to confirm the presence of the
key. Both the encryption and decryption mechanisms employ the AES 128-bit encryption engine
making sure that the two-way communication channel is fully secured.
Security for Your Intellectual Property and Know-How
Time and resources spent in developing your product are reflected in its quality and ability to
answer market needs and therefore should be well hidden from prying eyes.
The Sentinel HASP Envelope’s encryption specific capability is one of its most important
qualities allowing the encryption of parts or the entire application file, ensuring that no prying
eyes can peek into your code. This is most useful against cases where one may want to change
your code in order to adapt the application to their personal benefit. Moreover, this is of true
value in preventing your competitors from learning your professional secrets and know-how. The
Sentinel HASP Envelope allows the prevention of industrial espionage thus maintaining your
competitive advantage.
By automatically wrapping files and using code obfuscation, the Envelope provides robust anti-
reverse engineering encryption protecting valuable algorithms and trade secrets. The Sentinel
HASP Envelope performs sophisticated encryption to hide your source code. Each file protected
with the Envelope is encrypted using a different random seed, resulting in very different files
after protection, even if the originals were identical. The application file is divided into multiple
blocks, which are scalable and can be predetermined by developers during the protection
session. Each block is encrypted using a 128-bit AES-based encryption engine and different
arbitrary seeds.
Multi-layered Shield—Security for the Weakest Point
The weakest point in an application protected with any wrapping mechanism is the seam
between the application file and the externally added protection code. This is the point which,
once annulled, will disconnect the link to the hardware key, leaving the application completely
unprotected. Consequently, this is the point at which most attackers will attempt to strike.
Hackers will study the protected file analyzing the protection code and how it is linked to the
attached hardware key. Once they understand the code and recognize its location, they can then
operate in one of the following manners:
• Break the protection link for the specific application file – Specific hack
• Break the protection link for all other files protected by the same mechanism if the exact
same method appears in all of them repeatedly – Generic hack
[Figure: the Original Application File joined to the Envelope Protection Code; the seam is the weakest point]
It is therefore essential that the seam point between the protected file and the added protection
code be ambiguous and untraceable, presenting a long and tiresome search procedure for anyone
trying to break the protection. One of the strongest features of the Sentinel HASP Envelope is in
its ability to protect the seam point and present numerous obstacles that prevent the protection
link from being broken. This is achieved by supplying multi-layered protection code, which is added
onto the application file dynamically during the protection process. These layers are pieces of
code specially designed to fit one-after-the-other like train cars. In each protection session, the
Envelope ensures that the various layers constructing the entire code are organized in a different
sequence when added to the original application file – as can be seen below.
[Figure: Original Application File and Envelope Protection Code]
The dynamic arrangement of the layers differs in each and every single Envelope protection
session ensuring that every protected file is unique. There is no resemblance between protected
files, even if the original files are completely identical. The transition from the last instruction
in the Envelope code to the first instruction in the application code differs between protected
applications. For each application, the original code starts at a different place making the
Envelope application-seam almost impossible to trace. Learning and understanding the different
layers and their layout within the protected file implies nothing about the layout in the same
file protected in another Envelope session. To make it even more difficult to break, the Envelope
not only arranges the layers differently, it also selects a different number of layers for each
file it protects. Furthermore, the layers are encrypted, each one in a different way. And, during
application runtime, each layer is responsible for decrypting the next layer in the sequence using
a random encryption key.
Confused? There’s more! The code in each layer is obscured, by using dummy opcodes, which
are inserted between valid code instructions. This severely obstructs the ability to investigate
the code and ensures that disassemblers cannot analyze the protection mechanism or the
disassembled code.
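The layer chain described above, together with the earlier statement that identical originals yield different protected files, can be modelled in a few lines. This is an added illustration, not SafeNet's code: the container format, the function names and key_secret are hypothetical, and a SHA-256 keystream stands in for the AES-128 engine. It models the per-session number of layers and per-layer random keys only, not layer ordering or dummy opcodes.

```python
import hashlib
import os
import random

def keystream(seed: bytes, n: int) -> bytes:
    # SHA-256 in counter mode: a stand-in for the AES-128 engine the page names.
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def xor(data: bytes, seed: bytes) -> bytes:
    # Symmetric: applying it twice with the same seed restores the input.
    return bytes(a ^ b for a, b in zip(data, keystream(seed, len(data))))

def root_seed(key_secret: bytes, nonce: bytes) -> bytes:
    # Assumption: key_secret stands in for whatever the hardware key contributes.
    return hashlib.sha256(key_secret + nonce).digest()[:16]

def protect(payload: bytes, key_secret: bytes, layers=None) -> bytes:
    """Wrap payload in a chain of layers; each layer holds the key of the next."""
    n = layers if layers is not None else random.SystemRandom().randint(3, 8)
    # Innermost body: tag 0x00, integrity digest, then the application bytes.
    body = b"\x00" + hashlib.sha256(payload).digest() + payload
    for _ in range(n):
        seed = os.urandom(16)                    # fresh random key per layer
        body = b"\x01" + seed + xor(body, seed)  # tag 0x01: another layer follows
    nonce = os.urandom(16)                       # fresh per protection session
    return nonce + xor(body, root_seed(key_secret, nonce))

def unwrap(blob: bytes, key_secret: bytes):
    """Return (payload, layer_count); raise ValueError on wrong key or tampering."""
    nonce, body = blob[:16], blob[16:]
    body = xor(body, root_seed(key_secret, nonce))
    count = 0
    # Each decrypted layer reveals the key that decrypts the next one.
    while body[:1] == b"\x01" and len(body) > 17:
        seed, body = body[1:17], body[17:]
        body = xor(body, seed)
        count += 1
    if body[:1] != b"\x00" or len(body) < 33:
        raise ValueError("malformed layer chain (wrong key or modified file)")
    digest, payload = body[1:33], body[33:]
    if hashlib.sha256(payload).digest() != digest:
        raise ValueError("integrity check failed (wrong key or modified file)")
    return payload, count

if __name__ == "__main__":
    app = b"constructed application bytes " * 4   # constructed sample input
    key = b"constructed-key-secret"               # constructed sample secret
    first, second = protect(app, key), protect(app, key)
    print("identical inputs, different outputs:", first != second)
    print("layers used:", unwrap(first, key)[1], unwrap(second, key)[1])
```

Because every layer key is carried inside the layer before it, the whole chain is only as strong as the outermost key, which is why the page ties that step to the hardware key.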
Anti-Debugging Methods
An additional, extremely powerful feature of the Sentinel HASP HL Envelope is its debugger
detection mechanism, which is constantly on the prowl for active debuggers. By sending
misleading commands and false information to “attract attention,” the Envelope misleads and
distracts debuggers. As a result, debuggers in action are disclosed and handled by the Envelope
accordingly allowing distinction between friend and foe.
How to Tell Friend from Foe?
Normally, debuggers are used by software developers to detect bugs and trace problems during
the development process of their application. However, people trying to gain illegal access to
your software use the same debuggers to detect and trace the implanted protection code with
the ultimate goal of changing, disabling, or removing it altogether.
Since both groups use the same debugging tools, the Envelope must have the ability to
distinguish between debugging activities of an innocent developer and that of someone
intending to do harm. This is achieved by displaying a message that a debugger has been
detected and preventing the protected application from loading. A developer will turn off the
debugger at this stage to enable the application to load properly and run. However, if a debugger
is activated after the application loads and runs, clearly this is the activity of a software “pirate”
attempting to crack the software, and thus the application halts.
Vary Behavior when Cracking Attempt is Detected
Another technique used by the Sentinel HASP Envelope to fight debuggers is what we call
“behavior alteration.” Sentinel HASP HL keys employ a sophisticated code design that takes
advantage of the fact that the operating system and the debugger execute applications
differently. When a cracking attempt is detected (for example, through using a checksum), the
reactive behavior of the software is delayed, thus breaking the logical connection between
“cause” and “effect.” Delayed reaction confuses the software cracker by obscuring the true
logical link between the cracking attempt and the negative reaction of the software to that
specific attempt. Behavior such as impairing program functionality when a cracking attempt is
detected can be very effective. Additional behaviors could include causing the program to crash,
overwriting data files, or deliberately causing the program to become inaccurate, causing the
program to become altogether undependable.
How to Get More out of Your Software Protection
In addition to protecting your software, the Sentinel HASP HL key system invokes an advanced
automatic license generator that allows the definition of various licensing terms specifically
tailored to your applications allowing you to comply with your ever-changing business model.
License Management
Innovative selling models such as rental, subscription, demo, concurrent users, pay-per-use and
try-before-you-buy are all achievable with the Sentinel HASP HL key licensing system. These
are implemented by storing license parameters in the Sentinel HASP HL key’s memory such as
counters, expiry dates and number of concurrent users. Once the protected application reaches
the end-user, the Sentinel HASP Envelope takes control and acts as the License Manager
responsible for executing the application in accordance with the predefined
licensing terms. It truly is automatic; you only need to trigger the licensing mechanism by
checking a flag when protecting your application with the Envelope.
SafeNet Sentinel: An Easier Way to Envelope
The Sentinel HASP Envelope is an automatic file wrapper that provides robust protection against
software reverse engineering through file encryption and native code obfuscation. This ensures
that algorithms, trade secrets, and professional know-how embedded in software are secured
against hackers. Sentinel HASP eliminates man-in-the-middle attacks by providing a secure
channel for communication between the protected application and the protection key using
128-bit AES encryption. The Envelope uses this ability to prevent a hacker from intercepting
communications data sent to and from the Sentinel HASP HL protection key.
Conclusion
While hackers constantly improve their hacking techniques, so does technology and what it
offers in terms of fighting piracy. Commercial disassemblers further simplify this process for
hackers, and while the Envelope provides very strong out-of-the-box security, the included
capabilities are sometimes insufficient to fully prevent attacks. Techniques such as encryption
and obfuscation are commonly used to slow attackers, but still leave points of vulnerability.
Enveloping combines encryption and native code obfuscation to provide the strongest protection
to date enabling the protection of Intellectual Property. By using the Sentinel HASP Envelope
solution, you gain the advantages of enveloping without spending the time and effort to develop
a solution from scratch.