Sentinel Hardware Keys Developer's Guide - Customer Connection ...
Copyright © 2009, SafeNet, Inc.
All rights reserved.

We have attempted to make this document complete, accurate, and useful, but we cannot guarantee it to be perfect. When we discover errors or omissions, or they are brought to our attention, we endeavor to correct them in succeeding releases of the product. SafeNet, Inc. is not responsible for any direct or indirect damages or loss of business resulting from inaccuracies or omissions. The specifications contained in this document are subject to change without notice.

SafeNet, Sentinel, Sentinel V-Clock, CodeCover, and the Business Layer APIs are either registered trademarks or trademarks of SafeNet, Inc. Microsoft, Windows, Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows Server 2008 R2, Windows 7, and Internet Explorer are either trademarks or registered trademarks of Microsoft Corporation in the United States and other countries. Java is a trademark of Sun Microsystems, Inc. in the United States and other countries. Linux is a trademark of Linus Torvalds, in the United States and other countries. Mac and the Mac logo are trademarks of Apple Computer, Inc., registered in the U.S. and other countries. All other trademarks are the property of their respective owners.

The Sentinel Keys SDK makes use of certain third-party software. Please refer to Acknowledgments.pdf under the Manuals directory for details.

CONFIDENTIAL INFORMATION

The Sentinel Keys SDK is designed to protect your software applications from unauthorized use. It is in your best interest to protect the information herein from access by unauthorized individuals.

Part Number 002266-001, Revision J
Software versions 1.3.1

Revision | Action/Change | Date
A | 1.0.0 release for Windows 32-bit platforms | November 2005
B | 1.0.2 release for Linux platforms | May 2006
C | 1.0.2 release for Windows 32-bit and x64 platforms | August 2006
D | 1.0.2 release for Macintosh platforms | September 2006
E | 1.0.3 release for Windows Vista 32-bit and x64 platforms | March 2007
F | 1.2.0 release for Windows 32-bit and x64 platforms | December 2007
G | 1.2.1 release for cross platform support (Windows, Linux, and Macintosh). | May 2008
H | 1.3.0 release for cross platform support (Windows, Linux, and Macintosh). | June 2009
J | 1.3.1 release for cross platform support (Windows, Linux, and Macintosh). | November 2009

Certifications

European Community Directive Conformance Statement
Sentinel Hardware Keys are in conformity with the protection requirements of EC Council Directive 89/336/EEC. Conformity is declared to the following applicable standards for electro-magnetic compatibility immunity and susceptibility: CISPR22 and IEC801. This product satisfies the CLASS B limits of EN 55022.

WEEE and RoHS Compliance
Sentinel Hardware Keys are environment-friendly and comply with Waste Electrical and Electronic Equipment (WEEE) and Restriction of Hazardous Substances (RoHS) standards. The WEEE symbol indicates that the electronic devices included with this product package must not be disposed of with other non-electrical waste. It is the responsibility of your organization to dispose of your electronic waste by handing it over to a designated collection point for the recycling of waste electrical and electronic equipment (WEEE).

Mac OS X Universal Logo Compliance
The Sentinel Hardware Keys SDK is designed for the Macintosh operating system (Mac OS X) and runs natively on both PowerPC- and Intel-based computers from Apple.

USB 2.0 Compliance
Sentinel Hardware Keys comply with the USB 2.0 standards.

Ready for Red Hat Linux
The Sentinel Hardware Keys SDK is supported on Red Hat Linux. This logo is a registered trademark of Red Hat, Inc.

WHQL Certification
The Sentinel System Driver (for Windows) is certified by Windows Hardware Quality Lab (WHQL) for Windows 2000, Windows XP (32-bit and x64), Windows Server 2003 (32-bit and x64), Windows Vista (32-bit and x64), Windows Server 2008 (32-bit and x64), Windows Server 2008 R2 (x64), and Windows 7 (32-bit and x64).

FCC Compliance
Sentinel Hardware Keys have passed the FCC Self-authorization process of Computers and Computer Peripherals. FCC Part 15 Class B Specifications.

FCC Notice to Users
This equipment has been tested and found to comply with the limits for a class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

Reorient or relocate the receiving antenna.
Increase the separation between the equipment and receiver.
Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
Consult the dealer or an experienced radio/TV technician for help.

In order to maintain compliance with FCC regulations, shielded cables must be used with this equipment. Operation with non-approved equipment or unshielded cables is likely to result in interference to radio and TV reception. The user is cautioned that changes and modifications made to the equipment without the approval of manufacturer could void the user's authority to operate this equipment.

Table Of Contents

Certifications
Preface
  Where to Find Information?
  Conventions Used in This Guide
  Technical Support
  SafeNet Sales Offices
  Export Considerations
  We Welcome Your Comments

Part 1: Sentinel Hardware Keys Basics

Chapter 1 – Introduction
  Software Piracy Hurts Your Business
  Sentinel Keys Protect Against Software Piracy
  License Models to Increase Your Revenue
  Sentinel Keys Offer Sophisticated Protection
  Frequently Asked Questions

Chapter 2 – Sentinel Hardware Keys SDK Components
  Overview
  Developer Key
  Distributor Key
  Sentinel Keys
  Sentinel Keys Server
  Sentinel System Driver
  Sentinel Keys Toolkit
  Command-Line CodeCover Utility
  Key Programming APIs
  Compiler Interfaces
  License Manager (Stand-alone)
  Sentinel Keys License Monitor
  Sentinel Protection Installer
  Configuration Files
  Remote Update Options
  Frequently Asked Questions

Chapter 3 – Planning Application Protection and Licensing Strategy
  About Features, Templates, and Groups
  Planning Application Protection and Licensing Strategy
  Frequently Asked Questions

Part 2: Designing and Implementing Protection

Chapter 4 – Protecting Applications Using CodeCover
  Add CodeCover Feature Dialog Box
  Adding Files
  Providing Licensing Settings
  Providing Networking Settings
  Providing Security Settings
  Customizing Error Messages
  Customizing CodeCover Error Message Title
  Changing File Encryption Settings
  Applying CodeCover Protection
  CodeCover Protection Using the Command-Line Utility
  CodeCover Protection using Custom CodeCover Key
  What’s Next?
  Frequently Asked Questions

Chapter 5 – Protecting Applications Using API
  Steps to Protect Applications Using API
  Adding API Features
  What’s Next?
  Frequently Asked Questions

Chapter 6 – Secure Remote Updates
  Secure Remote Updates
  Secure Remote Feature/License Update
  Secure Remote New License Addition
  Remote Update Codes
  Remote Update Methods
  About Remote Update Actions
  Generating Update Codes
  Frequently Asked Questions

Chapter 7 – Implementing Secure Licensing
  Vulnerability Assessment - Basic Types of Attacks
  Tips and Tricks
  Frequently Asked Questions

Part 3: Grouping Licenses and Programming Hardware Keys

Chapter 8 – License Grouping
  Why Create Groups?
  Creating New Groups
  Loading Groups
  Duplicating Groups
  Removing Groups
  Sending Group Files to Distributors
  Viewing Group Layouts
  Modifying Default Feature Instances
  Creating New Feature Instances
  Add Templates to Groups
  Remove Templates From Groups
  Export-File Manager
  Locking/Unlocking Groups
  Frequently Asked Questions

Chapter 9 – Programming Sentinel Hardware Keys
  Programming Sentinel Keys using Sentinel Keys Toolkit
  Programming Sentinel Keys using the Key Programming APIs
  Frequently Asked Questions

Part 4: Distributing Protected Applications

Chapter 10 – Redistributables for Customers and Distributors
  Checklist for Customers And Distributors
  Deploying Sentinel System Driver
  Deploying Sentinel Keys Server
  Deploying (Client) Configuration File
  Deploying Secure Update Utility
  Deploying Secure Update Wizard (Windows Only)
  Deploying Sentinel Data Protection Driver (Windows Only)
  Deploying Stand-alone License Manager
  Deploying System Administrator’s Help
  Frequently Asked Questions

Appendix A – Troubleshooting
  Problems and Solutions

Appendix B – Glossary
  A, B, C, D, E, F, G, H, K, L, M, N, O, P, Q, R, S, T, U, W

Appendix C – Sentinel Keys Hardware Specifications

Appendix D – Migration from SuperPro and UltraPro
  Stage 1 - Distribute Sentinel Dual Hardware Keys
  Stage 2 - Design New Protection Strategy

Index

Preface

Thank you for choosing Sentinel Hardware Keys—the state-of-the-art USB tokens with advanced cryptographic capabilities. Using Sentinel Hardware Keys, you can:

Protect your intellectual property from piracy.
Implement different license models for different customers.
Secure your product revenue.

Where to Find Information?

The Sentinel Hardware Keys SDK documentation is for the following users:

Manager or New User
You want to: Understand the product installation, features and benefits

Application Programmer
You want to: Plan, design, and implement the application protection. Program Sentinel Hardware Keys for your customers.

Recommended References (Manager or New User, Application Programmer):
Release notes
Part I of this guide
Sentinel Keys Toolkit Help
Part I and Part II of this guide
Business Layer API Help
Sentinel Keys Toolkit Help
Part III of this guide
Help included with the License Manager application

Builder
You want to: Prepare the protected application for release, including deploying the redistributables.

Customers and Helpdesk
You want to: Learn how to use the hardware key and the redistributables, like the Sentinel System Driver, Sentinel Keys Server, configuration file.

Recommended References (Builder, Customers and Helpdesk):
Part IV of the guide
Sentinel Protection Installer Help (for Windows only)
System Administrator’s Help
FAQs included in the Sentinel Keys Toolkit Help

Conventions Used in This Guide

Please note the following conventions used in this guide:

Courier: Denotes syntax, prompts and code examples. Bold Courier type represents characters that you type; for example: logon.
Bold Lettering: Words in boldface type represent keystrokes, menu items, window names or fields.
Italic Lettering: Words in italic type represent file names and directory names; it is also used for emphasis.

The root drive on your system where your operating system is installed.

The path where the software, in context, is installed. For example, the default for Sentinel Hardware Keys SDK is as follows:
On Windows 32-bit: :\Program Files\SafeNet Sentinel\Sentinel Keys\
On Windows x64: :\Program Files(x86)\SafeNet Sentinel\Sentinel Keys\
On Linux: /opt/safenet_sentinel/sentinel_keys/
On Macintosh: /Applications/Safenet Sentinel/Sentinel Keys/

The default path for the Personal folder on Windows 2000/XP (32-bit and x64)/Server 2003 (32-bit and x64) systems is: :\Documents and Settings\user name.

The default path for the Personal folder on Windows Vista (32-bit and x64)/Server 2008 (32-bit and x64)/ Server 2008 R2 (x64)/Windows 7 systems is: :\Users\user name.

Refers to the default user's directory on Linux and Macintosh.

Technical Support

If you have questions, need additional assistance, or encounter a problem, please contact Technical Support using the information given below:

Technical Support Contact Information

Customer Connection Center (C3)
http://c3.safenet-inc.com
Existing customers with a Customer Connection Center account can log in to manage incidents, get latest software upgrades and access the complete SafeNet Knowledge Base repository.

Support and Downloads
http://www.safenet-inc.com/Support
Provides access to knowledge base and quick downloads for various products.

E-mail-based Support
support@safenet-inc.com

Telephone-based Support
United States: (800) 545-6608, (410) 931-7520
France: 0825 341000
Germany: 01803 7246269
United Kingdom: 0870 7529200, +1 410 931-7520
Australia and New Zealand: +1 410 931-7520
China: (86) 10 8851 9191
India: +1 410 931-7520

SafeNet Sales Offices

For more information about SafeNet products and offerings, contact the sales offices located in the following countries:

Australia: +61 2 9906 2988
Finland: +358 20 500 7800
Hong Kong: +852 3157 7111
Korea: +82 31 705 8212
Singapore: +65 6297 6196
U.S. (Massachusetts): +1 978.539.4800
U.S. (Irvine, California): +1 949.450.7300
Brazil: +55 11 6121 6455
France: +33 1 47 55 74 70
India: +91 120 4020797, +91 120 4020555, +91 22 3240 2984
Mexico: +52-55-5202-5411, +52-55-5202-5445
Taiwan: 886 2 8698 1238
U.S. (New Jersey): +1 201 876 3457
U.S. (San Jose, California): + (408) 452 7651
China: +86 10 88519191
Germany: +49 (0) 89 288 90251
Japan (Tokyo): + 81 3 5776 2751
Netherlands: +31 73 658 1900
UK (Camberley): +44 0 1276 608000
U.S. (Virginia): +1 703 647 8400
U.S. (Torrance, California): +1 310.533.8100

Tip: Please visit http://www.safenet-inc.com/Support for the most up-to-date information about Sentinel Keys, downloads, FAQs, and technical notes.
We Welcome Your Comments<br />
Export Considerations<br />
We offer products that are based on encryption technology. The Bureau of<br />
Industry and Security (BIS) in the U.S. Department of Commerce administers<br />
the export controls on our commercial encryption products.<br />
Rules governing exports of encryption can be found in the Export Administration<br />
Regulations (EAR), 15 CFR Parts 730-774, which implements the<br />
Export Administration Act (“EAA” 50 U.S.C. App. 2401 et seq.).<br />
An Important Note<br />
BIS requires that each entity exporting products be familiar with and comply<br />
with their obligations described in the Export Administration<br />
Regulations. Please note that the regulations are subject to change. We recommend<br />
that you obtain your own legal advice when attempting to export<br />
any product that uses encryption. In addition, some countries may restrict<br />
certain levels of encryption imported into their country. We recommend<br />
consulting legal counsel in the appropriate country or the applicable governmental<br />
agencies in the particular country.<br />
We Welcome Your Comments<br />
To help us improve future versions of the documentation, we want to know<br />
about any corrections, clarifications or further information you would find<br />
useful. When you contact us, please include the following information:<br />
The title and version of the guide you are referring to.<br />
The version of the software you are using.<br />
Your name, company name, job title, phone number, and e-mail<br />
address.<br />
Send us e-mail at: techsupport@safenet-inc.com<br />
Part 1<br />
<strong>Sentinel</strong> <strong>Hardware</strong> <strong>Keys</strong><br />
Basics<br />
Software piracy problem and its solution<br />
<strong>Sentinel</strong> <strong>Hardware</strong> <strong>Keys</strong> SDK components<br />
Planning application protection and licensing<br />
strategy
Chapter 1<br />
Introduction<br />
In this chapter we will assess how software piracy threatens your profits and<br />
understand how <strong>Sentinel</strong> <strong>Hardware</strong> <strong>Keys</strong> (also referred to as “<strong>Sentinel</strong> <strong>Keys</strong>”)<br />
can curb widespread piracy and add value to your software distribution.<br />
Software Piracy Hurts Your Business<br />
Software piracy hurts the bottom line of your business. Every year a huge<br />
share of revenue is lost due to piracy—affecting your profits and subsequently<br />
the product research and development prospects.<br />
Software piracy can occur in many forms, varying from malicious counterfeiting<br />
to unintended violations of the license agreement by users who may<br />
be unaware they are doing so (for example, more than permissible number<br />
of users using the application concurrently, unreported installations, and<br />
exchange of software disks among peers).<br />
Software licensing not only effectively secures against piracy but can also<br />
enhance product versatility with flexible licensing models. You can use new<br />
avenues to distribute your applications and ultimately improve your return-on-investment.<br />
Moreover, software protection must be simple to implement,<br />
so that your schedules are not burdened with lengthy training and licensing<br />
implementation. Read on to know how <strong>Sentinel</strong> <strong>Keys</strong> can do all this and<br />
much more!<br />
<strong>Sentinel</strong> <strong>Keys</strong> Protect Against Software Piracy<br />
<strong>Sentinel</strong> <strong>Keys</strong> provide hardware token-based licensing to your software<br />
application(s). These also provide better market penetration through easy-to-implement<br />
licensing models, such as demos, lease, and network licenses.<br />
This section briefly explains the process of protecting your application and<br />
describes how the protected application will behave when your customers<br />
run it.<br />
In order to protect your application, you first need to design the protection<br />
strategy in the <strong>Sentinel</strong> <strong>Keys</strong> Toolkit 1 (referred to as Toolkit hereafter). The<br />
Toolkit is the main application, which you use for everything from preparing<br />
a protection strategy to programming hardware keys.<br />
Note: You may also program your <strong>Sentinel</strong> <strong>Keys</strong> using the Key Programming APIs.<br />
Please refer to the section “Programming <strong>Sentinel</strong> <strong>Keys</strong> using the Key Programming<br />
APIs”.<br />
The Toolkit provides two basic methods to protect your applications:<br />
CodeCover Protection 2 : The method in which protective wrappers<br />
are put around the application quickly and easily. For more details,<br />
see Chapter 4, “Protecting Applications Using CodeCover,” on page<br />
75.<br />
API Protection: The method in which you insert the Business Layer<br />
API functions into your application's source code. For more details,<br />
see Chapter 5, “Protecting Applications Using API,” on page 109.<br />
Whatever method you choose, the outcome will be a protected application,<br />
different from the original application. The protected application is dependent<br />
on the <strong>Sentinel</strong> Key for execution. It will check for the presence of the<br />
<strong>Sentinel</strong> Key in order to run successfully. If the operation is successful, the<br />
application is allowed to run. If it fails, such as when the correct <strong>Sentinel</strong><br />
Key is not attached or has been tampered with, access to the application is<br />
denied. Since the application can be programmed to check for the <strong>Sentinel</strong><br />
Key periodically, removing the key while the application is running causes the<br />
next check to fail. As a result, the protected application is allowed to run only when the<br />
stipulated licensing conditions are met. For example, the users may be able<br />
to freely copy your application, but will not be able to execute it beyond the<br />
number of users allowed.<br />
1. Available only on Windows.<br />
2. Available only on Windows and can be used for protecting Windows 32-bit and 64-bit executables,<br />
DLLs, and BPLs.<br />
The diagram below shows the typical behavior at the customer site, depending on<br />
whether the correct <strong>Sentinel</strong> Key is attached.<br />
Licensing Behavior on Application Run-time<br />
Note: The Secure Communication Tunnel (term used in the diagram above) is<br />
explained on page 14.<br />
License Models to Increase Your Revenue<br />
<strong>Sentinel</strong> <strong>Keys</strong> provide the most advanced hardware-based protection<br />
against software piracy. For software vendors and developers, it opens a new<br />
world of opportunities by preventing illegal copying and distribution of their<br />
proprietary applications. It also provides better market penetration by<br />
increasing the product usage/trial rate among the potential customers. A<br />
few examples are described below. Using <strong>Sentinel</strong> <strong>Keys</strong>, you can:<br />
Lease the protected application for a certain period. Later, your<br />
customers may want to extend the lease or convert it to a perpetual<br />
license.<br />
To lease your applications, you can choose from RTC-based <strong>Sentinel</strong><br />
<strong>Keys</strong> or non-RTC tokens with <strong>Sentinel</strong> V-Clock™.<br />
RTC-based <strong>Sentinel</strong> <strong>Keys</strong> contain an internal real-time clock to track<br />
the exact date and time of the leased applications. The real clock keeps<br />
track of time independent of the system clock—providing the best<br />
solution against time tampering attacks.<br />
The non-RTC tokens with <strong>Sentinel</strong> V-Clock also allow reliable and<br />
secure distribution of time-limited applications. These do not require<br />
an on-board battery to detect time tampering.<br />
Sell demo versions of the protected application. These can be<br />
upgraded to full-versions whenever desired.<br />
Provide stand-alone and network 3 licenses for individual customers<br />
and enterprise-level set-ups.<br />
Protect multiple applications with a single <strong>Sentinel</strong> Key.<br />
Activate and renew applications/features, increase lease/demo limits,<br />
add new licenses and convert to full versions remotely (for example, by<br />
e-mail).<br />
3. Also known as concurrent or floating licenses.<br />
<strong>Sentinel</strong> <strong>Keys</strong> Offer Sophisticated Protection<br />
This section provides a summary of the main features of <strong>Sentinel</strong> <strong>Keys</strong> SDK,<br />
which make it the most reliable and chosen solution to protect your intellectual<br />
property and copyrights.<br />
<strong>Hardware</strong> Key with Cutting-edge Security Technology<br />
<strong>Sentinel</strong> <strong>Keys</strong> use the cutting-edge technology for superior security. Here are<br />
the major highlights of the hardware key:<br />
Contains the ECC algorithm for digital signing and verification,<br />
providing data authentication, confidentiality, integrity, and non-repudiation.<br />
Contains the 128-bit AES algorithm for block encryption/decryption<br />
and query-response protection.<br />
Provides secure communication using the Secure Communication<br />
Tunnel. The tunnel is an end-to-end secured session between the<br />
application and the <strong>Sentinel</strong> Key. The communication packets are<br />
encrypted using the AES algorithm, for which the session key is<br />
generated using ECC-based key exchange (ECKAS-DH1).<br />
Allows random generation of ECC and AES keys. An unlimited number of<br />
keys can be generated.<br />
Uses chip-on-board (COB) technology for better performance, high<br />
reliability, and greater protection against reverse engineering.<br />
Uses mirroring and self-correction for higher reliability against<br />
memory corruption.<br />
Has the in-built capability to write once in the field. This means that,<br />
regardless of the access rights, the data can be modified at run-time only<br />
once. Hence, it prevents unauthorized revisions of the data contained<br />
in the <strong>Sentinel</strong> Key.<br />
Supports universal binaries for compatibility with PowerPC and Intel-based<br />
Macintosh systems.<br />
USB 2.0 compliant, full-speed for bulk transfer.<br />
16-bit RISC MCU for high performance.<br />
WHQL certified <strong>Sentinel</strong> System Driver for Windows 2000, XP (32-bit<br />
and x64), Server 2003 (32-bit and x64), Vista (32-bit and x64),<br />
Server 2008 (32-bit and x64), Server 2008 R2 (x64), and Windows 7<br />
(32-bit and x64) compatibility.<br />
Role-enforcement Using <strong>Hardware</strong> <strong>Keys</strong><br />
The Toolkit application is used to prepare important and confidential license<br />
policies. Hence, it is important to restrict unauthorized access to the<br />
Toolkit. To control this, you are provided with a developer key, a hardware<br />
key to authenticate developers. Other users, who do not have the developer<br />
key, might be able to access the Toolkit, but will not be able to do any productive<br />
tasks (such as prototyping the protection strategies). You can<br />
further prevent unauthorized use of your developer key by setting a password<br />
for it. This will ensure that any malicious user having access to your<br />
developer key cannot use it to tamper with the protection strategy or program the<br />
<strong>Sentinel</strong> <strong>Keys</strong>. Also, once you have programmed <strong>Sentinel</strong> <strong>Keys</strong> for your customers,<br />
other developers cannot program or update them using their<br />
developer keys.<br />
Similarly, your sales distributors require a distributor key (the hardware key<br />
you specifically program for each distributor) to program <strong>Sentinel</strong> <strong>Keys</strong> for<br />
your customers.<br />
Innovative Licensing Models for Market Penetration<br />
<strong>Sentinel</strong> <strong>Keys</strong> not only secure your software against unauthorized usage, but also<br />
provide options to package your software differently to suit different price or<br />
feature categories. Using <strong>Sentinel</strong> <strong>Keys</strong>, you can:
Easily create demos, time-limited, and executions-limited software<br />
packages.<br />
Distribute stand-alone licenses, typically used by home users and<br />
individuals.<br />
Distribute floating licenses, typically used in enterprises.<br />
Lease your software for certain time periods.<br />
Allow license sharing for each Seat user.<br />
Allow terminal clients.<br />
Robust Protection Options<br />
The <strong>Sentinel</strong> <strong>Keys</strong> SDK provides robust methods to protect applications. It<br />
has options to quickly protect your applications (using the CodeCover and<br />
Quick CodeCover) and ways to implement intensive and controlled protection<br />
strategies (using API protection). Here are the quick highlights of these<br />
methods:<br />
The CodeCover 4 provides automatic and faster protection for<br />
Windows executables, DLLs, and BPLs. It is capable of protecting<br />
against debugging, disassembling, reverse-engineering, and memory<br />
dumping attacks. The Quick CodeCover is a variant of the CodeCover<br />
and offers basic protection. It is typically used for getting started with<br />
the Toolkit and protecting applications.<br />
CodeCover Command-Line Protection - CodeCover protection<br />
using command-line options not only saves your time but also<br />
enables you to execute <strong>Sentinel</strong> CodeCover protection from batch<br />
files without going through the <strong>Sentinel</strong> <strong>Keys</strong> Toolkit screens.<br />
The <strong>Sentinel</strong> <strong>Keys</strong> Command-Line CodeCover Utility is also<br />
referred to as CMDShell.exe. The utility is a console-based program<br />
that protects executables, DLLs, and BPLs via command-line. For<br />
more information, please refer to the section “Command-Line<br />
CodeCover Utility”.<br />
4. An automatic method of protecting Windows executables, DLLs, and BPLs. It does not<br />
require source code of your application.<br />
Under API protection, you insert calls to the Business Layer API functions into<br />
your application source code. These functions let you implement both<br />
basic and advanced protection. There are functions for<br />
encrypting/decrypting data using 128-bit AES, digitally<br />
signing/verifying data using ECC, and reading and writing data in the<br />
key memory (such as integers, Boolean values, strings, and raw data).<br />
For a quick look at the Business Layer API functions, see the diagram<br />
below. The Business Layer API Help contains details on using each API<br />
function. You can launch it from the Help menu of the Toolkit, or<br />
browse to it in the Help directory of the compiler interfaces.<br />
The Business Layer API Functions<br />
Smart and Flexible (One-time) Implementations<br />
The Toolkit is based on an architecture that divides the complete licensing<br />
process according to the different roles seen in real life. Typically, the license<br />
design and implementation part is done by the developers, while the<br />
license management and hardware key programming is handled by marketing<br />
and administration personnel involved in license fulfillment.<br />
The stand-alone License Manager application is also available for your distributors,<br />
who can use it to program <strong>Sentinel</strong> <strong>Keys</strong>. The number of<br />
licenses sold by them can be traced using the distributor key count. The<br />
count can be updated remotely.<br />
Note: If desired, your <strong>Sentinel</strong> Key vendors can program <strong>Sentinel</strong> <strong>Keys</strong> in bulk for<br />
you. See the option described on page 206.<br />
Convenient Licensing for Your <strong>Customer</strong>s<br />
<strong>Sentinel</strong> <strong>Keys</strong> are ultimately deployed on your customer's site to allow<br />
authorized access to your protected applications. The following features<br />
ensure that the licensing process is enforced without being inconvenient:<br />
Easy-to-carry, small, and durable tokens.<br />
<strong>Hardware</strong>-based licenses unaffected by application crashes/<br />
uninstallations.<br />
Self-guided license installation/updates using the Secure Update<br />
Wizard (for Windows only).<br />
Remote license installation, addition and updates (via e-mail and file).<br />
License tracking and client information using a Web browser-based<br />
monitoring tool. The same tool provides an option to system<br />
administrators for canceling licenses.<br />
Support for widely used TCP/IPv4 along with the next generation<br />
Internet protocol TCP/IPv6 5, on Windows, Linux and Macintosh.<br />
XML-based configuration files for network application users and<br />
<strong>Sentinel</strong> <strong>Keys</strong> Server.<br />
Support for Different Types of Programming<br />
Environments<br />
<strong>Sentinel</strong> <strong>Hardware</strong> <strong>Keys</strong> offer different interfaces for programming that<br />
enable a quick implementation of your protection strategy.<br />
5. TCP/IPv6 communication (between the application and the hardware key) is supported<br />
only on the same subnet. Please see Question 12 of Chapter 2 to view the list of operating systems<br />
on which SHK supports IPv6.<br />
The table below provides a summary of each programming component and<br />
the category of users using them.<br />
Various Key Programming Interfaces for <strong>Sentinel</strong> <strong>Keys</strong><br />
Programming Utility | User | Associated File/Key | Usage Description<br />
<strong>Sentinel</strong> <strong>Keys</strong> Toolkit | Developer | Developer Key | Refer to page 203, for more information.<br />
Stand-alone License Manager | Distributor | Distributor Key, .lgx file | The .lgx file is a package of licenses that you want to program in the <strong>Sentinel</strong> Key for your customers.<br />
Key Programming APIs | Developer | Developer Key, *.ISV file | Only a Developer along with a Developer Key, can generate the *.ISV file, using the <strong>Sentinel</strong> <strong>Keys</strong> Toolkit. Once generated, this file is programmed into the end user token, in association with a Developer Key.<br />
Key Programming APIs | Distributor | Distributor Key, *.DIS file | Only a Developer, along with a Developer Key, and in the presence of a Distributor Key, can generate the *.DIS file, using the <strong>Sentinel</strong> <strong>Keys</strong> Toolkit. Once generated by a Developer, it is provided to the Distributor. The distributor programs the end user token with its contents, in association with a valid Distributor Key.<br />
Key Programming APIs | Operator | *.OPR file | Only a Developer, along with a Developer Key, and in the presence of an end user token, can generate the *.OPR file, using the <strong>Sentinel</strong> <strong>Keys</strong> Toolkit. Once generated, this file is programmed into the end user token at the fulfillment center, without any authentication.<br />
Note: The .lgx/*.ISV/*.DIS/*.OPR files are generated by the Developer using the<br />
<strong>Sentinel</strong> <strong>Keys</strong> Toolkit.<br />
Frequently Asked Questions<br />
Question 1 - What is the Secure Communication Tunnel?<br />
The Secure Communication Tunnel is an end-to-end secured session<br />
between the client and the <strong>Sentinel</strong> Key for providing secure private communication.<br />
The communication packets are encrypted using the AES<br />
algorithm, for which the session key is generated using ECC-based key<br />
exchange (ECKAS-DH1).<br />
It provides maximum protection against the following types of attacks that<br />
can foil the security of your protected applications:<br />
Record/playback attacks<br />
Driver emulation attacks<br />
Middle layer key communication attacks<br />
Brute force attacks<br />
The tunnel is created at the time of obtaining a license and is maintained<br />
throughout the session. The tunnel can exist over a local workstation for<br />
stand-alone applications and on a subnet for network applications.<br />
The following diagrams depict how the protected application and the <strong>Sentinel</strong><br />
Key communicate over the secure communication tunnel, in network and<br />
stand-alone modes.<br />
Secure Communication Tunnel<br />
Question 2 - What are the typical ways to verify the presence of the<br />
<strong>Sentinel</strong> Key?<br />
<strong>Sentinel</strong> Key is a state-of-the-art cryptographic device with many capabilities.<br />
For example, you can use the 128-bit AES algorithm for data<br />
encryption/decryption or use the ECC algorithm for digital signing and verification.<br />
The <strong>Sentinel</strong> Key can also store a variety of data in its memory, such as<br />
strings, integers, Boolean values, and raw data commonly used by developers.<br />
You can utilize these capabilities to verify the <strong>Sentinel</strong> Key's presence via a rich<br />
set of Business Layer API functions. In addition, you can wrap multiple<br />
CodeCover layers around your compiled files; this option is available only for Windows<br />
executables, DLLs, and BPLs. Both methods provide secure and robust<br />
licensing.<br />
Given below are a few examples of verifying the <strong>Sentinel</strong> Key's presence:<br />
Use the SFNTReadString API function to read a string written on the<br />
<strong>Sentinel</strong> Key.<br />
Use the SFNTEncrypt API function to encrypt the data.<br />
Use the SFNTDecrypt API function to decrypt the data.<br />
Use the SFNTSign API function to digitally sign the data.<br />
Use the SFNTVerify API function to verify the digital signature.<br />
Use the SFNTQueryFeature API function to perform the query-response<br />
operation and to verify the licensing controls.<br />
Note: The <strong>Sentinel</strong> <strong>Keys</strong> client library functions are known as the Business Layer<br />
API functions. For more information, refer to its Help available under the<br />
Help menu of the Toolkit.<br />
Question 3 - Is it always necessary to use the Toolkit for protecting<br />
applications?<br />
The workflow of protecting an application requires you to use the Toolkit for<br />
almost all the tasks, from preparing protection strategies to programming<br />
hardware keys. However, you may also program your keys using the Key
Programming APIs. Refer to the section, “Programming <strong>Sentinel</strong> <strong>Keys</strong><br />
using the Key Programming APIs”.<br />
Please do not try implementing the licensing scheme incompletely or<br />
directly (such as by just calling the Business Layer API functions and linking<br />
libraries). Refer to the <strong>Sentinel</strong> <strong>Keys</strong> Toolkit Help or this guide for understanding<br />
the complete steps involved.<br />
Chapter 2<br />
<strong>Sentinel</strong> <strong>Hardware</strong> <strong>Keys</strong> SDK<br />
Components<br />
Overview<br />
This chapter provides information about the major components included in<br />
the <strong>Sentinel</strong> <strong>Hardware</strong> <strong>Keys</strong> SDK.<br />
The <strong>Sentinel</strong> <strong>Keys</strong> SDK contains various components that are used by the<br />
following categories of users:<br />
Developer - An individual or a software development company that<br />
uses the <strong>Sentinel</strong> <strong>Keys</strong> SDK to protect and license their applications.<br />
Distributor - An individual/organization authorized by the<br />
developer to distribute the protected application along with the<br />
<strong>Sentinel</strong> <strong>Keys</strong>.<br />
<strong>Customer</strong> - An individual/organization using a <strong>Sentinel</strong> Key<br />
protected application.<br />
Operator - An individual/group who is unaware of the contents on<br />
the <strong>Sentinel</strong> <strong>Keys</strong>, and is more concerned about the number of tokens<br />
being programmed using the programming utility/stand-alone<br />
executable provided to him by a Developer.<br />
Deployer - An individual responsible for protecting applications at<br />
the customer’s site using a Custom CodeCover Key and Command-<br />
Line CodeCover Utility provided by a Developer.<br />
The table below provides a summary of hardware keys that are included in<br />
<strong>Sentinel</strong> <strong>Keys</strong> SDK.<br />
Summary of the <strong>Sentinel</strong> <strong>Hardware</strong> <strong>Keys</strong><br />
Component | Description<br />
Developer Key | The hardware key that must be attached to the system where the Toolkit is running.<br />
Distributor Key | The hardware key that must be attached to the system where the stand-alone License Manager application is running (typically meant for the distributors).<br />
<strong>Sentinel</strong> Key | The hardware key that is programmed with the application protection strategy (by a developer or distributor) and shipped to the customers. A customer cannot use the protected application without it. <strong>Sentinel</strong> Key is available for both the stand-alone and network environments (and is referred hereafter as stand-alone key and network key, respectively).<br />
The following table provides a summary of each <strong>Sentinel</strong> <strong>Keys</strong> SDK<br />
component.<br />
Summary of the <strong>Sentinel</strong> <strong>Keys</strong> SDK Components<br />
Component | Description<br />
<strong>Sentinel</strong> <strong>Keys</strong> Server | A program that manages the <strong>Sentinel</strong> <strong>Keys</strong> license information in a network.<br />
<strong>Sentinel</strong> System Driver | The device driver for all the USB tokens included in the SDK.<br />
<strong>Sentinel</strong> <strong>Keys</strong> Toolkit | A Java application used by the developer for preparing the application protection strategy and performing related activities.<br />
Command-Line CodeCover Utility | A console-based program that protects executables, DLLs, and BPLs using the CodeCover method via command-line. Please refer to the Command-Line CodeCover Utility ReadMe, for more information.<br />
Key Programming APIs | Set of API functions used for programming <strong>Sentinel</strong> <strong>Hardware</strong> <strong>Keys</strong>, and creating update packets. Please refer to the Key Programming API Help, for more information.<br />
Compiler Interfaces | The popular languages/compiler interfaces for implementing the API protection.<br />
<strong>Sentinel</strong> <strong>Keys</strong> License Manager | A stand-alone application used by the distributor for programming <strong>Sentinel</strong> <strong>Keys</strong> for customers.<br />
<strong>Sentinel</strong> <strong>Keys</strong> License Monitor | A Web based tool using which the system administrator (on the customer’s site) can monitor, track, and cancel licenses. This tool also helps view/update the information related to <strong>Sentinel</strong> <strong>Keys</strong> Server, stored in the server-side configuration file.<br />
<strong>Sentinel</strong> Protection Installer | An installer that can be either run directly or integrated with your application installer to redistribute the <strong>Sentinel</strong> System Driver, <strong>Sentinel</strong> <strong>Keys</strong> Server, and <strong>Sentinel</strong> Protection Server. Refer to Chapter 10, “Redistributables for <strong>Customer</strong>s and Distributors,” on page 223 for more information.<br />
Configuration Files | Refers to the two configuration files (client-side and server-side) that can be used by your customers for configuring the protected application and <strong>Sentinel</strong> <strong>Keys</strong> Server, respectively.<br />
Remote Update Options | Refers to the methods for updating applications and hardware keys in the field (the process is known as remote update process).<br />
The subsequent sections contain details of each component mentioned in<br />
the above tables.<br />
Developer Key<br />
The developer key is meant for you, the software publisher/vendor, who prepares the application protection strategy using the Toolkit. The developer key provides an authentication and signing mechanism to the developer that is much more convenient and secure than the key access passwords, because it contains 128-bit AES secret keys for the following:<br />
Digitally signing the licenses programmed into the Sentinel Keys<br />
Encrypting the remote update packets<br />
Digitally signing the licenses programmed into the distributor keys<br />
These seeds are unique for each developer. As a result, a license created using your developer key will not match that of any other developer.<br />
Figure: Uniquely Matched Hardware Keys<br />
Please note that:<br />
You typically require one developer key to use the Toolkit.<br />
No configuration/programming is required to use the developer key. The USB device can be plugged in and is ready for use as soon as it is detected by the system.<br />
You will not be able to build (prototype) the protection strategy in the Toolkit unless the developer key is plugged in.<br />
If your developer key supports password authentication and you have enabled the authentication (refer to Question 7), the Toolkit allows you to perform the key-dependent operations (refer to Question 11) only after you specify the correct password.<br />
Password-protected Developer Key<br />
A developer key for which access has been restricted using a password is called a password-protected developer key. A password is defined by the developer who owns the developer key. The password length can vary from 8 to 16 alphanumeric characters.<br />
Note: A password can be set only for those developer keys for which the Configure Password option on the Options menu of Sentinel Keys Toolkit is enabled.<br />
A password-protected key can be used to perform key-dependent operations (refer to Question 11) only after the valid password has been specified. The password remains valid for a particular session until the developer key is unplugged.<br />
You can change the password or disable it. To do so, you must remember the original password. The Frequently Asked Questions section of this chapter contains complete steps for enabling/disabling/changing the password.<br />
Do NOT forget the password of your developer key! If it is forgotten, the Toolkit does not allow you to reset/disable/change the password, and you will need to contact SafeNet to request a new developer key.<br />
Distributor Key<br />
The distributor keys are meant for your sales distributors who are authorized to program Sentinel Keys for your customers using the strategy you created.<br />
Note that:<br />
The distributor key can contain a metering count to control the number of licenses programmed by the distributor.<br />
You will provide them a file (paired with the distributor key) which they will use to import the protection strategy into the License Manager application. The details are provided in Chapter 9, “Programming Sentinel Hardware Keys,” on page 203.<br />
Each distributor requires a different distributor key and its paired file.<br />
Note: You will need to order more distributor keys if more than one distributor is to program Sentinel Keys for your customers.<br />
<strong>Sentinel</strong> <strong>Keys</strong><br />
The <strong>Sentinel</strong> <strong>Keys</strong> are meant for your customers. They will be able to run<br />
your protected application only if the correct <strong>Sentinel</strong> Key is accessed. It is<br />
available for both stand-alone and network environments:<br />
Figure: Top-view of Sentinel Key<br />
Stand-alone Keys<br />
Refers to the hardware keys that allow access to the protected application(s) on a system. A stand-alone key is connected directly to a user’s local workstation. Stand-alone keys have a hard limit of zero (0) and do not serve any license requests from the network. Hence, they can neither be detected by the Sentinel Keys Server running on the system nor monitored by the Sentinel Keys License Monitor.<br />
Network Keys<br />
A network key allows multiple network clients to run the protected application concurrently. It is typically connected to a networked system where the Sentinel Keys Server is running. The network keys are meant for the number of users defined by the hard limit. If desired, you can program a user limit for restricting the hard limit (see Hard Limit).<br />
Figure: One Network Key For Multiple Clients in LAN/WAN<br />
<strong>Sentinel</strong> <strong>Keys</strong> Models<br />
Details about the Sentinel Keys Models<br />
Model Name | Description | Characteristics<br />
Sentinel S | Stand-alone non-RTC version | Form-factor: USB; Total memory: 8KB; Hard-limit: Zero (0), for standalone users only; Algorithms: AES and ECC; Sentinel V-Clock<br />
Sentinel SN | Network non-RTC version | Form-factor: USB; Total memory: 8KB; Hard-limit: 3, 5, 10, 25, 50, 100, and 250; Algorithms: AES and ECC; Sentinel V-Clock<br />
Sentinel ST | Stand-alone RTC version | Form-factor: USB; Total memory: 8KB; Hard-limit: Zero (0), for standalone users only; Algorithms: AES and ECC; Real Time Clock battery with lifetime of 4 years<br />
Sentinel SNT | Network RTC version | Form-factor: USB; Total memory: 8KB; Hard-limit: 3, 5, 10, 25, 50, 100, and 250; Algorithms: AES and ECC; Real Time Clock battery with lifetime of 4 years<br />
Sentinel X | Stand-alone Extended Memory non-RTC version | Form-factor: USB; Total memory: 64KB; Hard-limit: Zero (0), for standalone users only; Algorithms: AES and ECC; Sentinel V-Clock<br />
Sentinel XN | Network Extended Memory non-RTC version | Form-factor: USB; Total memory: 64KB; Hard-limit: 3, 5, 10, 25, 50, 100, and 250; Algorithms: AES and ECC; Sentinel V-Clock<br />
Sentinel XT | Stand-alone Extended Memory RTC version | Form-factor: USB; Total memory: 64KB; Hard-limit: Zero (0), for standalone users only; Algorithms: AES and ECC; Real Time Clock battery with lifetime of 4 years<br />
Sentinel XNT | Network Extended Memory RTC version | Form-factor: USB; Total memory: 64KB; Hard-limit: 3, 5, 10, 25, 50, 100, and 250; Algorithms: AES and ECC; Real Time Clock battery with lifetime of 4 years<br />
See also Appendix C, “Sentinel Keys Hardware Specifications,” on page 277.<br />
Note: A Sentinel Key can also be initialized as a Custom CodeCover Key for protecting an application at the customer’s site. For information on the Custom CodeCover Key, see “About Custom CodeCover Key” on page 95.<br />
<strong>Sentinel</strong> Extended Memory <strong>Hardware</strong> Key (SHK XM)<br />
SHK XM is a 64K variant of Sentinel keys that can be utilized to create advanced and robust protection strategies of larger size. With a memory size as large as 64K, SHK XM provides the following benefits:<br />
Increased Feature Size: The maximum size of data that can be stored in the Raw Data and String features has been increased from 256 bytes to 2032 bytes.<br />
Enhanced License Size: The size of licenses that can be programmed into Sentinel Keys of 8K memory is limited to 1792 bytes. SHK XM allows you to program licenses of up to 4080 bytes. This provides the following benefits:<br />
More licenses: You can design 7-8 licenses of 2032 bytes each, at the License Manager stage of the Toolkit.<br />
More features per license: You can add more features to your license.<br />
The above capabilities of SHK XM can be utilized to create advanced and robust protection strategies of larger size.<br />
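The model table and the SHK XM size limits above can be combined into a model-selection check. This is an added example, not code from the Sentinel SDK: the class and function names are hypothetical, the 1792/4080-byte figures are treated as per-license ceilings, and rounding a user count up to the next hard limit and then programming a user limit is an assumption based on the Network Keys description.<br />

```python
from dataclasses import dataclass
from typing import Optional

# Hard limits offered by the network models (from the models table).
NETWORK_HARD_LIMITS = (3, 5, 10, 25, 50, 100, 250)

# Size ceilings in bytes quoted in the SHK XM section, keyed by total key memory.
# Assumption: the license figure is a ceiling for one license, not for the whole key.
SIZE_LIMITS = {
    "8KB": {"feature": 256, "license": 1792},
    "64KB": {"feature": 2032, "license": 4080},
}

# (network, rtc, memory) -> model name, transcribed from the models table.
MODELS = {
    (False, False, "8KB"): "Sentinel S",
    (True, False, "8KB"): "Sentinel SN",
    (False, True, "8KB"): "Sentinel ST",
    (True, True, "8KB"): "Sentinel SNT",
    (False, False, "64KB"): "Sentinel X",
    (True, False, "64KB"): "Sentinel XN",
    (False, True, "64KB"): "Sentinel XT",
    (True, True, "64KB"): "Sentinel XNT",
}


@dataclass(frozen=True)
class Requirement:
    """Hypothetical description of what a deployment needs from one key."""
    concurrent_users: int        # 0 means a stand-alone key
    needs_rtc: bool              # True if a key with a real-time clock is wanted
    largest_feature_bytes: int   # largest Raw Data or String feature
    license_bytes: int           # size of the largest single license


@dataclass(frozen=True)
class Choice:
    model: str
    memory: str
    hard_limit: int
    user_limit: Optional[int]    # None when no user limit has to be programmed


def pick_memory(req: Requirement) -> str:
    """Return the smallest key memory whose feature and license ceilings fit."""
    for memory in ("8KB", "64KB"):
        limits = SIZE_LIMITS[memory]
        if (req.largest_feature_bytes <= limits["feature"]
                and req.license_bytes <= limits["license"]):
            return memory
    raise ValueError("feature or license exceeds the SHK XM ceilings (2032 / 4080 bytes)")


def pick_hard_limit(users: int) -> int:
    """Return 0 for stand-alone use, else the smallest hard limit covering the users."""
    if users == 0:
        return 0
    for limit in NETWORK_HARD_LIMITS:
        if users <= limit:
            return limit
    raise ValueError("one key cannot serve more than 250 concurrent users")


def choose_model(req: Requirement) -> Choice:
    """Map a requirement to a model name, hard limit and optional user limit."""
    if min(req.concurrent_users, req.largest_feature_bytes, req.license_bytes) < 0:
        raise ValueError("sizes and user counts must be non-negative")
    memory = pick_memory(req)
    hard_limit = pick_hard_limit(req.concurrent_users)
    network = hard_limit > 0
    # A user limit is only needed when the hard limit is larger than the seats sold.
    user_limit = None
    if network and req.concurrent_users < hard_limit:
        user_limit = req.concurrent_users
    model = MODELS[(network, req.needs_rtc, memory)]
    return Choice(model, memory, hard_limit, user_limit)


if __name__ == "__main__":
    # Constructed sample requirements.
    samples = (
        Requirement(0, False, 100, 1000),
        Requirement(7, True, 100, 1000),
        Requirement(25, False, 2032, 4080),
    )
    for sample in samples:
        print(sample, "->", choose_model(sample))
```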
<strong>Sentinel</strong> Dual <strong>Hardware</strong> <strong>Keys</strong><br />
Sentinel Dual Hardware Keys provide a migration platform for Sentinel UltraPro and Sentinel SuperPro developers and customers to the much-advanced Sentinel Hardware Keys. Sentinel Dual Hardware Keys are available in USB form factor in the following two flavors:<br />
Sentinel Dual Hardware Keys for UltraPro: Meant for Sentinel UltraPro-based developers and customers<br />
Sentinel Dual Hardware Keys for SuperPro: Meant for Sentinel SuperPro-based developers and customers<br />
Refer to “Migration from SuperPro and UltraPro” on page 279 for more details.<br />
<strong>Sentinel</strong> <strong>Keys</strong> Server<br />
The <strong>Sentinel</strong> <strong>Keys</strong> Server manages the licenses available with the <strong>Sentinel</strong><br />
<strong>Keys</strong> attached to a system.<br />
It maintains a database of the <strong>Sentinel</strong> <strong>Keys</strong> attached to a networked system<br />
and handles the availability, maintenance, sharing, and cancellation of<br />
licenses for its clients. It must be redistributed with your network applications.<br />
A few of its important characteristics are given below:<br />
The <strong>Sentinel</strong> <strong>Keys</strong> Server is available across platforms. For example,<br />
<strong>Sentinel</strong> <strong>Keys</strong> attached to a Windows system can be accessed by a<br />
protected application running on Linux and vice-versa.
<strong>Sentinel</strong> <strong>Keys</strong> Server provides an HTTP interface to view the <strong>Sentinel</strong><br />
Key(s) and license details via a Web browser, and to update server-side<br />
configuration file. It is known as the <strong>Sentinel</strong> <strong>Keys</strong> License Monitor.<br />
<strong>Sentinel</strong> <strong>Keys</strong> Server only manages the network keys attached to a<br />
system. It does not manage the stand-alone keys.<br />
Note: Administrator privileges are required for installing, starting, stopping, and<br />
restarting the <strong>Sentinel</strong> <strong>Keys</strong> Server.<br />
For Windows<br />
Supports the following platforms:<br />
Windows 2000 Professional<br />
Windows XP Professional (32-bit and 64-bit)<br />
Windows Server 2003 (32-bit and 64-bit)<br />
Windows Vista Ultimate (32-bit and 64-bit)<br />
Windows Server 2008 (32-bit and 64-bit)<br />
Windows Server 2008 R2 (64-bit)<br />
Windows 7 (32-bit and 64-bit)<br />
Supports TCP/IPv4 and TCP/IPv6 [1] protocols.<br />
Installed at the following path on a Windows 32-bit NT-based system:<br />
:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server.<br />
Installed at the following path on a Windows x64 system:<br />
\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server.<br />
It runs as a service on the Windows system.<br />
[1] Supported only on the same subnet. Please see Question 12 to view the list of operating systems on which SHK supports IPv6.<br />
For Linux (Daemon)<br />
Supports the following platforms:<br />
Red Hat Enterprise Linux ES/AS 4.7 and 5.4 (32-bit and x64)<br />
Red Hat Enterprise Linux WS 4.7 and 5.4 (32-bit and x64)<br />
Red Hat Enterprise Linux Desktop 4.7 and 5.4 (32-bit and x64)<br />
Fedora 9.0 (32-bit and x64), 10.0 (32-bit), and 11.0 (32-bit)<br />
Open Suse 11.1 (32-bit and x64)<br />
Suse Linux Enterprise Server 10.2 (32-bit and x64)<br />
Supports TCP/IPv4 and TCP/IPv6 [1] protocols.<br />
Installed at the following path on a Linux system: /opt/safenet_sentinel/common_files/sentinel_keys_server.<br />
For Macintosh<br />
Supports the following 32-bit and x64 platforms:<br />
Macintosh 10.3.9 (32-bit), 10.4.11 (32-bit), and 10.5.8 (32-bit) for PowerPC<br />
Macintosh 10.4.11 (32-bit), 10.5.8 (32-bit), and 10.6.1 (32-bit and x64) for Intel<br />
Supports TCP/IPv4 and TCP/IPv6 [1] protocols.<br />
Installed at the following path on a Macintosh system: /Applications/Safenet Sentinel/Common Files/Sentinel Keys Server.<br />
[1] Supported only on the same subnet. Please see Question 12 to view the list of operating systems on which IPv6 is supported.<br />
<strong>Sentinel</strong> System Driver<br />
The <strong>Sentinel</strong> System Driver is the device driver for communicating with the<br />
USB hardware keys listed below. It must also be redistributed with your protected<br />
applications:<br />
<strong>Sentinel</strong> <strong>Keys</strong><br />
<strong>Sentinel</strong> Dual <strong>Hardware</strong> <strong>Keys</strong><br />
Developer <strong>Keys</strong><br />
Distributor <strong>Keys</strong><br />
UltraPro <strong>Keys</strong><br />
SuperPro <strong>Keys</strong><br />
<strong>Sentinel</strong> Duo <strong>Keys</strong> (for SuperPro-protected applications on<br />
Macintosh)<br />
The platform-specific information is given below:<br />
For Windows<br />
Supports the following Windows platforms (Windows NT does not<br />
support USB):<br />
Windows 98 and ME (for only client-side support)<br />
Windows 2000 Professional<br />
Windows XP Professional (32-bit and 64-bit)<br />
Windows Server 2003 (32-bit and 64-bit)<br />
Windows Vista Ultimate (32-bit and 64-bit)<br />
Windows Server 2008 (32-bit and 64-bit)<br />
Windows Server 2008 R2 (64-bit)<br />
Windows 7 (32-bit and 64-bit)<br />
Microsoft Windows Hardware Quality Labs (WHQL) certified for Windows 2000, XP (32-bit and x64), Server 2003 (32-bit and x64), Vista (32-bit and x64), Server 2008 (32-bit and x64), Server 2008 R2 (x64), and Windows 7 (32-bit and x64).<br />
Installed at the following path on a Windows 32-bit NT-based system:<br />
:\Program Files\Common Files\SafeNet Sentinel\Sentinel System Driver.<br />
Installed at the following path on a Windows x64 system:<br />
\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel System Driver.<br />
For Linux (USB Daemon)<br />
Supports the following Linux platforms:<br />
Red Hat Enterprise Linux ES/AS 4.7 and 5.4 (32-bit and x64)<br />
Red Hat Enterprise Linux WS 4.7 and 5.4 (32-bit and x64)<br />
Red Hat Enterprise Linux Desktop 4.7 and 5.4 (32-bit and x64)<br />
Fedora 9.0 (32-bit and x64), 10.0 (32-bit), and 11.0 (32-bit)<br />
Open Suse 11.1 (32-bit and x64)<br />
Suse Linux Enterprise Server 10.2 (32-bit and x64)<br />
Installed at the following path on a Linux system: /opt/safenet_sentinel/common_files/sentinel_usb_daemon.<br />
For Macintosh (KEXT)<br />
Supports the following 32-bit and x64 Macintosh platforms:<br />
Macintosh 10.3.9 (32-bit), 10.4.11 (32-bit), and 10.5.8 (32-bit) for PowerPC<br />
Macintosh 10.4.11 (32-bit), 10.5.8 (32-bit), and 10.6.1 (32-bit and x64) for Intel<br />
Installed at the following path on a Macintosh system: /System/Library/Extensions.<br />
Backward-compatibility Information<br />
For Macintosh, if any of the following <strong>Sentinel</strong> products are already installed<br />
on your system, then the installation package will upgrade the existing <strong>Sentinel</strong><br />
System Driver (KEXT/Framework):<br />
<strong>Sentinel</strong> UltraPro SDK<br />
<strong>Sentinel</strong> SuperPro SDK<br />
<strong>Sentinel</strong> Protection Installer<br />
<strong>Sentinel</strong> <strong>Keys</strong> Toolkit<br />
The Toolkit is a Java application. It is used for preparing the application protection<br />
strategy and programming hardware keys for your customers and<br />
distributors. Here are some features of the Toolkit:<br />
About the Toolkit Screens<br />
This section introduces you to the various screens of the Toolkit and guides<br />
you on the tasks that can be performed in each screen. For more details, you<br />
can refer to the <strong>Sentinel</strong> <strong>Keys</strong> Toolkit Help.<br />
Quick CodeCover<br />
In the Quick CodeCover screen, you can protect an executable with popular<br />
licensing controls, like an expiration date, expiration time, and execution<br />
count.<br />
The CodeCover tab on the License Designer screen provides you with<br />
advanced options, like multi-file and data file protection, and so on.<br />
License Designer<br />
In the License Designer screen, you can design and build your application<br />
protection strategy—a license template consisting of CodeCover and API<br />
features. You can begin by creating a template using the License Designer<br />
wizard.<br />
For Windows, you may also associate the Secure Update Wizard here for<br />
remote activation.<br />
License Manager<br />
In the License Manager screen, you can package the licenses and program hardware keys. Groups are created to package the license (templates). Subsequently, these groups are used for programming Sentinel Keys and distributor keys. Using the Export - File Manager dialog of License Manager, you can export the .ISV, .DIS, .OPR, and .NLF files used for key programming and remote license additions. Using the License Manager screen, you can also create a Custom CodeCover Key and generate an update code for modifying the expiry date of a Custom CodeCover Key.<br />
Update Manager<br />
In the Update Manager screen, you can create update actions and generate<br />
update codes for remotely updating the hardware keys.<br />
API Explorer<br />
In the API Explorer screen, you can experiment with the Business Layer APIs before adding them to your source code. It also generates the usage code in popular programming languages for a platform.<br />
Key Status Panel<br />
The Key Status panel (on the left side of the Toolkit) displays the developer, distributor, and Sentinel hardware keys attached to the system. You can select the hardware key using the left and right arrow buttons. This panel can be used to view details of the attached hardware key, including the key type, developer ID, and serial number. For Sentinel Keys, the Key Status panel helps you identify the capability, which can be:<br />
RTC: Sentinel Key with real-time clock (RTC)<br />
NRTC: Sentinel Key with no real-time clock (RTC) support<br />
DUAL: Sentinel Dual Hardware key<br />
XM RTC: Sentinel Extended Memory (XM) Hardware Key with RTC support<br />
XM NRTC: Sentinel Extended Memory (XM) Hardware Key with no RTC support<br />
Note: For Distributor and Developer keys, the capability is displayed as NEU to<br />
indicate that the attached key is a Non End User key.<br />
The following figure shows how the Key Status panel appears for a developer key, a distributor key, and a non-RTC Sentinel Key.<br />
Figure: Key Status Panel<br />
Note: The Key Status panel behaves differently in the API Explorer screen, where it establishes contact with the Sentinel Key only when the SFNTGetLicense API function is successfully executed.<br />
Command-Line CodeCover Utility<br />
The Command-Line CodeCover Utility is meant for developers who want to incorporate the process of protecting files (applying the CodeCover layer) into their application build process. This allows them to protect files without having to use the Toolkit. The tool protects the files using the options specified in the license template file and programs the license into the Sentinel Key attached to the system. This tool also gives the developer an option to customize the source files and the destination path, using the CodeCover option XML file.<br />
You need to attach both the Developer Key and the Sentinel Key (of the same developer ID) to protect files and program keys using the Command-Line CodeCover Utility. However, if you are using the Custom CodeCover Key, the Developer Key and Sentinel Key are not required, because in that case the utility can be used only for applying the CodeCover protection and not for programming Sentinel Keys.<br />
For more information, refer to “CodeCover Protection Using the Command-Line Utility” on page 91.<br />
Key Programming APIs<br />
Key Programming APIs include the API functions used for:<br />
Programming the Sentinel Hardware Keys: Provides a Toolkit-independent programming environment wherein the license group files are exported by the developer and programmed into the memory of the Sentinel Keys using the Key Programming API functions. Refer to the section “Programming Sentinel Keys using the Key Programming APIs” on page 208.<br />
Creating Update Packets: The update packets are generated to:<br />
Enable creation of data buffers [1] (also termed update packets) that write new values over the existing features in the Sentinel Hardware Keys in the field, or<br />
Overwrite the values (provided at the license designing stage) by key programming the Sentinel Key, with .ISV/.DIS/.OPR file, before it is distributed to the end user.<br />
[1] Set of encrypted data.<br />
Note: The SFNTCreateUpdatePacket API function of the Key Programming library is used to generate the update codes. Refer to, page 149.<br />
The update packets enable you to update the end user token for the license feature(s) as follows:<br />
1. License/Feature Update:<br />
AES and ECC<br />
Activating, Deactivating, or Modifying Key<br />
Overwriting, Incrementing or Detaching Execution Count<br />
Setting new Expiration date, Detaching Lease<br />
Integer, String, Raw, Boolean<br />
Modifying value<br />
Changing Write Password<br />
Counter<br />
Overwriting and Incrementing the Counter value<br />
Set User Limit<br />
2. <strong>Sentinel</strong> Key Update<br />
Set Device Date<br />
Set Cheat Counter<br />
Note: Please refer to the Key Programming API Help, for more information.<br />
Compiler Interfaces<br />
For implementing the API-based protection, the following language/compiler<br />
interfaces are provided:<br />
For Windows [a]<br />
Compiler/Environment | Version | Type (Static (MT), Static (MD), Dynamic)<br />
AutoCAD (ARX) | 14, 2000, 2004, and 2007 [b] |<br />
Borland C | 5.5 |<br />
Borland C++ Builder | 5.0 and 6.0 |<br />
Borland Delphi | 5.0 and 6.0 |<br />
COM object (Microsoft Visual C) | 6.0 |<br />
Microsoft Visual BASIC | 6.0 |<br />
Microsoft C# .NET | 2002, 2003, 2005 [c], 2008 [c], and 2010 [c] |<br />
Microsoft VB .NET | 2002, 2003, 2005 [c], 2008 [c], and 2010 [c] |<br />
Microsoft Visual C++ | 6.0, 7.0, 8.0, 9.0, and 10.0 |<br />
Java Native interface (J2SE SDK) | 1.5 and 1.6 |<br />
Fortran Intel Visual | 9.0 [b] |<br />
Foxpro Microsoft Visual | 9.0 [b] |<br />
Windev Pc Soft | 11.0 [b] |<br />
Macromedia Flash | 8.0 [b] |<br />
Power Builder | 10.0 [b] |<br />
[a] The Windows x64 libraries are provided for Microsoft VC, .NET C#, VB .NET, and COM only.<br />
[b] The ReadMe files for these compiler interfaces are provided at the location, \Compiler Interfaces\Other Interfaces\.<br />
[c] For Windows x64 platforms, versions 2005, 2008, and 2010 are supported.<br />
For Linux<br />
Compiler/Environment | Version | Type (Static, Dynamic)<br />
GCC [a] | 4.0.2 |<br />
Java Native interface (J2SE SDK) [a] | 1.5 and 1.6 |<br />
[a] Also supported on Linux x64 platform.<br />
For Macintosh<br />
Compiler/Environment | Version | Type (Static, Shared, Framework)<br />
Code Warrior [a] | 10.0 |<br />
GCC [b] | 4.2 |<br />
REALbasic [a] | 2007, 2008, and 2009 |<br />
Java Native interface (J2SE SDK) [c] | 1.5 and above |<br />
Xcode [b] | 2.x on Mac 10.4.11; 3.x on Mac 10.5.8 and 10.6.1 |<br />
[a] Available only on Macintosh PowerPC.<br />
[b] Also supported on x64 platform.<br />
[c] Also supported on Macintosh Intel x64 platform.<br />
For Carbon, the supported versions are: 10.3.9, 10.4.11, and 10.5.8<br />
License Manager (Stand-alone)<br />
A Java application that your distributor can use for programming <strong>Sentinel</strong><br />
<strong>Keys</strong> for customers. You also need to provide a license group file (.lgx) and<br />
the associated distributor key. A license group is a package of licenses that<br />
you want to program in the <strong>Sentinel</strong> Key for your customers.<br />
Tip: The License Manager application resembles the License Manager screen of<br />
the Toolkit. However, the functionality is limited to programming <strong>Sentinel</strong><br />
<strong>Keys</strong>. The License Manager Help included with the application describes the<br />
steps for using it.<br />
<strong>Sentinel</strong> <strong>Keys</strong> License Monitor<br />
<strong>Sentinel</strong> <strong>Keys</strong> License Monitor is a Web-based management tool that provides<br />
a user-friendly interface to <strong>Sentinel</strong> <strong>Keys</strong> Server. It is used for the<br />
following:<br />
To view details of the <strong>Sentinel</strong> <strong>Keys</strong> and clients accessing them. It is a<br />
convenient way to view and track license activity and analyze<br />
application usage. For example, your customer could use it to<br />
determine whether or not enough licenses were purchased, based on<br />
license demand.<br />
To cancel the licenses issued to clients from a <strong>Sentinel</strong> Key. For details<br />
on canceling a license, please refer to the <strong>Sentinel</strong> <strong>Keys</strong> System<br />
Administrator Help.<br />
To view and configure the start-up settings for the <strong>Sentinel</strong> <strong>Keys</strong><br />
Server, which are stored in the server-side configuration file<br />
(sntlconfigsrvr.xml).<br />
<strong>Sentinel</strong> <strong>Keys</strong> License Monitor provides critical information related to <strong>Sentinel</strong><br />
<strong>Keys</strong> Server, such as number of keys attached and licenses in use. Hence<br />
its access is restricted to only a specific set of users in a network. Only an<br />
authorized set of users, defined in the sntlconfigsrvr.xml, can access <strong>Sentinel</strong><br />
<strong>Keys</strong> License Monitor.<br />
Following is the information displayed on the various pages of <strong>Sentinel</strong> <strong>Keys</strong><br />
License Monitor:<br />
Welcome Page<br />
The Welcome page provides an overview of the enhancements and new<br />
features in the current release of <strong>Sentinel</strong> <strong>Keys</strong> License Monitor. It also displays<br />
answers to some frequently asked questions for a better<br />
understanding of the enhancements.<br />
<strong>Keys</strong> Information Page<br />
The <strong>Keys</strong> Information page provides details about the network keys connected<br />
to the <strong>Sentinel</strong> <strong>Keys</strong> Server. These details (as displayed on different<br />
pages) include:<br />
Main Page<br />
<strong>Sentinel</strong> <strong>Keys</strong> Server host's IP address<br />
Number of <strong>Sentinel</strong> <strong>Keys</strong> attached to the system<br />
Serial Number<br />
Hard Limit<br />
Total number of licenses in use (sum of licenses issued from the<br />
<strong>Sentinel</strong> Key)<br />
License Information Page (clicking <strong>Keys</strong># will display this<br />
page)<br />
License # (a list of licenses/templates programmed into the<br />
<strong>Sentinel</strong> Key)<br />
License ID<br />
User limit<br />
Number of licenses in use<br />
Client Information Page (clicking License# will display this<br />
page)<br />
Option to cancel licenses (if enabled)<br />
(Client) System name<br />
User name<br />
Client login time<br />
Client process ID<br />
Configuration Page<br />
The Configuration page lets you view and edit the <strong>Sentinel</strong> <strong>Keys</strong> Server configuration<br />
settings, which are specified in the server-side configuration file. You<br />
can edit the following fields:<br />
Error log: Specifies the name (not the path) of the log file, which is<br />
used to record errors related to network/client-server<br />
configuration.<br />
Response log: Specifies the name (not the path) of the log file,<br />
which is used to record the transaction log for <strong>Sentinel</strong> <strong>Keys</strong><br />
Server. It records information related to the <strong>Sentinel</strong> <strong>Keys</strong> Server<br />
startup, shut-down, clients accessing the network keys and<br />
licenses in-use. The specified file is created at the location where<br />
the <strong>Sentinel</strong> <strong>Keys</strong> Server is installed.<br />
SKLM Port: Sets the <strong>Sentinel</strong> <strong>Keys</strong> License Monitor HTTP port.<br />
The default port is 7002. It can be set to a value between 1024 and<br />
65535. Setting the value to 0 disables the SKLM port.<br />
Server Port: Sets the <strong>Sentinel</strong> <strong>Keys</strong> Server socket port. The default<br />
port is 7001. It can be set to a value between 1024 and 65535.<br />
Make sure that the port specified is not in use, and that the same value<br />
is specified in the client-side configuration file. Setting the value to<br />
0 disables the Server port.<br />
Protocol(s): Sets the network protocol for the client-server<br />
communication. The supported protocols are SP_TCP_PROTOCOL<br />
(for TCP/IPv4) and SP_TCP6_PROTOCOL (for TCP/IPv6 1 ).<br />
Authorized user list: Specifies the IPv4 addresses of the remote<br />
clients that are allowed to access <strong>Sentinel</strong> <strong>Keys</strong> License Monitor.<br />
Only a valid IPv4 address can be entered (NOT computer name,<br />
MAC address, or IPv6 address). The maximum number of IP<br />
addresses allowed is 32. By default, the loopback address is<br />
displayed in this field.<br />
1. Supported only on the same subnet. Please see Question n to view the list of operating systems<br />
on which SHK supports IPv6.
To save the settings specified on the Configuration page in the server-side<br />
configuration file, click Update. The <strong>Sentinel</strong> <strong>Keys</strong> Server will use these settings<br />
on next restart.<br />
Note: If multiple users concurrently update the server-side configuration file<br />
(directly or by using <strong>Sentinel</strong> <strong>Keys</strong> License Monitor), the file reflects only<br />
the last saved changes (the changes done by the user who is the last one to<br />
click Update).<br />
Please refer to the <strong>Sentinel</strong> <strong>Keys</strong> System Administrator Help for more information<br />
on <strong>Sentinel</strong> <strong>Keys</strong> License Monitor.<br />
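The limits stated for the Configuration page fields, checked in code as an added example (not SafeNet's code). The dictionary keys are hypothetical names for the documented fields, not the element names used in sntlconfigsrvr.xml, and the sample settings are constructed.

```python
"""Audit server settings against the limits stated for the Configuration page.

Assumption: the dictionary keys are hypothetical names for the documented
fields; they are not the element names used in sntlconfigsrvr.xml.
"""
import ipaddress

SUPPORTED_PROTOCOLS = {"SP_TCP_PROTOCOL", "SP_TCP6_PROTOCOL"}  # from the guide
MAX_AUTHORIZED_ADDRESSES = 32                                  # from the guide


def check_port(field, value):
    """A port is valid when it is 0 (disabled) or within 1024-65535."""
    if isinstance(value, bool) or not isinstance(value, int):
        return [f"ERROR {field}: {value!r} is not an integer"]
    if value == 0:
        return [f"INFO {field}: set to 0, port disabled"]
    if not 1024 <= value <= 65535:
        return [f"ERROR {field}: {value} is outside 1024-65535"]
    return []


def check_log_name(field, name):
    """The log fields take a file name, not a path."""
    if not name or "/" in name or "\\" in name:
        return [f"ERROR {field}: {name!r} must be a file name, not a path"]
    return []


def check_authorized_list(entries):
    """Only IPv4 addresses are accepted, at most 32 of them."""
    findings = []
    if len(entries) > MAX_AUTHORIZED_ADDRESSES:
        findings.append(
            f"ERROR authorized_users: {len(entries)} entries, maximum is "
            f"{MAX_AUTHORIZED_ADDRESSES}")
    for entry in entries:
        try:
            address = ipaddress.IPv4Address(entry)
        except ValueError:  # host name, MAC address, IPv6 address, typo
            findings.append(
                f"ERROR authorized_users: {entry!r} is not an IPv4 address")
            continue
        if not address.is_loopback:
            # Every remote entry can use License Monitor, so list it for review.
            findings.append(
                f"REVIEW authorized_users: {address} can reach License Monitor "
                "(view usage, cancel licenses if enabled, edit these settings)")
    return findings


def audit(settings):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    findings += check_log_name("error_log", settings["error_log"])
    findings += check_log_name("response_log", settings["response_log"])
    findings += check_port("sklm_port", settings["sklm_port"])
    findings += check_port("server_port", settings["server_port"])
    if settings["sklm_port"] == settings["server_port"] != 0:
        findings.append("ERROR ports: sklm_port and server_port are identical")
    for protocol in settings["protocols"]:
        if protocol not in SUPPORTED_PROTOCOLS:
            findings.append(f"ERROR protocols: {protocol!r} is not supported")
    findings += check_authorized_list(settings["authorized_users"])
    return findings


# Constructed sample: documented default ports, loopback-only access.
DEFAULT_LIKE = {
    "error_log": "sntl_error.log",        # constructed file name
    "response_log": "sntl_response.log",  # constructed file name
    "sklm_port": 7002,
    "server_port": 7001,
    "protocols": ["SP_TCP_PROTOCOL"],
    "authorized_users": ["127.0.0.1"],
}

# Constructed sample with several mistakes an administrator might make.
RISKY = {
    "error_log": "C:\\logs\\err.log",     # a path, not a name
    "response_log": "response.log",
    "sklm_port": 80,                      # below 1024
    "server_port": 7001,
    "protocols": ["SP_TCP_PROTOCOL", "UDP"],
    "authorized_users": ["127.0.0.1", "192.168.10.25", "admin-pc", "fe80::1"],
}

if __name__ == "__main__":
    for label, settings in (("default-like", DEFAULT_LIKE), ("risky", RISKY)):
        print(label)
        for finding in audit(settings) or ["no findings"]:
            print("  " + finding)
```

Because the server reads the file only on restart, running such a check before the restart catches a bad value while the previous settings are still in effect.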
<strong>Sentinel</strong> Protection Installer<br />
The <strong>Sentinel</strong> Protection Installer is an integrated installer of the <strong>Sentinel</strong><br />
System Driver, <strong>Sentinel</strong> Protection Server, and <strong>Sentinel</strong> <strong>Keys</strong> Server. These<br />
components are required by the customers using your protected<br />
applications.<br />
Note: No additional steps are needed to deploy <strong>Sentinel</strong> <strong>Keys</strong> License Monitor,<br />
unless you are customizing its .class files. Refer to the Customizing <strong>Sentinel</strong><br />
<strong>Keys</strong> License Monitor - ReadMe for details on customization.<br />
Using <strong>Sentinel</strong> Protection Installer, the deployment of redistributables<br />
becomes rather simple. It offers you the following two choices:<br />
You can directly ship the <strong>Sentinel</strong> Protection Installer to your<br />
customers. They can run the installer to install <strong>Sentinel</strong> System<br />
Driver and/or <strong>Sentinel</strong> <strong>Keys</strong> Server without any assistance. A copy of<br />
this installer is also available at our Technical Support Web site<br />
(www.safenet-inc.com/support/tech/sentinel.asp).<br />
If desired, you can integrate the <strong>Sentinel</strong> System Driver and <strong>Sentinel</strong><br />
<strong>Keys</strong> Server along with your application’s installer.<br />
For more details on redistributables, see Chapter 10, “Redistributables for<br />
<strong>Customer</strong>s and Distributors,” on page 223.<br />
Configuration Files<br />
<strong>Sentinel</strong> <strong>Keys</strong> SDK provides you the following configuration files:<br />
Client-side Configuration File (sntlconfig.xml)<br />
Using this file, the protected application users can set these<br />
parameters: the network protocol, <strong>Sentinel</strong> <strong>Keys</strong> Server host,<br />
heartbeat interval for maintaining license time, and <strong>Sentinel</strong> <strong>Keys</strong><br />
Server socket port. See the section “About Client-side Configuration<br />
File” on page 66 for details.<br />
Server-side Configuration File (sntlconfigsrvr.xml)<br />
Using this file, the system administrator (root user) on the customer<br />
site can set the start-up parameters for <strong>Sentinel</strong> <strong>Keys</strong> Server. These<br />
parameters include: the network protocol for client-server<br />
communication, <strong>Sentinel</strong> <strong>Keys</strong> License Monitor HTTP port, <strong>Sentinel</strong><br />
<strong>Keys</strong> Server socket port, logging details, and allowed users of <strong>Sentinel</strong><br />
<strong>Keys</strong> License Monitor. The information stored in this file can be<br />
updated by a remote network user using <strong>Sentinel</strong> <strong>Keys</strong> License<br />
Monitor. The server-side configuration file is located at the following<br />
path:<br />
On Windows: :\Program Files\Common Files\SafeNet<br />
<strong>Sentinel</strong>\<strong>Sentinel</strong> <strong>Keys</strong> Server\sntlconfigsrvr.xml.<br />
On Linux: /opt/safenet_sentinel/common_files/sentinel_keys_server/<br />
Sntlconfigsrvr.xml.<br />
On Macintosh: /Applications/Safenet <strong>Sentinel</strong>/Common Files/<strong>Sentinel</strong><br />
<strong>Keys</strong> Server/Sntlconfigsrvr.xml.<br />
Remote Update Options<br />
You can provide the following options to your customers for updating hardware<br />
keys in the field:<br />
Secure Update Utility<br />
Secure Update Wizard (for Windows only)
Secure Update API<br />
Your distributors can use the Secure Update Utility for easily updating the<br />
distributor keys.<br />
Refer to Chapter 6, “Secure Remote Updates,” on page 137 for details.<br />
Frequently Asked Questions<br />
Question 1: Can a stand-alone key be used by a single user in the<br />
network?<br />
No. A stand-alone key provides licenses to the users on the system where it<br />
is attached (local workstation).<br />
Its licenses are neither managed by the <strong>Sentinel</strong> <strong>Keys</strong> Server, nor monitored<br />
by the <strong>Sentinel</strong> <strong>Keys</strong> License Monitor.<br />
Question 2: How can I install and run the Toolkit?<br />
For details on installation, please refer to the Release Notes available in the<br />
Manuals directory.<br />
Question 3: I received some hardware keys with the SDK. How do I<br />
order additional hardware keys?<br />
The <strong>Sentinel</strong> <strong>Keys</strong> SDK has the following three hardware keys:<br />
Developer Key<br />
This is required by the developer who uses the <strong>Sentinel</strong> <strong>Keys</strong> Toolkit.<br />
You require ONLY ONE developer key. If you happen to lose it, contact<br />
your SafeNet Sales representative for replacement.<br />
<strong>Sentinel</strong> Key<br />
This will be programmed for your customers—without which they<br />
will not be able to run your protected applications. To order additional<br />
<strong>Sentinel</strong> <strong>Keys</strong>, you should contact the SafeNet Sales representative.<br />
They can guide you further on which <strong>Sentinel</strong> Key suits your<br />
requirements best. In general, you should be aware of the<br />
following:<br />
Do you want stand-alone keys or network keys?<br />
If you want network keys, what is the hard limit you want?<br />
Distributor Key<br />
This will be programmed for your sales distributors, so you can<br />
control the number of licenses they program into the <strong>Sentinel</strong> <strong>Keys</strong>.<br />
To order additional distributor keys, you should contact the SafeNet<br />
Sales representative.<br />
Question 4: I have installed <strong>Sentinel</strong> <strong>Hardware</strong> <strong>Keys</strong> on Linux/Macintosh,<br />
but I do not see the Toolkit in the installed components. Is it<br />
supported on Linux/Macintosh?<br />
No, the Toolkit is not available on Linux/Macintosh. <strong>Sentinel</strong> <strong>Hardware</strong><br />
<strong>Keys</strong> (version 1.2.1 and higher) enable the developer to generate header files<br />
for protecting applications on Linux/Macintosh from Windows Toolkit.<br />
Developers need to transfer the header files generated with Windows Toolkit<br />
manually to the Linux/Macintosh platform. Refer to the release notes for a<br />
detailed list of installed components on all supported platforms.<br />
Question 5: How can I identify if my developer key supports password<br />
protection capability?<br />
In <strong>Sentinel</strong> <strong>Keys</strong> Toolkit, look for the Configure Password option on the<br />
Options menu. This option is enabled for ONLY those developer keys that<br />
support password protection capability.<br />
Question 6: I forgot my developer key’s password. How can I get a<br />
new password or disable the authentication?<br />
If you have forgotten your developer key’s password, then contact your<br />
SafeNet Sales representative for a new developer key.<br />
You can still explore the Toolkit interface by selecting the Skip this ISV<br />
token check box when prompted for password. But, the key-dependent<br />
operations will not be allowed till the correct password is entered. Please see<br />
Question 11 to view the list of these key-dependent operations.<br />
Question 7: How can I set a password for my developer key?<br />
1. Open the <strong>Sentinel</strong> <strong>Keys</strong> Toolkit, and click Options -> Configure<br />
Password -> Enable Password. (The Configure Password option<br />
is enabled for only those developer keys that support password
authentication.)<br />
2. Enter the password in the New Password and Confirm Password<br />
fields. The password can contain 8 to 16 alphanumeric characters.<br />
3. Click OK.<br />
Note: After the password is successfully set, the Enable Password option is disabled.<br />
The option becomes available again only if you disable the authentication.<br />
Now, the Toolkit will prompt you to enter the password as soon as you plug in<br />
the developer key. Only after specifying the correct password can you<br />
access the complete functions of the Toolkit. However, if you choose to skip the<br />
password, you are not allowed to perform key-dependent functions (refer to<br />
Question 11). On skipping the password, the Toolkit does not prompt for the password<br />
for that particular Toolkit session.<br />
Question 8: Can I enable my developer’s key password again once I<br />
have disabled it?<br />
Yes. The steps to enable the password are similar to the steps of setting a<br />
password, as explained in Question 7 above.<br />
Question 9: How to change the password of my developer key?<br />
1. Open the <strong>Sentinel</strong> <strong>Keys</strong> Toolkit, and click Options -> Configure<br />
Password -> Disable/Change Password.<br />
2. Select the Change Password check box.<br />
3. Enter your old password in the Password field.<br />
4. Enter the new password in the New Password and Confirm Password<br />
fields. The password can contain 8 to 16 alphanumeric characters.<br />
5. Click OK.<br />
Question 10: I configured a password for my developer key. But I<br />
no longer want to use it. How can I disable it?<br />
1. Open the <strong>Sentinel</strong> <strong>Keys</strong> Toolkit, and click Options -> Configure<br />
Password -> Disable/Change Password.<br />
2. Enter the developer key’s password in the Password field, and click<br />
OK.<br />
Question 11: Which operations are not permitted in Toolkit when<br />
password authentication for the developer key is skipped?<br />
You cannot perform the following key-dependent operations until you enter<br />
the correct password for the developer key:<br />
Building the protection strategy<br />
Programming hardware keys<br />
Creating a WPS file<br />
Generating *ISV, *.DIS, *.OPR, and *.NLF files<br />
Generating update codes<br />
Question 12: What is the minimum operating system support<br />
required for using IPv6?<br />
The IPv6 support has been provided only for the same subnet. The following<br />
table lists the minimum operating system support required for using IPv6 in<br />
SHK.<br />
IPv6 supported Operating Systems<br />
Operating System: Supported Versions<br />
Windows: Windows XP Professional; Windows Server 2003; Windows Vista - Ultimate; Windows Server 2008; Windows Server 2008 R2; Windows 7<br />
Linux: Red Hat Enterprise Linux ES/AS 4.7 and 5.4; Red Hat Enterprise Linux WS 4.7 and 5.4; Red Hat Enterprise Linux Desktop 4.7 and 5.4; Fedora 9.0, 10.0, and 11.0; Open Suse 11.1; Suse Linux Enterprise Server 10.2<br />
Macintosh: Macintosh 10.5.8 (for PowerPC and Intel) and 10.6.1 (for Intel)<br />
Chapter 3<br />
Planning Application Protection and Licensing Strategy<br />
The first part of this chapter introduces you to the concepts used for planning<br />
the application protection and licensing strategy. The latter part<br />
breaks down the various tasks involved in planning application protection.<br />
About Features, Templates, and Groups<br />
This section explains the concepts of features, license templates, and groups<br />
as used in the <strong>Sentinel</strong> <strong>Hardware</strong> <strong>Keys</strong> Toolkit and other components.<br />
Features<br />
A feature is the most basic unit of an application protection strategy. The<br />
Toolkit assigns a feature ID to every feature created in a license template.<br />
Described below are the features you can create in the Toolkit:<br />
CodeCover Feature<br />
When you use a CodeCover feature, protective wrappers are put<br />
around your application (.exe, .dll, or .bpl) that guard it from<br />
unauthorized access. Refer to the section on page 55 for more details.<br />
API Features<br />
When you use API features to protect your applications, you need to<br />
add the Business Layer API functions into your application code. You<br />
can create the following API features in the Toolkit:<br />
AES - A 128-bit AES algorithm-based feature that allows you to:<br />
Encrypt data<br />
Decrypt data<br />
Use the query-response protection 1<br />
Specify licensing controls (such as expiration date, expiration<br />
time, and an execution count).<br />
ECC - An ECC algorithm-based feature that allows you to:<br />
Digitally sign content<br />
Verify signed content<br />
Specify licensing controls (such as expiration date, expiration<br />
time, and an execution count).<br />
String - A data feature that can contain up to 2032 2 ASCII<br />
printable characters.<br />
Raw Data - A data feature that can contain 2032 2 bytes of any<br />
developer-defined data type, including printable/non-printable<br />
characters and hexadecimal numbers. For example, _4ÒJë¿:"A"g-<br />
Ƶþ_n°_Ç&´_Â).<br />
Integers - A data feature that can contain any of the following<br />
integers: 8-bit (0 to 255), 16-bit (0 to 65,535), or 32-bit (0 to<br />
4,294,967,295).<br />
1. To understand the query-response protection, please see “Implement Query-Response Protection”<br />
on page 172.<br />
2.The maximum length is 2032 bytes for SHK XM keys; and 888 bytes for non-XM keys.
Boolean - A data feature that can contain a true or false value.<br />
Counter - A data feature that can contain a count-down value<br />
between 0 and 4,294,967,295.<br />
(License) Template<br />
A license template is a container of features that define your application protection<br />
strategy. The Toolkit assigns a unique license ID to every license<br />
template created/duplicated, so that multiple licenses can be programmed<br />
in a <strong>Sentinel</strong> Key.<br />
Note: The license templates are created in the License Designer screen using<br />
the License Designer Wizard. Refer to the <strong>Sentinel</strong> <strong>Keys</strong> Toolkit Help for<br />
complete details.<br />
A license template is typically created to secure a single application. Each<br />
template can have multiple features to control the distinct application functionality,<br />
such as the compile, save, and print operations.<br />
For example, AppSoft Corp wants to protect its three applications: WordEditor<br />
App, Database App, and Drawing App. It creates three license templates,<br />
one to protect each application. Each license template has multiple features that<br />
control the independent functionality of the application; for example, the Counter<br />
feature can control the number of times the File Save option can be run.<br />
Group<br />
A group 3 is a package of licenses (templates) that you want to program in<br />
the <strong>Sentinel</strong> Key for your customers. These groups can be created to meet<br />
the packaging and licensing requirements.<br />
Note: The license groups are created in the License Manager screen. More<br />
information on license grouping is provided in “License Grouping” on<br />
page 187.<br />
3. The distributor keys are also programmed with a group.<br />
Relating Features, Templates, and Groups<br />
About CodeCover Protection (For Windows Only)<br />
In CodeCover, protective wrappers are put around your application that<br />
guard it from unauthorized access. CodeCover encrypts your original application<br />
and denies access unless the correct <strong>Sentinel</strong> Key is present<br />
at all times and all the licensing conditions are met.<br />
CodeCover has a multi-layer architecture. Each layer decrypts the next<br />
layer only if it has itself executed successfully. Multiple layers provide<br />
extra protection to your application, similar to what multiple locks provide<br />
to your door. Breaking them requires additional resources, time, and skill,<br />
which could potentially deter hacking attacks. Further, due to the random<br />
pattern of the layers, no two CodeCover implementations are the same.<br />
CodeCover Protection in Action<br />
CodeCover also provides the following security options that you can choose<br />
while adding a CodeCover feature (steps are provided in Chapter 4, “Protecting<br />
Applications Using CodeCover,” on page 75):<br />
Multi-layered Protection<br />
The CodeCover provides multi-layered protection. Since the joint<br />
between an application and the CodeCover layers is vulnerable to<br />
attacks, you can choose the number of layers the CodeCover uses to<br />
protect your application, from level 1 to 5. Level 1 provides reasonable<br />
protection and level 5 provides the most protection. However, with<br />
each level of protection added, the size of the application and the time<br />
it takes to start up also increase. By default, level 3 multi-layering is<br />
used.<br />
Anti-debugging Protection<br />
The CodeCover is capable of detecting debuggers, like SoftICE and<br />
OllyDbg. It can also provide reasonable protection against breakpoints<br />
targeted at important functions. You can choose to deny<br />
application execution in the presence of debuggers. An error message<br />
is displayed when the protected application is executed from a<br />
debugger to indicate that the application cannot run. Also, if a<br />
debugger is attached to the running application, the application<br />
terminates silently within two minutes.<br />
Anti-reverse Engineering Protection<br />
Using CodeCover SDK macros, you can add an additional level of security<br />
to your application. CodeCover SDK provides run-time protection to<br />
your business logic. You can protect important parts of your<br />
application (strings, constants, and code fragments) for the various<br />
compiler interfaces available, such as Visual C, Visual BASIC, and<br />
Delphi.<br />
Using CodeCover SDK macros, you can either obfuscate or encrypt<br />
your important data. The code fragments obfuscated with Code Morphing<br />
are difficult to understand in disassemblers and during runtime<br />
analysis. You can use Crypt macros to encrypt important code<br />
fragments, constants, and strings. The encrypted code fragments are<br />
decrypted only when executed and are encrypted back after their execution<br />
is complete. The constants and strings are decrypted in a temporary<br />
memory area which is cleared after the usage is complete.<br />
Refer to the ReadMe available at the \<strong>Sentinel</strong> <strong>Keys</strong> Toolkit\Shell<br />
SDK\Help\English folder for details.
Note: For 32-bit, Code Morphing is supported for Visual C++ compilers and runtime<br />
encryption is supported for Visual C++, Visual BASIC, and Delphi compilers.<br />
For 64-bit, run-time encryption is supported only for Visual C++ applications.<br />
Also, you can implement CodeCover SDK in the unmanaged part of<br />
mixed-mode .NET applications.<br />
Anti-dumping Protection<br />
CodeCover provides protection against a memory dump of the<br />
protected application. You need to select the Hide import symbols<br />
check box (under the Security tab of Add/Edit CodeCover Feature<br />
dialog box) to enable this added protection.<br />
Anti-disassembling Protection<br />
A CodeCover-protected application is difficult to disassemble due to<br />
the use of expert techniques, like Maze technology and dummy<br />
macros.<br />
Enhanced security for .NET applications<br />
.NET Enhancements feature provides enhanced security to pure .NET<br />
applications (executables and DLLs).<br />
Support for Terminal Client<br />
Using the support for Terminal Client you can protect your<br />
applications in a terminal service environment. It is similar to using<br />
Windows Remote Desktop.<br />
Data File Protection<br />
Using CodeCover, you can encrypt your important data files that are<br />
used by the protected application at run-time. The encrypted data<br />
files cannot be accessed from other applications. You can also choose<br />
to use the standard AES algorithm for encrypting the data files. However,<br />
AES encryption should not be used to protect data files if the<br />
application executes on Windows 9x as well.<br />
Note: Data file protection is not supported with 32-bit and 64-bit .NET DLLs.<br />
When to Use CodeCover?<br />
The CodeCover is a popular method of protecting Windows executables,<br />
DLLs, and BPLs because:<br />
It is extremely easy to implement. People with no programming<br />
experience can use it without any hassles.<br />
It does not require source code of your application.<br />
It uses the 128-bit AES algorithm for protection.<br />
It allows implementing the most-popular licensing models in just a<br />
few clicks.<br />
It helps implement anti-debugging and anti-reverse engineering<br />
protection, and other security features that are not available with API<br />
protection.<br />
About API Protection<br />
When you use API features to protect your applications, you need to add the<br />
Business Layer API into your application code.<br />
The Business Layer API functions are the <strong>Sentinel</strong> <strong>Keys</strong> API functions used for communication<br />
between your application and the <strong>Sentinel</strong> Key. These API<br />
functions can be used for verifying the <strong>Sentinel</strong> Key's presence by obtaining<br />
a license, reading/writing data on its memory, encrypting/decrypting data,<br />
signing/verifying data, sending queries and evaluating responses, and so on.<br />
These API functions provide a high-level interaction with the <strong>Sentinel</strong> Key<br />
and drastically reduce the efforts involved in implementing several popular<br />
license models, like demo and leases.<br />
Note: For platforms other than Windows, CodeCover is not available.<br />
Using the Business Layer API functions, you can control the amount, frequency,<br />
and location of the software locks within your application. If an<br />
unexpected response is received, the action taken is left up to you.
The more locks you add to your application, the more difficult it will be for<br />
hackers to break your application’s protection.<br />
When to Use API Features?<br />
Compared to CodeCover, this method of protection is most commonly used<br />
when:<br />
You have access to the source code of the application.<br />
You want to have control over the protection techniques used to<br />
secure your application. For example, you can control the amount,<br />
frequency, and location of the software locks (see footnote 4) within your application,<br />
and the action taken if an unexpected response is received is left up to<br />
you. Generally, the more locks you add to your application, the more<br />
difficult it will be for hackers to break your application’s protection.<br />
You have a little more time available to implement and test your<br />
application protection. Typically, API protection takes longer than<br />
CodeCover because, to implement API protection, you must<br />
understand the various functions and manually add them to your<br />
code.<br />
You want to take advantage of the state-of-the-art protection<br />
techniques possible with <strong>Sentinel</strong> <strong>Keys</strong>, such as AES-based encryption/decryption<br />
and ECC-based signing/verification, in addition to the usual<br />
data reading and writing methods. Using the API protection, you can<br />
implement the protection, both basic and advanced, that works best for<br />
your application.<br />
Footnote 4: A software lock is a decision point in your protected application. The purpose of a software<br />
lock is to verify the presence of the correct <strong>Sentinel</strong> Key. For example, an application<br />
might verify the validity of the signed data or send query data to the <strong>Sentinel</strong> Key<br />
and require a specific response in order to continue execution. Other software locks<br />
may simply read the data and compare it to a known value.<br />
Creating Features, Templates, and Groups<br />
You must create a license template in the License Designer screen to add<br />
features to it. Use the License Designer Wizard to create a license template.<br />
The <strong>Sentinel</strong> <strong>Keys</strong> Toolkit Help provides detailed steps on adding and managing<br />
features, templates, and groups.<br />
License Designer Wizard<br />
Chapter 4, “Protecting Applications Using CodeCover,” on page 75 contains<br />
steps for adding a CodeCover feature.<br />
Chapter 5, “Protecting Applications Using API,” on page 109 contains steps<br />
for adding API features.<br />
Chapter 8, “License Grouping,” on page 187 contains steps for creating license<br />
groups.<br />
Planning Application Protection and Licensing Strategy<br />
To design the application protection strategy, you need to consider several<br />
factors involving licensing and security. This section discusses a few of<br />
them:<br />
How would you like to protect your applications—using<br />
CodeCover or API features (Business Layer API<br />
functions)?<br />
The choice of protection method depends on various factors,<br />
such as the time available, access to the source code, which platform(s) you are<br />
supporting, and so on. We recommend that you understand both methods<br />
using the information provided on page 55 and page 58.<br />
How many different license templates do you need?<br />
This is typically dependent on the number of applications you want to protect.<br />
Each license template has a license ID that will distinctly identify it<br />
when multiple applications are protected using one <strong>Sentinel</strong> Key. You can<br />
create a group of the license templates to be programmed into a <strong>Sentinel</strong><br />
Key.<br />
Which API features will you use?<br />
There are seven API features provided in the Toolkit, including AES and<br />
ECC. In general, you must include at least one AES feature to implement the<br />
query-response protection (see page 172). Other factors that help you in<br />
choosing appropriate features are:<br />
Estimate the number of independent features that need to be<br />
controlled/licensed.<br />
Decide your licensing policy, such as whether you want to provide<br />
perpetual licenses or demo or try-and-buy licenses. You can create<br />
time-limited or executions-limited demos. These can be combined<br />
with a suitable remote activation method to provide try-and-buy<br />
licenses.<br />
Identify the data that needs to be digitally signed/verified and<br />
encrypted/decrypted. Depending on this, you will add one or more<br />
AES and ECC features.<br />
Identify the critical data that needs to be protected, such as the user<br />
registration number. Using data type features (String, Boolean, Raw<br />
Data, and Integers), you can store a variety of data in the <strong>Sentinel</strong> Key<br />
memory.<br />
Note: While creating the license groups you can modify the licensing settings,<br />
such as the expiration date, time, or execution count. This will NOT affect<br />
the CodeCover or API implemented in the application/source code.
What should be the maximum memory size of the group I can program in the <strong>Sentinel</strong> Key?<br />
Size of the License Group: The maximum size of the group that can<br />
be programmed depends only upon the memory size of the attached<br />
user key. The size of the group should always be less than the memory<br />
size of the attached user key. The memory size of the group to be<br />
programmed in the <strong>Sentinel</strong> Key is shown in the Group Layout.<br />
Size of the License Template: The maximum memory size of a<br />
license template in a group must not exceed 4080 bytes.<br />
Would you like to specify the number of<br />
users—different from the hard limit?<br />
<strong>Sentinel</strong> <strong>Keys</strong> come with standard hard limits (3, 5, 10, 25, 50, 100, and<br />
250). You might want to impose a soft limit, known as the user limit.<br />
The user limit restricts the number of users allowed by the hard limit. Otherwise,<br />
the number of users allowed is equivalent to the hard limit. For<br />
example, if the <strong>Sentinel</strong> Key hard limit is 25 and you need to allow a maximum<br />
of 15 users, then stipulating a user limit equal to 15 meets your<br />
requirements exactly.<br />
Specifying User Limit<br />
The user limit is common (global) to a license. You can associate it with a<br />
license template in the Toolkit.<br />
You can specify a user limit using various options in the Toolkit (such as at<br />
the time of creating a template using the License Designer wizard). A<br />
quick option, suitable for an already created template, is described below:<br />
1. In the License Designer screen, load the template for which a user<br />
limit is to be specified.<br />
2. In the template layout, select a template and right-click to open a<br />
short-cut menu.<br />
3. Click Properties. The dialog box shows the user limit for the license<br />
template. Note that if a user limit of 0 is specified now (also the default<br />
value), then it is not possible to customize the user limit afterward; the<br />
user limit will always be equal to the hard limit. However, if you specify<br />
a value other than zero, then you can optionally modify it later<br />
through the following means:<br />
At the time of programming <strong>Sentinel</strong> <strong>Keys</strong>. To do so, make sure you<br />
keep the Override user limit later check box selected.<br />
Remotely update the user limit by using the Update user limit<br />
command (see the last row of the table “Feature and License Action<br />
Type” on page 158 for details).<br />
Note: The user limit can be updated remotely only if a non-zero user limit was<br />
specified in the license template.<br />
Do you plan to allow/disallow license sharing?<br />
A license is said to be shared when multiple instances of a protected application<br />
on a seat can be run using one license.<br />
A seat represents a user name and MAC address combination.<br />
For a stand-alone key user, a license is always shared.<br />
For network key users, license sharing is not enabled by default.<br />
Therefore each instance of the application (regardless of the seat) will<br />
consume one user limit/hard limit.
Enabling License Sharing<br />
The decision to share licenses depends on your licensing policy. To enable<br />
license sharing:<br />
For CodeCover-protected applications, you can specify ON in the<br />
License sharing option (under the Networking tab).<br />
For API-protected applications, you need to call the SFNTGetLicense<br />
function with the SP_SHARE_ON flag.<br />
Are you protecting applications for a stand-alone or network environment?<br />
This decision will help you in choosing the type of <strong>Sentinel</strong> Key you want to<br />
ship with your protected application. Please note that a stand-alone key<br />
cannot provide licenses to network users, whereas a network key can provide<br />
licenses to users across LAN/WAN.<br />
In addition, you will also need to decide the access mode you want to set in<br />
your application. For extensive and busy networks, you can ship a client-side<br />
configuration file with your protected application.<br />
About Access Modes<br />
An access mode determines the route a protected application follows to<br />
obtain a license. <strong>Sentinel</strong> <strong>Keys</strong> Toolkit allows you to use one of the following<br />
access modes:<br />
Stand-alone mode (SP_STANDALONE_MODE)<br />
The application looks for a license on the same system without<br />
requiring the <strong>Sentinel</strong> <strong>Keys</strong> Server (it directly accesses the <strong>Sentinel</strong><br />
System Driver). If the required <strong>Sentinel</strong> Key is not attached to the<br />
system, an error is returned.<br />
Server mode (SP_SERVER_MODE)<br />
The application obtains a license from a network key. It does not look<br />
for a stand-alone key. A specific host can be set using the<br />
SFNTSetContactServer API function or the client-side configuration<br />
file. Otherwise, the license request is broadcast within the subnet.<br />
However, note that SFNTSetContactServer takes priority over<br />
the client-side configuration file.<br />
About Client-side Configuration File<br />
The client-side configuration file is meant for your customers (the users of the protected<br />
application). By default, this configuration file is named<br />
sntlconfig.xml and resides in the same directory where your protected application<br />
is installed. However, you can specify a different name and path for the configuration<br />
file by using either the SFNTSetConfigFile Business Layer API or<br />
the Customize <strong>Sentinel</strong> configuration file path and name option<br />
available in the Toolkit during CodeCover protection.<br />
The protected application users can set the parameters (tags) described<br />
below:<br />
Protocol<br />
Sets the network protocol for client-server communication. If a protocol is<br />
specified here, the same must be set in the server configuration file.<br />
Tag Values<br />
For Windows/Linux/Macintosh, the following protocols (tags) are<br />
supported.<br />
TCP/IPv4 (SP_TCP_PROTOCOL) - The default protocol supported.<br />
TCP/IPv6 (SP_TCP6_PROTOCOL) (see footnote 5)<br />
ContactServer<br />
Sets the <strong>Sentinel</strong> <strong>Keys</strong> Server host (the system where the <strong>Sentinel</strong> Key is<br />
attached). It can be set across LAN and WAN.<br />
Multiple entries (up to 100) can be specified, separated using a new line<br />
character (the Enter key). The license will be searched for in the order mentioned<br />
(top to bottom).<br />
Footnote 5: Supported only on the same subnet.<br />
Please note that the SFNTSetContactServer function takes priority<br />
over this tag. If the tag is empty, the license request is broadcast<br />
within the subnet.<br />
Tag Values<br />
For Windows: You can set a workstation name, IP address, or<br />
NetBIOS name.<br />
For Linux: You can set a workstation name or an IP address.<br />
For Macintosh: You can set a workstation name or an IP address.<br />
Heartbeat/Maintain License Time<br />
Sets the heartbeat interval for maintaining the license acquired by network<br />
applications. Please note that any setting in SFNTSetHeartbeat (for API-protected<br />
applications) or under the Networking tab (for CodeCover-protected<br />
applications) will override the value specified in the configuration file.<br />
Tag Values<br />
The default value is 120 seconds. It can be set as any value from 1 minute to<br />
30 days, in multiples of 1 second. You can also choose from the following<br />
constants:<br />
SP_MAX_HEARTBEAT = 2592000<br />
SP_MIN_HEARTBEAT = 60<br />
SP_INFINITE_HEARTBEAT = 0xFFFFFFFF<br />
ServerPort<br />
Sets the <strong>Sentinel</strong> <strong>Keys</strong> Server port.<br />
Tag Values<br />
The default port is 7001. It can be set to a value between 1024 and 65535.<br />
Make sure of the following:<br />
The port specified is not already in use.<br />
The same value must be specified in the client-side configuration file.<br />
Protecting For Stand-alone Environments<br />
When protecting an application for a stand-alone environment, you must<br />
note the following points:<br />
Distribute a stand-alone key with your protected application.<br />
The <strong>Sentinel</strong> <strong>Keys</strong> Server is not required by stand-alone applications.<br />
You must specify stand-alone access mode using the options described<br />
below:<br />
For API-protected applications, call the SFNTGetLicense API<br />
function with the SP_STANDALONE_MODE flag.<br />
For CodeCover/Quick CodeCover-protected applications, select<br />
STANDALONE from the Access mode drop-down box.<br />
The network API functions, such as SFNTGetServerInfo, will return an error.<br />
Note: The terminal clients can access both the network and stand-alone <strong>Sentinel</strong><br />
<strong>Keys</strong> in a network. To allow stand-alone keys (<strong>Sentinel</strong> S and ST) access, set<br />
the SP_ENABLE_TERMINAL_CLIENT flag in the SFNTGetLicense API function.<br />
The network keys (<strong>Sentinel</strong> SN and SNT) can be accessed without any<br />
such setting.<br />
Protecting for Network Environments<br />
Distribute a network key with your protected application.<br />
Specify network access mode using the following options:<br />
For API-protected applications, call the SFNTGetLicense API<br />
function with the SP_NETWORK_MODE flag.<br />
For CodeCover/Quick CodeCover-protected applications, select<br />
NETWORK from the Access mode drop-down box.<br />
When network mode is set, the application looks for a <strong>Sentinel</strong> Key<br />
with a license in the following sequence. If the required <strong>Sentinel</strong><br />
Key is not found or a license is not available, an error is returned:<br />
1. The host specified in the SFNTSetContactServer API function.<br />
2. If Step 1 fails, it looks for the host in the ContactServer tag of<br />
the client-side configuration file.<br />
3. If Step 2 fails or the ContactServer tag is empty, the license<br />
request is broadcast within the subnet.<br />
Note: Broadcasting requires additional network resources and may result in a<br />
longer time to acquire a license. If network resources and timing are an issue<br />
for your customers, you may want to set the <strong>Sentinel</strong> <strong>Keys</strong> Server host in<br />
the SFNTSetContactServer API function, or they can set it in the client-side<br />
configuration file.<br />
To allow license sharing for seat users, call the SFNTGetLicense API<br />
function with the SP_SHARE_ON flag. Else, each instance will<br />
consume an individual user limit/hard limit.<br />
Note: You can use the option, Use short ECC for Key Exchange, available at<br />
the License Designer stage of Toolkit to improve the performance of the<br />
SFNTGetLicense API in network mode.<br />
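The network-mode lookup sequence and the client-side tag ranges described above, combined into one pre-deployment check. This is an added example, not code from the Sentinel Keys SDK: it does not call the Business Layer API, the names client_inputs, client_plan and plan_client are hypothetical, the constants repeat the values listed in this guide, and treating 0 or NULL as "not set" is an assumption of the sketch.<br />

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values as listed in this guide for the client-side configuration file. */
#define SP_MIN_HEARTBEAT      60u
#define SP_MAX_HEARTBEAT      2592000u
#define SP_INFINITE_HEARTBEAT 0xFFFFFFFFu
#define DEFAULT_HEARTBEAT     120u
#define DEFAULT_SERVER_PORT   7001u
#define MAX_CONTACT_SERVERS   100

typedef enum { ROUTE_API_HOST, ROUTE_CONFIG_LIST, ROUTE_BROADCAST } route_kind;
typedef enum { CFG_OK, CFG_BAD_HEARTBEAT, CFG_BAD_PORT, CFG_TOO_MANY_SERVERS } cfg_status;

/* Hypothetical inputs; 0 / NULL means "not set" (an assumption of this sketch). */
typedef struct {
    const char *api_contact_server; /* host given to SFNTSetContactServer */
    uint32_t    api_heartbeat;      /* value given to SFNTSetHeartbeat */
    const char *cfg_contact_server; /* ContactServer tag text, one host per line */
    uint32_t    cfg_heartbeat;      /* heartbeat value from the configuration file */
    uint32_t    cfg_port;           /* ServerPort tag value */
} client_inputs;

typedef struct {
    route_kind route;          /* first step of the lookup sequence */
    int        n_hosts;        /* named hosts tried before the subnet broadcast */
    char       first_host[64];
    uint32_t   heartbeat;      /* seconds */
    uint32_t   port;
} client_plan;

static int heartbeat_valid(uint32_t hb) {
    return hb == SP_INFINITE_HEARTBEAT ||
           (hb >= SP_MIN_HEARTBEAT && hb <= SP_MAX_HEARTBEAT);
}

/* Count non-blank lines; copy the first one, trimmed, into `first`. */
static int count_hosts(const char *text, char *first, size_t cap) {
    int n = 0;
    while (text && *text) {
        size_t len = strcspn(text, "\n");
        size_t a = 0, b = len;
        while (a < b && (text[a] == ' ' || text[a] == '\t' || text[a] == '\r')) a++;
        while (b > a && (text[b - 1] == ' ' || text[b - 1] == '\t' || text[b - 1] == '\r')) b--;
        if (b > a) {
            if (n == 0) snprintf(first, cap, "%.*s", (int)(b - a), text + a);
            n++;
        }
        text += len;
        if (*text == '\n') text++;
    }
    return n;
}

static cfg_status plan_client(const client_inputs *in, client_plan *out) {
    memset(out, 0, sizeof *out);

    /* An API setting overrides the configuration file; 120 s is the default. */
    out->heartbeat = in->api_heartbeat ? in->api_heartbeat
                   : in->cfg_heartbeat ? in->cfg_heartbeat : DEFAULT_HEARTBEAT;
    if (!heartbeat_valid(out->heartbeat)) return CFG_BAD_HEARTBEAT;

    out->port = in->cfg_port ? in->cfg_port : DEFAULT_SERVER_PORT;
    if (out->port < 1024 || out->port > 65535) return CFG_BAD_PORT;

    int n = count_hosts(in->cfg_contact_server, out->first_host, sizeof out->first_host);
    if (n > MAX_CONTACT_SERVERS) return CFG_TOO_MANY_SERVERS;

    if (in->api_contact_server && *in->api_contact_server) {
        out->route = ROUTE_API_HOST;          /* step 1 */
        snprintf(out->first_host, sizeof out->first_host, "%s", in->api_contact_server);
        out->n_hosts = 1 + n;                 /* config hosts are the step 2 fallback */
    } else if (n > 0) {
        out->route = ROUTE_CONFIG_LIST;       /* step 2 */
        out->n_hosts = n;
    } else {
        out->route = ROUTE_BROADCAST;         /* step 3: nothing pinned */
    }
    return CFG_OK;
}

int main(void) {
    /* Constructed input: no API override, two hosts in the ContactServer tag. */
    client_inputs in = { NULL, 0, "licsrv-a.example\n10.0.0.5\n", 300, 0 };
    client_plan p;
    if (plan_client(&in, &p) != CFG_OK) return 1;
    printf("first step: %s, named hosts: %d, heartbeat: %u s, port: %u\n",
           p.route == ROUTE_BROADCAST ? "broadcast" : p.first_host,
           p.n_hosts, (unsigned)p.heartbeat, (unsigned)p.port);
    return 0;
}
```

A result of ROUTE_BROADCAST flags a deployment where no server host is pinned, which is the case the note above says costs extra network resources and time.<br />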
Would you like to allow updating <strong>Sentinel</strong> <strong>Keys</strong> remotely? If so, then which method would you choose?<br />
The remote updates allow you to update products, features, and add licenses<br />
to the hardware keys in the field, using simple methods such as file and e-mail.<br />
You can choose from the following three methods of remote activation:<br />
Integrate the Secure Update Wizard with your application (option<br />
available for Windows only).<br />
Ship the Secure Update Utility with your application.<br />
Implement a custom remote activation option using the Secure<br />
Update API.<br />
Refer to Chapter 6, “Secure Remote Updates,” on page 137 for details.<br />
Frequently Asked Questions<br />
Question 1 - How many features can be added into a license<br />
template?<br />
You can add up to 255 features into your license template, depending upon<br />
the size of your token. However, you must make sure to limit the license template<br />
size to 4080 bytes, while programming your token.<br />
Question 2 - Can I use the CodeCover and API protection together?<br />
Yes. For Windows platforms, we recommend combining the API-based custom<br />
protection with CodeCover. It adds an extra layer of protection. The<br />
CodeCover encrypts your final executable, which makes it difficult to disassemble<br />
or debug your application. Even if the attacker manages to overcome<br />
the difficult task of removing the CodeCover, the application inside is still<br />
protected—due to two strong layers of protection.<br />
Question 3 - What is the type of data that can be encrypted/<br />
decrypted?<br />
All kinds of digital data/content can be encrypted/decrypted.<br />
Question 4 - What is the type of data that can be signed/verified?<br />
All kinds of digital data/content can be signed/verified.<br />
Question 5 - What is the size of data that can be encrypted/<br />
decrypted?<br />
You can encrypt/decrypt 16-byte blocks using SFNTEncrypt/SFNTDecrypt.<br />
For larger data, you can call the function in a loop.<br />
Question 6 - What is the size of data that can be signed/verified?<br />
The maximum data length that can be signed/verified is 0xFFFFFFFF.<br />
Question 7 - How to specify the number of users for an application/<br />
feature?<br />
By default, the number of users is equal to the hard limit of the <strong>Sentinel</strong> Key.<br />
The <strong>Sentinel</strong> <strong>Keys</strong> come with the following “standard” hard limits: 3, 5, 10,<br />
25, 50, 100, and 250. To set the number of users different from that, you<br />
can specify the user limit for a license under the License/Feature Properties<br />
dialog box. Here are the steps to open this dialog box:<br />
1. Right-click the feature (title) in the layout. A short-cut menu appears.<br />
2. Click Properties. The License/Feature Properties dialog box<br />
appears.<br />
Question 8 - For multiple applications, can I specify different user<br />
limits?<br />
If you are protecting multiple applications using one <strong>Sentinel</strong> Key, each<br />
supporting a different number of users in a network, you need to take care of<br />
the following:<br />
Distribute a network key with your suite of protected applications.<br />
Set the user limit for each license template. However, the total number<br />
of concurrent users cannot exceed the hard limit. There must be a<br />
hard limit available—regardless of the user limit availability—before<br />
a license can be obtained. For example, assume the hard limit of your<br />
<strong>Sentinel</strong> Key is 20. If you are protecting three applications with a<br />
single key, you could use the following user limits:<br />
Set the user limit for application A to ten (10)<br />
Set the user limit for application B to seven (7)<br />
Set the user limit for application C to ten (10)<br />
Notice that the total of the user limits (27) is greater than the<br />
hard limit (20). This means that if ten users are running Application<br />
A, only ten of the hard limit are left. If seven users are running Application B,<br />
only three of the hard limit are left for Application C. Thus, even though<br />
Application C has a user limit of 10 available, only three users can run it.<br />
This is because the hard limit is obtained first, then the user limit.<br />
You may want to share the licenses for seat users.<br />
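The accounting in Question 8, together with the seat-based license sharing described earlier in this chapter, modeled as an added example (not code from the Sentinel Keys SDK). The names key_model, key_acquire and admit_seats are hypothetical, the user names and MAC addresses are constructed, and tracking sharing per license template is an assumption of the sketch.<br />

```c
#include <stdio.h>
#include <string.h>

#define MAX_TEMPLATES 8
#define MAX_HELD      64

typedef enum { LIC_OK, LIC_NO_HARD_LIMIT, LIC_NO_USER_LIMIT, LIC_BAD_ARG } lic_status;

/* One held license: a seat (user name + MAC address) on one license template. */
typedef struct {
    int  instances;   /* 0 = slot free; above 1 only when the license is shared */
    int  tmpl;
    int  shared;
    char user[32];
    char mac[18];
} held_license;

/* Hypothetical model of the counters on one network key. */
typedef struct {
    int hard_limit;                 /* fixed per key, 20 in the guide's example */
    int hard_used;
    int user_limit[MAX_TEMPLATES];  /* 0 = none set, the hard limit applies */
    int user_used[MAX_TEMPLATES];
    held_license held[MAX_HELD];
} key_model;

static void key_init(key_model *k, int hard_limit) {
    memset(k, 0, sizeof *k);
    k->hard_limit = hard_limit;
}

/* share != 0 models a request made with license sharing enabled. */
static lic_status key_acquire(key_model *k, int tmpl, const char *user,
                              const char *mac, int share) {
    if (tmpl < 0 || tmpl >= MAX_TEMPLATES || !user || !mac ||
        strlen(user) >= sizeof k->held[0].user || strlen(mac) >= sizeof k->held[0].mac)
        return LIC_BAD_ARG;

    /* Sharing: another instance on the same seat reuses the license it holds. */
    if (share) {
        for (int i = 0; i < MAX_HELD; i++) {
            held_license *h = &k->held[i];
            if (h->instances > 0 && h->shared && h->tmpl == tmpl &&
                strcmp(h->user, user) == 0 && strcmp(h->mac, mac) == 0) {
                h->instances++;
                return LIC_OK;
            }
        }
    }

    /* The hard limit is obtained first, then the user limit. */
    if (k->hard_used >= k->hard_limit) return LIC_NO_HARD_LIMIT;
    int limit = k->user_limit[tmpl] ? k->user_limit[tmpl] : k->hard_limit;
    if (k->user_used[tmpl] >= limit) return LIC_NO_USER_LIMIT;

    for (int i = 0; i < MAX_HELD; i++) {
        held_license *h = &k->held[i];
        if (h->instances == 0) {
            h->instances = 1;
            h->tmpl = tmpl;
            h->shared = share;
            strcpy(h->user, user);   /* lengths were checked above */
            strcpy(h->mac, mac);
            k->hard_used++;
            k->user_used[tmpl]++;
            return LIC_OK;
        }
    }
    return LIC_BAD_ARG;              /* model table full */
}

/* Try to admit n distinct constructed seats; returns how many got a license. */
static int admit_seats(key_model *k, int tmpl, int n, char tag, int share) {
    int ok = 0;
    for (int i = 0; i < n; i++) {
        char user[32], mac[18];
        snprintf(user, sizeof user, "user-%c%02d", tag, i);
        snprintf(mac, sizeof mac, "02:00:00:00:%02x:%02x", (unsigned)tag, (unsigned)i);
        if (key_acquire(k, tmpl, user, mac, share) == LIC_OK) ok++;
    }
    return ok;
}

int main(void) {
    key_model k;
    key_init(&k, 20);                       /* hard limit of the key */
    k.user_limit[0] = 10;                   /* application A */
    k.user_limit[1] = 7;                    /* application B */
    k.user_limit[2] = 10;                   /* application C */
    printf("A admitted: %d\n", admit_seats(&k, 0, 10, 'A', 0));
    printf("B admitted: %d\n", admit_seats(&k, 1, 7, 'B', 0));
    printf("C admitted: %d of 10 requested\n", admit_seats(&k, 2, 10, 'C', 0));
    return 0;
}
```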
Question 9 - Can I import protection strategies (.ltx files), created<br />
with earlier Windows/Linux/Macintosh versions of <strong>Sentinel</strong> <strong>Hardware</strong><br />
<strong>Keys</strong>, in the latest Toolkit version?<br />
Yes, the protection strategies (.ltx files), created with earlier versions of <strong>Sentinel</strong><br />
<strong>Hardware</strong> <strong>Keys</strong> Toolkit on any of the supported platforms, can be<br />
imported in the latest <strong>Sentinel</strong> <strong>Hardware</strong> <strong>Keys</strong> Toolkit version.
Part 2 – Designing and Implementing Protection<br />
Using the CodeCover protection<br />
Using the Business Layer API protection<br />
Designing remote update strategy<br />
The best practices for secure licensing
Chapter 4 – Protecting Applications Using CodeCover<br />
In this chapter, we will describe how to protect your applications using<br />
CodeCover. To learn about the CodeCover method of protecting applications,<br />
see Chapter 3, “About CodeCover Protection (For Windows Only),” on page<br />
55.<br />
The CodeCover features can be added only using the Windows version of the<br />
Toolkit, using any of the following options:<br />
Under the CodeCover tab of the License Designer screen - This<br />
option allows you to add a CodeCover feature to an existing license<br />
template. The complete steps are covered in this chapter.<br />
Using the License Designer Wizard - This option allows you to<br />
create a license template by adding a CodeCover or API feature to it.<br />
Refer to the <strong>Sentinel</strong> <strong>Keys</strong> Toolkit Help for complete steps.<br />
Note: Quick CodeCover, shown on the introductory screen, is a gateway to the<br />
Toolkit. You can use it for quickly protecting an executable with basic<br />
licensing controls, like expiration date and execution count. Consider using<br />
the CodeCover tab on the License Designer screen to make use of<br />
advanced options, like protecting multiple files at one time and encrypting<br />
data files.<br />
Add CodeCover Feature Dialog Box<br />
Adding Files<br />
To obtain the Add CodeCover Feature dialog box:<br />
1. In the License Designer screen, load the template to which the<br />
CodeCover feature will be added. The loaded template shows in the<br />
template layout.<br />
2. Click the CodeCover tab.<br />
3. Click the Add button. The Add CodeCover Feature dialog box<br />
appears.<br />
To add the files for CodeCover protection:<br />
1. Under the Files tab, click the Add button.<br />
You must add at least one executable, DLL, or BPL file to proceed. You<br />
can add files from various directories, including any data files. The<br />
CodeCover layer will be applied to the executables, DLLs, and BPLs; all<br />
other files will be encrypted at protection-time and can only be<br />
decrypted at run-time using the protected application.<br />
2. Type or browse for the path of the destination directory in the edit<br />
field under the Change destination path check box. This is the destination<br />
path for writing the output files (recommended step). The<br />
output files are placed at the specified destination path, within the<br />
replicated directory structure (similar to original path).<br />
If you clear this check box, the output files will overwrite the original<br />
files once the Protect button is clicked. Hence, we recommend that<br />
you always specify a different path for generating the output files.<br />
You can select the Use absolute path only check box if you want to<br />
store all the output files in one folder, rather than in separate folders<br />
(identified by original directory structure). Do NOT select this check<br />
box if any of the files you are protecting have the same name.<br />
Note: For better understanding of where the destination files are stored, you can<br />
refer to the figure “Output Files at the Destination Path (when absolute<br />
path is not specified)” on page 90.<br />
3. Specify a CodeCover name (necessary). The constant name will be<br />
automatically generated. However, you may modify it if needed.<br />
4. Provide comments for this feature (optional). You can now provide<br />
the licensing settings.<br />
Add CodeCover Feature Dialog Box<br />
Providing Licensing Settings<br />
To provide the licensing settings:<br />
1. Click the Licensing tab in the Add CodeCover Feature dialog box.<br />
2. Choose the desired attributes. Depending on your choice, the other options<br />
will be disabled/enabled. The attributes are described below:<br />
CodeCover Licensing Attributes<br />
Attribute | Description | Default Setting<br />
Active | Select to provide a perpetual license for using the application. | Selected<br />
Lease | Select to allow specifying an expiration date or expiration time for the application. Else, the application will use a perpetual license. | Not selected<br />
Limit executions | Select to allow specifying the number of times the protected application will run for. | Not selected<br />
3. Specify values for default feature instance. The options are described<br />
below:<br />
Default Feature Instance Settings<br />
Item | Description | Default Setting<br />
Secret key | The 128-bit AES secret key. | By default, a secret key is generated and shown in the Toolkit. You can use the icon shown next to the Secret key field to generate another secret key.<br />
Expiration date | Specify an expiration date (mm/dd/yy format). | One year from current date<br />
Expiration time | Specify an expiration time (in minutes). | 14400 minutes (10 days)<br />
Execution count | Specify an execution count for running the protected application. |<br />
Note: If you specify both the licensing controls—lease and limited executions—the<br />
application will expire as soon as any of these limits is reached.<br />
4. Selecting the Add instances later check box will allow you to add<br />
new feature instances later in the License Manager screen. This<br />
option helps in modifying the "licensing values" without modifying<br />
the "licensing implementation" in the application/code.<br />
For example, the programmer who implemented the application protection<br />
had set the expiration date as "10/10/05" and also selected<br />
this check box. Later, if desired, the marketing/key programming personnel<br />
can modify it to suit some customer's requirement (such as,<br />
10/10/07) and program the <strong>Sentinel</strong> Key. This does not require you<br />
to apply the CodeCover protection again, modify the API calls, or<br />
repackage the product.<br />
You can now specify the networking settings (such as, the access<br />
mode, license sharing, and maintain license time interval) under the<br />
Networking tab.<br />
Providing Networking Settings<br />
To provide the networking settings:<br />
1. Click the Networking tab in the Add CodeCover Feature dialog<br />
box.<br />
2. Specify options using the information below:<br />
CodeCover Networking Settings<br />
Item | Description | Default Setting<br />
Access Mode | Specifies the access mode to find the Sentinel Key. | STANDALONE (Stand-alone mode)<br />
License Sharing | Specifies whether license sharing is enabled or disabled. | OFF (License sharing not allowed for network users)<br />
Maintain license time | Sets the interval for which the Sentinel Keys Server maintains the license. | 120 seconds. If you do not modify the default value, license time/heartbeat interval (if specified) in the configuration file will override it.<br />
Terminal Client | Allows you to protect an application in a Terminal Service environment. This option is enabled only in stand-alone mode. It is not available in network mode as remote client services are already ON for network applications. | OFF (Terminal Client service is disabled for stand-alone applications by default). Setting this option to ON enables Terminal Client Services for CodeCover-protected applications, in stand-alone mode. For API-protected applications, you need to call the SFNTGetLicense function with the SP_ENABLE_TERMINAL_CLIENT flag (in API Explorer).<br />
Customize Sentinel configuration file path and name | Allows you to specify a different name and path for the client-side configuration file. Click Browse or type the configuration file path in the edit field. The maximum length of the configuration file’s path and name is 255 characters. The protected application will use the configuration file with the specified name and path for execution. If this file does not exist, the application uses the broadcast mode to obtain the license over the network. Note: For the license template files imported from previous Toolkit versions, the default configuration file, sntlconfig.xml, is used. | Enabled when access mode is set to NETWORK. By default, the check box is not selected. If you keep the check box clear, the default configuration file, sntlconfig.xml, is used. This file is stored in the same directory as the protected application.<br />
You may now specify the advanced security settings for a CodeCover-protected<br />
application under the Security tab.<br />
Providing Security Settings<br />
To provide the security settings:<br />
1. Click the Security tab in the Add CodeCover Feature dialog box.<br />
2. Specify options using the information below:<br />
CodeCover Security Settings<br />
Item | Description | Default Setting<br />
Multi-layering levels | You can choose from layers with varying strengths, from level 1 to 5. The size of the application increases, as more protection code is added with higher levels. Level 1 provides reasonable protection, with minimum increase in the file size. Level 5 provides maximum protection and maximum increase in the file size. Please note that you must always run the output files (protected applications) in an environment, typical to your product users, to experience its performance. If the size of the application is an issue, you may choose the best-fitting level of protection. | Level 3<br />
Allow my application to run when a debugger is present | You can keep the check box cleared to deny application execution in a debugger. At runtime, the protected application will terminate if it detects a debugger on the system. Non-malicious users will close the debugger and start the application again. However, if for some reason you want to allow your application to run in the presence of debuggers, select this check box. | Not selected<br />
I have used CodeCover SDK | Select this check box if you have implemented the CodeCover SDK features (Code Morphing and/or run-time encryption/decryption) to protect your important code fragments, constants, and string data. Refer to the ReadMe available in the \Sentinel Keys Toolkit\Shell SDK\Help\English folder for more details. | Not selected<br />
Hide import symbols | Select this check box to hide your import symbols. However, please note that this option does not apply to the file types discussed in Question 4 (see “Frequently Asked Questions” at the end of this chapter). The Hide import symbols option is ignored if there is any data file to be protected or the file encryption settings have been specified. | Selected<br />
Use AES Encryption for data files | Select this check box if you want the data files to be encrypted with the standard AES encryption. Do not select the check box if you want to run your application on Windows 98/Me or if your application uses the data files protected on Windows 9x. | Selected<br />
.NET Enhancement | The .NET Enhancement feature provides enhanced security to pure .NET applications (executables and DLLs). The feature performs the following functions: hides the original entry point method (only .NET executable); encrypts strings of the original application; encrypts constants of the original application. When this feature is selected, SDNPro.dll (for 32-bit .NET applications) and SDNPro64.dll (for 64-bit .NET applications) need to be provided to the end-user along with the protected application. Note: To use the .NET enhancement feature for protecting .NET applications, the machine should have the same version of .NET Framework and .NET SDK installed. Mixed code applications are not supported with the .NET Enhancement option. | Not Selected<br />
You may now customize the CodeCover error messages and/or change the<br />
file encryption settings.<br />
Customizing Error Messages<br />
You can customize the CodeCover application run-time error messages by<br />
clicking the Customize the CodeCover error messages link, available<br />
while adding/editing the CodeCover feature in License Designer of Sentinel<br />
Keys Toolkit. This is an optional step and the default text messages will<br />
be shown if you do not modify them.<br />
To customize the error messages:<br />
1. Click the Customize the CodeCover error messages link, in the<br />
Add CodeCover Feature dialog box. The Edit CodeCover error<br />
messages dialog box appears.<br />
2. You must review the existing messages before deciding to modify<br />
them. Afterward, you may select an error message from the list for<br />
modification.<br />
3. In the edit field, write your message text. It can contain up to 200<br />
characters.<br />
4. If you are not satisfied with your message text, click Restore to accept<br />
the original message. Clicking Restore All will replace all the customized<br />
messages with their original text strings.<br />
5. You can select one of the following message types for the error messages<br />
that appear during the execution of a protected application:<br />
Windows Message: Select if your application is GUI-based. The<br />
application run-time error messages will be displayed in a message<br />
box.<br />
Console Message: Select if your application is console-based. The<br />
application run-time error messages will be displayed at the<br />
command-prompt. However for GUI applications, the message<br />
type is automatically switched from Console Message to<br />
Windows Message.<br />
No Message: Select if you do not want to display the run-time<br />
error messages.<br />
Customizing CodeCover Error Message Title<br />
You can customize the CodeCover run-time error message title by clicking<br />
Customize the CodeCover error message title link, available while adding/editing<br />
the CodeCover feature in License Designer of <strong>Sentinel</strong> <strong>Keys</strong><br />
Toolkit. This is an optional step and if you do not use this option, then the<br />
default string (the application name) is displayed as the title on the error<br />
message dialog.
To customize the error message title:<br />
1. Click the Customize the CodeCover error message title link, in<br />
the Add CodeCover Feature dialog box. The Customize CodeCover<br />
Error Message Title dialog box appears.<br />
2. Select your choice of title from the following two options provided on<br />
the dialog:<br />
Default: This option allows the application name to be displayed as<br />
the title on the Error Message dialog. Select the Use default string as<br />
title check box to use this option.<br />
Custom: This option allows you to define a new caption (blank/<br />
customized text string) as the title on the Error Message dialog. You<br />
can select either of the following options, while customizing the<br />
CodeCover error message title:<br />
Use a blank title: Select this option to have a blank title for the<br />
error message dialog.<br />
Define a new title: Select this option to enter your own text as<br />
the title of the error message dialog. This field accepts up to 80<br />
characters.<br />
3. Click OK to return to License Designer where you find the CodeCover<br />
feature added under the CodeCover tab.<br />
To modify the data file encryption settings, see the steps below.<br />
Changing File Encryption Settings<br />
In the CodeCover file encryption settings dialog box, you can specify<br />
your choices for encrypting the external files, other than the executables,<br />
DLLs, and BPLs—such as, data files or other file types. Your protected application<br />
will automatically and transparently decrypt these files at run-time,<br />
as needed.<br />
When not in use, these files remain encrypted. If your application creates<br />
one of these files, it will be decrypted only if the correct Sentinel Key is being<br />
used to run the application. This step is optional when adding a CodeCover<br />
feature; by default, all files you selected under the Files tab, other than<br />
.exe, .dll, and .bpl files, will be encrypted.<br />
To specify the file encryption settings:<br />
1. Click the Change the file encryption options link in the Add<br />
CodeCover Feature dialog box. The CodeCover file encryption<br />
settings dialog box appears.<br />
2. Select the Encrypt/decrypt the following files at run-time check<br />
box. Now, type the file extensions in the edit field. This field can contain<br />
up to 255 characters. You can filter files using the wildcard symbols<br />
asterisk (*) and semicolon (;). The 8.10 naming convention is<br />
followed, meaning that the file name and extension cannot exceed 8<br />
and 10 characters, respectively. File filters like, *.*, *name.* are not<br />
acceptable. Given below is a description of the valid conventions:<br />
Providing Files for Encryption/Decryption<br />
Convention | Example<br />
*.extension | *.txt will encrypt/decrypt files. For example, settings.txt and install.txt.<br />
name*.* | safe*.* will encrypt/decrypt files. For example, safeobj.htm and safenet.cpp.<br />
name*.extension | safe*.txt will encrypt/decrypt files. For example, safeobj.txt and safenet.txt.<br />
3. The Toolkit automatically generates an encryption seed. If you want<br />
to provide your own encryption seed, select the Specify my own<br />
encryption seed check box and edit the value. Please note that if the<br />
encrypted data files are shared by multiple applications, all the applications<br />
must use the same encryption seed. The seed can consist of<br />
two strings of 14 hexadecimal characters each (forming a 112-bit<br />
long seed).<br />
4. Click OK. You are returned to the Add CodeCover Feature dialog<br />
box.
5. Click OK. You are returned to the License Designer screen where<br />
you find the CodeCover feature added under the CodeCover tab.<br />
Note: Your customers need to receive and install the data protection driver in the<br />
scenarios where you are protecting either of the following:<br />
- Encrypted data files for Windows 9x, or<br />
- .NET applications for 9x<br />
The data protection driver installer can be found in the \Data Protection<br />
Driver directory of the <strong>Sentinel</strong> <strong>Keys</strong> CD. See also, “Deploying <strong>Sentinel</strong><br />
Data Protection Driver (Windows Only)” on page 235.<br />
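As an added example (not code from this guide or the Sentinel Keys SDK), the following Python pre-build check applies the filter conventions and seed format from steps 2 and 3 above, and reports which data files no filter covers and would therefore ship unencrypted. Applying the 8.10 limit to the literal name and extension of each filter, case-insensitive matching, the repeated-digit seed check, and all function names and sample values are assumptions of this example.

```python
import re
from fnmatch import fnmatchcase

MAX_FIELD_LEN = 255        # documented limit of the file-extension edit field
MAX_NAME, MAX_EXT = 8, 10  # the guide's "8.10" rule, applied to each filter (assumption)
NOT_DATA = (".exe", ".dll", ".bpl")  # wrapped by CodeCover itself, not file-encrypted

# A literal name or extension: no wildcards, separators, dots or brackets (assumption).
_PART = r"[^*?;./\\\[\]]+"
_CONVENTIONS = [
    re.compile(rf"\*\.(?P<ext>{_PART})"),                   # *.extension
    re.compile(rf"(?P<name>{_PART})\*\.\*"),                # name*.*
    re.compile(rf"(?P<name>{_PART})\*\.(?P<ext>{_PART})"),  # name*.extension
]
_SEED_HALF = re.compile(r"[0-9A-Fa-f]{14}")


def check_filter_field(field):
    """Split the semicolon-separated field into (accepted, rejected).

    accepted: filters written in one of the three documented conventions.
    rejected: (filter, reason) pairs, e.g. for "*.*" or "*name.*".
    """
    accepted, rejected = [], []
    if len(field) > MAX_FIELD_LEN:
        return accepted, [(field[:20] + "...", "field exceeds 255 characters")]
    for raw in field.split(";"):
        flt = raw.strip()
        if not flt:
            continue
        match = None
        for rx in _CONVENTIONS:
            match = rx.fullmatch(flt)
            if match:
                break
        if match is None:
            rejected.append((flt, "not a documented convention"))
            continue
        parts = match.groupdict()
        if len(parts.get("name", "")) > MAX_NAME or len(parts.get("ext", "")) > MAX_EXT:
            rejected.append((flt, "exceeds the 8.10 naming limit"))
        else:
            accepted.append(flt)
    return accepted, rejected


def uncovered_files(filters, filenames):
    """Data files that no accepted filter matches, i.e. files left unencrypted."""
    low = [f.lower() for f in filters]
    return [n for n in filenames
            if not n.lower().endswith(NOT_DATA)
            and not any(fnmatchcase(n.lower(), f) for f in low)]


def seed_problems(first, second):
    """Check a user-supplied seed: two strings of 14 hex characters (112 bits)."""
    problems = [f"{label} string is not 14 hexadecimal characters"
                for label, half in (("first", first), ("second", second))
                if not _SEED_HALF.fullmatch(half)]
    # Added hygiene check (assumption): a seed made of one repeated digit is guessable.
    if not problems and len(set((first + second).lower())) == 1:
        problems.append("seed is a single repeated digit")
    return problems


if __name__ == "__main__":
    # Constructed sample input, not taken from a real project.
    field = "*.txt; safe*.*; *.*; *name.*"
    shipped = ["settings.txt", "safenet.cpp", "prices.csv", "app.exe"]
    ok, bad = check_filter_field(field)
    print("accepted:", ok)
    print("rejected:", bad)
    print("left unencrypted:", uncovered_files(ok, shipped))
    print("seed problems:", seed_problems("0123456789ABCD", "EF0123456789AB"))
```
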
Applying CodeCover Protection<br />
After selecting your choices in the Add CodeCover Feature dialog box,<br />
you must now click the Protect button. This will wrap the CodeCover layer<br />
around your executables, DLLs, BPLs; and encrypt the data files (if any).<br />
This may take time depending upon the number of files and layers you have<br />
added.<br />
If you had cleared the Change destination path check box under the<br />
Files tab, your original files were overwritten during the protection process.<br />
Your source files are replaced by the output files. Otherwise, your protected<br />
files were written at the path specified in the Change destination path<br />
edit field.<br />
Please note that if you had selected multiple files from different disk drives<br />
on your system, then the protected files will be copied to the individual<br />
directories identified by the appropriate drive names and path names (see<br />
the screen-shot below for an example). This is to ensure that files carrying<br />
same name, even if selected from different path, are not overwritten during<br />
the protection and their source path can be tracked easily.<br />
Output Files at the Destination Path<br />
(when absolute path is not specified)<br />
If you selected the Use absolute path only check box, all the output files<br />
will be stored together in one specified folder, and not in separate folders.<br />
CodeCover Protection Using the Command-Line<br />
Utility<br />
Before you can use the Command-Line CodeCover Utility, you require the<br />
following Command-Line Utility components on a new system:<br />
Files to be copied: Before you use the Command-Line Utility on a<br />
system on which the <strong>Sentinel</strong> <strong>Keys</strong> software installation has not been<br />
performed, you must copy certain files/components to it. Following is<br />
a list of all possible files/components that you must copy.<br />
RelLic.dll<br />
SKCoreJDK.dll<br />
SKIntfJDK.dll<br />
SKShell.dll<br />
SKShellJDK.dll<br />
DesignIDJDK.dll<br />
LanguageLibJDK.dll<br />
OsPlatLibJNI.dll<br />
DNHelp.dll<br />
RelLic64.dll<br />
SDNPro64.dll<br />
SDNPro.dll<br />
SKShell641.dll<br />
SKShell642.dll<br />
DNHelp.exe<br />
CMorph.exe<br />
Note: The above binaries should be copied to the folder where the files<br />
CMDShell.exe and ShellCommandLine.jar reside.<br />
Required Installations:<br />
<strong>Sentinel</strong> System Driver 7.5.1: <strong>Sentinel</strong> System Driver version<br />
7.5.1, the Device Driver for the hardware keys should be installed<br />
on the system so as to detect the keys.<br />
JRE version 1.6.0: Apart from the above files, please make sure to<br />
install JRE version 1.6.0 on your system so as to launch the<br />
Command-Line CodeCover utility.<br />
Attached Key Specifications: A Developer - User key pair of same<br />
Developer ID, should be attached to the system. If the utility is being<br />
used to protect applications at the customer’s location, then only a<br />
Custom CodeCover key is attached.<br />
File to be Generated: <strong>Sentinel</strong> keys License template file (.ltm file),<br />
created using Toolkit and programmed using the Developer - User key<br />
pair.<br />
Default path of .ltm file on a Windows system is: :\Documents and Settings\\My<br />
Documents\<strong>Sentinel</strong> <strong>Keys</strong> 1.3\My License<br />
Templates\LICENSE_NAME_FOLDER\LICENSE_NAME.ltm.<br />
Note: You may also use a strategy created (and saved as a License Template) in<br />
the Quick CodeCover screen of the Toolkit.<br />
Using the Command-Line CodeCover Utility<br />
This section provides details on using the Command-Line CodeCover Utility.<br />
1. Attach the hardware key(s) as specified below:<br />
For building protection strategy or programming <strong>Sentinel</strong><br />
<strong>Keys</strong>: Attach the <strong>Sentinel</strong> <strong>Hardware</strong> Key and the Developer key to an<br />
available USB port on your system. The developer ID of the <strong>Sentinel</strong>
Key and the Developer Key should be the same as that of the<br />
Developer Key that was used to program the created license.<br />
For protecting an application at customer’s site: Attach the<br />
Custom CodeCover Key to an available USB port on your system.<br />
Ensure not to attach any other hardware key.<br />
2. Run the Command-Line CodeCover Utility with the appropriate command-line<br />
options.<br />
The Command-Line CodeCover Utility Interface<br />
If desired, you can integrate the utility into your application build process<br />
(which might be done using a batch file or build script in some environments).<br />
The following options are provided:<br />
CMDShell [/?] [/S] /F LicenseTemplateFilePath [/P Password] [/L1 or /L2 LogFilePath] [/G or /U CodeCoverOptionFile Path] [/CK] [/RL]<br />
Note: Only one instance of either the Toolkit or the Command-Line<br />
CodeCover utility can run at a time.<br />
The following table describes the commands displayed on the Command-<br />
Line Utility screen:<br />
Option | Description<br />
/? | Displays the help.<br />
/S | Denotes the silent mode and suppresses all messages sent to the console.<br />
/F LicenseTemplateFilePath | Provides the full path of the Sentinel Keys Toolkit license template file to load the license template.<br />
/P Password | Specifies the password of the attached developer key for authentication. You must use this option if the developer key, using which you want to protect the application, is password-protected. This option is always used along with the /F option which specifies the license template file.<br />
/L1 LogFilePath | Provides the full path of the log file to generate a brief log.<br />
/L2 LogFilePath | Provides the full path of the log file to generate a detailed log.<br />
/CK | Protects files using the Custom CodeCover Key at the customer’s location. When using this option, the Developer and Sentinel keys are not required. This option cannot be used to program the license into a Sentinel Key.<br />
/G CodeCoverOptionFile | Generates the CodeCover option XML file using the license template file. The XML file specifies the source file name and the destination path of the various protection features present in the license. This option is always used along with the /F option which specifies the license template file.<br />
/U CodeCoverOptionFile | Protects only the files mentioned in the CodeCover option XML file. This option is always used along with the /F option which specifies the license template file.<br />
/RL | Retains license in the token once the files have been protected.<br />
Note: The license template file name and the log file name cannot contain any of<br />
the following characters: / * ? “ < > |<br />
Please refer to the Command-Line CodeCover Utility ReadMe, for more<br />
information.<br />
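For the build-process integration described above, the following added example (not part of the guide or of the Command-Line CodeCover Utility) assembles a CMDShell argument list from the documented options, enforces the documented file-name rule, and masks the /P value before anything is logged. The function names, the CC_DEVKEY_PASSWORD environment variable, the sample paths, and the refusal to combine a password with /CK are assumptions of this example.

```python
import os

# Characters the guide forbids in the license template and log file names
# (the double quote is written here as a straight quote).
FORBIDDEN_IN_NAME = set('/*?"<>|')


def _check_name(path, what):
    """Reject a template/log path whose file name holds a forbidden character."""
    name = path.rsplit("\\", 1)[-1]  # last component of a Windows path
    bad = sorted(FORBIDDEN_IN_NAME & set(name))
    if not name or bad:
        raise ValueError(f"{what} file name {name!r} is empty or contains {bad}")
    return path


def build_cmdshell_args(template, password=None, log=None, detailed_log=False,
                        option_file=None, option_mode=None, custom_key=False,
                        retain_license=False, silent=False):
    """Return the argv list for one CMDShell run, in the documented option order."""
    argv = ["CMDShell"]
    if silent:
        argv.append("/S")
    argv += ["/F", _check_name(template, "license template")]
    if password is not None:
        if custom_key:
            # Wrapper policy (assumption): /CK runs need no developer key,
            # so no developer key password should travel with them.
            raise ValueError("developer key password supplied together with /CK")
        argv += ["/P", password]
    if log is not None:
        argv += ["/L2" if detailed_log else "/L1", _check_name(log, "log")]
    if option_file is not None:
        if option_mode not in ("G", "U"):
            raise ValueError("option_mode must be 'G' (generate) or 'U' (use)")
        argv += ["/" + option_mode, option_file]
    elif option_mode is not None:
        raise ValueError("/G or /U needs a CodeCover option file path")
    if custom_key:
        argv.append("/CK")
    if retain_license:
        argv.append("/RL")
    return argv


def redact(argv):
    """Copy of argv that is safe to write to a build log: the /P value is masked."""
    out, mask_next = [], False
    for arg in argv:
        out.append("********" if mask_next else arg)
        mask_next = (arg.upper() == "/P") and not mask_next
    return out


if __name__ == "__main__":
    # Constructed sample paths; the password comes from the environment so it is
    # never stored in the build script itself.
    argv = build_cmdshell_args(
        r"C:\build\licenses\product.ltm",
        password=os.environ.get("CC_DEVKEY_PASSWORD"),
        log=r"C:\build\logs\codecover.log",
        detailed_log=True,
    )
    print("would run:", " ".join(redact(argv)))
    # On the build machine, hand argv to subprocess.run(argv, check=True).
```
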
CodeCover Protection using Custom CodeCover<br />
Key<br />
About Custom CodeCover Key<br />
In certain situations, you may be required to<br />
protect applications at the customer’s location.<br />
For instance, a customer customizes an<br />
application for some specific requirements<br />
and then wants you to apply the CodeCover<br />
protection to the customized application.<br />
The usual scenario is to carry the developer<br />
key to customer’s place and then use the<br />
Command-Line CodeCover Utility to protect<br />
the files. However, it involves the risk of<br />
developer key being misplaced and misused<br />
for creating extra licenses/modifying existing<br />
licenses. For such scenarios (involving application<br />
protection at customer’s end), you are<br />
advised to use the Custom CodeCover Key.<br />
What is a Custom CodeCover Key?<br />
A Custom CodeCover key is a Sentinel Key that helps you protect applications using the Command-Line CodeCover Utility, without requiring a developer key. It is used to apply CodeCover protection to applications at the end user’s site.<br />
Please Note:<br />
- A Custom CodeCover key cannot be used to design protection strategies or to program Sentinel Keys. It can only be used for protecting files using CodeCover.<br />
- It protects files using the options specified in a license template file, with the help of Command-Line CodeCover Utility. The license template file is created using the same developer key that is used to create Custom CodeCover key.<br />
- The license template to be programmed into the Custom CodeCover key must have at least one CodeCover feature. The features other than CodeCover (if present) are ignored.<br />
- Each Custom CodeCover key has a validity date (called global lease date) that specifies the date till when this key can be used for protection.<br />
Creating Custom CodeCover Key<br />
A Custom CodeCover key is created using the Custom CodeCover Key tab<br />
on the License Manager screen of the <strong>Sentinel</strong> <strong>Keys</strong> Toolkit.<br />
The Custom CodeCover Key Tab<br />
1. Attach the Sentinel Key that you want to initialize as Custom CodeCover<br />
key to a USB port. Attach a developer key of the same developer<br />
ID as that of Sentinel Key. Make sure to select the Sentinel Key in the<br />
Key Status panel.<br />
Note: Make sure to attach only one <strong>Sentinel</strong> Key.<br />
2. On the License Manager screen, load the group containing the<br />
license templates that you want to program into the Custom CodeCover<br />
key. Select the license(s) having at least one CodeCover feature;<br />
and if required further select the CodeCover features you want to program<br />
into the Custom CodeCover Key.<br />
Note: While creating Custom CodeCover key, the Toolkit ignores API features (if<br />
any) in the selected license templates. Only CodeCover features are programmed<br />
into the Custom CodeCover key.<br />
3. Click the Custom CodeCover Key tab on the License Manager<br />
screen of the Toolkit.<br />
4. Click the date picker icon, and select an Expiry Date till which you<br />
want the Custom CodeCover key to remain valid.<br />
5. Click Make CodeCover Key to initialize the attached <strong>Sentinel</strong> Key as<br />
Custom CodeCover key. The “Key programmed” message appears<br />
after the Custom CodeCover has been successfully created.<br />
Using Custom CodeCover Key<br />
An individual (referred to as deployer) uses the Custom CodeCover key and<br />
Command-Line CodeCover Utility to protect an application at the customer’s<br />
location. The customer can then execute the protected application<br />
using his <strong>Sentinel</strong> Key.<br />
The Command-Line CodeCover Utility provides the /CK option that you<br />
need to use for protecting files using the Custom CodeCover key. For more<br />
details, please see “Using the Command-Line CodeCover Utility” on page 92.<br />
Updating Custom CodeCover Key<br />
You may need to update the Custom CodeCover key for extending its expiry<br />
date. Follow the below steps to update the Custom CodeCover key:<br />
1. Generate a request code (.req file). This request code contains details,<br />
such as serial number and developer ID, of the Custom CodeCover key.<br />
2. On the Custom CodeCover Key tabbed page, load the request code<br />
(.req) file.<br />
3. Select a developer key in the Key Status panel. The developer key<br />
should have the same developer ID as that of the Custom CodeCover<br />
key for which you are generating the update code.<br />
4. By default, the serial number of the Custom CodeCover key using<br />
which the .req file was generated is displayed, in the Token Serial<br />
Number field. You can replace it by the serial number of other Custom<br />
CodeCover key which you want to update.<br />
5. Specify a new expiry date for the Custom CodeCover key.<br />
6. Click Generate Update Code to generate an update code (.upw file),<br />
which contains the modified expiry date for the custom CodeCover<br />
key.<br />
7. Either save the update code to a specified location or e-mail it directly<br />
to the customer, at the location of whom the Custom CodeCover key is<br />
used.<br />
8. Apply the update code using the Secure Update Utility/Secure Update<br />
Wizard, to update the expiry date of the Custom CodeCover key.<br />
What’s Next?<br />
After adding a CodeCover feature to the license template, you may now:<br />
Add API features to the license template (see Chapter 5, “Protecting<br />
Applications Using API,” on page 109).<br />
Build the license template using the instructions described in the<br />
<strong>Sentinel</strong> <strong>Keys</strong> Toolkit Help.<br />
You can now test your protected application. We recommend testing<br />
your application to verify that it executes correctly with the<br />
appropriate <strong>Sentinel</strong> Key both attached and missing.<br />
Note: If you are testing your protected application in network environment,<br />
make sure to restart the <strong>Sentinel</strong> <strong>Keys</strong> Server.<br />
Frequently Asked Questions<br />
Question 1: Compared to CodeCover option (in the License<br />
Designer screen), what are the security settings used by Quick<br />
CodeCover?<br />
Quick CodeCover makes use of the following security settings (by default).<br />
The differences with the CodeCover tab (available on the License<br />
Designer screen) are noted below:<br />
Multi-layer level - 3. For CodeCover, these levels can be increased/<br />
decreased.<br />
Anti-debugging added - Yes. For CodeCover, you can choose to<br />
allow/disallow debugging of your application.<br />
Hide import symbols - Yes. For best security settings, Quick<br />
CodeCover hides the import symbols. However, if the application type<br />
is not compatible with this setting, Quick CodeCover automatically<br />
disables this security setting. For CodeCover, you can allow/disallow<br />
hiding the import table of your application at the time of adding a<br />
CodeCover feature.<br />
Question 2: What are the file types/compilers supported by<br />
CodeCover?<br />
The table below lists the file types/compilers supported by CodeCover for 32-bit applications:<br />
File Types/Compilers Supported by CodeCover<br />
Compiler/Tool | Version | Executable | DLLs<br />
Visual C++ | 5.0, 6.0, 7.0, 7.1, 8.0, 9.0, 10.0 | Yes | Yes<br />
Visual Basic | 5.0, 6.0 | Yes | No<br />
Visual FoxPro | 5.0, 6.0, 7.0, 8.0, 9.0 | Yes | NA<br />
Borland C++ Builder [a] | 6.0, v2006 | Yes | Yes<br />
Borland Delphi | 7.0, v2006, v2007 | Yes | Yes<br />
Power Builder | 6.0, 7.0, 8.0, 9.0, 10.0, 10.5, 11.0 | Yes | No<br />
Director | 5.0, 6.0, 8.0, 8.5, 9.0, 10.1, MX 2004 | Yes | NA<br />
VB .NET [b] | 7.0, 7.1, 8.0, 9.0, and 10.0 with .NET Framework version 1.1, 2.0, 3.0, 3.5, and 4.0 | Yes | Yes [c]<br />
C# [a] | 7.0, 7.1, 8.0, 9.0, and 10.0 with .NET Framework version 1.1, 2.0, 3.0, 3.5, and 4.0 | Yes | Yes [b]<br />
Delphi .NET | v2006 | Yes | Yes<br />
Borland C# | v2006 | Yes | Yes<br />
MFC | 6.0, 7.0, 7.1, 8.0, 9.0, and 10.0 | Yes | Yes<br />
Authorware | 6.0, 7.0 | Yes | No<br />
Windev | 11, 12 | Yes | No<br />
Labview | 7.1 | Yes | No<br />
Prolog | 7.1 | Yes | No<br />
GameMaker | 5.0, 7.0 | Yes | NA<br />
Excelsior JET | 6.0, 6.4 | Yes | Yes<br />
Xenoage JEStart | 2.0 | Yes | NA<br />
MDM Zinc [d] | 2.5, 3.0 | Yes | NA<br />
[a] Also supports protection of Borland Package Libraries (BPLs).<br />
[b] Applications compiled with Any CPU configuration will execute as 32-bit processes on 64-bit platforms.<br />
[c] The .NET Framework must be present on your system for protecting .NET DLLs.<br />
[d] MDM Zinc version 2.5.0.6 applications are not supported.<br />
The table below lists the file types/compilers supported by CodeCover for 64-bit applications:<br />
File Types/Compilers Supported by CodeCover<br />
Compiler/Tool | Version | Executable | DLLs<br />
Visual C++ | 8.0, 9.0, 10.0 | Yes | Yes<br />
VB .NET [a] | 8.0, 9.0, 10.0 with .NET Framework version 2.0, 3.0, 3.5, and 4.0 | Yes | Yes [b]<br />
C# [a] | 8.0, 9.0, 10.0 with .NET Framework version 2.0, 3.0, 3.5, and 4.0 | Yes | Yes [b]<br />
[a] Binaries built with Any CPU and X86 configurations are supported.<br />
[b] The .NET Framework must be present on your system for protecting .NET DLLs.<br />
Question 3: What are the file types supported by CodeCover for<br />
encryption/decryption?<br />
The table below lists the file types supported by CodeCover for encryption/decryption:<br />
File Types and Applications Supported for Encryption/Decryption<br />
File Type | Applications<br />
DOC | WordPad, MS Word<br />
RTF | WordPad, MS Word<br />
HTML | Internet Explorer, MS Word<br />
GIF | Internet Explorer, MS Paint<br />
JPEG | Internet Explorer, MS Paint<br />
TIFF | Internet Explorer, MS Paint<br />
BMP | Internet Explorer, MS Paint<br />
PDF | Adobe Acrobat Reader<br />
PPT | MS PowerPoint<br />
XLS | MS Excel<br />
MDB | MS Access<br />
SWF | Macromedia Flash<br />
Question 4: What are the file types not supported by the “Hide import symbols” option?<br />
The Hide import symbols option (under the Security tab) cannot be applied to the following file types:<br />
- .NET<br />
- Visual FoxPro<br />
- Director<br />
- Power Builder<br />
- Adobe Acrobat Reader (PDF files)<br />
- Windev<br />
- Authorware<br />
- Prolog<br />
- GameMaker<br />
- Excelsior JET<br />
- Xenoage JEStart<br />
- MDM Zinc<br />
- Applications that use SmartHeap DLLs<br />
- When you are also using the data file encryption option<br />
Note: The Hide import symbols option is ignored if there is any data file to be protected or the file encryption settings have been specified.<br />
Question 5: Can I protect .NET DLLs using CodeCover? Are there<br />
any prerequisites for protecting .NET DLLs?<br />
Yes, you can protect both .NET executables and DLLs using CodeCover. However, please note the following:<br />
- For .NET 1.0, 1.1, 2.0, 3.0, and 3.5 DLLs, you need to install the .NET SDK of the same version as the .NET DLL you want to protect. For example, install .NET SDK 1.1 to protect .NET 1.1 DLLs and .NET SDK 2.0 to protect .NET 2.0 DLLs.<br />
- For .NET 4.0 (Beta1/Beta 2) DLLs, you need to install Windows SDK 7.0 and .NET Framework 2.0.<br />
Please note that an exception may occur while executing a 32-bit .NET 2.0, 3.0, 3.5, or 4.0 DLL protected using CodeCover. This exception occurs when applications are compiled using the Any CPU configuration with only the DLLs being protected and both the executable and the DLL being executed on a 64-bit platform. To avoid this, please use any of the following methods with the executable calling this DLL:<br />
- Select x86 configuration at the build time.<br />
- Use the CorFlags Conversion tool to modify the binary (type CorFlags theApp.exe /32bit+ in the command prompt and press Enter).<br />
Question 6: I am using XML serialization in my .NET executables.<br />
Are there any precautions to be taken care of?<br />
Here are the precautions to be taken care of while using CodeCover:<br />
Note: Windows 64-bit .NET applications that use XML serialization cannot be licensed on 32-bit operating system when .NET Enhancement option is selected.<br />
.NET Framework Version | Using “.NET Enhancement” Option | Guidelines<br />
1.1 | No | The licensed application requires .NET Framework v 2.0 at run-time.<br />
1.1 | Yes | The licensed application requires .NET Framework v 2.0 at run-time.<br />
2.0, 3.0 and 3.5 | No | The .NET SDK 2.0 must be installed on system. The .XMLSerializers.dll is generated automatically during the licensing process. This DLL must be shipped with your licensed application.<br />
2.0, 3.0 and 3.5 | Yes | .NET SDK 2.0 must be installed on system. The .XMLSerializers.dll is generated automatically during the licensing process. This DLL must be shipped with your licensed application.<br />
4.0 | No | Windows SDK 7.0 must be installed on system. The .XMLSerializers.dll is generated automatically during the licensing process. This DLL must be shipped with your licensed application.<br />
4.0 | Yes | Windows SDK 7.0 must be installed on system. The .XMLSerializers.dll is generated automatically during the licensing process. This must be shipped along with your licensed application.<br />
Question 7: Why do .NET executables protected using Quick CodeCover and CodeCover methods fail to run if they are signed with strong names?<br />
Protecting .NET executables, signed with strong names, is not supported.<br />
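The two .NET conditions above (the Any CPU executable from Question 5 and the strong-name signature from Question 7) can be checked before protection by reading the CLR header flags of the binary. The following Python script is an added example, not part of the original guide or of the Sentinel Keys SDK; the function names, the finding strings and the constructed header-only sample image are assumptions made for illustration.<br />

```python
import struct

# CLR header flag values (IMAGE_COR20_HEADER.Flags).
COMIMAGE_FLAGS_ILONLY = 0x1
COMIMAGE_FLAGS_32BITREQUIRED = 0x2    # the bit that "CorFlags /32bit+" sets
COMIMAGE_FLAGS_STRONGNAMESIGNED = 0x8
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
CLR_DIRECTORY = 14                    # index of the CLR header data directory


def read_clr_flags(image: bytes):
    """Return (optional-header magic, CLR flags) for a managed PE image.

    Raises ValueError for anything that is not a well-formed managed image.
    """
    try:
        if image[:2] != b"MZ":
            raise ValueError("missing MZ signature")
        pe = struct.unpack_from("<I", image, 0x3C)[0]
        if image[pe:pe + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        _, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe + 4)
        opt = pe + 24
        magic = struct.unpack_from("<H", image, opt)[0]
        if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
            raise ValueError("unknown optional-header magic")
        dirs = opt + (96 if magic == PE32_MAGIC else 112)
        n_dirs = struct.unpack_from("<I", image, dirs - 4)[0]
        if n_dirs <= CLR_DIRECTORY:
            raise ValueError("no CLR header: native image")
        clr_rva, _ = struct.unpack_from("<II", image, dirs + 8 * CLR_DIRECTORY)
        if clr_rva == 0:
            raise ValueError("no CLR header: native image")
        # Translate the RVA to a file offset through the section table.
        for i in range(n_sections):
            vsize, vaddr, rsize, rptr = struct.unpack_from(
                "<IIII", image, opt + opt_size + 40 * i + 8)
            if vaddr <= clr_rva < vaddr + max(vsize, rsize):
                # Flags sit 16 bytes into IMAGE_COR20_HEADER.
                offset = clr_rva - vaddr + rptr + 16
                return magic, struct.unpack_from("<I", image, offset)[0]
        raise ValueError("CLR header RVA not inside any section")
    except struct.error as exc:
        raise ValueError("truncated image") from exc


def precheck(image: bytes):
    """Return findings for an executable that will load a protected .NET DLL."""
    magic, flags = read_clr_flags(image)
    findings = []
    if flags & COMIMAGE_FLAGS_STRONGNAMESIGNED:
        findings.append("strong-name signed: protection not supported")
    if (magic == PE32_MAGIC and (flags & COMIMAGE_FLAGS_ILONLY)
            and not (flags & COMIMAGE_FLAGS_32BITREQUIRED)):
        findings.append("Any CPU: build as x86 or run CorFlags /32bit+")
    return findings


def build_sample(clr_flags: int, magic: int = PE32_MAGIC) -> bytes:
    """Constructed header-only managed image for the demo (not loadable)."""
    dirs = 96 if magic == PE32_MAGIC else 112
    opt = bytearray(dirs + 16 * 8)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dirs - 4, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dirs + 8 * CLR_DIRECTORY, 0x2000, 72)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    machine = 0x14C if magic == PE32_MAGIC else 0x8664
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, len(opt), 0x0102)
    text = struct.pack("<8sIIII12xI", b".text", 72, 0x2000, 0x200, 0x200, 0x60000020)
    cor20 = struct.pack("<IHH8xI", 72, 2, 5, clr_flags)    # cb, version, MetaData, Flags
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text
    return headers.ljust(0x200, b"\0") + cor20.ljust(72, b"\0")


if __name__ == "__main__":
    samples = (("Any CPU", 0x1), ("x86", 0x3), ("x86, strong-named", 0xB))
    for label, flags in samples:
        print(label, "->", precheck(build_sample(flags)))
```

In a build script, pass the bytes of the real executable to precheck and fail the build on any finding.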
Question 8: Why do Vista applications that require .mui files fail to<br />
run when protected using Quick CodeCover and CodeCover<br />
methods?<br />
These protected files on Vista need .mui files (files required for language and region settings) to execute. These .mui files are stored inside the default language folder (for example, en-US for an English version) that must be placed at the location where the protected executable resides.<br />
For example, for an English version of Vista, if the protected Notepad.exe resides in C:\protected then the .mui files must reside at the same location inside the en-US folder. Please check for the .mui files at the location advised in the example.<br />
For more FAQs, refer to the <strong>Sentinel</strong> <strong>Keys</strong> Toolkit Help.<br />
Question 9: Are there any special files to be distributed to the end user for applications protected using the .NET Enhancement feature?<br />
The following DLLs should be distributed to end users:<br />
- For 32-bit .NET applications protected using the .NET Enhancement security option: SDNPro.dll. If SDNPro.dll is not present with the protected application, then the protected application will not execute and an error will be displayed that SDNPro.dll is missing.<br />
- For 64-bit .NET applications protected using the .NET Enhancement security option: SDNPro64.dll (when .NET enhancement option is selected during protection). If SDNPro64.dll is not present with the protected application, then the protected application will not execute and an error will be displayed that SDNPro64.dll is missing.<br />
Question 10: What precautions should I take while protecting<br />
applications using CodeCover?<br />
We recommend that you protect only RELEASE builds of your applications with CodeCover, as the memory management and optimizations may differ between DEBUG and RELEASE builds.<br />
Hence, it is recommended not to use CodeCover protection for DEBUG builds.<br />
Question 11: Why does the application fail to execute when I protect a DLL that is statically linked to it, whereas it executes successfully if the DLL is linked dynamically?<br />
This is a statically linked DLL issue that occurs once you have protected your application. Please use one of the following tips while protecting a statically linked DLL to resolve this issue:<br />
- Protect both the statically linked DLL and the executable instead of protecting only the DLL.<br />
- Use LoadLibrary instead of linking the DLL statically.<br />
Question 12: What is the advantage of using the Command-Line<br />
CodeCover utility?<br />
The Command-Line CodeCover utility is an exe file. As such, it can be called by your project build script to protect your desired application. This eliminates the dependency on the Toolkit to protect the application.<br />
Question 13: Will there be any difference in my protected application<br />
if I protect my file using the Command-Line CodeCover utility,<br />
instead of the Protect button provided in the License Designer<br />
stage of the <strong>Sentinel</strong> <strong>Keys</strong> Toolkit?<br />
The Command-Line CodeCover utility uses the license template (*.ltm) file to get the various protection options (such as protection layer level, licensing mode, network settings, etc.). Hence, there is no difference between a file protected via the Command-Line CodeCover utility and one protected via the <strong>Sentinel</strong> <strong>Keys</strong> Toolkit.<br />
Question 14: Does the Command-Line CodeCover utility provide any option to change the protection options?<br />
The Command-Line CodeCover utility provides a way to customize the source path and the destination path only. If you want to edit the other options, you have to edit the license via the <strong>Sentinel</strong> <strong>Keys</strong> Toolkit, and then use the new license template (*.ltm) file (after programming the license) with the Command-Line CodeCover utility.<br />
Chapter 5<br />
Protecting Applications Using API<br />
In this chapter, we will describe how to add API features in the Toolkit. To<br />
learn about the API-based method of protecting applications, see “About<br />
API Protection” on page 58.<br />
Steps to Protect Applications Using API<br />
The steps for protecting applications using the Business Layer API functions<br />
are as follows:<br />
Prepare a Conceptual Plan<br />
In the initial stage you need to decide which software locks to use for protecting your application. The purpose of a software lock is to verify the presence of the correct <strong>Sentinel</strong> Key. You will begin by contacting the <strong>Sentinel</strong> Key for a license (SFNTGetLicense API call). Subsequently, you can craft a variety of software locks to check the presence of the <strong>Sentinel</strong> Key, such as encrypting the data using the AES algorithm present in the key. Please refer to the Business Layer API Help to understand the various API functions.<br />
Many of these software locks can be used for implementing popular licensing models. For example, you can call the SFNTEncrypt API function to verify your lease or demo validity.<br />
Add the API Features to License Template<br />
Which API features need to be added in the license template? To drive the functionality of the software locks, you need to add appropriate API features. You can choose from the API features discussed in the topic “Features” on page 51. This chapter describes the steps for adding API features.<br />
Evaluate the Business Layer API Calls for Familiarity<br />
In the API Explorer screen, you can experiment with the Business Layer API functions prior to adding them into your source code. For each function, it also generates the usage code for various languages. The <strong>Sentinel</strong> <strong>Keys</strong> Toolkit Help contains steps on using the API Explorer.<br />
Re-build the License Template (if Required)<br />
In case you modified your API features or template properties after evaluating the API functions, you need to re-build the license template to generate the "final set" of header file [1], libraries, and code sketch [2].<br />
[1] The header file is generated at the time of building a license template. It contains important information for your (license) strategy, including the developer ID, license ID, feature ID, software key, query-response table (if you have included an AES feature in your template), and a public key (if you included an ECC feature in your template).<br />
[2] The code sketch consists of an outline of the Business Layer API functions that you should incorporate in your source code. It is a good reference when you are not sure which API functions are relevant for your particular strategy.<br />
Add the Business Layer API Functions into Source Code, Compile, and Link<br />
You now need to insert the Business Layer API calls into your application<br />
source code. The code sketch for your license template can guide you on the<br />
relevant API functions that can be called. Also, do refer to the best practices<br />
described in Chapter 7, “Implementing Secure Licensing,” on page 167.<br />
Finally, compile and link your application after including the <strong>Sentinel</strong> <strong>Keys</strong><br />
header files and libraries.<br />
Apply the CodeCover Protection (for Windows Applications Only)<br />
For extra protection, you can apply CodeCover over your API-protected (compiled) applications. However, this step is optional and depends on whether your executables, DLLs, and BPLs are supported by CodeCover. The steps for using CodeCover are described in Chapter 4, “Protecting Applications Using CodeCover,” on page 75.<br />
Test the Protected Application<br />
You can now test your protected application. We recommend testing your<br />
application to verify that it executes correctly with the appropriate <strong>Sentinel</strong><br />
Key both attached and missing.<br />
Tip: If you are testing your protected application in a network environment, make sure to restart the <strong>Sentinel</strong> <strong>Keys</strong> Server.<br />
Figure: Steps for Protecting Applications Using API<br />
Adding API Features<br />
The API features can be added using any of the following ways:<br />
- Under the API tab of the License Designer screen - This option allows you to add an API feature to an existing license template. The complete steps are covered in this chapter.<br />
- Using the License Designer Wizard - This option allows you to create a license template by adding a CodeCover or API feature to it. Refer to the <strong>Sentinel</strong> <strong>Keys</strong> Toolkit Help for complete steps.<br />
Add Feature Dialog Box<br />
To obtain the Add Feature dialog box:<br />
1. In the License Designer screen, load the template to which the API<br />
feature will be added. The loaded template is shown in the template<br />
layout.<br />
2. Click the API tab.<br />
3. Click the Add button. The Add Features dialog box appears.<br />
Figure: Add Features Dialog Box<br />
Adding AES Feature<br />
1. In the License Designer screen, load the template to which the AES<br />
feature will be added.<br />
2. Click the API tab.<br />
3. Click Add. The Add Features dialog box appears.<br />
4. Select AES from the list of API features.
5. Choose the desired attributes. Other options are enabled or disabled depending on your selection. The attributes are described below:<br />
Attributes<br />
Attribute | Description | Default Setting<br />
Active | When only this check box is selected, the feature can be used for: encryption, decryption, and query-response protection; providing a perpetual license for using the application. When the Lease and/or Limit executions check box(es) are also selected, the feature can be used for: encryption, decryption, and query-response protection; providing a time-limited or executions-limited license for using the application. | Selected<br />
AES-based encryption | Select to encrypt 16-byte blocks using the AES algorithm. You need to call the SFNTEncrypt API function in your code. Refer to the Business Layer API Help for details on the function. | Not selected<br />
AES-based decryption | Select to decrypt 16-byte blocks of encrypted data using the AES algorithm. You need to call the SFNTDecrypt API function in your code. Refer to the Business Layer API Help for details on the function. | Not selected<br />
Lease | Select to allow specifying an expiration date or expiration time for the application. Else, the application will use a perpetual license. | Not selected<br />
Limit executions | Select to allow specifying the number of times the protected application will run. | Not selected<br />
Write random | Select this check box for randomly generating the secret key at the time of programming the <strong>Sentinel</strong> Key. The random value is generated by the <strong>Sentinel</strong> Key itself and is not known to you/your application. Selecting this will automatically disable the Secret Key field. | Not selected<br />
6. Specify values for the default feature instance. The options are described below:<br />
Default Feature Instance<br />
Item | Description | Default Setting<br />
Secret key | The 128-bit AES secret key. | By default, a secret key is generated and shown in the Toolkit. You can use the icon shown next to the Secret key field to generate another secret key. However, this button is disabled when the Write Random attribute check box is selected because the <strong>Sentinel</strong> Key generates it randomly at the time of programming.<br />
Expiration date | Specify an expiration date (mm/dd/yy format). | One year from current date<br />
Expiration time | Specify an expiration time (in minutes). | 14400 minutes (10 days)<br />
Execution count | Specify an execution count for running the protected application. | 1<br />
Note: If you specify both the licensing controls—lease and limited executions—the<br />
application will expire as soon as any of these limits is reached.<br />
7. Selecting the Add instances later check box will allow you to add<br />
new feature instances later in the License Manager screen. This<br />
option helps in modifying the "licensing values" without modifying<br />
the "licensing implementation" in the application/code.<br />
For example, the programmer who implemented the application protection<br />
had set the expiration date as "10/10/05" and also selected<br />
this check box. Later, if desired, the marketing/key programming personnel<br />
can modify it to suit some customer's requirement (such as,<br />
10/10/07) and program the <strong>Sentinel</strong> Key. This does not require you<br />
to apply the CodeCover protection again, modify the API calls, or<br />
repackage the product.<br />
8. Provide a name for this feature (necessary).<br />
9. The constant name will be automatically generated. However, you<br />
may modify it, if needed.<br />
10. You may optionally provide comments. When done, click OK.<br />
Note: You can use the following Business Layer API functions for an AES feature:<br />
- SFNTQueryFeature - To implement the query-response protection with/<br />
without the licensing checks.<br />
- SFNTEncrypt - To encrypt 16-byte blocks.<br />
- SFNTDecrypt - To decrypt 16-byte encrypted blocks.<br />
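How a query-response software lock built on an AES feature with the Lease and Limit executions attributes behaves, as an added Python example that is not part of the original guide and does not call the Business Layer API. SimulatedKey and the function names are hypothetical, truncated HMAC-SHA256 stands in for the key's AES computation (the Python standard library has no AES), and consuming one execution per application start is a modelling assumption.<br />

```python
import hashlib
import hmac
import secrets
from datetime import datetime

BLOCK = 16  # the AES feature described above works on 16-byte blocks


class SimulatedKey:
    """Hypothetical software model of a hardware key holding one AES-type feature."""

    def __init__(self, secret, expires=None, executions=None):
        self._secret = secret          # stays inside the "device"
        self.expires = expires         # Lease attribute (None = perpetual)
        self.executions = executions   # Limit executions attribute (None = unlimited)

    def start_run(self, now):
        """Model assumption: one execution is consumed per application start."""
        if self.expires is not None and now >= self.expires:
            return False               # lease limit reached first
        if self.executions is not None:
            if self.executions <= 0:
                return False           # execution limit reached first
            self.executions -= 1
        return True

    def query(self, challenge):
        """Keyed transform of a 16-byte query; HMAC stands in for the key's AES."""
        if len(challenge) != BLOCK:
            raise ValueError("query must be 16 bytes")
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()[:BLOCK]


def build_query_response_table(secret, entries=8):
    """Build time: precompute (query, response) pairs for the application to embed."""
    device = SimulatedKey(secret)
    table = []
    for _ in range(entries):
        query = secrets.token_bytes(BLOCK)
        table.append((query, device.query(query)))
    return table


def software_lock(table, key, now):
    """Run time: True only if a key with the right secret and a live license answers.

    The application holds the table, never the secret itself.
    """
    if key is None or not key.start_run(now):
        return False
    query, expected = secrets.choice(table)   # a different pair may be used each run
    return hmac.compare_digest(key.query(query), expected)


if __name__ == "__main__":
    secret = secrets.token_bytes(BLOCK)       # constructed demo secret
    table = build_query_response_table(secret)
    today = datetime(2009, 6, 1)              # constructed demo date
    leased = SimulatedKey(secret, expires=datetime(2010, 6, 1), executions=2)
    print("key attached :", software_lock(table, SimulatedKey(secret), today))
    print("key missing  :", software_lock(table, None, today))
    print("three starts :", [software_lock(table, leased, today) for _ in range(3)])
```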
Adding ECC Feature<br />
1. In the License Designer screen, load the template to which the ECC<br />
feature will be added.<br />
2. Click the API tab.<br />
3. Click Add. The Add Features dialog box appears.<br />
4. Select ECC from the list of API features.<br />
5. Choose the desired attributes. Other options are enabled or disabled depending on your selection. The attributes are described below:<br />
Attributes<br />
Attribute | Description | Default Setting<br />
Active | When only this check box is selected, the feature can be used for: data signing and verification; providing a perpetual license for using the application. When the Lease and/or Limit executions check box(es) are also selected, the feature can be used for: data signing and verification; providing a time-limited or executions-limited license for using the application. | Selected<br />
ECC-based signing | Select to sign digital content using the ECC algorithm. You need to call the SFNTSign API function in your code. Refer to the Business Layer API Help for details on the function. | Selected<br />
Lease | Select to allow specifying an expiration date or expiration time for the application. Else, the application will use a perpetual license. | Not selected<br />
Limit executions | Select to allow specifying the number of times the protected application will run. | Not selected<br />
Write random | Select this check box for randomly generating the private key and public key pair at the time of programming the <strong>Sentinel</strong> Key. When generated randomly, the private and public key pair will not be shown in the Toolkit; however, the public key will be written in the header file. Selecting this will automatically disable the Private Key and Public Key fields. | Not selected<br />
ECC-based Key Exchange | This is not supported in the current release. However, please keep it selected. | Selected<br />
6. Specify values for the default feature instance. The options are described below:<br />
Default Feature Instance<br />
Item | Description | Default Setting<br />
Private Key | The private key used for data signing. | By default, a pair of private and public keys is generated and shown in the Toolkit. You can use the icon shown next to the Private key field to generate another pair. However, this button is disabled when the Write Random attribute check box is selected because the <strong>Sentinel</strong> Key generates them randomly at the time of programming.<br />
Public Key | The public key used for data verification. It will be written into the header file. | -same as above-<br />
Expiration date | Specify an expiration date (mm/dd/yy format). | One year from current date<br />
Expiration time | Specify an expiration time (in minutes). | 14400 minutes (10 days)<br />
Execution count | Specify an execution count for running the protected application. | 1<br />
Note: If you specify both the licensing controls—lease and limited executions—the application will expire as soon as any of these limits is reached.<br />
7. Selecting the Add instances later check box will allow you to add new feature instances later in the License Manager screen. This option helps in modifying the "licensing values" without modifying the "licensing implementation" in the application/code.<br />
For example, the programmer who implemented the application protection had set the expiration date as "10/10/05" and also selected this check box. Later, if desired, the marketing/key programming personnel can modify it to suit some customer's requirement (such as, 10/10/07) and program the <strong>Sentinel</strong> Key. This does not require you to apply the CodeCover protection again, modify the API calls, or repackage the product.<br />
8. Provide a name for this feature (necessary).<br />
9. The constant name will be automatically generated. However, you may modify it, if needed.<br />
10. You may optionally provide comments. When done, click OK.<br />
Note: You can use the following Business Layer API functions for an ECC feature:<br />
- SFNTSign - To sign content.<br />
- SFNTVerify - To verify the signed content.<br />
Adding Counter Feature<br />
1. In the License Designer screen, load the template to which the<br />
Counter feature will be added.<br />
2. Click the API tab.<br />
3. Click Add. The Add Features dialog box appears.<br />
4. Select Counter.<br />
5. Specify a value between 0 and 4,294,967,295 for the default instance.<br />
6. Selecting the Add instances later check box will allow you to add<br />
new feature instances later in the License Manager screen. This<br />
option helps in modifying the "licensing values" without modifying<br />
the "licensing implementation" in the application/code.<br />
7. Provide a name for this feature (necessary).<br />
8. The constant name will be automatically generated. However, you<br />
may modify it, if needed.<br />
9. You may optionally provide comments. When done, click OK.<br />
Note: You can use the following Business Layer API functions for a Counter feature:<br />
- SFNTCounterDecrement - To decrement the Counter value by specified<br />
amount on each call.<br />
- SFNTReadInteger - To read the Counter value.<br />
Adding String Feature<br />
1. In the License Designer screen, load the template to which the<br />
String feature will be added.<br />
2. Click the API tab.<br />
3. Click Add. The Add Features dialog box appears.<br />
4. Select String. Depending on the attributes you select, the other options will be<br />
enabled/disabled. The attributes are described below:<br />
Attributes<br />
Attribute: Write-Random<br />
Default Setting: Not selected<br />
Description: If selected, a unique random string will be written as the feature value when the <strong>Sentinel</strong> Key is programmed. You can specify its length in the String Length field.<br />
The random value is generated by the <strong>Sentinel</strong> Key itself and is not known to you/your application. However, you can call the SFNTReadString API function to read the value.<br />
Please note that this value can be overwritten in the field using the Update value command or by calling the SFNTWriteString API function (requires the write password you specified).<br />
<br />
Attribute: Read-Only<br />
Default Setting: Not selected<br />
Description: Select this check box if you do not want to allow writing the feature value by the protected application (that calls the SFNTWriteString API function).<br />
<br />
Attribute: Write-Once<br />
Default Setting: Not selected<br />
Description: Select this check box if you want to allow writing the feature only once, without providing a write password (specify any value in the WritePassword parameter of the SFNTWriteString API function). This attribute is suitable for accepting string data that a user provides only once for validation (such as the user name) without exposing the write password.<br />
However, note that this value can be overwritten in the field using the Update value command.<br />
Typically, this attribute is best used with the read-only attribute.<br />
5. Specify a string containing up to 2032 ASCII printable characters (see footnote 3)<br />
for the default instance.<br />
If the Write-Random check box is clear, you can click Browse to copy<br />
the contents of a file into the string feature.<br />
6. Specify a write password if you want to write the feature value using<br />
the SFNTWriteString API function. The option will be disabled if you<br />
have selected the Read-Only option.<br />
7. Selecting the Add instances later check box will allow you to add<br />
new feature instances later in the License Manager screen. This<br />
option helps in modifying the "licensing values" without modifying<br />
the "licensing implementation" in the application/code.<br />
The option will be disabled if you have selected the Write-once and/<br />
or Write-random option.<br />
3. The maximum length is 2032 bytes for SHK XM keys, and 888 bytes for non-XM keys.<br />
8. If you selected the check box described in step 7, specify the maximum<br />
size. It has to be greater than the existing string length and less than<br />
2032 ASCII printable characters. The overridden values will never<br />
exceed the maximum limit set.<br />
9. Provide a name for this feature (necessary).<br />
10. The constant name will be automatically generated. However, you<br />
may modify it, if needed.<br />
11. You may optionally provide comments. When done, click OK.<br />
Note: You can use the following Business Layer API functions for a String feature:<br />
- SFNTReadString - To read the String feature value.<br />
- SFNTWriteString - To write the String feature value.<br />
Adding Raw Data Feature<br />
1. In the License Designer screen, load the template to which the Raw<br />
Data feature will be added.<br />
2. Click the API tab.<br />
3. Click Add. The Add Features dialog box appears.
4. Select Raw Data. Depending on the attributes you select, the other options will be disabled/enabled.<br />
The attributes are described below:<br />
Attributes<br />
Attribute: Write random<br />
Default Setting: Not selected<br />
Description: If selected, some unique random raw data will be written as the feature value when the <strong>Sentinel</strong> Key is programmed. You can specify its length in the Raw Data Length field. The random value is generated by the <strong>Sentinel</strong> Key itself and is not known to you/your application. However, you can call the SFNTReadRawData API function to read the value. Please note that this value can be overwritten in the field using the Update value command or by calling the SFNTWriteRawData API function (requires the write password you specified).<br />
<br />
Attribute: Read-only<br />
Default Setting: Not selected<br />
Description: Select this check box if you do not want to allow writing the feature value by the protected application. Please note that this value can be overwritten in the field using the Update value command.<br />
<br />
Attribute: Write-once<br />
Default Setting: Not selected<br />
Description: Select this check box if you want to allow writing the feature only once, without providing a write password (specify NULL in the WritePassword parameter of the SFNTWriteRawData API function). This attribute is suitable for accepting raw data that a user provides only once for validation (such as the registration number) without exposing the write password.<br />
Please note that this value can be overwritten in the field using the Update value command.<br />
5. Specify a raw data value of up to 2032 bytes (see footnote 4) for the default instance.<br />
The value can be of any developer-defined data type, including printable/non-printable ASCII<br />
characters and hexadecimal numbers.<br />
If the Write-Random check box is clear, you can click Browse to<br />
copy the contents of a file into the raw data feature. You can specify<br />
Offset and Length, in bytes, for the file contents you want to copy. By<br />
default, Offset is 0 and Length is 2032, indicating that only the first 2032<br />
bytes of data are copied. Alternatively, you can also click the Hex-ASCII<br />
converter to browse the file.<br />
6. Specify a write password if you want to write the feature value using<br />
the SFNTWriteRawData API function. The option will be disabled if<br />
you have selected the Read-only option.<br />
7. Selecting the Add instances later check box will allow you to add<br />
new feature instances later in the License Manager screen. This<br />
option helps in modifying the "licensing values" without modifying<br />
the "licensing implementation" in the application/code.<br />
The option will be disabled if you have selected the Write-Once and/<br />
or Write-random option.<br />
8. If you selected the check box described in step 7, specify the maximum<br />
size. It has to be greater than the existing feature size and less than<br />
2032 raw data characters. The overridden values will never exceed<br />
the maximum limit set.<br />
9. Provide a name for this feature (necessary).<br />
10. The constant name will be automatically generated. However, you<br />
may modify it, if needed.<br />
11. You may optionally provide comments. When done, click OK.<br />
4. The maximum length is 2032 bytes for SHK XM keys, and 888 bytes for non-XM keys.<br />
Note: You can use the following Business Layer API functions for a Raw Data feature:<br />
- SFNTReadRawData - To read the Raw Data feature value.<br />
- SFNTWriteRawData - To write the Raw Data feature value.<br />
Adding Integer Feature<br />
1. In the License Designer screen, load the template to which the Integer<br />
feature will be added.<br />
2. Click the API tab.<br />
3. Click Add. The Add Features dialog box appears.<br />
4. Select Integer. Depending on the attributes you select, the other options will be disabled/enabled.<br />
The attributes are described below:<br />
Attributes<br />
Attribute: Write random<br />
Default Setting: Not selected<br />
Description: If selected, some unique random integer data will be written as the feature value when the <strong>Sentinel</strong> Key is programmed. You can specify its length in the range specified by the Integer type radio buttons.<br />
The random value is generated by the <strong>Sentinel</strong> Key itself and is not known to you/your application. However, you can call the SFNTReadInteger API function to read the value.<br />
Please note that this value can be overwritten in the field using the Update value command or by calling the SFNTWriteInteger API function (requires the write password you specified).<br />
<br />
Attribute: Read-only<br />
Default Setting: Not selected<br />
Description: Select this check box if you do not want to allow writing the feature value by the protected application. However, this value can be written in the field using the Update value command.<br />
If you selected the Write random check box, the value will be written at the time of programming the <strong>Sentinel</strong> Key. You can read the Integer feature value using the SFNTReadInteger function.<br />
<br />
Attribute: Write-once<br />
Default Setting: Not selected<br />
Description: Select this check box if you want to allow writing the feature only once, without providing a write password (specify NULL in the WritePassword parameter of the SFNTWriteInteger API function). This attribute is suitable for accepting integer data that a user provides only once for validation (such as the registration number) without exposing the write password.<br />
Please note that this value can be overwritten in the field using the Update value command.<br />
<br />
5. Choose the integer type from the options shown:<br />
- 8-bit integer: A value between 0 and 255.<br />
- 16-bit integer: A value between 0 and 65,535.<br />
- 32-bit integer: A value between 0 and 4,294,967,295.<br />
6. Specify an integer value for the default instance.<br />
7. Specify a write password if you want to write the feature value using<br />
the SFNTWriteInteger API function. The option will be disabled if you<br />
have selected the Read-only option.
8. Selecting the Add instances later check box will allow you to add<br />
new feature instances later in the License Manager screen. This<br />
option helps in modifying the "licensing values" without modifying<br />
the "licensing implementation" in the application/code.<br />
The option will be disabled if you have selected the Write-once and/or<br />
Write-random option.<br />
9. Provide a name for this feature (necessary).<br />
10. The constant name will be automatically generated. However, you<br />
may modify it, if needed.<br />
11. You may optionally provide comments. When done, click OK.<br />
Note: You can use the following Business Layer API functions for an Integer feature:<br />
- SFNTReadInteger - To read the Integer feature value.<br />
- SFNTWriteInteger - To write the Integer feature value.<br />
Adding Boolean Feature<br />
1. In the License Designer screen, load the template to which the<br />
Boolean feature will be added.<br />
2. Click the API tab.<br />
3. Click Add. The Add Features dialog box appears.<br />
4. Select Boolean. Depending on the attributes you select, the other options will be disabled/enabled.<br />
The attributes are described below:<br />
Attributes<br />
Attribute: Write random<br />
Default Setting: Not selected<br />
Description: If selected, a random Boolean value will be written as the feature value when the <strong>Sentinel</strong> Key is programmed. The random value is generated by the <strong>Sentinel</strong> Key itself and is not known to you/your application. However, you can call the SFNTReadInteger API function to read the value.<br />
Please note that this value can be overwritten in the field using the Update value command or by calling the SFNTWriteInteger API function (requires the write password you specified).<br />
<br />
Attribute: Read-only<br />
Default Setting: Not selected<br />
Description: Select this check box if you do not want to allow writing the feature value by the protected application. However, this value can be written in the field using the Update value command.<br />
If you selected the Write random check box, the value will be written at the time of programming the <strong>Sentinel</strong> Key. You can read the Integer feature value using the SFNTReadInteger function.<br />
<br />
Attribute: Write-once<br />
Default Setting: Not selected<br />
Description: Select this check box if you want to allow writing the feature only once, without providing a write password (specify NULL in the WritePassword parameter of the SFNTWriteInteger API function).<br />
Please note that this value can be overwritten in the field using the Update value command.<br />
5. Specify a true (1) or false (0) value for the default instance.<br />
6. Specify a write password if you want to write the feature value using<br />
the SFNTWriteInteger API function. The option will be disabled if you<br />
have selected the Read-only option.<br />
7. Selecting the Add instances later check box will allow you to add<br />
new feature instances later in the License Manager screen. This<br />
option helps in modifying the "licensing values" without modifying<br />
the "licensing implementation" in the application/code.<br />
8. The option will be disabled if you have selected the Write-once and/<br />
or Write-random option.<br />
9. Provide a name for this feature (necessary).<br />
10. The constant name will be automatically generated. However, you<br />
may modify it, if needed.<br />
11. You may optionally provide comments. When done, click OK.<br />
Note: API functions for Boolean feature<br />
You can use the following Business Layer API functions for a Boolean feature:<br />
- SFNTReadInteger - To read the Boolean feature value.<br />
- SFNTWriteInteger - To write the Boolean feature value.<br />
What’s Next?<br />
After adding the API features, you may now:<br />
- Build the license template using the instructions described in the<br />
<strong>Sentinel</strong> <strong>Keys</strong> Toolkit Help. When a license template is built, the<br />
following tasks are performed:<br />
  - <strong>Sentinel</strong> Key is programmed with the license information.<br />
  - Header file is generated.<br />
  - Code sketch is generated.<br />
- Add the Business Layer API functions into your application’s source<br />
code.<br />
The Business Layer API Help provides complete details on each function.<br />
Also, do refer to the best practices described in Chapter 7,<br />
“Implementing Secure Licensing,” on page 167.<br />
- Compile your application after including the <strong>Sentinel</strong> <strong>Keys</strong> header<br />
files and libraries. You may also apply CodeCover protection to your<br />
Windows executables and data files (if the file types are supported).<br />
- You can now test your protected application. We recommend testing<br />
your application to verify that it executes correctly with the<br />
appropriate <strong>Sentinel</strong> Key both attached and missing.<br />
Note: If you are testing your protected application in network environment,<br />
make sure to restart the <strong>Sentinel</strong> <strong>Keys</strong> Server after building the license<br />
template.<br />
Business Layer API - Quick Reference<br />
SFNTSetContactServer - Sets the <strong>Sentinel</strong> <strong>Keys</strong> Server to be contacted for obtaining a<br />
license.<br />
SFNTSetConfigFile - Allows you to reconfigure the name and path of the client-side configuration<br />
file.<br />
SFNTGetLicense - Obtains a license from the <strong>Sentinel</strong> Key having required developer ID and<br />
license ID.<br />
SFNTQueryFeature - Performs the query-response operation and verifies the licensing controls.<br />
SFNTEncrypt - Encrypts data using the AES algorithm.<br />
SFNTDecrypt - Decrypts data using the AES algorithm.<br />
SFNTSign - Signs content using the ECSSH algorithm.<br />
SFNTVerify - Verifies the digitally signed content using the public key.<br />
SFNTSetHeartbeat - Sets the heartbeat interval for maintaining a license.<br />
SFNTCounterDecrement - Decrements the Counter value by a specified amount.<br />
SFNTReadInteger - Reads Integer, Boolean, and Counter feature values in the <strong>Sentinel</strong><br />
Key.<br />
SFNTWriteInteger - Updates the Integer and Boolean feature values in the <strong>Sentinel</strong> Key.<br />
SFNTWriteRawData - Updates the Raw Data feature value in the <strong>Sentinel</strong> Key.<br />
SFNTReadRawData - Reads the Raw Data feature value in the <strong>Sentinel</strong> Key.<br />
SFNTReadString - Reads the String feature value in the <strong>Sentinel</strong> Key.<br />
SFNTWriteString - Updates the String feature value in the <strong>Sentinel</strong> Key.<br />
SFNTGetFeatureInfo - Obtains information about a feature.<br />
SFNTGetLicenseInfo - Obtains information about a license.<br />
SFNTGetServerInfo - Obtains information about the <strong>Sentinel</strong> <strong>Keys</strong> Server that granted<br />
license(s) to the application.<br />
SFNTEnumServer - Enumerates the <strong>Sentinel</strong> <strong>Keys</strong> Servers running within the subnet for a<br />
<strong>Sentinel</strong> Key (having the desired developer ID and license ID combination).<br />
SFNTGetDeviceInfo - Obtains information about the <strong>Sentinel</strong> Key attached to a system.<br />
SFNTReleaseLicense - Releases the license and cleans up the memory allocated to the client<br />
library resources.<br />
Frequently Asked Questions<br />
Question 1 - Can I modify the feature ID?<br />
If required, you can modify the feature ID assigned by the Toolkit. Specify a<br />
numeric value between 1 and 255 in the Feature ID text box. It must be<br />
unique for a license template.<br />
Question 2 - What is a code sketch?<br />
The code sketch is the protection plan generated by the Toolkit when a<br />
license template is built. It consists of an outline of the Business Layer API<br />
functions that you should incorporate in your source code. It is a good reference<br />
when you are not sure which API functions are relevant for your<br />
particular strategy.<br />
The code sketch is written into an HTML file present in the Toolkit working<br />
folder.<br />
It can be generated for the most-frequently used development languages.<br />
To view the code sketch, you can either click View under the Build Options<br />
tab, or navigate to the Toolkit working folder.<br />
Question 3 - Are there any API samples provided?<br />
Yes. Sample applications are provided that demonstrate various licensing<br />
models, such as lease and demos. These samples make use of Business Layer<br />
API functions, suitable for that licensing scheme.<br />
Follow the steps given below:
1. Load a sample license template provided in the Toolkit.<br />
[Figure: Load Sample]<br />
2. Provide your build options under the Build Options tab, such as<br />
specify the development language you want the sample for.<br />
3. Build it by clicking the Build button. The following dialog box will<br />
appear (the dialog box differs across platforms) on completion of the<br />
build process for Windows sample.<br />
[Figure: Take me there Link]<br />
4. Click the Take me there link (the dialog box differs across platforms).<br />
You are directed to the language-specific directory for the sample,<br />
wherein you can compile the sample application and understand the<br />
API functions used.<br />
Note: For more FAQs and troubleshooting tips, refer to the <strong>Sentinel</strong> <strong>Keys</strong> Toolkit<br />
Help.
Chapter 6<br />
Secure Remote Updates<br />
Secure remote updates provide a method to update the hardware keys<br />
already deployed with the customers and distributors. This chapter<br />
describes the complete process of updating keys remotely.<br />
Usually, most of the product trials/purchases are followed by certain updates<br />
and activations. For example, customers who earlier used a demo version of<br />
AppSoftDrawing might want to buy a perpetual license later. Or, your enterprise<br />
customers might wish to increase the number of users allowed to run<br />
the application. Under rare circumstances, you might need to update the<br />
security settings in the key memory, such as revising the cheat counter<br />
value, deactivating the algorithms, or modifying the write password for a<br />
feature and so on. Secure remote updates allow you to do all this and much<br />
more in a few easy steps!<br />
Secure Remote Updates<br />
The secure update process does not require you to withdraw existing <strong>Sentinel</strong><br />
<strong>Keys</strong> from the field, ship new keys, provide additional software, or visit<br />
the customer site. You do not even need to prepare a remote update strategy<br />
in advance at the time of license designing.<br />
The following table lists the two types of Secure Remote Update methods,<br />
scenarios in which these methods are useful, and the file generated in each<br />
process.<br />
Remote Update Method: Secure Remote Feature/License Update<br />
Update Scenario: To modify values of existing features in existing licenses<br />
File Generated: .upw (update code file)<br />
<br />
Remote Update Method: Secure Remote New License Addition<br />
Update Scenario: To add a new license, or add/remove features to/from an existing license<br />
File Generated: .nlf (new license file)<br />
Note: A license (template) is considered to be new if its License ID is distinct from<br />
the license IDs of licenses available in the end user token.<br />
A license (template) is considered to be existing if its license ID matches the<br />
license ID of any of the licenses available in the end user token.<br />
The following illustration explains the remote update processes involved in<br />
updating <strong>Sentinel</strong> <strong>Keys</strong> with feature/license updates, or new license<br />
additions.
Secure Remote Feature/License Update<br />
The <strong>Sentinel</strong> <strong>Keys</strong> can be updated for features/licenses using files or e-mails<br />
in one of the following ways:<br />
- Bidirectional Update<br />
- Unidirectional Update<br />
Bidirectional Update<br />
In this process, there is a bidirectional flow of the update information<br />
between the end user and the developer as described below:<br />
1. The customer generates a request code.<br />
2. The customer sends the request code (.req file) using an e-mail to the<br />
developer.<br />
3. The developer loads the license template for which the request was<br />
sent.<br />
4. The developer clicks the Bidirectional Update option button under<br />
the Key Activator tab.<br />
5. The developer loads the request code (.req) file.<br />
Note: When the request code is loaded in the Update Manager, the License IDs of<br />
all the licenses are displayed. The developer views the licenses by using the<br />
arrow buttons.<br />
6. The developer clicks Load to load the selected license.<br />
7. The developer creates update actions (described on page 157).<br />
8. The developer clicks Generate Update Code to generate an update<br />
code (described on page 162).<br />
9. The developer sends the update code (.upw) file using an e-mail to the<br />
customer.<br />
10. The customer applies the update code using the secure update utility/<br />
secure update wizard, to have access to the requested applications/<br />
features.<br />
[Figure: Bidirectional Remote Update Process]<br />
The remote update bidirectional process allows you to update keys securely<br />
because:<br />
- The update codes are encrypted using the AES secret key.<br />
- Due to the "one time update" capability built in the hardware, an<br />
update code cannot be used more than once.<br />
- The "update code" and "request code" form a unique pair: an update<br />
code can update only that hardware key whose request code was used<br />
to generate it.<br />
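The three properties listed above can be seen in a small model, added here as an illustration; it is not SafeNet's code and not the Sentinel file format. All names (ToyKey, generate_update_code, the serials and the secret) are hypothetical, the request code is assumed to carry a fresh nonce, and HMAC-SHA256 stands in for the AES protection the guide mentions, so the model authenticates the update code but does not hide its contents.

```python
"""Toy model of a request-code / update-code exchange (constructed example)."""
import hashlib
import hmac
import json
import secrets


class ToyKey:
    """Stands in for a hardware key: a serial, a secret and feature values."""

    def __init__(self, serial: str, secret: bytes, features: dict):
        self.serial = serial
        self._secret = secret
        self.features = dict(features)
        self._pending_nonce = None  # set only while a request is outstanding

    def generate_request_code(self) -> bytes:
        """Customer side: emit a request code with the serial and a fresh nonce."""
        self._pending_nonce = secrets.token_hex(16)
        return json.dumps({"serial": self.serial,
                           "nonce": self._pending_nonce}).encode()

    def apply_update_code(self, update_code: bytes) -> str:
        """Apply an update only if it is authentic, addressed to this key,
        and answers the outstanding request."""
        try:
            envelope = json.loads(update_code)
            body = envelope["body"].encode()
            tag = bytes.fromhex(envelope["tag"])
        except (ValueError, KeyError, TypeError, AttributeError):
            return "rejected: malformed"
        expected = hmac.new(self._secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"
        msg = json.loads(body)
        if msg["serial"] != self.serial:
            return "rejected: wrong key"
        if self._pending_nonce is None or not hmac.compare_digest(
                msg["nonce"], self._pending_nonce):
            return "rejected: no matching request"
        self.features.update(msg["actions"])
        self._pending_nonce = None  # consume the request: one-time update
        return "applied"


def generate_update_code(secret: bytes, request_code: bytes, actions: dict) -> bytes:
    """Developer side: bind the update actions to the serial and nonce
    taken from the customer's request code, then authenticate the result."""
    req = json.loads(request_code)
    body = json.dumps({"serial": req["serial"], "nonce": req["nonce"],
                       "actions": actions}, sort_keys=True)
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag}).encode()


def demo() -> dict:
    """Run the exchange for two constructed keys and collect each outcome."""
    secret = b"constructed-developer-secret"  # constructed sample value
    key_a = ToyKey("SN-0001", secret, {"user_limit": 5})
    key_b = ToyKey("SN-0002", secret, {"user_limit": 5})
    request_a = key_a.generate_request_code()
    key_b.generate_request_code()  # key B has its own outstanding request
    update = generate_update_code(secret, request_a, {"user_limit": 25})

    # Modify the body in transit without recomputing the tag.
    envelope = json.loads(update)
    envelope["body"] = envelope["body"].replace('"user_limit": 25',
                                                '"user_limit": 99')
    tampered = json.dumps(envelope).encode()

    results = {
        "wrong_key": key_b.apply_update_code(update),
        "tampered": key_a.apply_update_code(tampered),
        "first_use": key_a.apply_update_code(update),
        "replay": key_a.apply_update_code(update),
    }
    results["limit_a"] = key_a.features["user_limit"]
    results["limit_b"] = key_b.features["user_limit"]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```
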
Note: The Secure Remote Update process can also be used by your distributors to<br />
increment the exhausted metering count. They can do so using the Secure<br />
Update Utility or a custom option that calls the Secure Update API functions.<br />
See “Updating Distributor Key Metering Count” on page 206 for<br />
details. Also, refer to the Secure Update API - ReadMe for details on using<br />
Secure Update API functions.<br />
Unidirectional Update<br />
Unidirectional Update is a one-way update that targets single or multiple<br />
<strong>Sentinel</strong> <strong>Hardware</strong> Key(s) present in the field. A Unidirectional update could<br />
be of the following two types:<br />
1. Unidirectional Single Target Update: The Developer generates the<br />
update code without any request code from the end user, and applies<br />
the update code to a specified <strong>Sentinel</strong> <strong>Hardware</strong> Key with a particular<br />
Serial Number.<br />
2. Unidirectional Broadcast Update: The Developer generates the<br />
update code without any request code from the end user, and broadcasts<br />
the code to all the end users possessing <strong>Sentinel</strong> <strong>Keys</strong> with the<br />
same DeveloperID.<br />
Some exceptions in the unidirectional mode are listed as follows:<br />
- Only the update actions for License/Feature are shown in the Action<br />
List.<br />
- For <strong>Sentinel</strong> <strong>Keys</strong>, the following update actions are not supported in<br />
the unidirectional mode:<br />
  - Set cheat counter (only for non-RTC keys)<br />
  - Set device date<br />
- For Distributor <strong>Keys</strong>, the following update actions are not supported<br />
in the unidirectional mode:<br />
  - Metering count<br />
  - Modify File Encryption Key (hex)<br />
- Under License/Feature actions, creating update codes for updating<br />
a few features like Counter, AES and ECC’s expiration time and counter<br />
is restricted. Hence, you will not be able to select the following<br />
features in the action list while generating an update code (*.upw) file<br />
in unidirectional mode:<br />
  - Increment Counter (for Counter, ECC, AES)<br />
  - Overwrite Counter (for Counter, ECC, AES)<br />
  - Set Expiration time (for ECC, AES)<br />
Unidirectional Single Target Update<br />
The unidirectional single target update process is as described below:<br />
1. The developer loads the license template for which the update code<br />
needs to be generated.<br />
2. The developer clicks the Unidirectional Update option button<br />
under the Key Activator tab.<br />
3. The developer selects the Only update a specified SHK token<br />
check box.<br />
4. The developer enters the serial number (derived from a database<br />
maintained by the developer) of the <strong>Sentinel</strong> Key targeted for unidirectional<br />
single target update, in the Token Serial Number field.<br />
5. The developer selects the actions to be performed on the Key. The<br />
update actions are listed, corresponding to the License/Feature<br />
Action Types, present in the token. See “About Remote Update<br />
Actions” on page 157.<br />
6. The developer clicks Generate Update Code to generate an update<br />
code (described on page 162).<br />
7. The developer sends the update code (.upw) file using an e-mail to the<br />
customer.
8. The customer applies the update code to have access to the requested<br />
applications/features.<br />
Note: The developer must maintain a database at the time of key programming,<br />
in which all the license group information which is to be programmed in<br />
the token should be stored. Without this information, or with incomplete information,<br />
updating the tokens could fail.<br />
[Figure: Unidirectional Single Target Remote Update Process]<br />
Unidirectional Broadcast Update<br />
The unidirectional broadcast update process is as described below:<br />
1. The developer loads the license template for which the update code<br />
needs to be generated.<br />
2. The developer clicks the Unidirectional Update option button<br />
under the Key Activator tab.<br />
3. The developer selects the actions to be performed on the Key. The<br />
update actions are listed, corresponding to the License/Feature<sup>1</sup><br />
Action Types, present in the token. See “About Remote Update<br />
Actions” on page 157.<br />
4. The developer clicks Generate Update Code to generate an update<br />
code (described on page 162).<br />
5. The developer sends the update code (.upw) file using an e-mail to the<br />
customer.<br />
6. The customers apply the update code to have access to the requested<br />
applications/features.<br />
Unidirectional Broadcast Remote Update Process<br />
<sup>1</sup> Some features, like Counter, AES, ECC, and Lease, are restricted from selection in the action<br />
list while generating a *.upw file in unidirectional mode.<br />
Secure Remote New License Addition<br />
The remote license addition method allows you to add new license(s) to an end<br />
user token that is already in the field.<br />
Note: A license (template) is considered to be new if its License ID is distinct from<br />
the license IDs of licenses available in the end user token.<br />
A license (template) is considered to be existing if its license ID matches the<br />
license ID of any of the licenses available in the end user token.<br />
The following table explains the scenarios in which the remote license addition<br />
process is useful.<br />
Scenario | Token State | Description<br />
Fresh License Addition | Empty | You have sent an empty token in the field and now you wish to add license(s) in the end user token remotely.<br />
New License Addition | Token with existing license(s) | The end user token has license L1 bound to application A1, and now you want to send a new license L2 bound to application A2.<br />
New Feature Addition | Token with existing license(s) | The end user token has license L1 with features F1, and F2, and you want to add another feature say F3 in the same license L1, present in the token. This is achieved by first deleting all the existing licenses from the token and then adding the modified L1 as the new license. Note: Do make sure to delete all licenses if you are adding the same license with a new feature. Otherwise, license loading fails displaying the message, “License already exists”.<br />
New license addition through the Secure Update library requires the creation of a<br />
license addition<sup>2</sup> (*.nlf) file. The following section explains the processes<br />
involved in adding new licenses to the end user tokens.<br />
Remote New License Addition Process<br />
The <strong>Sentinel</strong> <strong>Keys</strong> can be updated for new licenses in one of the following<br />
ways:<br />
Bidirectional New License Addition<br />
Unidirectional New License Addition<br />
Bidirectional New License Addition<br />
In this mode, the developer loads the request code received from the customer to retrieve the<br />
Serial Number and Device Update Counter values. License addition in this mode targets a<br />
single end user token.<br />
The Device Update Counter is the global update counter in the end user token, which is<br />
incremented every time any of the following operations is performed on the token:<br />
Deleting all licenses before adding new licenses using a *.NLF file.<br />
Cheat counter value updates.<br />
Last known date and time (LKDT) updates, once the lease operation has been performed.<br />
User limit value updates.<br />
When the request code is generated, the value of the device update counter is stored in the<br />
*.req file.<br />
This bidirectional flow of the license addition information between the end user and the<br />
developer is described below:<br />
1. The developer opens the License Manager screen.<br />
2. Using the Group Management dialog box, the developer loads the<br />
group for which the license addition (*.nlf) file needs to be exported.<br />
3. The developer clicks the Export-File Manager icon to open<br />
the Export-File Manager wizard.<br />
<sup>2</sup> The *.nlf file is created for new license addition(s) in the end user token using the Secure<br />
Update library. The end user is able to load the license(s) into the local SHK token by applying<br />
this license addition file.<br />
4. In the Export-File Manager wizard, the developer selects Export a file<br />
for License Addition. (Allows creation of *.NLF file), and clicks<br />
Next.<br />
5. The developer selects the Bidirectional mode from the Mode dropdown,<br />
and clicks Next.<br />
6. The developer browses and selects the request code (.req) file in the<br />
Request Code File field. The request code file populates the Serial<br />
Number and Device Update Counter<sup>3</sup> values in the respective<br />
fields.<br />
7. The developer may select the Delete all licenses from token check<br />
box, if required, to remove all the licenses from the token.<br />
Selecting this check box displays a warning, “This will remove all the<br />
licenses from the token. Are you sure you want to do this?”. Click Yes to<br />
confirm, and it removes all the existing licenses from your token,<br />
before loading a new license.<br />
8. The developer clicks Next to continue further in the wizard. After<br />
defining a destination path in the File Name field, the developer specifies the cheat<br />
counter value in the Cheat Counter (only for non-RTC keys) field,<br />
and then clicks Generate. The loadable license packets are generated<br />
and exported in the form of a *.nlf file.<br />
9. The developer sends the license addition (*.nlf) file using an e-mail to<br />
the customer.<br />
10. The customer applies the license addition code to use the new license.<br />
Unidirectional New License Addition<br />
In this mode, the developer generates the new license addition code without<br />
any request code from the end user. It is assumed that the Serial Number<br />
and Device Update Counter are known to the developer.<br />
<sup>3</sup> The Device Update Counter, stored in the .req file in bidirectional mode, is needed when the<br />
developer wants to delete all licenses from the Sentinel Key, before loading new licenses.<br />
1. The developer opens the License Manager screen.<br />
2. Using the Group Management dialog box, the developer loads the<br />
group for which the new license addition (*.nlf) file needs to be<br />
exported.<br />
3. The developer clicks the Export-File Manager icon to open<br />
the Export-File Manager wizard.<br />
4. In the Export-File Manager wizard, the developer selects Export a file for License<br />
Addition. (Allows creation of *.NLF), and clicks Next.<br />
5. The developer selects the Unidirectional mode from the Mode dropdown,<br />
and enters the serial number to apply the license addition code<br />
for a particular end user token (Unidirectional Single Target Mode).<br />
When the Single Target check box is unselected, the new license<br />
addition update is applicable to multiple end user tokens of the same<br />
Developer ID (Unidirectional Broadcast Mode<sup>4</sup>).<br />
The developer may select the Delete all licenses from token check<br />
box, if required, to remove all the licenses from the token.<br />
Selecting this check box displays a warning, “This will remove all the<br />
licenses from the token. Are you sure you want to do this?”. Click Yes to<br />
confirm, and it deletes all licenses from the token before loading a new<br />
license.<br />
This activates the Device Update Counter<sup>5</sup> check box for the developer<br />
to enter the device update counter value, required for formatting<br />
the token.<br />
<sup>4</sup> In unidirectional license addition mode, if the developer unselects the Single Target check<br />
box, the new license addition (*.nlf) file is generated for multiple end user tokens of the<br />
same Developer ID. In this mode, the developer is restricted from deleting all licenses from tokens<br />
before loading a license.<br />
<sup>5</sup> In unidirectional mode, you need to keep track of this value while sending the update<br />
codes.<br />
6. The developer clicks Next to continue further in the wizard. After<br />
defining a destination path in the File Name field, the developer specifies the cheat<br />
counter value in the Cheat Counter (only for non-RTC keys) field,<br />
and then clicks Generate. The loadable license packets are generated<br />
and exported in the form of a *.nlf file.<br />
Note: The update packet for LKDT is also integrated with the *.nlf file.<br />
7. The developer sends the license addition (*.nlf) file using an e-mail to<br />
the customer.<br />
8. The customer applies the license addition code to use the new license.<br />
Remote Update Codes<br />
Request Code<br />
Refers to the code generated (as a .req file) by the customers/distributors as a<br />
request to update their hardware keys. It contains the hardware key details<br />
(such as, the serial number) and the license information.<br />
Update Code<br />
Refers to the code generated by the developer. It defines the actions that you<br />
want to apply on the hardware key. The update code is generated under the<br />
Key Activator tab of the Toolkit.<br />
As a developer, only you have the rights for generating update codes to allow<br />
secure remote update.<br />
Note: An update code can also be generated using the SFNTCreateUpdatePacket<br />
API function of the Key Programming library.<br />
The update packets created using this function can be applied as a buffer<br />
and saved as a *.upw file to be further applied into the end user token<br />
using either the Secure Update Utility, or the SFNTApplyUpdateCode<br />
function from the Secure Update library.<br />
License Addition Code<br />
Refers to the code generated (as a *.nlf file) by the developer for adding new<br />
license(s) into the end user token through the Secure Update Utility/<br />
Wizard, or the SFNTApplyUpdateCode() function of the Secure Update library.<br />
The *.nlf file is generated using the Export-File Manager under the<br />
License Manager stage of the Toolkit.<br />
Remote Update Methods<br />
You can use any of the following methods to update hardware keys<br />
remotely:<br />
Secure Update Wizard (available for Windows only)<br />
Secure Update Utility<br />
Secure Update API<br />
Secure Update Wizard<br />
The Secure Update Wizard provides a developer-branded graphical option to<br />
customers for remotely activating features/applications. It is suitable for<br />
activating licenses remotely under the following scenarios:<br />
Converting a trial/demo application to a full version<br />
Activating an inactive feature/application after installation<br />
Adding a new license<br />
You can brand the Secure Update Wizard with your custom graphics and<br />
text while associating it with your CodeCover/API-protected applications.<br />
The wizard collects product and publisher information to process a license<br />
activation request. It allows you to choose how the product activation will<br />
be presented to your customer, and defines the methods (file and/or e-mail)<br />
your customer can use to activate the product.<br />
When your customer runs the application, he/she will have the option of<br />
clicking the Try or Buy button:<br />
The Try button allows your customer to use the product for a<br />
specified time limit or determined number of executions.<br />
The Buy button prompts your customer for the necessary<br />
information and completes the product activation.<br />
Note: The Secure Update Wizard is localization ready. You can translate the wizard<br />
text and messages—currently in U.S. English—into a language of your<br />
choice.<br />
Refer to the Sentinel Keys Toolkit Help for complete details on integrating the<br />
Secure Update Wizard with your CodeCover or API-protected application.<br />
Also, Chapter 10, “Redistributables for Customers and Distributors,” on<br />
page 223 describes what to ship along with your protected application to<br />
allow remote updates.<br />
Secure Update Wizard Interface<br />
(The example shows how the interface can be branded to suit your preferences)<br />
Secure Update Utility<br />
The Secure Update Utility is a stand-alone application and provides an alternative<br />
for updating hardware keys.<br />
Using the Secure Update Utility, a customer/distributor can easily generate a<br />
request code file (.req). In response, the developer will provide an update<br />
code file (.upw), or a new license addition file (.nlf). The .upw or .nlf file can<br />
be applied by the customer/distributor using the same utility, or directly by<br />
double-clicking the file (if the One-Click License Update facility is enabled).<br />
Note: Because a .upw file generated by Sentinel Hardware Keys (version 1.2 and<br />
higher) cannot be applied using version 1.0 of the Secure Update library,<br />
make sure that you distribute the latest Secure Update Utility and<br />
associated DLLs to your customer/distributor.<br />
The One-Click License Update facility allows your customers to directly<br />
update the key by double-clicking the .upw or .nlf file. On Windows 98, double-clicking<br />
a .upw or .nlf file initiates the Secure Update Utility rather than<br />
directly updating the key. To enable the one-click license update facility, you<br />
need to configure your application installer to create certain registry entries<br />
(specific to .nlf and .upw files) on the client machine. These registry entries<br />
are listed in the following table:<br />
Installer Registries for One-Click License Update<br />
Registry | Value<br />
For .nlf Files<br />
HKEY_CLASSES_ROOT\.nlf | nlffile<br />
HKEY_CLASSES_ROOT\nlffile | New License Addition File<br />
HKEY_CLASSES_ROOT\nlffile\shell\open\command | It is a dynamic value that specifies the location where the SecureUpdateUtility.exe is installed on the client’s machine. The installer adds this registry value after the installation of Secure Update Utility.<br />
For .upw Files<br />
HKEY_CLASSES_ROOT\.upw | upwfile<br />
HKEY_CLASSES_ROOT\upwfile | Secure Update File<br />
HKEY_CLASSES_ROOT\upwfile\shell\open\command | It is a dynamic value that specifies the location where the SecureUpdateUtility.exe is installed on the client’s machine. The installer adds this registry value after the installation of Secure Update Utility.<br />
For Windows, a GUI-based application is provided (see screenshot below).<br />
For other platforms, a command-line utility is provided.<br />
Secure Update Utility Interface on Windows<br />
The table below quickly compares the Secure Update Wizard and Secure<br />
Update Utility to help you in choosing the method that suits your needs best:<br />
Secure Update Wizard:<br />
Wizard-based and graphical. You can customize the user-interface, instructions, and include custom graphics, like a splash screen.<br />
Localization-ready.<br />
Best suited for try-and-buy applications that use expiration date, time, and execution count.<br />
It can be integrated with your protected application (as described in the Sentinel Keys Toolkit Help).<br />
Since it is installed with the protected application, your customers can use it for updating stand-alone keys.<br />
Available only for Windows.<br />
Secure Update Utility:<br />
Compact and ready-to-use (requires no configuration).<br />
Suitable for updating the hardware key memory and features with all the action types defined on page 157. It can also be used for incrementing the counter programmed into distributor keys.<br />
Can be shipped as an independent utility. See also, “Deploying Secure Update Utility” on page 228.<br />
Can be used for updating stand-alone or network keys.<br />
Available for all supported platforms on Windows, Linux, and Macintosh.<br />
Remote Update API<br />
A developer may instead create a customized remote update option using<br />
the Secure Update API functions implemented in SecureUpdate.h. It is available<br />
at the following path in your <strong>Sentinel</strong> <strong>Keys</strong> SDK installation:<br />
For Windows: \Secure Update\Secure Update Utility\INTF.<br />
Please note that separate libraries are provided for Windows 32-bit<br />
and x64.<br />
For Linux: /secure_update/SecureUpdateUtility/INTF/<br />
For Macintosh: /Secure Update/Secure Update Utility/INTF/
Note: Refer to the Secure Update API - ReadMe for more information on Secure<br />
Update API functions.<br />
About Remote Update Actions<br />
To be able to update <strong>Sentinel</strong> <strong>Keys</strong> and distributor keys in the field, you must<br />
define the update actions under the Add Actions tab of the Update Manager<br />
screen.<br />
Actions contain one or more commands grouped together, so you do not have<br />
to select the commands individually when generating update codes. The<br />
various commands are described in “Action Types” on page 157.<br />
When you generate an update code, the actions you select are encrypted<br />
into the update code specific to the selected hardware key. When the update<br />
code is entered in the Secure Update Wizard or Secure Update Utility, the<br />
actions and commands are applied to the key.<br />
Note: The task of adding remote update actions is not a part of license designing<br />
stage. You can add actions even after deploying your protected applications<br />
when the customer/distributor sends a request code.<br />
Action Types<br />
The following three categories of actions exist:<br />
For Features<br />
Choose License/Feature action type for:<br />
Updating the license template settings—like user limit—in the<br />
<strong>Sentinel</strong> Key.<br />
Updating the feature settings—like an execution date, execution<br />
count and so on—in the <strong>Sentinel</strong> Key.<br />
Given below are the steps:<br />
1. In the Update Manager screen, load the license template for which<br />
the actions are to be created.<br />
2. Under Action Types, select the License/Feature radio button (if not<br />
already selected).<br />
3. Click Add. The Add action for features dialog box appears.<br />
4. Under Features and Commands, select the check box shown beside<br />
the feature for which commands are to be added. The applicable commands<br />
appear in the right-side panel (under Commands Options).<br />
The top-most command in the Command drop-down list is automatically<br />
selected. If desired, you can remove it using the Remove<br />
Command button. The table below shows you the possible commands<br />
that can be added for each feature type:<br />
Feature and License Action Type<br />
Command | Description | Applies to<br />
Update value | Updates the existing feature value. | String, Raw Data, Integer, Boolean<br />
Change write password | Changes the existing Write Password. | String, Raw Data, Integer, Boolean<br />
Increment counter* | Increments the existing Counter feature value by the amount you specify. | Counter<br />
Overwrite counter* | Replaces the existing Counter feature value with the value you specify. | Counter<br />
Activate AES feature | Enables a disabled AES algorithm. | AES<br />
Deactivate AES feature | Disables an enabled AES algorithm. | AES<br />
Modify AES secret key | Replaces the existing secret key with the value you specify. | AES<br />
Overwrite execution count* | Replaces the existing execution count value with the value you specify. | AES, ECC<br />
Increment execution count* | Increments the existing Counter feature value by the amount you specify. | AES, ECC<br />
Detach execution count | Detaches the existing execution count value and makes the license perpetual. | AES, ECC<br />
Set expiration date | Updates the existing Expiration Date with the value specified. | AES, ECC<br />
Set expiration time* | Adds the specified Expiration Time (in minutes) to the existing value. | AES, ECC<br />
Detach lease control | Detaches the expiration date and expiration time control associated with the feature and makes the license perpetual. | AES, ECC<br />
Activate ECC feature | Enables a disabled ECC algorithm. | ECC<br />
Deactivate ECC feature | Disables an enabled ECC algorithm. | ECC<br />
Modify ECC private key | Updates the Private Key. Note: The ISV can copy the Public Key and embed it in the application for sign and verify. | ECC<br />
Update user limit | Updates the User limit associated with a license (template). This will remain disabled if you set the user limit as 0 in the License Designer screen. | License Template<br />
* One time update actions.<br />
5. Provide a name for the action in the Action name field. It can contain<br />
up to 20 characters.<br />
The name should be concise, yet descriptive, so the people generating<br />
update codes can easily see how the hardware key will be updated.<br />
6. You may optionally include comments for the action in the Action<br />
comments field.<br />
7. Click OK to add the action.<br />
Adding Actions For <strong>Sentinel</strong> <strong>Keys</strong><br />
Choose <strong>Sentinel</strong> Key action type for:<br />
Updating the cheat counter in the <strong>Sentinel</strong> Key.<br />
Updating the hardware key time in the <strong>Sentinel</strong> Key.<br />
To add actions for the <strong>Sentinel</strong> <strong>Keys</strong>:<br />
1. In the Update Manager screen, load the license template for which<br />
the actions are to be created.<br />
2. Under Action Types, select the <strong>Sentinel</strong> Key radio button.<br />
3. Click Add. The Add action for <strong>Sentinel</strong> Key dialog box appears.<br />
Shown below are commands applicable to <strong>Sentinel</strong> <strong>Keys</strong>:<br />
Command | Description | Applies to<br />
Set cheat counter* | Sets the Cheat Counter (for non-RTC tokens only) | Sentinel Key<br />
Set device date* | Sets the hardware key date and time as per GMT. | Sentinel Key<br />
* One time update actions.<br />
4. Provide a name for the action in the Action name field. It can consist<br />
of up to 20 characters.<br />
The name should be concise, yet descriptive, so the people generating<br />
update codes can easily see how the hardware key will be updated.<br />
5. You may optionally include comments for the action in the Action<br />
comments field.
6. Click OK to add the action.<br />
Adding Actions For Distributor Key<br />
Choose Distributor Key action type for:<br />
Updating the metering count in the distributor key.<br />
Updating the File Encryption Key (FEK) in the distributor key.<br />
To add actions for the distributor keys:<br />
1. In the Update Manager screen, load the license template for which<br />
the actions are to be created.<br />
2. Under Action Types, select the Distributor key radio button.<br />
3. Click Add. The Add action for Distributor Key dialog box appears.<br />
Shown below are commands applicable to distributor keys:<br />
Command | Description | Applies to<br />
Metering count* | Overwrites the existing metering count in the distributor key or increases it by the amount specified. | Distributor Key<br />
Modify File Encryption Key | Updates the FEK. This is to be used when you want to modify the encryption key used earlier (while creating an .lgx file). | Distributor Key<br />
* One time update actions.<br />
4. Provide a name for the action in the Action name field. It can consist<br />
of up to 20 characters.<br />
The name should be concise, yet descriptive, so the people generating<br />
update codes can easily see how the hardware key will be updated.<br />
5. You may optionally include comments for the action in the Action<br />
Comments field.<br />
6. Click OK to add the action.<br />
Generating Update Codes<br />
You can generate update codes to activate features/applications, or to add new<br />
licenses remotely. For a bidirectional update, you must have<br />
obtained a request code from the customer<sup>6</sup> who has requested remote activation<br />
of features/applications.<br />
The following section explains the <strong>Sentinel</strong> Key details you must know for<br />
generating an update code file (.upw) or a new license addition file (.nlf):<br />
1. Remote Feature/License Update: Requires generating a .upw,<br />
update code file from the Key Activator tab of the Toolkit. The<br />
update file can be generated using either of the following methods:<br />
Bidirectional Update: Requires the following files to generate the<br />
.upw, update code file:<br />
A Request Code (.req) file from your customer<br />
Unidirectional Update: The unidirectional update could be one of<br />
the following types:<br />
Unidirectional Single Target Update: Requires the <strong>Sentinel</strong><br />
Key Serial Number targeted for a single target update.<br />
Unidirectional Broadcast Update: Requires the common<br />
Developer ID for all the <strong>Sentinel</strong> <strong>Keys</strong> targeted for a unidirectional<br />
broadcast update.<br />
Note: In all of the above modes, the cheat counter value can be specified in the<br />
Cheat Counter (only for non-RTC keys) field, before generating the<br />
*.nlf file. The update packet for LKDT is also integrated with the<br />
*.nlf file.<br />
2. Remote License Addition: Requires generating a .nlf, new license<br />
addition file from the Export-File Manager of License Manager in<br />
Toolkit.<br />
<sup>6</sup> Your distributors might also require update codes to remotely update distributor<br />
keys with them.<br />
Bidirectional License Addition: Requires the following files to<br />
generate the .nlf, new license addition code file:<br />
A Request Code (.req) file from your customer<br />
Unidirectional License Addition: The unidirectional license<br />
addition could be one of the following types:<br />
Unidirectional Single Target License Addition: Requires the<br />
following information by the developer, to generate the .nlf, new<br />
license addition code file:<br />
Serial Number of the <strong>Sentinel</strong> Key in field, targeted for a single<br />
target license addition<br />
The Device Update Counter value for formatting the Key before<br />
loading a license.<br />
Unidirectional Broadcast License Addition: Requires the<br />
common Developer ID for all the <strong>Sentinel</strong> <strong>Keys</strong> targeted for a<br />
unidirectional broadcast update.<br />
Note: In all of the above modes, the cheat counter value can be specified in the<br />
Cheat Counter (only for non-RTC keys) field, before generating the<br />
*.nlf file. The update packet for LKDT is also integrated with the<br />
*.nlf file.<br />
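The prerequisites listed in this section can be checked against the developer's key database before a .upw or .nlf file is generated. The Python sketch below is an added example, not SafeNet Toolkit or Secure Update API code; the record schema, function names, and sample serial numbers are hypothetical, and it models only the rules stated in this chapter.<br />

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class Mode(Enum):
    BIDIRECTIONAL = "bidirectional"
    UNI_SINGLE = "unidirectional single target"
    UNI_BROADCAST = "unidirectional broadcast"


# Commands this chapter lists as not selectable for a unidirectional .upw.
UNIDIRECTIONAL_BLOCKED = {"increment counter", "overwrite counter",
                          "set expiration time"}
# Operations this chapter says increment the token's Device Update Counter.
COUNTER_BUMPING_OPS = {"delete_all_licenses", "cheat_counter_update",
                       "lkdt_update", "user_limit_update"}


@dataclass
class TokenRecord:
    """One row of the developer's key database (hypothetical schema)."""
    serial: str
    developer_id: str
    license_ids: Set[str] = field(default_factory=set)
    device_update_counter: Optional[int] = None  # None: value not tracked


@dataclass
class RequestCode:
    """The two .req values the wizard reads; the real file is encrypted."""
    serial: str
    device_update_counter: int


def check_update_code(mode: Mode, actions: List[str], request=None,
                      serial=None, developer_id=None) -> List[str]:
    """Return reasons a .upw cannot be generated as asked (empty list = OK)."""
    problems = []
    if mode is Mode.BIDIRECTIONAL and request is None:
        problems.append("bidirectional update needs the customer's .req file")
    if mode is Mode.UNI_SINGLE and not serial:
        problems.append("single target update needs the token serial number")
    if mode is Mode.UNI_BROADCAST and not developer_id:
        problems.append("broadcast update needs the common Developer ID")
    if mode is not Mode.BIDIRECTIONAL:
        problems += [f"'{a}' is not selectable in unidirectional mode"
                     for a in actions if a.lower() in UNIDIRECTIONAL_BLOCKED]
    return problems


def check_license_addition(mode: Mode, license_id: str, delete_all: bool,
                           db: Dict[str, TokenRecord], request=None,
                           serial=None, developer_id=None) -> List[str]:
    """Return reasons a .nlf cannot be generated as asked (empty list = OK)."""
    problems, targets = [], []
    if mode is Mode.BIDIRECTIONAL:
        if request is None:
            return ["bidirectional addition needs the customer's .req file"]
        record = db.get(request.serial)
        if record:  # the .req carries the current counter, so refresh the row
            record.device_update_counter = request.device_update_counter
            targets = [record]
    elif mode is Mode.UNI_SINGLE:
        record = db.get(serial)
        if record is None:
            return [f"serial {serial!r} is not in the key database"]
        if delete_all and record.device_update_counter is None:
            problems.append("delete-all needs the Device Update Counter value")
        targets = [record]
    else:
        if delete_all:  # footnote 4, read here as "not permitted"
            problems.append("delete-all is not available in broadcast mode")
        targets = [r for r in db.values() if r.developer_id == developer_id]
        if not targets:
            problems.append("no known tokens for that Developer ID")
    if not delete_all:  # an existing License ID makes loading fail on the token
        problems += [f"{r.serial}: License already exists ({license_id})"
                     for r in targets if license_id in r.license_ids]
    return problems


def record_counter_event(record: TokenRecord, operation: str) -> None:
    """Mirror a counter-incrementing token operation in the developer's row."""
    if operation not in COUNTER_BUMPING_OPS:
        raise ValueError(f"{operation!r} does not change the counter")
    if record.device_update_counter is not None:
        record.device_update_counter += 1
    if operation == "delete_all_licenses":
        record.license_ids.clear()


def sample_db() -> Dict[str, TokenRecord]:
    """Constructed sample rows; the serials and IDs are made up."""
    rows = [TokenRecord("SN-1001", "DEV-A", {"L1"}, 4),
            TokenRecord("SN-1002", "DEV-A", {"L2"}, None)]
    return {r.serial: r for r in rows}
```

An empty list from either check means the request satisfies the stated prerequisites; it does not guarantee that the token accepts the resulting file.<br />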
Frequently Asked Questions<br />
Question 1 - Why can't I use telephone or fax to exchange request<br />
codes and update codes?<br />
Since both the codes are written in encrypted format (and might contain<br />
non-printable characters), they cannot be communicated over a phone or<br />
fax.<br />
Question 2 - What kind of customization can be done for the Secure<br />
Update Wizard interface on Windows?<br />
Because the Secure Update Wizard is integrated with the CodeCover/API-protected<br />
application at the license designing stage, its interface can be customized<br />
to include your product and company-specific information (such as<br />
product name, version, and copyright), text (such as e-mail address and content),<br />
and images (such as splash image and application icon).<br />
Question 3 - What are the steps that a customer undergoes to activate<br />
the application using Secure Update Wizard?<br />
The topic “Walk-through of Secure Update Wizard (Screens)” in the <strong>Sentinel</strong><br />
<strong>Keys</strong> Toolkit Help describes these steps.<br />
Question 4 - Apart from the <strong>Sentinel</strong> Key and my application, what<br />
other files do I need to ship along with my protected application?<br />
Please refer to Chapter 10, “Redistributables for <strong>Customer</strong>s and Distributors,”<br />
on page 223 for complete information.<br />
Question 5 - Can I use the same request code (.req) file to generate<br />
an update code (.upw) file, and a license addition (.nlf) file?<br />
No, you are not advised to do so. When the request code is generated,<br />
the value of the device update counter is stored in the *.req file. This counter is<br />
incremented every time you perform any of the following operations on the<br />
token:<br />
Formatting before adding new licenses using *.nlf file.<br />
Updating cheat counter value.<br />
Updating Last known date and time (LKDT) value, once the lease<br />
operation has been performed.<br />
Updating user limit value.<br />
Now, consider a scenario wherein you used the *.req file to generate a<br />
*.upw file, and later used the same *.req file to generate the *.nlf file. The<br />
device update counter value in the *.req file may not match its value on the<br />
token if you have performed any of the operations listed above, which blocks<br />
the license addition code (*.nlf) file from being applied.
Question 6 - Can Secure Update Utility of version 1.0 apply the .upw<br />
file generated by SHK1.2.1 and higher?<br />
No. A .upw file generated by <strong>Sentinel</strong> <strong>Hardware</strong> <strong>Keys</strong> version 1.2.1<br />
and higher cannot be applied using the Secure Update library of version<br />
1.0. Please ensure that you distribute the latest Secure Update Utility and<br />
associated DLLs to your customer/distributor.<br />
Question 7 - If I select Delete all licenses from token while generating<br />
*.nlf file, will the end user be able to apply this file on the token<br />
as many times as he/she wants?<br />
No, the new license can be added only once by applying the license addition<br />
(.nlf) file.<br />
Question 8 - What is the role of the Device Update Counter value in<br />
removing all licenses from the token? In what scenarios is its value<br />
updated?<br />
Device Update Counter is the global update counter in the end user token<br />
which is incremented every time all licenses from the token are deleted. Its<br />
value is also updated in the following scenarios:<br />
Cheat counter value updates.<br />
Last known date and time (LKDT) updates, once the lease operation<br />
has been performed.<br />
User limit value updates.<br />
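The counter behavior described in Questions 5 and 8 can be modeled on the host, as in the following added example (not SafeNet code and not the real file formats). The structures, function names and the rule that every listed operation is checked against the counter snapshot are assumptions made for illustration; real *.req, *.upw and *.nlf files are encrypted.

```c
#include <stdbool.h>
#include <stdio.h>

/* Operations the FAQ lists as incrementing the Device Update Counter. */
typedef enum {
    OP_FORMAT_AND_ADD_LICENSES,   /* *.nlf applied with formatting */
    OP_UPDATE_CHEAT_COUNTER,
    OP_UPDATE_LKDT,
    OP_UPDATE_USER_LIMIT
} update_op;

typedef enum { APPLY_OK, APPLY_COUNTER_MISMATCH } apply_result;

/* Hypothetical, simplified token state (not the real key layout). */
typedef struct {
    unsigned device_update_counter;
    int      licenses;
    int      cheat_counter;
    int      user_limit;
} token;

/* Models a *.req file: it carries the counter value at generation time. */
typedef struct { unsigned counter_snapshot; } request_code;

/* Models a *.upw or *.nlf file built by the developer from a *.req. */
typedef struct {
    unsigned  expected_counter;
    update_op op;
    int       value;
} update_file;

request_code make_request(const token *t) {
    request_code r = { t->device_update_counter };
    return r;
}

update_file build_update(const request_code *req, update_op op, int value) {
    update_file u = { req->counter_snapshot, op, value };
    return u;
}

apply_result apply_update(token *t, const update_file *u) {
    /* A file built from a stale *.req, or a file applied a second time,
       carries a counter value the token has already moved past. */
    if (u->expected_counter != t->device_update_counter)
        return APPLY_COUNTER_MISMATCH;
    switch (u->op) {
    case OP_FORMAT_AND_ADD_LICENSES: t->licenses = u->value;      break;
    case OP_UPDATE_CHEAT_COUNTER:    t->cheat_counter = u->value; break;
    case OP_UPDATE_USER_LIMIT:       t->user_limit = u->value;    break;
    case OP_UPDATE_LKDT:             /* time is not modelled */   break;
    }
    t->device_update_counter++;
    return APPLY_OK;
}

int main(void) {
    token tok = { 5, 1, 0, 10 };              /* constructed sample state */
    request_code req = make_request(&tok);
    update_file upw = build_update(&req, OP_UPDATE_CHEAT_COUNTER, 3);
    update_file nlf = build_update(&req, OP_FORMAT_AND_ADD_LICENSES, 2);
    printf("apply upw: %s\n",
           apply_update(&tok, &upw) == APPLY_OK ? "ok" : "counter mismatch");
    printf("apply nlf built from the same req: %s\n",
           apply_update(&tok, &nlf) == APPLY_OK ? "ok" : "counter mismatch");
    return 0;
}
```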
Question 9 - In case of Bidirectional Updates, which factors should<br />
be taken into consideration before generating the update code for a<br />
feature?<br />
ISVs should ensure that each update file contains a single update<br />
action, because update actions of a conflicting nature should not be<br />
applied together. The list of such update actions is provided below:<br />
Counter<br />
Increment Counter<br />
Overwrite Counter<br />
AES/ECC<br />
Overwrite Execution Counter<br />
Increment Execution Counter<br />
Detach Counter<br />
Distributor key<br />
Increment Counter<br />
Overwrite Counter<br />
Question 10 - How can I enable the One-Click License Update facility<br />
for my customers?<br />
You need to modify your application installer to create registry entries specific<br />
to .nlf and .upw files. These registry entries are listed in Table , “Installer<br />
Registries for One-Click License Update,” on page 154.
Chapter 7<br />
Implementing Secure Licensing<br />
Protecting a software application is never fail-safe. A good analogy is automobiles;<br />
they are stolen every day. However, there are many vehicles, despite<br />
their high value, that thieves avoid because they are too difficult to steal.<br />
This is generally the result of an auto manufacturer that purchased the best<br />
lock available and spent the time to integrate it properly. Otherwise, even the<br />
strongest lock can be easily defeated.<br />
<strong>Sentinel</strong> Key provides the best software protection system available today.<br />
However, like the auto manufacturer, you must take the time to properly<br />
implement the system or it will be bypassed.<br />
The goal of any software protection strategy is to make the cost of defeating<br />
it much more than purchasing the software legitimately. Once this is in<br />
place, users get more value from buying the software than stealing it. You<br />
should provide a security strategy that fits in with the value of the software<br />
itself—the higher the value of the software, the more time you should spend<br />
protecting it.<br />
This chapter provides tips on implementing secure licensing strategies.<br />
If you are using an API-based protection strategy, keep in mind the following<br />
guidelines to ensure your strategy is effective.<br />
Note: Creating your own customized protection scheme requires you to understand<br />
the API functions described in the <strong>Sentinel</strong> <strong>Keys</strong> Toolkit Help.<br />
Vulnerability Assessment - Basic Types of Attacks<br />
Before you can plan a good protection strategy, you need to understand the<br />
type of attacks targeted at breaking licensing. The diagram below shows the<br />
vulnerable points typically targeted for attacks:<br />
[Figure: Basic Types of Attacks]
Attack the <strong>Hardware</strong><br />
Typically, this method is extremely difficult, time-consuming, and requires<br />
very expensive equipment. Moreover, the <strong>Sentinel</strong> Key uses chip-on-board<br />
(COB) technology for high reliability and greater protection against<br />
reverse-engineering. The <strong>Sentinel</strong> Key memory is encrypted using multiple<br />
unique random keys to defeat memory clones.<br />
Attack the SafeNet Components<br />
Generally, the hacker targets the SafeNet-supplied components (using, for example,<br />
driver replacement or emulation and replay attacks), so that they return<br />
correct answers to the application without the <strong>Sentinel</strong> Key being plugged<br />
in. To combat such attacks, all the communication between the components<br />
is passed through a Secure Communication Tunnel that makes use of industry-standard<br />
algorithms (see “<strong>Hardware</strong> Key with Cutting-edge Security<br />
Technology” on page 7).<br />
Attack the Communication Between Parties<br />
The communication between the various parties involved in licensing—the<br />
developer, customer, and distributor—is also prone to attacks. For example,<br />
a customer may try applying the update code multiple times. However, due<br />
to the “one time update” capability of the hardware key, an update code cannot<br />
be used more than once.<br />
Also, the distributor may program more licenses for customers<br />
than he/she is allowed. To prevent this, you can specify a limit to meter<br />
the licenses programmed. For details, refer to “Programming Distributor<br />
<strong>Keys</strong>” on page 204.<br />
Time Tampering Attacks<br />
System time tampering, or rolling back the system clock, is one of the most common<br />
ways of license infringement for lease/trial applications. To address<br />
this, you can use a <strong>Sentinel</strong> Key with a real-time clock. It contains a tamper-resistant<br />
internal real-time clock that indicates the exact date and time to<br />
track the usage of the leased applications. The real-time clock keeps track of time<br />
independent of the system clock—providing the best solution against time<br />
tampering attacks.<br />
Non-RTC tokens with <strong>Sentinel</strong> V-Clock also allow reliable and secure distribution<br />
of time-limited applications. These do not require an on-board<br />
battery to detect time tampering and allow you to tolerate the number of<br />
time tampering attempts specified in the cheat counter.<br />
Cheat Counter Behavior<br />
The cheat counter is a count-down value that lets you tolerate time tampering<br />
attacks ranging between 1 second and 30 days (excluding daylight<br />
savings) until it reaches zero. Its behavior is described as follows:<br />
Table: Cheat Counter Behavior<br />

| Scenario | Outcome | Corrective Measures |
|---|---|---|
| When the system clock is tampered for a duration between 1 second to 30 days (excluding the daylight savings) | Cheat counter decrements by one. | The application will run successfully till cheat counter has reached zero. After which, the AES/ECC algorithms are disabled and the associated API functions return error. You can decide the behavior of the application under such circumstances. |
| When the system clock is tampered more than once (between 1 second to 30 days) during one power-up session of the <strong>Sentinel</strong> Key [a] | The AES/ECC algorithms are disabled—regardless of the cheat counter value. This prevents against multiple time tampering attempts during one power-up session. | If the <strong>Sentinel</strong> Key is re-plugged, normal functionality can be resumed. If the system clock is corrected, normal functionality can be resumed. |
| The system clock is tampered for more than 30 days | The AES/ECC algorithms are disabled—regardless of the cheat counter value. | If the system clock is corrected, normal functionality can be resumed. |

a. Refers to the duration between the plug-in and plug-out of the <strong>Sentinel</strong> Key.
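The table can be turned into a small host-side model for unit-testing how your application reacts to each outcome. This is an added example, not SafeNet code: all names are hypothetical, and the rules marked "assumption" in the comments (no second decrement within a session, a lock surviving a re-plug only for the 30-day case, and a raised counter re-enabling the algorithms) are not stated on this page.

```c
#include <stdbool.h>
#include <stdio.h>

#define DAY_SECONDS   86400L
#define TOLERATED_MAX (30L * DAY_SECONDS)   /* upper bound of the tolerated range */

typedef struct {
    int  cheat_counter;         /* count-down value set when the key is programmed */
    bool plugged;               /* key attached: one power-up session */
    int  tampers_this_session;  /* tolerated-range tampers since plug-in */
    bool session_lock;          /* row 2: more than one tamper in this session */
    bool range_lock;            /* row 3: tamper of more than 30 days */
    bool exhausted;             /* row 1: counter has reached zero */
} token_model;

void token_init(token_model *t, int cheat_counter) {
    t->cheat_counter = cheat_counter;
    t->plugged = false;
    t->tampers_this_session = 0;
    t->session_lock = t->range_lock = t->exhausted = false;
}

/* Plugging the key in starts a new power-up session. */
void token_plug(token_model *t) {
    t->plugged = true;
    t->tampers_this_session = 0;
    t->session_lock = false;    /* table: re-plugging resumes normal function */
}

void token_unplug(token_model *t) { t->plugged = false; }

/* Report a detected clock manipulation of the given size in seconds. */
void token_tamper(token_model *t, long seconds) {
    if (!t->plugged || seconds < 1) return;
    if (seconds > TOLERATED_MAX) {          /* row 3: counter value is irrelevant */
        t->range_lock = true;
        return;
    }
    if (++t->tampers_this_session > 1) {    /* row 2 */
        t->session_lock = true;             /* assumption: no second decrement */
        return;
    }
    if (t->cheat_counter > 0) t->cheat_counter--;   /* row 1 */
    if (t->cheat_counter == 0) t->exhausted = true;
}

/* Table: correcting the system clock lifts the row 2 and row 3 locks. */
void token_clock_corrected(token_model *t) {
    t->session_lock = false;
    t->range_lock = false;
}

/* The guide says Secure Update can increment the cheat counter in the field.
   Assumption: a counter above zero re-enables the algorithms. */
void token_secure_update_cheat_counter(token_model *t, int add) {
    t->cheat_counter += add;
    if (t->cheat_counter > 0) t->exhausted = false;
}

/* False means the AES/ECC-dependent API calls would return an error. */
bool token_algorithms_enabled(const token_model *t) {
    return t->plugged && !t->session_lock && !t->range_lock && !t->exhausted;
}

int main(void) {
    token_model t;
    token_init(&t, 2);
    token_plug(&t);
    token_tamper(&t, 3600);                 /* one hour, first in this session */
    printf("after 1st tamper: counter=%d enabled=%d\n",
           t.cheat_counter, token_algorithms_enabled(&t));
    token_tamper(&t, 60);                   /* second tamper, same session */
    printf("after 2nd tamper: counter=%d enabled=%d\n",
           t.cheat_counter, token_algorithms_enabled(&t));
    return 0;
}
```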
Attack the Application<br />
Since most software developers do not write security code every day, this is<br />
often the easiest target. Since a poorly protected application may only<br />
require a few quick changes to operate without the <strong>Sentinel</strong> Key attached,<br />
hackers might try code patching or fake the application components. Fortunately,<br />
by using many of the tips in this chapter this can also be made<br />
extremely difficult. The remainder of this chapter discusses such methods.<br />
Tips and Tricks<br />
We have provided many tips and tricks you can implement in your<br />
application. Each tip protects against a specific type of attack, and multiple<br />
methods will complement each other.<br />
Use CodeCover to Encrypt Your Executable (For Windows)<br />
For Windows applications, you can combine your API elements-based custom<br />
protection with CodeCover and add an extra layer of protection.<br />
CodeCover encrypts your final executable, which makes it difficult to disassemble<br />
or debug your application.<br />
Even if the attacker manages to overcome the difficult task of removing the<br />
CodeCover, the application inside is still protected—due to two strong layers<br />
of protection.<br />
Use CodeCover SDK<br />
CodeCover SDK provides run-time protection by making use of obfuscation<br />
and encryption. It also binds the original application to the CodeCover module.<br />
This ensures that if an attempt is made to recreate the application after<br />
removing the CodeCover protection, the application does not execute successfully.<br />
This is because decryption and obfuscation are dependent on the<br />
CodeCover module for execution.<br />
Implement Query-Response Protection<br />
The AES algorithm-based query/response protection is the primary method<br />
of securing an application. Simply storing data in the key memory is relatively<br />
easy to mimic because once the hacker knows what the memory<br />
should contain, they can modify the application to return those values<br />
instead of actually reading them from the <strong>Sentinel</strong> Key.<br />
Query-response protection is a challenge-response-like technique driven by<br />
the AES algorithm programmed in the <strong>Sentinel</strong> Key. The application sends a<br />
query to the <strong>Sentinel</strong> Key, which sends a response calculated using the AES<br />
algorithm, for evaluation. If the response obtained matches the expected<br />
response, the key is assumed to be present and the application is allowed to run.<br />
Using the SFNTQueryFeature API on an AES feature programmed into the<br />
<strong>Sentinel</strong> Key allows your application to issue a nearly infinite number of<br />
unique challenges. This mechanism becomes the backbone of your protection<br />
strategy since it is extremely difficult to duplicate the correct responses.<br />
You can implement this protection by adding an AES feature to your template<br />
and then using the SFNTQueryFeature API to challenge the algorithm<br />
stored in the license.<br />
However, just using the API once in your application is not enough; there<br />
are many other tips, such as those given below, that you should endeavor to employ.
[Figure: Query-Response Protection]
Create a Large Query/Response Table<br />
If your application only knows a few challenges to issue to the <strong>Sentinel</strong> Key,<br />
then it becomes easier to predict them. However, a large table will take a<br />
long time to use every possibility; thereby increasing the time taken to emulate<br />
every possible challenge.<br />
Split Large Table<br />
You must split the large table into several smaller tables. This places the<br />
tables at multiple locations inside your protected application and makes it<br />
difficult to find them all.<br />
Tip: The query/response table is written into the design header file when you<br />
build a license template containing an AES feature. 1<br />
Query Frequently<br />
If you rely on a single call at the beginning of your code, it is relatively easy<br />
for a skilled hacker to isolate the call and defeat your protection. Another<br />
potential problem with querying only once is that a user could remove the<br />
<strong>Sentinel</strong> Key after starting the application. The key could then be used to<br />
run another copy of the application. 2<br />
Query Randomly<br />
You must design the protection strategy to have the application pick the<br />
challenge from the query/response table randomly. This makes it difficult to<br />
anticipate what the challenge will be. Once you choose a challenge, use this<br />
one challenge repeatedly for some period of time (such as each time the program<br />
is run, or once a day). If your application uses a different challenge<br />
every time, then it will cycle through all available challenges in a shorter time<br />
frame. This reduces the time it takes to listen to every possible challenge.<br />
Add Noise to your Query Checks<br />
Generate random queries and then dismiss the results. This generates a<br />
large amount of unused data among the useful data. Anyone trying to<br />
record your communications with the key will need to record large amounts<br />
of data and have trouble deciphering what is meaningful.<br />
Generate New Tables Frequently<br />
Each time you create an update to your application, regenerate the query/response<br />
table. If an attacker has been able to record all the challenges used<br />
by your program, the update will suddenly require this work to be repeated.<br />
If you have used the tips discussed above, it will likely be time consuming so<br />
the illegitimate user is stuck using outdated software.<br />
1. The query/response table will be generated for a CodeCover feature when you select the<br />
Include CodeCover features check box under the Build Options tab.<br />
2. To address this, you may also like to use the SFNTSetHeartbeat API function which will<br />
release the license after specified idle period.<br />
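The query tips above (a table split into parts, one randomly chosen challenge reused for the whole run, and decoy queries whose results are discarded) combine as in this added example, which is not SafeNet code. The `key_query_fn` wrapper type, the simulated keys and the table values are constructed for illustration; a toy mixing function stands in for the AES feature in the key, and a real application would make the query through SFNTQueryFeature with pairs taken from the generated design header.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct { uint32_t query, response; } qr_pair;

/* Hypothetical wrapper type around the real key query call. */
typedef bool (*key_query_fn)(uint32_t query, uint32_t *response);

/* ---- Simulated keys (constructed stand-ins for the hardware) ---- */
static uint32_t toy_mix(uint32_t q) {          /* NOT AES: toy stand-in only */
    q ^= 0xA5C3F00Du;
    q *= 2654435761u;
    return q ^ (q >> 15);
}
static unsigned queries_seen;                  /* what a bus recorder would log */
bool sim_key(uint32_t q, uint32_t *r)       { queries_seen++; *r = toy_mix(q); return true; }
bool sim_wrong_key(uint32_t q, uint32_t *r) { queries_seen++; *r = toy_mix(q) ^ 1u; return true; }
bool sim_no_key(uint32_t q, uint32_t *r)    { (void)q; (void)r; queries_seen++; return false; }

/* ---- Query/response table split into two parts ---- */
#define PART_A 4
#define PART_B 4
static qr_pair table_a[PART_A];                /* would live in one module */
static qr_pair table_b[PART_B];                /* ...and this in another   */

/* Constructed at start-up only to keep the example self-contained. */
void build_tables(void) {
    for (unsigned i = 0; i < PART_A; i++) {
        table_a[i].query = 0x1000u + 37u * i;
        table_a[i].response = toy_mix(table_a[i].query);
    }
    for (unsigned i = 0; i < PART_B; i++) {
        table_b[i].query = 0x9000u + 101u * i;
        table_b[i].response = toy_mix(table_b[i].query);
    }
}

static const qr_pair *pair_at(unsigned idx) {
    return idx < PART_A ? &table_a[idx] : &table_b[idx - PART_A];
}

static unsigned chosen;            /* challenge index, picked once per run */
static uint32_t last_real_query;   /* exposed for the demonstration only */

/* rand() keeps the example portable; it is not a cryptographic generator. */
void check_init(unsigned seed) {
    srand(seed);
    chosen = (unsigned)rand() % (PART_A + PART_B);
}

/* One security check: the real challenge hidden among `decoys` noise queries. */
bool check_key(key_query_fn ask, int decoys) {
    int real_slot = rand() % (decoys + 1);
    bool ok = false;
    for (int i = 0; i <= decoys; i++) {
        uint32_t resp = 0;
        if (i == real_slot) {
            const qr_pair *p = pair_at(chosen);
            last_real_query = p->query;
            ok = ask(p->query, &resp) && resp == p->response;
        } else {
            (void)ask((uint32_t)rand(), &resp);   /* noise: result discarded */
        }
    }
    return ok;
}

int main(void) {
    build_tables();
    check_init(2009u);
    printf("correct key: %d\n", check_key(sim_key, 5));
    printf("wrong key:   %d\n", check_key(sim_wrong_key, 5));
    printf("no key:      %d\n", check_key(sim_no_key, 5));
    printf("queries on the wire: %u\n", queries_seen);
    return 0;
}
```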
Specify Cheat Counter Value<br />
You can specify a cheat counter value only for non-RTC <strong>Sentinel</strong> <strong>Keys</strong>.<br />
The cheat counter value is global to the <strong>Sentinel</strong> Key. It applies to all the features<br />
having the lease attribute enabled. You can specify the cheat counter<br />
value right before programming hardware keys in the License Manager<br />
screen.<br />
If desired, you can use the Secure Update process to increment the cheat<br />
counter in the field.<br />
Note: You should call the SFNTQueryFeature function in your application code to<br />
detect time tampering. In addition, the SFNTEncrypt, SFNTDecrypt, SFNTSign,<br />
and SFNTGetDeviceInfo functions also check for system time tampering.<br />
Use AES Algorithm to Encrypt Data<br />
You can use the AES algorithm present in the <strong>Sentinel</strong> Key for encrypting<br />
16-byte data blocks. AES has withstood intense scrutiny from cryptography<br />
experts and was adopted by the National Institute of Standards and<br />
Technology (NIST) as US FIPS PUB 197 in November 2001 (after a 5-year<br />
standardization process). It is trusted by many organizations and has a<br />
proven track record.<br />
It provides an impenetrable security check because the AES algorithm and<br />
the 128-bit randomly generated secret key it uses are embedded in the <strong>Sentinel</strong><br />
Key—not accessible to any debugging or memory dumping program.<br />
You need to:<br />
Call the SFNTEncrypt API function to send the plain data and have it<br />
encrypted.<br />
Call the SFNTDecrypt API function to obtain the decrypted data. If the<br />
decrypted data matches the plain data, the correct <strong>Sentinel</strong> Key is<br />
assumed to be present.<br />
It becomes impossible to replicate these results by skipping the <strong>Sentinel</strong> Key<br />
because all the operations are performed in the hardware.<br />
[Figure: SFNTEncrypt and SFNTDecrypt Operations]<br />
You can use encryption to protect your application in many ways.<br />
Encrypt the Query/Response Table<br />
You should encrypt the query/response table, making it extremely difficult<br />
to find and use the table by looking at the code. If you only decrypt challenges<br />
as you use them, then the attacker never sees the table in a fully<br />
decrypted form.<br />
Encrypt Critical Data Used by the Application<br />
All applications at some point require data to operate. Encrypt important<br />
data files or constants used by your program so it will only operate properly<br />
with the <strong>Sentinel</strong> Key attached.<br />
Verify Data Integrity Using ECC Signing and Verification<br />
ECC is a public key algorithm (uses public and private key pairs) based on<br />
discrete logarithms that are much more difficult to challenge at equivalent<br />
key lengths. You can use the ECC algorithm to implement security checks in<br />
the application as follows:<br />
1. Generate a random message.<br />
2. Call the SFNTSign API function to sign this message using the private<br />
key that is stored secretly in the <strong>Sentinel</strong> Key.<br />
3. Call the SFNTVerify API function to verify the signature using the<br />
known public key of the token. If the function returns success, the<br />
correct <strong>Sentinel</strong> Key is assumed to be present.<br />
[Figure: SFNTVerify Operation]<br />
You may even sign part of your application data (such as constants) and verify<br />
its integrity before you use it. You can implement a similar signature<br />
verification scheme for your digital content (such as, text files and images)<br />
and store the 42-bit signature as raw data in the <strong>Sentinel</strong> Key memory.<br />
Decentralize Your Security Checks<br />
Decentralizing the security checks throughout the code is a good practice.<br />
This requires each place in the code to be modified in order for the application<br />
to run without the key. Restricting them to a few places can lead to easy<br />
detection and elimination subsequently. Given below are more tips:<br />
Use In-line Functions in Place of a Centralized Function<br />
Creating a single function call that checks the key and then making function<br />
calls throughout the code does not decentralize. Instead, only the<br />
security check function must be modified to operate without the key.<br />
Use Many Different Security Checks<br />
If you use the same security check in many places of the code, then an attacker can<br />
find each check by searching for patterns.<br />
Tip: Place the security checks in hard-to-trace operations. For example, if you<br />
scatter your checks throughout a series of database operations, it can be<br />
extremely time consuming to trace the calls.
Scatter the Security Checks<br />
Security checks typically consist of multiple steps: calling the key, evaluating<br />
the returned value, and acting on the evaluation results. Instead of putting<br />
the entire strategy at one place in your code, you should disperse the check<br />
all over to make the relation between them not obvious. A security check is<br />
harder to break if its code components are physically separated into different<br />
sections of the application instead of being located together.<br />
Use Multiple Threads to Your Advantage<br />
If the work of an individual security check happens over multiple threads,<br />
then tracing through the operation can be complicated. This makes debugging<br />
the code very difficult.<br />
Use Returned Values as Variables<br />
One effective technique to hide security checks in a high-level language is to<br />
use returned values to control application flow. With this method, a value<br />
returned by the key becomes a logical pointer or selection key to the next<br />
execution step or subroutine. This makes analysis of your code more<br />
difficult.<br />
Another way to use a returned value is to add it to the value of a variable so<br />
the sum is the desired value of the variable. If the variable is used in other<br />
parts of the code, then that code is dependent on the call to the hardware<br />
key.<br />
For example, suppose that at some point in your application you want a<br />
variable to contain the floating value 13.0. Assume that one of the query<br />
strings you send to the key returns the decimal number 12,345.<br />
Set the floating variable to -12,332.0.<br />
Send the query.<br />
Add the response to the variable.<br />
If the correct key is attached, the variable will contain the proper value. In<br />
actual practice, this technique is most effective if the mathematics behind<br />
the correct value is more complicated than simple addition.<br />
Note: Use floating values for comparison. Instead of using only the SP_SUCCESS<br />
decimal value for comparing the API return codes, you may add floating<br />
point values (like 1.5) to it. This provides more security against reverse<br />
engineering of the assembly code.<br />
Checksum Your Code<br />
You should adopt the practice of making a checksum of your critical data.<br />
You should also verify the validity of the application and any DLLs or shared<br />
libraries that it uses. This helps detect if the code or data has been modified<br />
and identify when your application has been tampered with.<br />
Dealing With Missing <strong>Sentinel</strong> <strong>Keys</strong><br />
If no <strong>Sentinel</strong> Key is attached to the computer or on the network when a protected<br />
application is run, an error is returned by the SFNTGetLicense API<br />
function. If a connection is established, but the key is later removed, subsequent<br />
API functions will return errors. Refer to the Business Layer API Help<br />
for exact status codes.<br />
If your application detects that the <strong>Sentinel</strong> Key is not present, it is up to you<br />
to decide what action you want to take. Typically, you should not shut down<br />
your application because of a single unexpected response.<br />
Instead, repeat your query; if the response is still wrong, then you can take<br />
action. Possible actions include:<br />
Display a message and wait for the user to respond. This method does<br />
not prevent users from running the application, but it makes doing so<br />
extremely annoying, especially if the application queries the<br />
hardware key frequently.<br />
Shut down the application after a predetermined number of failed<br />
queries. (However, only under the most extraordinary circumstances
should you terminate your application without allowing the users to<br />
first save their work).<br />
Allow the application to appear as if it is functioning properly, while in<br />
fact it is not. (Be very careful if you use this method; less drastic<br />
actions should be considered first.)<br />
Display a critical error message and tell the user to contact your<br />
technical support department.<br />
These are just some suggested actions; you can implement any combination<br />
of them to suit your needs. Remember, other events, such as network transmission<br />
errors can also cause your application to detect a hardware key<br />
problem. Since these are almost always innocent events, you should design<br />
your strategy to be as forgiving of them as possible, while still maintaining<br />
protection integrity.<br />
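One way to encode the guidance above (repeat the query before reacting, count failed checks, and let users save their work before shutting down) is a small policy object, shown here as an added example that is not SafeNet code. The `key_check_fn` type, the thresholds and the simulated key are assumptions for illustration; `key_check_fn` stands for whichever query/response check your application performs.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical: performs one query/response check against the key. */
typedef bool (*key_check_fn)(void);

typedef enum { ACT_CONTINUE, ACT_WARN_USER, ACT_SAVE_AND_EXIT } action;

typedef struct {
    int requeries;           /* immediate repeats after an unexpected response */
    int warn_after;          /* consecutive failed checks before warning the user */
    int exit_after;          /* consecutive failed checks before save-and-exit */
    int consecutive_failed;  /* failed checks in a row so far */
} key_policy;

/* A check fails only if the first query and every repeat fail, so a single
   transmission glitch never counts against the user. */
static bool check_with_requery(key_check_fn check, int requeries) {
    for (int i = 0; i <= requeries; i++)
        if (check())
            return true;
    return false;
}

/* Run one periodic check and return what the application should do next. */
action policy_step(key_policy *p, key_check_fn check) {
    if (check_with_requery(check, p->requeries)) {
        p->consecutive_failed = 0;            /* key is back: forgive earlier misses */
        return ACT_CONTINUE;
    }
    p->consecutive_failed++;
    if (p->consecutive_failed >= p->exit_after)
        return ACT_SAVE_AND_EXIT;             /* caller saves user work first */
    if (p->consecutive_failed >= p->warn_after)
        return ACT_WARN_USER;
    return ACT_CONTINUE;
}

/* ---- Simulated key (constructed): fails the next sim_fail_next queries ---- */
static int sim_fail_next;
bool sim_check(void) {
    if (sim_fail_next > 0) { sim_fail_next--; return false; }
    return true;
}

int main(void) {
    static const char *names[] = { "continue", "warn user", "save and exit" };
    key_policy p = { 1, 2, 4, 0 };            /* constructed thresholds */
    sim_fail_next = 1;                        /* a single glitch */
    printf("glitch:      %s\n", names[policy_step(&p, sim_check)]);
    sim_fail_next = 1000;                     /* key removed */
    for (int i = 1; i <= 4; i++)
        printf("removed #%d:  %s\n", i, names[policy_step(&p, sim_check)]);
    sim_fail_next = 0;                        /* key re-attached */
    printf("re-attached: %s\n", names[policy_step(&p, sim_check)]);
    return 0;
}
```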
Change your Strategy<br />
Finally, as you perform software updates to your application in the field,<br />
devote time to change and improve your security checks. The longer the<br />
checks exist in the field, the more time there is to attack the mechanism.<br />
Eventually, even the toughest checks might be overcome. However, if you<br />
continually update your checks, then you can stay one step ahead. Consider<br />
this action part of a planned maintenance to keep your security at its peak<br />
level.<br />
Note: For more personalized assistance in integrating the security checks in your<br />
application, please contact our Technical Support using the information<br />
given on page xvi.<br />
Frequently Asked Questions<br />
Question 1 - If the application failed to obtain a license in one<br />
attempt, do I need to call the SFNTGetLicense function multiple<br />
times?<br />
We recommend calling SFNTGetLicense a few more times, before exiting the<br />
application. For example, you can call SFNTGetLicense again despite<br />
encountering the SP_ERR_UNIT_NOT_FOUND error in stand-alone environments<br />
and SP_ERR_NO_LICENSE_AVAILABLE in network environments.<br />
Question 2 - Under which conditions are the AES/ECC algorithms in<br />
the token disabled?<br />
The AES and ECC algorithms are NEVER disabled in the token, unless you<br />
apply the deactivation remote update commands (Deactivate AES algorithms<br />
and Deactivate ECC algorithm). However, under the following<br />
conditions, they appear disabled because the licensing functionality associated<br />
with them has expired and the SFNTQueryFeature API function<br />
returns an error:<br />
• When the lease period (based on the expiration date or time you<br />
specified) has been reached.<br />
• When the number of executions allowed has been used up.<br />
• When time tampering takes place, as defined in the cheat counter<br />
scenarios on page 170.<br />
Question 3 - Where can I find the query-response pairs for the AES<br />
feature I created? In which format are these written?<br />
The query-response pairs are available in the header file generated under<br />
the Build Options tab. These are written in hexadecimal format. You<br />
can convert them into ASCII format using the method described below (sample):<br />
Sample Conversion of Hexadecimal into ASCII<br />
Part 3<br />
Grouping Licenses and<br />
Programming <strong>Hardware</strong><br />
<strong>Keys</strong><br />
License grouping and management<br />
Programming <strong>Sentinel</strong> <strong>Hardware</strong> <strong>Keys</strong> using <strong>Sentinel</strong> <strong>Keys</strong><br />
Toolkit and the Key Programming APIs
Chapter 8<br />
License Grouping<br />
This chapter describes how you can create and manage license groups.<br />
A group is a package of licenses (templates) that you want to program in the<br />
<strong>Sentinel</strong> Key for your customers. 1 The license groups are created in the<br />
License Manager screen. Different groups can be created to create different<br />
license packages.<br />
Why Create Groups?<br />
The ability to bundle license templates into groups allows you to create<br />
innovative licensing models in the most straightforward manner. Using<br />
groups you can:<br />
• Program multiple licenses into a single <strong>Sentinel</strong> Key in just a few<br />
clicks. Because each license is independent of the others, the <strong>Sentinel</strong><br />
Key makes it possible for you to offer products for both enterprise-level<br />
and small-scale customers.<br />
• Modify the licensing values—like expiration date/time, executions,<br />
number of users—without modifying the application protection code.<br />
Since these values are preserved as groups, the licensing strategies<br />
can be reused to fulfill different customer requirements.<br />
• Make the market fulfillment activity independent of the license<br />
designing and implementation. The two sets of activities are typically<br />
unrelated and occur at different stages in a product life cycle.<br />
1. The distributor keys are also programmed with a group.<br />
For example, the AppSoft marketing team can now roll out different editions of<br />
their applications, at different times—without engineering's assistance. In<br />
fact, for bulk orders the <strong>Sentinel</strong> Key programming activity can be delegated<br />
to your <strong>Sentinel</strong> Key vendor (see “Creating WPS File” on page 206).<br />
Bundling Applications Using Groups
Creating New Groups<br />
To create a new group:<br />
1. Before you move to the License Manager screen, use the License<br />
Designer screen to build all of the templates you plan to use. Make<br />
sure that both the developer key and <strong>Sentinel</strong> Key are attached to the<br />
system.<br />
2. In License Manager, click the Load license group icon ( ). The<br />
Group Management dialog box appears.<br />
3. Click Create. The Create Group dialog box appears. The templates<br />
that you built in License Designer are shown here.<br />
Create Group Dialog Box<br />
4. Add the templates that you want to include in a group.<br />
5. Specify a group name. The user name automatically appears as the<br />
default owner.<br />
6. Specify comments (optional).<br />
7. Click OK.<br />
If you update the license template in the License Designer screen after<br />
adding it to a group, follow the steps described below to reflect the changes<br />
in the group. This is important because, in the License Manager screen,<br />
only a copy of the original license template is worked upon. If the original<br />
license template is updated, its copy in the License Manager screen must<br />
be updated as well.<br />
1. Build the updated template in the License Designer screen.<br />
2. Remove the template from the group (in the License Manager<br />
screen).<br />
3. Add the template again to the group (in the License Manager<br />
screen).<br />
Loading Groups<br />
Only the loaded group is shown in the group layout. To load a group:<br />
1. In License Manager, click the Load license group icon ( ). The<br />
Group Management dialog box appears.<br />
2. Select the group you want to load currently.<br />
3. Click Load. The loaded group is shown in the group layout.
Duplicating Groups<br />
You may duplicate groups to copy the settings. To duplicate a group:<br />
1. In License Manager, click the Load license group icon ( ). The<br />
Group Management dialog box appears.<br />
2. Select the group you want to load currently.<br />
3. Click Duplicate. The Duplicate Group dialog box appears.<br />
4. Specify a group name. The user name automatically appears as the<br />
default owner.<br />
5. Specify comments (optional).<br />
6. Click OK.<br />
Removing Groups<br />
To remove a group:<br />
1. In License Manager, click the Load license group icon ( ). The<br />
Group Management dialog box appears.<br />
2. Select the group you want to remove.<br />
3. Click Remove. A message box appears for confirmation.<br />
4. Click OK.<br />
Sending Group Files to Distributors<br />
If you want to send updated group files to your distributor without programming<br />
a new distributor key, you can use this option.<br />
To create a file for your distributor:<br />
1. In License Manager, click the Load license group icon ( ). The<br />
Group Management dialog box appears.<br />
2. Select the group you want to send.<br />
3. Click Create File. The Create File dialog box appears.<br />
4. Specify a path to write the file.<br />
5. Provide the same File Encryption Key (FEK) used earlier (when you<br />
programmed the distributor key, see page 204).<br />
6. Click OK.<br />
Viewing Group Layouts<br />
The group layout shows the license group currently loaded, its templates,<br />
features (default and new), and memory requirement.<br />
Group Layout<br />
Note: Only the license templates selected using check boxes will be programmed<br />
in the <strong>Sentinel</strong> Key/distributor key. By default, all the license templates are<br />
selected. If the memory size of the group exceeds that of the hardware<br />
key, an error will be shown at the time of programming.<br />
Modifying Default Feature Instances<br />
You can modify the licensing values of the default feature instance after adding<br />
it to a group. This feature is provided to handle situations where<br />
minor modifications in the licensing values are required after a protected<br />
application has already been compiled/protected.<br />
To modify default feature values:<br />
1. Load a group from the Group Management dialog box.<br />
2. In the group layout, select the default feature instance. In the right-side<br />
panel, the options are shown. Please note that for default<br />
instances only the Update button is enabled—all other options<br />
remain disabled.<br />
3. Modify the values as desired.<br />
4. When done, click Update.<br />
Creating New Feature Instances<br />
If desired, you can create new feature instances having different licensing<br />
values. This will save you from modifying the default instance every time<br />
you receive a different licensing requirement. The new instances become a<br />
part of the feature node in the group layout, so that you can select the<br />
appropriate instance and program the <strong>Sentinel</strong> Key.<br />
Note: You can add new feature instances ONLY IF you selected the Add<br />
instance(s) later check box while adding CodeCover and API features. For<br />
some features, you can even specify the maximum limit up to which a<br />
value can be edited.<br />
To add new instances:<br />
1. Load a group from the Group Management dialog box.<br />
2. In the group layout, select the feature name. In the right-side panel,<br />
the options are shown. Please note that only the Add button is<br />
enabled—all other options remain disabled.<br />
3. Modify the values as desired. You cannot override the maximum limits<br />
specified.<br />
4. When done, click Add.<br />
Add Templates to Groups<br />
You can add templates to a group created already. Here are the steps to do<br />
so:<br />
1. Load the group to which the license templates are to be added.<br />
2. In License Manager, click the Add License Template icon ( ). The<br />
Add Template to Group dialog box opens.<br />
3. Select the license template(s) using the check box(es).<br />
4. Click Add. When done, you are brought back to the License Manager<br />
screen.<br />
Remove Templates From Groups<br />
You can remove templates from a group created already. Here are the steps<br />
to do so:
1. Load the group from which the license templates are to be removed.<br />
2. In License Manager, click the Remove License Template icon ( ).<br />
The Remove Template from Group dialog box opens.<br />
3. Select the license template(s) using the check box(es).<br />
4. Click Remove. When done, you are brought back to the License<br />
Manager screen.<br />
Export-File Manager<br />
The License Manager allows you to export the loaded *.LGP file in any of the<br />
four formats (*.ISV, *.DIS, *.OPR, *.NLF).<br />
To export the license group files:<br />
1. Using the Group Management dialog box, load the group from<br />
which the license group files are to be exported.<br />
2. In License Manager, click the Export-File Manager icon ( ) to open<br />
the Export-File Manager wizard.<br />
3. In the Export-File Manager wizard, select the type of file you wish to<br />
export. Click Next.<br />
4. Configure your inputs for the selected file type and click Next.<br />
5. Click Generate. The license group information contents are now<br />
generated for the selected file type.<br />
Define/view additional comments by clicking the Add comments to<br />
the file hyperlink.<br />
Note: For more information on the Export-File Manager wizard process, please<br />
refer to the <strong>Sentinel</strong> <strong>Keys</strong> Toolkit Help.<br />
Locking/Unlocking Groups<br />
You can lock a group in the License Manager screen to disable its editing.<br />
Locking Group<br />
1. Load the group to be locked.<br />
2. In License Manager, click the Lock the License Group icon ( ). The<br />
Lock\Unlock Group dialog box appears.<br />
3. In the Password field, enter the password. Passwords are case-sensitive<br />
and can contain 4 to 32 ASCII characters.<br />
4. In the Confirm Password field, enter the same password for confirmation.<br />
5. Click OK.<br />
Note: Do not forget the password to unlock the group! If you forget your password,<br />
there is no “backdoor” that is available to give you access to your<br />
group. Thus, it is VERY important that you remember the password you use<br />
to lock your group.<br />
Unlocking a Group<br />
You will need to unlock the group in order to load it.<br />
For an Unloaded Group<br />
1. Click the Load button on the Group Management dialog box. A<br />
small dialog box appears prompting you to provide the password.<br />
2. Specify the password.<br />
3. Click OK.
For a Loaded Group<br />
1. In License Manager, click the icon. The Lock\Unlock Group<br />
dialog box appears.<br />
2. Specify the password.<br />
3. Click OK.<br />
Frequently Asked Questions<br />
Question 1 - What is a default feature instance? How does it differ<br />
from other non-default/new feature instances?<br />
When you add a CodeCover or API feature in the License Designer screen,<br />
it is known as the default feature instance. If the Add instances later check<br />
box is selected during this process, new feature instances can be created in<br />
the License Manager screen.<br />
These are known as the non-default or new feature instances. The option to<br />
create new feature instances provides the flexibility of changing the licensing<br />
values right before programming hardware keys, without having to<br />
change the protection strategy (created in the License Designer screen).<br />
The FAQs below provide more information.<br />
Question 2 - What is the difference between “updating the default<br />
instance” and “adding a new instance”?<br />
Updating a default feature instance allows you to modify the licensing settings<br />
right before programming a batch of <strong>Sentinel</strong> <strong>Keys</strong>. This modification<br />
does not affect your protection implementation at the application-level. For<br />
example, you can specify 999 executions instead of 99, without generating<br />
the header file again, or applying the CodeCover protection again, and so on.<br />
However, updating the default instance can be quite tedious when the<br />
licensing values need to be modified quite frequently. Further, the updated<br />
values overwrite the values specified earlier (non-persistent). Therefore, it<br />
might be useful to add different feature instances having different licensing<br />
values. Using the radio buttons in the group layout, you can choose the<br />
required feature instance to be programmed in a hardware key.<br />
Question 3 - Which settings can be modified when instances are<br />
added or updated?<br />
You can modify the following while creating groups:<br />
User limit<br />
Please note you will be able to modify the user limit value only if you<br />
specified a non-zero value in the License Designer screen.<br />
To modify the user limit, select the license template in the group<br />
layout to view its existing user limit (see the screen-shot below). Click<br />
OK after modifying the user limit. Note that the user limit specified<br />
here will override the value you provided in the License Designer<br />
screen.<br />
Update User Limit<br />
Update existing licensing values<br />
For example, you might want to change the expiration date. Select the<br />
default feature in the group layout to view the update option (see the<br />
screen-shot below). Modify the licensing value (such as, the<br />
Expiration Date) and click Update to save the modifications.
Update Existing Licensing Values<br />
Add new feature instances with different licensing values<br />
For example, instead of updating the default instance for a batch of<br />
hardware keys being programmed, you can create multiple feature<br />
instances—each with a different set of licensing values. Select the<br />
feature name (top-most item in the feature node) in the group layout.<br />
If you had selected the Add instances later check box while creating<br />
that feature in the License Designer screen, you will see the Add<br />
button enabled in the right-side panel. Modify the licensing values<br />
and click Add to create the new feature instance.<br />
Add New Feature Instances<br />
Question 4 - The options to add new instances or update existing<br />
instances appear grayed-out. What could be the reason?<br />
Probably the group is locked. Unlock a group using the steps described in the<br />
<strong>Sentinel</strong> <strong>Keys</strong> Toolkit Help.<br />
Question 5 - Can my distributor also create groups and modify<br />
licensing settings?<br />
No. A distributor can only receive the groups created by you. The standalone<br />
<strong>Sentinel</strong> <strong>Keys</strong> License Manager application does not allow modifying<br />
the licensing values (see the screen-shot below, where a distributor can only<br />
choose the number of <strong>Sentinel</strong> <strong>Keys</strong> to be programmed in a batch).
Stand-alone License Manager<br />
Question 6 - In the “Add Template to Group” dialog box, I am unable<br />
to select a license template. What could be the reason?<br />
This could happen when the license template was updated in the License<br />
Designer screen but was not built to reflect the changes. Build the license<br />
template in the License Designer screen to enable the check box shown<br />
beside the template name.<br />
Chapter 9<br />
Programming <strong>Sentinel</strong><br />
<strong>Hardware</strong> <strong>Keys</strong><br />
This chapter describes how to program the <strong>Sentinel</strong> <strong>Keys</strong> and distributor<br />
keys in the License Manager screen in the <strong>Sentinel</strong> <strong>Keys</strong> Toolkit.<br />
It also outlines the steps to program the <strong>Sentinel</strong> <strong>Keys</strong> using the Key Programming<br />
APIs.<br />
Programming <strong>Sentinel</strong> <strong>Keys</strong> using <strong>Sentinel</strong> <strong>Keys</strong><br />
Toolkit<br />
Given below are the steps for programming <strong>Sentinel</strong> <strong>Keys</strong> (in the Toolkit):<br />
1. From the Group Management dialog box, load the group that you want<br />
to use to program the <strong>Sentinel</strong> Key.<br />
2. In the group layout, select the required licenses (templates and features)<br />
to be programmed in a <strong>Sentinel</strong> Key. You can program multiple<br />
licenses in a <strong>Sentinel</strong> Key.<br />
3. Click the Program <strong>Sentinel</strong> Key tab.<br />
4. Select whether you want to program a single key or multiple keys.<br />
5. Attach the key (or keys) to be programmed to the USB port(s)/hub.<br />
You can attach as many keys as possible over the USB ports on your<br />
system.<br />
6. Specify the Cheat Counter value. It will be global for the <strong>Sentinel</strong><br />
Key (applicable only to non-RTC <strong>Sentinel</strong> <strong>Keys</strong>).<br />
7. Click Make <strong>Keys</strong>. Please do not attach/detach keys from the port/<br />
hub while the process is in progress.<br />
Programming Distributor <strong>Keys</strong><br />
If desired, you can allow your sales distributors to program <strong>Sentinel</strong> <strong>Keys</strong> for<br />
your customers. You need to provide them with the following items:<br />
<strong>Sentinel</strong> License Manager application (stand-alone)<br />
Group file (.lgx) containing the licenses (templates) that you want to<br />
allow them to program.<br />
Corresponding to every group is a distributor key that contains a<br />
metering count (optional) to track how many licenses they<br />
programmed.<br />
Note: The group file (.lgx) and distributor key form a unique pair. Hence, a distributor<br />
key will not work for any other group file generated with some<br />
other distributor key.<br />
To program a distributor key and create its associated group file:<br />
1. Load the group from the Group Management dialog box.<br />
2. In the group layout, select the required licenses (templates) using the<br />
check boxes. You can provide a group file containing multiple licenses<br />
(and one instance of each feature).<br />
When you are programming a hardware key for your distributors, it is<br />
up to you to decide which license templates and features you want to<br />
include in it (you will note that check boxes are provided against the<br />
templates and features in the group layout). However, only one
instance of a feature can be included (you will note that radio buttons<br />
are provided against feature instances). If your distributor requires<br />
licenses with different values (depending on the customer requirements),<br />
you will need to add a new instance and send the updated<br />
group file to the distributor. Your distributor can receive the group<br />
file, using the distributor key shipped with the earlier group.<br />
3. Click the Program Distributor Key tab.<br />
4. Select metering setting for your distributor:<br />
Non-metered<br />
Unlimited number of <strong>Sentinel</strong> <strong>Keys</strong> can be programmed by your<br />
distributor.<br />
Metered<br />
Specify a value between 1 and 65535. The metering count will be<br />
decremented by one for each license programmed.<br />
5. Specify a File Encryption Key (FEK). Make sure that you do NOT specify<br />
the same FEK for every distributor.<br />
You must make a note of the FEK somewhere so that, if required,<br />
you can send updated group files to your distributors without programming<br />
a new distributor key. You may also copy the FEK to the clipboard<br />
by clicking the (Copies FEK to clipboard) icon.<br />
6. Specify a Cheat Counter value that you want your distributors to program<br />
in the non-RTC <strong>Sentinel</strong> <strong>Keys</strong>.<br />
7. Attach a single distributor key you purchased from SafeNet to your<br />
USB port/hub (it is not the same as the developer key or <strong>Sentinel</strong> Key).<br />
8. Click Make Distributor Key.<br />
9. Specify a path to write the group file (.lgx) for your distributor.<br />
Updating Distributor Key Metering Count<br />
When the metering count on a distributor key reaches zero, the distributor<br />
will no longer be able to program <strong>Sentinel</strong> <strong>Keys</strong>. You can increment the<br />
count on a distributor key (and charge for doing so) in the same way that<br />
you update <strong>Sentinel</strong> <strong>Keys</strong> in the field.<br />
To do so, you must add the Metering count command in the distributor<br />
key actions (see “Adding Actions For Distributor Key” on page 161) for<br />
the license template.<br />
To remotely update a distributor key:<br />
1. Ask your distributor to run the Secure Update Utility, while the distributor<br />
key is connected to his system, to generate a request code.<br />
2. Tell your distributor to send the request code to you (using an e-mail<br />
or file).<br />
3. Create a distributor key action type with the desired metering count.<br />
4. Enter the request code in the Key Activator tab. The key information<br />
is extracted from the request code.<br />
5. Select the action created in step 3.<br />
6. Click Generate Update Code. The Toolkit generates an update<br />
code—specific to the distributor’s key.<br />
7. Send the update code back to the distributor.<br />
8. Distributor enters the update code in the Secure Update Utility. The<br />
key is updated and the distributor can again program keys.<br />
Creating WPS File<br />
If desired, you can also write a .wps file for your <strong>Sentinel</strong> Key vendors. Using<br />
the .wps file they can program <strong>Sentinel</strong> <strong>Keys</strong> in bulk for you.
To create a .wps file:<br />
1. Load the group from the Group Management dialog box.<br />
2. In the layout, select the required licenses (templates) using the check<br />
boxes. You can create a file containing multiple licenses (having one<br />
instance per feature).<br />
3. Click the Program <strong>Sentinel</strong> Key tab.<br />
4. Click Create WPS File.<br />
5. Specify a path for writing the file.<br />
6. Click Save.<br />
Programming <strong>Sentinel</strong> <strong>Keys</strong> using the Key<br />
Programming APIs<br />
Using the Key Programming APIs is a quick and effortless way to program<br />
<strong>Sentinel</strong> <strong>Keys</strong> in bulk.<br />
The Key Programming APIs enable you to create your own programming<br />
utility or a stand-alone executable to program each <strong>Sentinel</strong> Key with the<br />
license group file exported using the Export-File Manager wizard in the<br />
License Manager of <strong>Sentinel</strong> <strong>Keys</strong> Toolkit.<br />
Note: For more information on the API functions, please refer to the Key Programming<br />
API Help.<br />
Steps for Using the Key Programming APIs<br />
Given below are the three major steps involved in programming <strong>Sentinel</strong><br />
<strong>Keys</strong> using the Key Programming APIs.<br />
1. Generate a License Group File for Export<br />
2. Implement the Key Programming APIs<br />
3. Compile and Create your own Programming Utility<br />
Step 1- Generating a License Group File for Export<br />
Before you can use the API functions described in this document, you must<br />
generate a license group file for the product keys you want to program.<br />
The steps below briefly describe the process you need to follow to export the<br />
license group information created at the License Manager stage of the<br />
Toolkit.<br />
1. Using the Group Management dialog box, load the group from<br />
which the license group files are to be exported.
2. In License Manager, click the Export-File Manager icon ( ) to open<br />
the Export-File Manager wizard. The Export-File Manager wizard<br />
enables you to create a valid export file.<br />
3. In the Export-File Manager wizard, select the type of file you wish to<br />
export. Click Next. The contents of these files will be different for each<br />
category of users, as described in the table below:<br />
Types of license group files to be exported for <strong>Sentinel</strong> <strong>Keys</strong> Programming<br />
File Type | Category of Users | Description<br />
*.ISV | Developer (a) | The *.ISV file contains basic information about the licenses and features a protection strategy should consist of. Only a Developer, along with a Developer Key, can generate this file and then program it onto the end user token.<br />
*.DIS | Distributor (b) | The *.DIS file contains information related to licenses and features to be programmed in the end user token using the Key Programming API library and is bound to a Distributor Key using the File Encryption Key. Only a Developer, along with a Developer Key, and in the presence of a Distributor Key, can generate this file. The file is generated by a Developer and then provided to the Distributor, which enables the distributor to program the end user token in association with a valid Distributor Key.<br />
*.OPR | Operator (c) | The *.OPR file contains license images which can be programmed on the token using the Key Programming API library. Only a Developer, along with a Developer Key, and in the presence of an end user token, can generate this file. This file is programmed onto the end user token at the fulfillment center.<br />
a. An individual or a software development company that uses the <strong>Sentinel</strong> <strong>Keys</strong> SDK to protect and license their applications.<br />
b. An individual/organization authorized by the developer to distribute the protected application along with the <strong>Sentinel</strong> <strong>Keys</strong>.<br />
c. An individual/group who is unaware of the contents, and is more concerned about the number of tokens being programmed using the programming utility/stand-alone executable provided to him by a developer.<br />
4. Configure your inputs for the selected file and click Next. Enter the following information as per the selected file type:

File Types and Required Inputs

| File Type | Information |
|---|---|
| *.ISV | Define Location and Enter the cheat counter value: Browse and select the destination folder for the exported file, and enter the cheat counter value in the Cheat Counter (only for non-RTC keys) field. The default is 0. Note: You may also define/view additional comments by clicking the Add comments to the file hyperlink. |
| *.DIS | Specify the File Encryption Key (a) as programmed on the Distributor Key and then continue to select the destination folder for the file. |
| *.OPR | Define Location and Enter the cheat counter value: Browse and select the destination folder for the exported file, and enter the cheat counter value in the Cheat Counter (only for non-RTC keys) (b) field. The default is 0. Note: You may also define/view additional comments by clicking the Add comments to the file hyperlink. |

a. The distributor file is bound to the distributor token File Encryption Key, thereby allowing the rightful recipient to decrypt and use the file.
b. Refer to section “Cheat Counter Behavior” on page 170.

5. Click Generate. The license group information contents are now generated for each of the three categories of users.
Step 2 - Implementing the Key Programming APIs into your Solution
Once you have successfully exported the License Group file (*.ISV/*.DIS/*.OPR) onto your system, you need to program the Sentinel Key with the exported file.
The Sentinel Keys are programmed with the *.ISV/*.DIS/*.OPR file information, using the Key Programming API library.
Please refer to the Key Programming API Help for more information on implementing the Key Programming APIs into your solution.

Step 3 - Compiling your Solution and Creating a Programming Utility
Finally, compile and link your application after including the Sentinel Keys header files and libraries.
You may now create your own programming utility or a stand-alone executable to be distributed to your operators for bulk programming.

Frequently Asked Questions
Question 1 - How would I know if the group I created exceeds the amount of memory available in the Sentinel Key?
If the size of the group exceeds the memory size of your Sentinel Key, you will get an error while programming the key, stating that your key does not have sufficient memory to program the group.
The group must not exceed 1776 bytes for an 8 KB memory Sentinel Key, and 4080 bytes for a 64 KB memory Sentinel Key (SHK XM). Otherwise, the Toolkit displays an error message. The memory size of the group to be programmed in the Sentinel Key is shown in the Group Layout.
Question 2 - How many hardware keys can be programmed at a time?
On a Windows system, you can program up to 256 USB keys at a time. On a Linux and Macintosh system, you can program up to 32 USB keys at a time. However, the time taken will be according to the number of hardware keys attached. Please also make sure of the following:
- Do not attach/remove hardware keys during programming.
- Wait for the progress bar to complete (show 100% status complete) before you remove the hardware keys.
Question 3 - I am unable to program the hardware keys. What should I do?
An error can occur while programming hardware keys due to hardware or software reasons. First verify that the hardware key is firmly connected to the USB port/hub. The LED on the hardware key is illuminated when the key is plugged in properly.
To determine if a programming failure is due to a software error or a hardware error, try programming another hardware key with the same group. If the programming is successful, the previous error was hardware-related. If you try programming many keys, and all of them fail programming, the error is software-related.
If you suspect a technical problem, contact SafeNet Technical Support to help you in troubleshooting. The support representative will work with you to rule out resolvable software and/or configuration problems. If the problem cannot be resolved, you will be issued an RMA (Return Material Authorization) number. To ensure proper handling of the returned keys, you must obtain an RMA number prior to shipping the products. After you have obtained an RMA number and are ready to package the hardware keys for shipping, please make sure that you use "cold plastic" or "conductive plastic" to avoid any further damage.
Question 4 - Is it possible to reprogram the already programmed hardware keys?
Yes.
Question 5 - Are there any log files created at the time of programming hardware keys?
Yes. The following log files are created when the Sentinel Keys, distributor keys, and Custom CodeCover Keys are programmed:
- EndUserLog.xml - For Sentinel Keys
- MakeKeysLog.xml - For distributor keys
- CodeCoverLog.xml - For Custom CodeCover keys
These contain information, including the following:
- Date and time at which the hardware key was programmed
- Serial number
- Developer ID
- Global lease value (only for Custom CodeCover keys)
- Information about the license groups and templates, including the number of licenses programmed.
The default location for these log files on Windows systems is:
\.safenet
Question 6 - Is Sentinel Keys Toolkit the only utility using which I can program my Sentinel Keys?
No. You have several other options for doing so. Sentinel Hardware Keys offer different interfaces for programming that enable a quick and easy implementation of your protection strategy.
The table below provides a summary (description) of each programming component and the category of users using them.

Various Key Programming Interfaces for Sentinel Keys

| Programming Utility | User | Associated File/Key | Usage Description |
|---|---|---|---|
| Sentinel Keys Toolkit | Developer | Developer Key | Refer to “Programming Sentinel Keys using Sentinel Keys Toolkit” on page 203. |
| Stand-alone License Manager | Distributor | Distributor key, license group file (.lgx) | The .lgx file is a package of licenses that you want to program in the Sentinel Key for your customers. |
| Utility/Executable developed out of the Key Programming APIs | Developer | Developer Key, *.ISV file | Only a Developer, along with a Developer Key, can generate this file and then program it onto the end user token. |
| Utility/Executable developed out of the Key Programming APIs | Distributor | Distributor Key, *.DIS file | The file is bound to a Distributor Key using the File Encryption Key. Only a Developer, along with a Developer Key, and in the presence of a Distributor Key, can generate this file. The file is generated by a Developer and then provided to the Distributor, which enables the Distributor to program the end user token in association with a valid Distributor Key. |
| Utility/Executable developed out of the Key Programming APIs | Operator | *.OPR file | Only a Developer, along with a Developer Key, and in the presence of an end user token, can generate this file. This file is programmed onto the end user token at the fulfillment center. |
Question 7 - What do I need Key Programming APIs for?
The Key Programming API (Setup) library can be used for two purposes:
1. Programming the license information generated by Toolkit.
2. Updating the instance values of features, based on conditions.
Question 8 - How is the update packet created using the Key Programming API library different from the ones created using the secure update library?
Secure update allows you to create updates using a predefined interface, whereas using Key Programming APIs you can define your own values programmatically or through an interface designed by you.
Question 9 - How to create an update packet using the Key Programming APIs?
For information on how to create an update packet, please look for the SampleUpdate folder located at \Key Programming\Visual C++\Samples\SampleUpdate in the SDK.
Question 10 - How do I generate the information to be programmed onto the token?
Use the Export-File Manager wizard at the License Manager stage to generate the programmable information. Refer to “Generating a License Group File” on page 208.
Question 11 - How do I program this generated information onto the token, using the Key Programming APIs?
For information on how to program this generated information on your token, please look for the ProgramExportFile folder located at \Key Programming\Visual C++\Samples\ProgramExportFile in the SDK.
Question 12 - What are the constants, defined in the Key Programming APIs, used for?
These constants allow you to manipulate the instruction to the Key Programming APIs. Please refer to the samples, located at \Key Programming\Visual C++\Samples, for more information.
Question 13 - How can I define the end consumer of my update code?
These updates can be used by either the Key Programming APIs or the Secure Update Library.
- #define SP_PACKET_TYPE_ONE: Creates a license image for the Key Programming API
- #define SP_PACKET_TYPE_TWO: Creates a license image for the Secure Update library
Question 14 - What are the different feature types and how can I use them?
Please refer to the sample update to get information about different feature types and their usage.
Question 15 - I get an error while programming the distributor file. What is this?
Please refer to the error code descriptions for the source of the error and its description. The error codes are listed in the Key Programming API Help.
Question 16 - My developer key is password-protected. How shall I use it to program Sentinel keys, using the Key Programming APIs?
Since you have set up a password for your developer key, you must specify it before programming Sentinel keys. To do so, you need to call the SFNTVerifyUser API, which authenticates the password of the developer key. The developer key’s password contains 8-16 alphanumeric characters.
Once the password is verified, you can create update packets to modify the key values, using the SFNTCreateUpdatePacket API.
Question 17 - How to program a String/Raw Data Feature with 10K (or more) data into an SHK XM Key?
To program a String/Raw Data Feature with 10K (or more) data into a SHK XM Key:
1. Split the 10K (or more) data into chunks of 2032 bytes or less.
2. Create a License Template and add a Raw Data feature for each chunk of data (generated at step 1) in the License Designer screen of the Toolkit.
3. Create a License Group in the License Manager screen.
4. Add the License Template (created at step 2) into the new License Group.
5. Click Make Keys under the Program Sentinel Key tab in the License Manager screen to program the license group into the attached SHK XM Key.
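Step 1 of the procedure above, as an added example that is not part of the guide or the SDK: it splits a file into chunks of at most 2032 bytes, reports how many Raw Data features step 2 will need, and goes one step further by checking that the chunks concatenate back to the original. The chunk.* file names, the --split switch and the function names are choices made for this example.

```shell
#!/bin/sh
# Added example, not SDK code: prepare a large blob for Raw Data features.
MAX_CHUNK=2032    # largest Raw Data feature size given in the guide

# split_raw_data FILE OUTDIR
# Writes OUTDIR/chunk.aaa, chunk.aab, ... (names chosen for this example) and
# prints the number of chunks, i.e. the number of Raw Data features to create.
split_raw_data() {
    src=$1
    out=$2
    if [ ! -f "$src" ]; then
        echo "split_raw_data: no such file: $src" >&2
        return 2
    fi
    total=$(($(wc -c < "$src")))
    if [ "$total" -eq 0 ]; then
        echo "split_raw_data: $src is empty, nothing to program" >&2
        return 2
    fi
    mkdir -p "$out" || return 2
    # Refuse to mix new chunks with leftovers from an earlier run.
    if ls "$out"/chunk.* >/dev/null 2>&1; then
        echo "split_raw_data: $out already contains chunk files" >&2
        return 2
    fi
    split -b "$MAX_CHUNK" -a 3 "$src" "$out/chunk." || return 1

    # Every chunk must fit in one Raw Data feature.
    count=0
    for c in "$out"/chunk.*; do
        size=$(($(wc -c < "$c")))
        if [ "$size" -gt "$MAX_CHUNK" ]; then
            echo "split_raw_data: $c is $size bytes" >&2
            return 1
        fi
        count=$((count + 1))
    done

    # The chunks, taken in name order, must rebuild the original exactly;
    # the features have to be added to the template in this same order.
    if ! cat "$out"/chunk.* | cmp -s - "$src"; then
        echo "split_raw_data: reassembly check failed" >&2
        return 1
    fi
    echo "$count"
}

# chunk_manifest OUTDIR
# Prints one line per chunk: feature index, file name, size in bytes.
chunk_manifest() {
    i=1
    for c in "$1"/chunk.*; do
        [ -f "$c" ] || continue
        echo "$i $(basename "$c") $(($(wc -c < "$c")))"
        i=$((i + 1))
    done
}

# Run only when asked, e.g.: sh split_raw.sh --split data.bin ./chunks
if [ "${1:-}" = "--split" ]; then
    split_raw_data "$2" "$3" && chunk_manifest "$3"
fi
```
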
Question 18 - How to program a String/Raw Data Feature with 2032 bytes data into SHK XM Key using Key Programming APIs?
To program a SHK XM Key with String/Raw Data feature containing 2032 bytes data using Key Programming APIs:
1. Use the header file sentinelsetup.h and the library SentinelSetupW.dll.
2. Export the *.ISV, *.DIS, or *.OPR file with Sentinel Keys Toolkit.
3. Call the Key Programming API, SFNTProgramKey, as explained in the Key Programming API Help. The Raw Data feature can, however, be 2032 bytes long.
Note: The files exported from earlier Toolkit versions can be imported by Key Programming API library of version 1.3.0 (and later), but the reverse operation is not possible.
Question 19 - How to program a String/Raw Data Feature with 2032 bytes data into SHK XM Key with License Manager Utility?
To program a String/Raw Data feature with 2032 bytes data into SHK XM Key with License Manager Utility:
1. Click Start > Programs > SafeNet Sentinel > Sentinel Keys English > License Manager to open the License Manager utility.
2. Import the license group file generated with Toolkit of version 1.3.0 or later.
3. Click Make Keys to program the Key.
Note: The license group file generated with Toolkit 1.2.1 (and earlier) can be imported by License Manager Utility version 1.3.0 (and later) whereas the reverse is not allowed.
Part 4
Distributing Protected Applications
- Checklist of redistributables for customers and distributors
- Information on deploying the redistributables

Chapter 10
Redistributables for Customers and Distributors
This chapter guides you on the items that you must ship to your:
- Customers who will be using the protected applications.
- Distributors who will be programming the Sentinel Keys for customers.
Please make sure that you are familiar with your application’s licensing and protection strategy, so that you can choose the appropriate items for deployment.
Checklist for Customers And Distributors
The table below shows a list of all possible items that you should consider before packaging the applications/CDs for your customers and distributors. If your company uses distributors to sell your products, then all the customer items must also be passed to your distributors.

Check List of the Items to Be Redistributed

| Component | Summary | Customer | Distributor |
|---|---|---|---|
| Sentinel System Driver | Device driver for the hardware keys | | |
| Sentinel Keys Server (a) | License manager for network applications | | |
| Configuration file (client) | For setting up the host to be contacted, network protocol, heartbeat interval, and Sentinel Keys Server socket port on the client-side (application) | | |
| Secure Update Utility and its Help (b) | For updating hardware keys in the field | | |
| Secure Update Wizard (only Windows) | Required only for Windows when you associated the Secure Update Wizard for remote updates | | |
| Sentinel Data Protection Driver (only Windows) | Required only when you have either of the following in CodeCover: encrypted data files for Windows 9x, or .NET applications for 9x | | |
| Sentinel Keys System Administrator’s Help | HTML Help for the system administrator on the customer site | | |
| License Manager self-extracting installer | Stand-alone application for programming Sentinel Keys | | |
| Distributor key and .lgx file | Hardware key for a distributor and associated group (.lgx file) (c) | | |
| hhupd.exe and hhactivex.dll (only Windows) | Needed for viewing the .chm files (on Windows), like Secure Update Utility Help. | | |
| Rellic.dll, and Rellic64.dll (only for 32-bit and 64-bit Windows applications) | Needed only for executables protected using CodeCover to release the license. | | |
| SDNPro.dll, and SDNPro64.dll (only for 32-bit and 64-bit Windows applications) | Needed only when .NET enhancement option is selected during protection. | | |

a. Also includes Sentinel Keys License Monitor files and (server-side) configuration file.
b. Your distributors may also use it for updating the distributor keys.
c. Each distributor requires a different pair of distributor key and group file (.lgx).

Deploying Sentinel System Driver
When to Deploy?
Sentinel System Driver is the USB device driver for using the hardware keys. It must be redistributed to all customers and distributors.
Where to Deploy?
The Sentinel System Driver must be deployed on the system where the hardware key is attached (whether stand-alone or network key). For platforms supported and installation path, refer to “Sentinel System Driver” on page 31.
How to Deploy?
You can use the Sentinel Protection Installer to deploy the Sentinel System Driver and/or Sentinel Keys Server (including related items like the Sentinel Keys Server configuration file and Sentinel Keys License Monitor).
For Windows
The Sentinel Protection Installer provides various installation options, including the ones that use Windows Installer merge modules and MSI. The developers who create Windows Installer-based installation programs can refer to the Sentinel Protection Installer Help for details. It is available at: \Sentinel Protection Installer\English\help.
For Linux
The Sentinel Keys Protection Installer provides RPMs for the Sentinel System Driver (sntl-sud-7.5.1-0.i386.rpm) and Sentinel Keys Server (shk-server-1.3.1-0.i386.rpm). You may either run the skpi_install.sh script to install the two components, or use the following RPM commands:
- Use the rpm -ivh --force --nodeps sntl-sud-7.5.1-0.i386.rpm command to install the Sentinel System Driver (USB daemon).
- Use the rpm -ivh --force shk-server-1.3.1-0.i386.rpm command to install the Sentinel Keys Server.
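The rpm commands above use --force (and --nodeps for the driver), so rpm replaces existing packages and files and skips the dependency check rather than stopping. The following added example, which is not part of the guide or of skpi_install.sh, shows an installer wrapper that first confirms each RPM is byte-for-byte the file you packaged. The digest values are placeholders to fill in, and RPM_CMD, sha256_of, verify_pkg and install_sentinel_rpms are names chosen for this example.

```shell
#!/bin/sh
# Added example, not SafeNet code: check the two Sentinel RPMs against digests
# you recorded when you built your installer media, then run the guide's
# rpm commands.

SUD_RPM="sntl-sud-7.5.1-0.i386.rpm"        # file name from the guide
SERVER_RPM="shk-server-1.3.1-0.i386.rpm"   # file name from the guide
# PLACEHOLDERS: replace with the lowercase hex SHA-256 of the RPMs you ship.
# Until you do, verification fails and nothing is installed.
SUD_SHA256="REPLACE_WITH_SHA256_OF_SNTL_SUD_RPM"
SERVER_SHA256="REPLACE_WITH_SHA256_OF_SHK_SERVER_RPM"
# Overridable so the flow can be rehearsed without root (example assumption).
RPM_CMD=${RPM_CMD:-rpm}

# sha256_of FILE: prints the lowercase hex SHA-256 of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_pkg FILE EXPECTED_SHA256
# Returns 0 on match, 1 on mismatch, 2 if the file cannot be read.
verify_pkg() {
    file=$1
    expected=$2
    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "verify_pkg: cannot read $file" >&2
        return 2
    fi
    actual=$(sha256_of "$file")
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "verify_pkg: SHA-256 mismatch for $file" >&2
        return 1
    fi
    return 0
}

# install_sentinel_rpms DIR
# Verifies both packages before installing either, so a bad server RPM does
# not leave a half-installed system behind.
install_sentinel_rpms() {
    dir=$1
    verify_pkg "$dir/$SUD_RPM" "$SUD_SHA256" || return 1
    verify_pkg "$dir/$SERVER_RPM" "$SERVER_SHA256" || return 1
    "$RPM_CMD" -ivh --force --nodeps "$dir/$SUD_RPM" || return 1
    "$RPM_CMD" -ivh --force "$dir/$SERVER_RPM" || return 1
}

# Run only when asked, e.g.: sh install_sentinel.sh --install /path/to/rpms
if [ "${1:-}" = "--install" ]; then
    install_sentinel_rpms "${2:-.}" || exit 1
fi
```
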
For Macintosh
The Sentinel Keys Protection Installer installs the Sentinel System Driver (KEXT), Sentinel Keys Server (Daemon) and Sentinel Framework (1).
You need to ship the complete contents of the /Sentinel Keys Protection Installer directory. The /Sentinel Keys Protection Installer directory contains the SentinelKeysProtechtionInstaller.pkg package to allow installation of the Sentinel System Driver and Sentinel Keys Server.
Tip: Keep watching http://www.safenet-inc.com/support for the latest releases of Sentinel Keys Protection Installer. You can provide the same Web address to your customers/distributors for downloads.
For stand-alone environments, you can use the SentinelSystemDriver.pkg, available in the SDK CD. This will only install the Sentinel System Driver and related files. This installer will also install an uninstallation script at: /Applications/SafeNet Sentinel/Common Files/Sentinel System Driver/. Your customers can run this to remove the Sentinel System Driver and its files.
Note: The uninstallation script available with the Sentinel Keys Protection Installer (at: /Applications/SafeNet Sentinel/Sentinel Keys //Sentinel Keys Protection Installer/English/) will uninstall both the Sentinel System Driver and Sentinel Keys Server.
1. If Sentinel UltraPro/SuperPro already exists on the target system.
Deploying Sentinel Keys Server
When to Deploy?
The Sentinel Keys Server is the license manager for your network applications. It must be shipped with applications that use network keys.
Where to Deploy?
The Sentinel Keys Server must be installed on the networked system where the Sentinel Key is attached. For platforms supported and installation path, refer to “Sentinel Keys Server” on page 28.
How to Deploy?
Please refer to the information given in the “How to Deploy” section of the topic “Deploying Sentinel System Driver” on page 225.
Note: No additional steps are needed to deploy Sentinel Keys License Monitor, unless you are customizing its .class files. Refer to the Customizing Sentinel Keys License Monitor - ReadMe for details on customization.
Deploying (Client) Configuration File
When to Deploy
If you want to allow your customers to set any/all of the following settings, you must ship the configuration file:
- Network protocol for client-server communication
- Sentinel Keys Server host
- Heartbeat interval for maintaining the license acquired by network applications
- Sentinel Keys Server socket port
Where to Deploy
By default, this file exists in the same directory where your protected application is installed. However, it may exist at a different location (with a different name) if you have customized its name and path.
How to Deploy
You can include it in your application’s installation program. It is available at the following path:
- For Windows: \Configuration File Template.
- For Linux: /Configuration_File_Template.
- For Macintosh: /Configuration File Template.
Note: The Sentinel Keys Server configuration file is deployed along with the Sentinel Keys Server in its installation directory. You need not ship it separately. However, you may provide instructions to your customers on how to set parameters in the configuration files.
Deploying Secure Update Utility
When to Deploy
You need to deploy the Secure Update utility when you are providing activations in the field. It provides an alternative to Secure Update Wizard (for Windows only) and Secure Update API.
This utility can be used for updating Sentinel Keys and distributor keys remotely.
Where to Deploy
The Secure Update Utility must be installed on the same system where the Sentinel Key/distributor key is attached. This is because the hardware keys cannot be updated over network. Be sure to modify your installation programs appropriately.
How to Deploy
Install the following items as a part of your application’s setup routine:
For Windows
- SecureUpdateUtility.exe (available at: \Secure Update\Secure Update Utility)
- SecureUpdate.dll (location same as the executable above)
- .chm Help file (available at: \Secure Update\Secure Update Utility\Language packs\en_US)
Note: If you are shipping a .chm file, you may also need to ship hhupd.exe and hhactivx.dll. Generally, these files reside in the \System directory of a Windows system. Otherwise, these can be downloaded from: .
For Linux
- Secure Update Utility application (available at: /secure_update/SecureUpdateUtility).
- libSecureUpdate32.so (location same as the utility above)
- HTML Help file (available at: /secure_update/SecureUpdateUtility/language_packs/en_US. You need to ship the WEBHELP directory along with the index.htm file)
For Macintosh
- Secure Update Utility application (available at: /Secure Update/Secure Update Utility/INTF).
- libSecureUpdate32.dylib (location same as the utility above)
- HTML Help file (available at: /Secure Update/Secure Update Utility/Language Packs/en_US. You need to ship the WEBHELP directory along with the index.htm file)
Deploying Secure Update Wizard (Windows Only)<br />
When to Deploy?<br />
The Secure Update Wizard need to be deployed on a Windows-based customer’s<br />
system only if you are planning to update <strong>Sentinel</strong> <strong>Keys</strong> remotely<br />
and not using the Secure Update utility or API functions.<br />
Where to Deploy<br />
The Secure Update Wizard must be installed on the same system where the<br />
<strong>Sentinel</strong> Key is attached. Hence, if your application is a stand-alone application,<br />
the Secure Update Wizard must be installed on each workstation.<br />
How to Deploy<br />
For CodeCover-protected Applications<br />
For CodeCover-protected applications, you need to copy the following files to<br />
the location where your product executable resides.<br />
UpdateWizard.exe: The Secure Update Wizard executable.<br />
.cab: The compressed file for the template.
For API-protected Applications<br />
For API-protected applications, you need to call the UpdateWizard API function<br />
at application startup. You also need to install the following files at<br />
the location where the application executables reside:<br />
UpdateWizard.exe: The Secure Update Wizard executable.<br />
.cab: The compressed file for the template.<br />
UPWITF.dll: A DLL that exports the UpdateWizard API. You can<br />
obtain a copy from the following location in your Sentinel Keys SDK<br />
installation: \Secure Update\Update Wizard\INTF.<br />
UpdateWizard API Function<br />
Format<br />
unsigned short UpdateWizard (SPP_UPDATE_WIZARD_INFO p_UpdInfo);<br />
Parameter<br />
Name (Direction, Type): Description<br />
p_UpdInfo (IN, SPP_UPDATE_WIZARD_INFO): Contains the Update Wizard configuration. Points to the SPP_UPDATE_WIZARD_INFO structure.<br />
Return Values<br />
If successful, the function returns SP_SUCCESS. If an error occurs, the function<br />
returns one of the following error codes:<br />
Error Code (Decimal) and Name: Description<br />
0 SP_SUCCESS: Success.<br />
501 SP_ERR_KEY_NOT_FOUND: A valid hardware key was not found. The Update Code is not meant for this key.<br />
502 SP_ERR_ILLEGAL_UPDATE: One or more commands could not be performed.<br />
503 SP_ERR_DLL_LOAD_ERROR: The Secure Update library was not found. The library is SecureUpdate.DLL for Windows, SecureUpdate.so for Linux, and libSecureUpdate32.dylib for Macintosh.<br />
504 SP_ERR_NO_CONFIG_FILE: The Update Wizard was not able to locate the configuration file.<br />
505 SP_ERR_INVALID_CONFIG_FILE: Not a valid configuration file.<br />
506 SP_ERR_UPDATE_WIZARD_NOT_FOUND: Could not find UpdateWizard.exe.<br />
507 SP_ERR_UPDATE_WIZARD_SPAWN_ERROR: There was an error in spawning the Update Wizard.<br />
508 SP_ERR_EXCEPTION_ERROR: An exception error occurred within the Update Wizard.<br />
509 SP_ERR_INVALID_CLIENT_LIB: Not a valid Secure Update DLL.<br />
510 SP_ERR_CABINET_DLL: CABINET.DLL was not found on the target system.<br />
511 SP_ERR_INSUFFICIENT_REQ_CODE_BUFFER: The size of the request buffer is not sufficient to hold the request code.<br />
512 SP_ERR_UPDATE_WIZARD_USER_CANCELLED: The application was canceled when the try/buy option is shown. Applicable only to applications that use Sentinel Update Wizard and are protected using CodeCover.<br />
513 SP_ERR_INVALID_DLL_VERSION: The Secure Update DLL version is invalid. Use DLL version 1.2 or higher to apply the packet information.<br />
514 SP_ERR_INVALID_FILE_TYPE: The type of the file is invalid. File types can be .upw or .nlf.<br />
/* Common error codes for Secure Update and Key Programming Library */<br />
212 SP_ERR_COMMUNICATIONS_ERROR: Unable to communicate with the Sentinel Key. Make sure of the following:<br />
- The Sentinel System Driver is installed and running.<br />
- The client and the Sentinel Keys Server use the same protocol.<br />
- The Sentinel Key is attached properly.<br />
- There is no network-related problem (for example, network congestion or break-down).<br />
226 SP_ERR_UNIT_NOT_FOUND: The specified Sentinel Key is not found.<br />
230 SP_ERR_DUPLICATE_LIC_ID: The License ID you specified already exists.<br />
231 SP_ERR_DECRYPTION_FAILED: The decryption process failed.<br />
232 SP_ERR_BAD_CHKSUM: The checksum value does not match.<br />
233 SP_ERR_BAD_LICENSE_IMAGE: The license image is corrupt in the .OPR file.<br />
234 SP_ERR_INSUFFICIENT_MEMORY: Insufficient memory in key to load a license.<br />
SPP_UPDATE_WIZARD_INFO Structure<br />
The structure contains settings for the Update Wizard. The caller fills in the<br />
fields of the structure that they want to use as the settings for the Update<br />
Wizard. It is passed to the function UpdateWizard to run the Update Wizard.<br />
Format<br />
typedef struct SP_UPDATE_WIZARD_INFO {<br />
DWORD size;<br />
DWORD wndHandle;<br />
long spawnAndWait;<br />
long enableTryButton;<br />
long daysLeft;<br />
long executionsLeft;<br />
long minutesLeft;<br />
char configFile[SP_MAX_PATH_LEN];<br />
} SP_UPDATE_WIZARD_INFO, *SPP_UPDATE_WIZARD_INFO;<br />
Member Information<br />
Item: Description<br />
size: Specifies the size of the SPP_UPDATE_WIZARD_INFO, in bytes. This parameter is required.<br />
wndHandle: Specifies the handle to the application’s main window. This parameter is required.<br />
spawnAndWait: Flag that indicates whether to run and wait for the Update Wizard to quit. Set the field value to 1 to run and wait. A value of 0 will run the Update Wizard and return immediately.<br />
enableTryButton: This member defines the state of the Try button on the Update Wizard. It has the following values:<br />
DISABLE_TRY_BUTTON (0) - The Try button is not visible.<br />
ENABLE_TRY_BUTTON (1) - The Try button is visible.<br />
daysLeft: Defines the number of days left for a demo license. This option displays a status line on the Update Wizard screen indicating to the customer how many days are left for a trial period. Define a value of 0 to indicate that the trial period has expired and –1 or undefined to disable this feature. This option is only valid when enableTryButton is set to ENABLE_TRY_BUTTON.<br />
executionsLeft: Defines the number of executions left for a demo license. This option displays a status line on the Update Wizard screen indicating to the customer how many executions are left for a trial period. Define a value of 0 to indicate that the trial period has expired and –1 or undefined to disable this feature. This option is only valid when enableTryButton is set to ENABLE_TRY_BUTTON.<br />
minutesLeft: Defines the number of minutes left for a demo license. This option displays a status line on the Update Wizard screen indicating to the customer how many minutes or hours are left for a trial period. Define a value of 0 to indicate that the trial period has expired and –1 or undefined to disable this feature. This option is only valid when enableTryButton is set to ENABLE_TRY_BUTTON.<br />
configFile: Refers to the .cab file. The file name must be fully qualified, path plus file name. This parameter is required.<br />
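The required fields, the trial counters and the return codes described above, put together as an added example (not SafeNet SDK code). The value of SP_MAX_PATH_LEN, the DWORD stand-in, and the helper names fill_update_info, run_update_wizard, update_wizard_error_name and demo_wizard are assumptions made for illustration; demo_wizard is a constructed stand-in for the UpdateWizard export of UPWITF.dll.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the SDK header; SP_MAX_PATH_LEN's value is an ASSUMPTION. */
#define SP_MAX_PATH_LEN    260
#define DISABLE_TRY_BUTTON 0
#define ENABLE_TRY_BUTTON  1
#define SP_SUCCESS         0
typedef uint32_t DWORD;

typedef struct SP_UPDATE_WIZARD_INFO {   /* layout as printed in the guide */
    DWORD size;
    DWORD wndHandle;
    long  spawnAndWait;
    long  enableTryButton;
    long  daysLeft;
    long  executionsLeft;
    long  minutesLeft;
    char  configFile[SP_MAX_PATH_LEN];
} SP_UPDATE_WIZARD_INFO, *SPP_UPDATE_WIZARD_INFO;

/* Signature from the guide; in production this is the UPWITF.dll export. */
typedef unsigned short (*update_wizard_fn)(SPP_UPDATE_WIZARD_INFO);

/* Return codes and names from the guide's UpdateWizard table. */
static const struct { unsigned short code; const char *name; } k_codes[] = {
    {0,   "SP_SUCCESS"},             {501, "SP_ERR_KEY_NOT_FOUND"},
    {502, "SP_ERR_ILLEGAL_UPDATE"},  {503, "SP_ERR_DLL_LOAD_ERROR"},
    {504, "SP_ERR_NO_CONFIG_FILE"},  {505, "SP_ERR_INVALID_CONFIG_FILE"},
    {506, "SP_ERR_UPDATE_WIZARD_NOT_FOUND"}, {507, "SP_ERR_UPDATE_WIZARD_SPAWN_ERROR"},
    {508, "SP_ERR_EXCEPTION_ERROR"}, {509, "SP_ERR_INVALID_CLIENT_LIB"},
    {510, "SP_ERR_CABINET_DLL"},     {511, "SP_ERR_INSUFFICIENT_REQ_CODE_BUFFER"},
    {512, "SP_ERR_UPDATE_WIZARD_USER_CANCELLED"}, {513, "SP_ERR_INVALID_DLL_VERSION"},
    {514, "SP_ERR_INVALID_FILE_TYPE"},
};

/* Hypothetical helper: symbolic name for a return code, for logging. */
const char *update_wizard_error_name(unsigned short rc) {
    for (size_t i = 0; i < sizeof k_codes / sizeof k_codes[0]; i++)
        if (k_codes[i].code == rc) return k_codes[i].name;
    return "unknown";
}

/* Hypothetical helper: the guide requires configFile to be fully qualified,
 * so accept only "X:\..." or "\\server\..." and never a bare file name. */
static int is_fully_qualified(const char *p) {
    if (p[0] == '\\' && p[1] == '\\' && p[2] != '\0') return 1;
    return ((p[0] >= 'A' && p[0] <= 'Z') || (p[0] >= 'a' && p[0] <= 'z'))
           && p[1] == ':' && p[2] == '\\';
}

/* Hypothetical helper: fill the structure. Returns 0 on success, -1 for a
 * NULL argument, -2 for a relative path, -3 if the path would overflow. */
int fill_update_info(SP_UPDATE_WIZARD_INFO *info, DWORD hwnd,
                     const char *cab_path, int show_try, long days_left) {
    if (info == NULL || cab_path == NULL) return -1;
    if (!is_fully_qualified(cab_path)) return -2;
    size_t len = strlen(cab_path);
    if (len >= sizeof info->configFile) return -3;   /* no silent truncation */

    memset(info, 0, sizeof *info);
    info->size = (DWORD)sizeof *info;                /* required */
    info->wndHandle = hwnd;                          /* required */
    info->spawnAndWait = 1;                          /* wait for the wizard */
    info->enableTryButton = show_try ? ENABLE_TRY_BUTTON : DISABLE_TRY_BUTTON;
    /* Counters are only valid with the Try button; -1 disables a status line. */
    info->daysLeft = show_try ? days_left : -1;
    info->executionsLeft = info->minutesLeft = -1;
    memcpy(info->configFile, cab_path, len + 1);     /* required; NUL included */
    return 0;
}

/* Hypothetical wrapper: 0 only for SP_SUCCESS; a negative value means the
 * arguments were rejected before the wizard was called; 1 means it failed. */
int run_update_wizard(update_wizard_fn wizard, DWORD hwnd,
                      const char *cab_path, unsigned short *rc_out) {
    SP_UPDATE_WIZARD_INFO info;
    if (wizard == NULL || rc_out == NULL) return -1;
    int err = fill_update_info(&info, hwnd, cab_path, 0, -1);
    if (err != 0) return err;
    *rc_out = wizard(&info);
    return *rc_out == SP_SUCCESS ? 0 : 1;
}

/* Constructed stand-in for the DLL export so the example runs offline. */
unsigned short demo_wizard(SPP_UPDATE_WIZARD_INFO p) {
    return strstr(p->configFile, "missing") ? 504 : SP_SUCCESS;
}

int main(void) {
    unsigned short rc = 0;
    int r = run_update_wizard(demo_wizard, 0, "C:\\MyApp\\template.cab", &rc);
    printf("result=%d code=%u (%s)\n", r, (unsigned)rc, update_wizard_error_name(rc));
    printf("relative path: %d\n", run_update_wizard(demo_wizard, 0, "t.cab", &rc));
    return 0;
}
```

In a real build, replace the stand-in definitions with the SDK header and pass the application's main window handle instead of 0.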
Deploying <strong>Sentinel</strong> Data Protection Driver<br />
(Windows Only)<br />
When to Deploy<br />
Deployment of <strong>Sentinel</strong> Data Protection Driver is required only for Windows<br />
98/ME systems.<br />
If you have encrypted data files or .NET applications that have been protected<br />
using CodeCover, then you need to deploy the <strong>Sentinel</strong> Data<br />
Protection Driver on your customer’s system.<br />
How to Deploy<br />
The \Data Protection Driver directory in the <strong>Sentinel</strong> <strong>Keys</strong> SDK CD consists of<br />
the following files:<br />
File: Description<br />
Instdrvr.exe: The Data Protection driver installer.<br />
Instdrvr.c: C source code of the Instdrvr.exe utility. You can use it to customize the driver installation and registry modification procedure.<br />
Sentdata.vxd: The Data Protection driver.<br />
Readme.pdf: A readme file that has details on the installation.<br />
You can either ship Instdrvr.exe and Sentdata.vxd files to your customer with<br />
the following instructions on how to load the driver:<br />
1. Copy the directory contents to a system.<br />
2. Select Run from the Taskbar and run the instdrvr.exe file.<br />
3. When the message “Driver installed! Restart your system” appears,<br />
click OK.<br />
4. Now, restart the system. The following files have been copied into<br />
your System folder and required registry entries are made:<br />
WINDOWS\SYSTEM\SENTDATA.VXD<br />
WINDOWS\SYSTEM\INSTDRVR.EXE<br />
Otherwise, you can modify this installation program for your own installation<br />
needs. We have provided the C source code of this installation program.<br />
You need to call the program to check for the type of operating system being<br />
used. You also need to remind customers that their computer must be<br />
rebooted after installing the data protection driver in order to load the driver.<br />
Your installation program may call the data protection driver with the following<br />
command line options:<br />
Option: Description<br />
/P: Specifies the source path for sentdata.vxd. If not included, the installer looks for the .VXD file in the directory where the driver installer resides.<br />
/U: Uninstalls the driver.<br />
The installation program returns a zero if it was successful; otherwise, it<br />
returns the error code of the last Win32 API call that had an error (if applicable).<br />
If the unsuccessful API call does not return an error, the installer<br />
returns a -1.<br />
Deploying Stand-alone License Manager<br />
When to Deploy<br />
You need to provide the stand-alone License Manager application to your<br />
product distributors/resellers, so that they can program <strong>Sentinel</strong> <strong>Keys</strong> for<br />
the customers on their own. This application is supported on Windows platforms<br />
only.<br />
Where to Deploy?<br />
It must be deployed in the /System folder on the system where the protected<br />
application is installed.<br />
Hardware Requirements<br />
Processor: Windows:<br />
- 64-bit processors: Athlon 64 or Opteron processors from AMD; Xeon with EM64T or Pentium 4 with EM64T from Intel<br />
- 32-bit processors: Pentium II or above<br />
Monitor and Display Settings: VGA Monitor with 1024 x 768 resolution (1152 x 864 recommended)<br />
Hard Disk Space: 10 MB free hard disk space<br />
RAM: 128 MB RAM (256 MB recommended)<br />
Peripherals: At least two USB ports (to attach the ISV key, LM or End User key).<br />
Disk Drive: CD-ROM if installing using a CD.<br />
Software Requirements<br />
Operating System: Windows 2000, Windows XP (32-bit and x64), or Windows Server 2003 (32-bit and x64), Windows Vista - Service Pack 1 (32-bit and x64), Windows Server 2008 (32-bit and x64), Windows Server 2008 R2 (64-bit), and Windows 7 (32-bit and 64-bit)<br />
Java Runtime Environment: Java 2 Runtime Environment version 1.6 or higher. A copy might be included with the License Manager installer. Else, you may download the latest version from http://java.sun.com.<br />
Web Browser: 32-bit versions of the Internet Explorer (6.0 or later), Mozilla FireFox (1.0 or later), Safari (1.3 or later). You may need to allow the blocked content (that uses Active X controls or scripts) in order to view the Help.<br />
PDF File Viewer: Adobe Acrobat Reader 4.0 or higher.<br />
How to Deploy<br />
An installer is included in the Sentinel Keys installation CD, with which<br />
your distributors can install the following components:<br />
The License Manager application<br />
The License Manager Help file<br />
Java 2 Run-time Environment (version 1.6)<br />
For Windows<br />
The self-extracting installer is available at the following location in the<br />
media: \Sentinel Keys License Manager\English.<br />
Deploying System Administrator’s Help<br />
This Online Help contains information about the following topics that are of<br />
interest to the system administrators and users of protected applications:<br />
Using Sentinel Key<br />
Deploying and troubleshooting Sentinel System Driver<br />
Deploying and troubleshooting Sentinel Keys Server<br />
Deploying and troubleshooting Sentinel Keys License Monitor<br />
Using client-side and server-side configuration files<br />
Updating Sentinel Keys remotely<br />
You can provide the complete Help to your customers, or use a portion of it<br />
(by copying the text), depending on what exact information they require.<br />
You may include it in your product documentation, print it, or send it to your<br />
customers via e-mail. Your customers need Internet Explorer 6.0 (or higher) or<br />
Netscape Navigator 4.6 (or higher) to view the Help.<br />
How to Deploy<br />
Distribute the complete contents of the directory (path mentioned below)<br />
along with the index.htm page. The index.htm page is used for launching the<br />
System Administrator’s Help.<br />
For Windows:<br />
\Manuals\English\<strong>Sentinel</strong><strong>Keys</strong>Manual\SysAdminHelp<br />
For Linux<br />
/manuals/english/SysAdminHelp<br />
For Macintosh<br />
/Manuals/English/SysAdminHelp<br />
Frequently Asked Questions<br />
Question 1 - Where is the <strong>Sentinel</strong> System Driver installed? Can I<br />
modify its location?<br />
The <strong>Sentinel</strong> System Driver is installed at the following location. Its location<br />
cannot be modified:<br />
Installed at the following path on a Windows 32-bit NT-based system:<br />
:\Program Files\Common Files\SafeNet <strong>Sentinel</strong>\<strong>Sentinel</strong><br />
System Driver<br />
Installed at the following path on a Windows x64 system: \Program Files(x86)\Common Files\SafeNet <strong>Sentinel</strong>\<strong>Sentinel</strong><br />
System Driver.<br />
On Linux: /opt/safenet_sentinel/common_files/sentinel_usb_daemon<br />
On Macintosh: /System/Library/Extensions<br />
Question 2 - Where is the <strong>Sentinel</strong> <strong>Keys</strong> Server installed? Can I modify<br />
its location?<br />
The <strong>Sentinel</strong> <strong>Keys</strong> Server is installed at the following location. Its location<br />
cannot be modified:<br />
Installed at the following path on a Windows 32-bit NT-based system:<br />
:\Program Files\Common Files\SafeNet <strong>Sentinel</strong>\<strong>Sentinel</strong><br />
<strong>Keys</strong> Server<br />
Installed at the following path on a Windows x64 system:<br />
\Program Files(x86)\Common Files\SafeNet<br />
<strong>Sentinel</strong>\<strong>Sentinel</strong> <strong>Keys</strong> Server<br />
On Linux: /opt/safenet_sentinel/common_files/sentinel_keys_server<br />
On Macintosh: /Applications/Safenet <strong>Sentinel</strong>/Common Files/<strong>Sentinel</strong><br />
<strong>Keys</strong> Server
Question 3 - Does the <strong>Sentinel</strong> Protection Installer also install Java<br />
Run-time Environment?<br />
The <strong>Sentinel</strong> Protection Installer does not install Java Run-time Environment<br />
because neither the <strong>Sentinel</strong> System Driver, nor <strong>Sentinel</strong> <strong>Keys</strong> Server<br />
require it. However, it is required for using the <strong>Sentinel</strong> <strong>Keys</strong> License Monitor.<br />
You can download a copy from http://www.java.sun.com. A copy of JRE<br />
version 1.6.0 is also included in the <strong>Sentinel</strong> <strong>Keys</strong> SDK CD you received.<br />
For Macintosh, J2RE version 1.6 is not included in the Sentinel Keys SDK<br />
CD. You can download a copy from http://www.apple.com/java.<br />
Question 4 - What are the options available for using the <strong>Sentinel</strong><br />
Protection Installer in a Windows Installer based installation<br />
program?<br />
You can use the <strong>Sentinel</strong> Protection Installer in the following ways to install<br />
<strong>Sentinel</strong> System Driver and/or <strong>Sentinel</strong> <strong>Keys</strong> Server.<br />
Using merge modules - The <strong>Sentinel</strong><strong>Keys</strong>USBDriver.msm and/or<br />
<strong>Sentinel</strong><strong>Keys</strong>Server.msm merge modules are packaged forms of<br />
redistributables and can be integrated seamlessly with your<br />
InstallShield for Windows Installer and WISE installation programs.<br />
The merge modules contain the necessary files and registry entries,<br />
hence free you from the burdensome task of creating entries<br />
manually. Also, using merge modules the above-mentioned <strong>Sentinel</strong><br />
Key redistributables are installed and uninstalled with your<br />
application.<br />
Note: Supports standard and basic projects<br />
The merge modules support both the basic and standard project types.<br />
Using MSI - If your Windows Installer based program does not<br />
support merge modules, you can make use of the Sentinel Protection<br />
Installer (English) package for installing the above-mentioned<br />
Sentinel Key redistributables.<br />
Using setup.exe - For legacy installers (such as batch files or console-based<br />
setup programs), you can use setup.exe available in the<br />
\Sentinel Protection Installer\English directory to run a<br />
graphic installer that does step-by-step installation. Alternatively, the<br />
setup program can be executed quietly using the command-line<br />
switches.<br />
[Figure: Graphical Sentinel Protection Installer]<br />
Internet Installer - You may even point your customers to<br />
download the latest version of the <strong>Sentinel</strong> Protection Installer<br />
themselves from http://www.safenet-inc.com/support/tech/sentinel.asp.<br />
A copy of the self-extracting installer is available at:<br />
\<strong>Sentinel</strong> Protection Installer\English\Internet Installer.<br />
For additional information, refer to the <strong>Sentinel</strong> Protection Installer Help.
Appendix A<br />
Troubleshooting<br />
This appendix on troubleshooting assists in providing solutions to the typical<br />
problems you might face, while using <strong>Sentinel</strong> <strong>Hardware</strong> <strong>Keys</strong> to protect<br />
your application.<br />
In addition to the information contained in this chapter, you can also access<br />
the following resources for your queries.<br />
The SafeNet Knowledge Base at http://c3.safenet-inc.com/search.asp<br />
<strong>Sentinel</strong> <strong>Keys</strong> Toolkit Help, integrated with the Toolkit, for a list of<br />
CodeCover and API specific error codes.<br />
Problems and Solutions<br />
Problem: Time/Date Tampering<br />
You are using <strong>Sentinel</strong> <strong>Keys</strong> Toolkit to protect an application with a Lease<br />
License, and Make <strong>Keys</strong> works successfully. Now, for testing purposes when<br />
you set your system date forward, a time tampering error occurs and you<br />
can no longer generate keys or protect other applications with the toolkit.<br />
This happens even after you set the date on your system correctly. How can<br />
you rectify this error?<br />
Solution:<br />
Solution for <strong>Keys</strong> -<br />
1. Remove the USB key.<br />
2. Set your system’s date and time, and then reinsert the USB key.<br />
3. Start the protected application.<br />
Solution for Toolkit:<br />
For a toolkit error, build a different template, and then rebuild the original<br />
template.<br />
Problem: Application Startup Time<br />
You have an application that takes about 3 seconds to start when unprotected.<br />
When protected using CodeCover, it takes about 15 seconds to start.<br />
How can you control the CodeCover options to affect the protected application<br />
startup time?<br />
Solution:<br />
CodeCover provides multi-layered protection levels from 1 to 5. The more<br />
layers there are, the longer the startup time, and vice versa. By default,<br />
level 3 multi-layering is used. You need to change the multi-layering level to<br />
affect the protected application startup time.<br />
To access the Multi-layer level option, open the License Designer screen<br />
in the Toolkit. Select the CodeCover tab, and then click Edit. Select the<br />
Security tab; the Multi-layer level option is under the Advance Options<br />
section.<br />
Problem: Updating <strong>Keys</strong><br />
You are using <strong>Sentinel</strong> <strong>Hardware</strong> <strong>Keys</strong> for protecting two applications and<br />
each application is set up with a different license template (the first application<br />
uses License template A, and the second application uses License template<br />
B).<br />
<strong>Customer</strong> 1 purchases the first application. We program the key for License<br />
template A. A month later, <strong>Customer</strong> 1 purchases the second application,<br />
therefore we need to add License Template B to the key.
Can Secure Update be used to update the key for adding a new license?<br />
Solution:<br />
Yes, <strong>Sentinel</strong> <strong>Hardware</strong> <strong>Keys</strong> Secure Update allows you to activate and add<br />
user licenses to the key. Refer to, “Secure Remote New License Addition” on<br />
page 145.<br />
Problem: Protecting .EXE, .DLL, and .BPL files using a<br />
Command Line Interface<br />
You want to use a command line interface for protecting .exe, .dll, and .bpl<br />
files.<br />
Solution:<br />
Use the Command-Line CodeCover Utility (CMDShell.exe) in the SDK that<br />
provides 32/64-bit CodeCover support, to protect your .exe, .dll, and .bpl<br />
files. Refer to, “CodeCover Protection Using the Command-Line Utility” on<br />
page 91.<br />
Problem: Backing up the Templates, Features, and<br />
Groups<br />
You want to back up the templates, features, and groups generated in the<br />
toolkit.<br />
Solution:<br />
By default, there are two directories to back up the templates, features, and<br />
groups generated in the toolkit.<br />
Programs are stored in the directory, \<strong>Sentinel</strong> <strong>Keys</strong><br />
Toolkit.<br />
The license group files are stored at: \My<br />
Documents\<strong>Sentinel</strong> <strong>Keys</strong> \My License Groups.<br />
Note - The license group files are stored at: \Documents\<strong>Sentinel</strong> <strong>Keys</strong>\My License Groups on<br />
Windows Vista.<br />
The license template files are stored at: \My<br />
Documents\<strong>Sentinel</strong> <strong>Keys</strong> \My License Templates.<br />
Note - The license template files are stored at: \Documents\<strong>Sentinel</strong> <strong>Keys</strong>\My License Templates on<br />
Windows Vista.<br />
You can change the default License and Group templates directories by<br />
using the following steps:<br />
1. Navigate to Options > Setting > Working Folder > Folder Settings<br />
on <strong>Sentinel</strong> <strong>Keys</strong> Toolkit.<br />
2. Enter the new paths for License and Group templates respectively, and<br />
click Reset.<br />
3. Click OK.<br />
Problem: Performing Silent Command Line Driver and<br />
Server Install<br />
You want to know what files are needed to perform a silent command-line<br />
driver and server install.<br />
Solution:<br />
Use the command:<br />
setup /v"/qn ADDLOCAL=USB_Driver,SentinelKeysServer REBOOT=ReallySuppress CONFIRMUPGRADE=TRUE ENABLEFIREWALL=TRUE"<br />
The files needed are:<br />
Data1.cab<br />
Sentinel Protection Installer 7.6.2.exe<br />
Sentinel Protection Installer 7.6.2.msi<br />
setup.exe<br />
Problem: Accessing <strong>Sentinel</strong> <strong>Hardware</strong> Key on a different<br />
network subnet<br />
You want to access a <strong>Sentinel</strong> <strong>Hardware</strong> Key on a different network subnet.<br />
Solution:<br />
Create a configuration file and place it in the same directory as the executable<br />
file. In the configuration file, under the ContactServer section, enter the<br />
IP Address of the server computer.<br />
Note: There is a sample configuration file at the location, \Configuration<br />
File Template.<br />
Problem: Ethernet Port for <strong>Sentinel</strong> <strong>Keys</strong> Server<br />
You want to know which Ethernet Port is used for <strong>Sentinel</strong> <strong>Keys</strong> Server.<br />
Solution:<br />
UDP port 7001. In case UDP port 7001 is blocked, open the port in the<br />
advanced option of the IP firewall.<br />
Note: This applies to networked implementation of security only.<br />
Problem: Monitoring <strong>Sentinel</strong> <strong>Hardware</strong> <strong>Keys</strong> licenses<br />
in Use<br />
You want to monitor <strong>Sentinel</strong> <strong>Hardware</strong> <strong>Keys</strong> licenses that are in use on the<br />
key server.<br />
Solution:<br />
You can do so by connecting to http://localhost:7002 or<br />
http://IP_Address:7002<br />
Problem: License Monitor fails to launch with Java Runtime<br />
Environment (JRE) 1.6.0, Installed on Windows<br />
Server 2003/Server 2008/Server 2008 R2/Windows 7 64-bit<br />
Systems<br />
Java Runtime Environment (JRE) 1.6.0, installed on Windows Server 2003/<br />
Server 2008/Server 2008 R2/Windows 7 64-bit systems restricts launching<br />
the <strong>Sentinel</strong> <strong>Keys</strong> License Monitor.<br />
Solution:<br />
You can either uninstall Java Runtime Environment (JRE) 1.6.0 and install<br />
the 1.5.0 version, or try customizing the settings in Internet Explorer.<br />
Customizing Settings in Internet Explorer<br />
1. Launch Internet Explorer.<br />
2. From the Tools menu, select Internet Options.<br />
3. Click the Advanced tab.<br />
4. Under Browsing, select the checkbox titled, Enable third-party<br />
browser extensions (requires restart).<br />
5. Click OK to apply the settings specified.<br />
You can launch the License Monitor successfully after customizing the above<br />
settings in Internet Explorer running on a Windows Server 2003/Server<br />
2008/Server 2008 R2/Windows 7 64-bit system, with Java Runtime Environment<br />
(JRE) 1.6.0.<br />
Problem: Upgrading the <strong>Sentinel</strong> USB Driver and <strong>Sentinel</strong><br />
<strong>Keys</strong> Server<br />
You want to upgrade the <strong>Sentinel</strong> USB Driver and <strong>Sentinel</strong> <strong>Keys</strong> Server.
Solution:<br />
Use the following steps to upgrade the <strong>Sentinel</strong> USB Driver and <strong>Sentinel</strong> <strong>Keys</strong><br />
Server:<br />
1. Verify that the USB or parallel port is working correctly.<br />
2. Log in as Administrator.<br />
3. Unplug the key(s).<br />
4. Remove the old <strong>Sentinel</strong> Protection Server/Driver/Combo and reinstall<br />
the <strong>Sentinel</strong> Protection Installer.<br />
Go to Start > Settings > Control Panel > Add or Remove Programs<br />
(Vista is Programs and Features). Select both the <strong>Sentinel</strong><br />
Protection Installer and <strong>Sentinel</strong> System Driver, and then click<br />
Remove.<br />
5. Shut Down, and then restart your system.<br />
6. Download and install the new <strong>Sentinel</strong> Protection Installer v7.6.2<br />
from the location www.safenet-inc.com/support/tech/sentinel.asp.<br />
Note: If you are using standalone applications, you can perform a custom install<br />
and uncheck both the servers from the installation. The <strong>Sentinel</strong> <strong>Keys</strong><br />
Server only needs to be installed on a <strong>Sentinel</strong> <strong>Hardware</strong> <strong>Keys</strong> server computer.<br />
The <strong>Sentinel</strong> Protection Server only needs to be installed on a SuperPro<br />
and/or UltraPro key server computer.<br />
7. Plug in the key(s).<br />
8. Download <strong>Sentinel</strong> Advanced Medic from the location<br />
www.safenet-inc.com/support/tech/sentinel.asp, and run it to make sure<br />
the key(s) is being detected correctly.<br />
The driver version in medic should be 7.5.1. If Medic detects the key,<br />
then it indicates that the computer, operating system, port, key and<br />
driver are working correctly.<br />
Note: Medic does not detect the 64-bit operating system version correctly.<br />
9. Test the application software.<br />
Problem: Uninstalling the <strong>Sentinel</strong> <strong>Keys</strong> Server<br />
You want to uninstall the <strong>Sentinel</strong> <strong>Keys</strong> Server without uninstalling the<br />
<strong>Sentinel</strong> Driver.<br />
Solution:<br />
On the computer running the <strong>Sentinel</strong> <strong>Keys</strong> Server, run :\Program<br />
Files\Common Files\SafeNet <strong>Sentinel</strong>\<strong>Sentinel</strong> Protection Server\<br />
loadserv.exe. Specify the service name, :\Program Files\Common<br />
Files\SafeNet <strong>Sentinel</strong>\<strong>Sentinel</strong> <strong>Keys</strong> Server\ sntlkeyssrvr.exe and click Remove<br />
Service.<br />
Problem: Selecting .Net Framework version<br />
When protecting a .NET application with multiple versions installed, you<br />
want to select the version of .Net Framework to be used.<br />
Solution:<br />
The .config file appname.exe.config decides which version of .NET Framework<br />
will be used.<br />
A Sample appname.exe.config is as follows:<br />
<br />
<br />
<br />
<br />
Problem: Runtime error message R6034 from CodeCover<br />
protected .EXE file.<br />
You receive an error message R6034 when protecting a .exe file using<br />
CodeCover.<br />
Solution:<br />
There are two ways to avoid this error:<br />
Remove the msvcr80.dll file from c:\windows\system32 folder or any<br />
other execution path, or<br />
Make a manifest file and place it in the same folder where the<br />
protected application is located.<br />
Whereas the original exe file name is app.exe, the manifest file name is<br />
in the format app.exe.manifest.<br />
A Sample app.exe.manifest is as follows:<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Problem: Building Multiple Applications to a Single Key<br />
You want to build multiple applications to a single key.<br />
Solution:<br />
Use the following series of steps to build multiple applications to a single key:<br />
1. In License Designer of <strong>Sentinel</strong> <strong>Keys</strong> Toolkit, create a template for<br />
each application.<br />
2. In License Manager, create a group that includes both the templates.<br />
3. Click Make <strong>Keys</strong>, to program the group into the key.<br />
Problem: Protecting an Integrated Application using<br />
CodeCover<br />
You want to protect an integrated application using CodeCover.<br />
Solution:<br />
Use the following series of steps to protect an integrated application using CodeCover:<br />
1. In License Designer of <strong>Sentinel</strong> <strong>Keys</strong> Toolkit, create a CodeCover template<br />
for the application to be protected.<br />
2. Create an API template for the integrated application.<br />
3. In License Manager, create a group that includes both the templates.<br />
4. Click Make <strong>Keys</strong>, to program the group into the key.<br />
Problem: Programming <strong>Keys</strong> using Remote Desktop<br />
You want to program keys using remote desktop.<br />
Solution:<br />
Yes, you can program keys using Remote Desktop. However, you cannot<br />
program keys connected to a different computer.<br />
Problem: The application receives a<br />
SP_ERR_INVALID_LICENSE error<br />
The application receives a SP_ERR_INVALID_LICENSE error after a license<br />
is obtained.<br />
Solution:<br />
This error could occur when the license is timed-out. The license time interval<br />
is probably set too short. You can recommend to your customers that<br />
they use the client-side configuration file for setting a longer license time<br />
interval.<br />
Problem: The application receives a<br />
SP_ERR_SERVER_PROBABLY_NOT_UP error<br />
The application receives a SP_ERR_SERVER_PROBABLY_NOT_UP error,<br />
even when the <strong>Sentinel</strong> <strong>Keys</strong> Server is running.<br />
Solution:<br />
This error could occur when the network is busy. To overcome this<br />
error, you should re-try by calling the API function again. If the<br />
customers are facing this error, recommend that they launch the<br />
application again.<br />
This error may also occur when the server port is already in-use. You<br />
can verify this in the system EventLog or the <strong>Sentinel</strong> <strong>Keys</strong> Server<br />
error log file. To troubleshoot this, you can set a non-busy port in the<br />
server-side configuration file to run the <strong>Sentinel</strong> <strong>Keys</strong> Server. Make<br />
sure that the same port is set in the client-side configuration file.<br />
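The retry recommended above, as an added example (not code from the Sentinel Keys SDK): it retries only the transient "server probably not up" status, with a bounded number of attempts and a capped back-off, and returns any other status at once.<br />
The DEMO_* status values, call_with_retry, and the fake server are hypothetical stand-ins; the real status codes and API signatures come from the SDK header.<br />

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical status values for this example only. The real SP_* codes are
 * defined by the SDK header and are not reproduced on this page. */
enum {
    DEMO_SUCCESS = 0,
    DEMO_ERR_SERVER_PROBABLY_NOT_UP = 1, /* transient: busy network */
    DEMO_ERR_INVALID_LICENSE = 2,        /* not transient: retrying cannot help */
    DEMO_ERR_BAD_ARGUMENT = 3            /* misuse of call_with_retry itself */
};

typedef int (*license_call_fn)(void *ctx);    /* wraps one license API call */
typedef void (*sleep_ms_fn)(unsigned int ms); /* platform sleep; may be NULL */

struct retry_result {
    int status;              /* last status returned by the wrapped call */
    unsigned int attempts;   /* how many times the call was made */
    unsigned int backoff_ms; /* total delay requested between attempts */
};

/* Call `call` up to max_attempts times. Only the transient status is retried;
 * the delay doubles after each failure and is capped at max_delay_ms. */
struct retry_result call_with_retry(license_call_fn call, void *ctx,
                                    unsigned int max_attempts,
                                    unsigned int first_delay_ms,
                                    unsigned int max_delay_ms,
                                    sleep_ms_fn do_sleep)
{
    struct retry_result r = { DEMO_ERR_BAD_ARGUMENT, 0, 0 };
    unsigned int delay = first_delay_ms;

    if (call == NULL || max_attempts == 0)
        return r;
    if (delay > max_delay_ms)
        delay = max_delay_ms;

    while (r.attempts < max_attempts) {
        r.status = call(ctx);
        r.attempts++;
        if (r.status != DEMO_ERR_SERVER_PROBABLY_NOT_UP)
            break;                      /* success, or an error retrying won't fix */
        if (r.attempts == max_attempts)
            break;                      /* budget used up: report the failure */
        if (do_sleep != NULL)
            do_sleep(delay);
        r.backoff_ms += delay;
        /* Double the delay without overflowing, never exceeding the cap. */
        delay = (delay > max_delay_ms / 2) ? max_delay_ms : delay * 2;
    }
    return r;
}

/* Constructed stand-in for a server reached over a busy network: it answers
 * "not up" busy_replies times, then returns final_status. */
struct fake_server {
    unsigned int busy_replies;
    int final_status;
    unsigned int calls;
};

int fake_get_license(void *ctx)
{
    struct fake_server *s = ctx;
    s->calls++;
    if (s->busy_replies > 0) {
        s->busy_replies--;
        return DEMO_ERR_SERVER_PROBABLY_NOT_UP;
    }
    return s->final_status;
}

int main(void)
{
    struct fake_server busy = { 2, DEMO_SUCCESS, 0 };
    struct retry_result r =
        call_with_retry(fake_get_license, &busy, 5, 100, 1000, NULL);
    printf("status=%d attempts=%u backoff=%ums\n",
           r.status, r.attempts, r.backoff_ms);
    return r.status == DEMO_SUCCESS ? 0 : 1;
}
```

If every attempt fails, the caller still receives the transient status and can tell the user to relaunch the application, or check the port setting in the configuration files.<br />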
Problem: The application receives a<br />
SP_ERR_PROTOCOL_NOT_INSTALLED error<br />
The application receives a SP_ERR_PROTOCOL_NOT_INSTALLED error.<br />
Solution:<br />
This error is encountered when the protocol used for communication is not<br />
installed on the client system. You can modify the protocol in the client-side<br />
configuration file.<br />
Note: Only TCP/IP is supported on Linux and Macintosh.<br />
Problem: The Configuration File settings were not<br />
applied<br />
The Configuration File settings were not applied.<br />
Solution:<br />
If the client-side configuration file’s name and path have not<br />
been customized: The client-side configuration file must be present<br />
in the directory where your application's executable resides.<br />
If the client-side configuration file’s name and path have been<br />
customized: Make sure that the file with the customized name exists<br />
at the specified path. Also ensure that the file is valid and contains<br />
parameters in correct format.<br />
The server-side configuration file must be present in the directory<br />
where the <strong>Sentinel</strong> <strong>Keys</strong> Server is installed. The parameter settings<br />
will not be applied if the file is moved to any other location.<br />
Make sure that you specify only one value for a parameter (except<br />
setting the ContactServer tag and the Protocol tag in the client and<br />
server-side configuration files, respectively).<br />
The <strong>Sentinel</strong> <strong>Keys</strong> Server must be restarted if the server-side<br />
configuration file is updated.<br />
Problem: Files not being Encrypted<br />
While protecting, one of your files is not being encrypted.<br />
Solution:<br />
If any of your input files (the application executable, or any other files you<br />
have selected for encryption) have the read-only attribute set, CodeCover<br />
may not be able to protect the file. Clear the read-only attributes in the file’s<br />
Properties dialog box, then try again.<br />
Problem: Releasing a License<br />
You have closed the CodeCover-protected application on your system to free<br />
up a license. However, the <strong>Sentinel</strong> <strong>Keys</strong> License Monitor still shows the<br />
license in use.<br />
Solution:<br />
You should manually cancel the license in the <strong>Sentinel</strong> <strong>Keys</strong> License Monitor.<br />
To automatically release the license on application exit, copy the<br />
relLic.dll (for 32-bit application executable) or relLic64.dll (for 64-bit application<br />
executable) in the directory that contains the application executable.<br />
This DLL can be obtained from \<strong>Sentinel</strong> <strong>Keys</strong> Toolkit directory of the <strong>Sentinel</strong><br />
<strong>Keys</strong> SDK installation.<br />
Problem: Application fails to execute with a statically<br />
linked protected DLL<br />
When you protect the DLL that is statically linked to the application, the<br />
application fails to execute with the protected DLL. Whereas, if the DLL is<br />
linked dynamically, it executes successfully.<br />
Solution:<br />
This is a statically linked DLL issue that occurs once you have protected your<br />
application. Follow these tips while protecting a statically<br />
linked DLL to resolve this issue.<br />
Protect both the statically linked DLL and the executable, instead of<br />
protecting only the DLL.<br />
Use LoadLibrary instead of linking the DLL statically.<br />
Problem: Unable to Program the <strong>Hardware</strong> <strong>Keys</strong><br />
You are unable to program the hardware keys.<br />
Solution:<br />
An error can occur while programming hardware keys due to hardware or<br />
software reasons. You should verify the hardware key is firmly connected to<br />
the USB port/hub. The LED on the hardware key should be illuminated to<br />
verify if it has been plugged-in properly.<br />
To determine if a programming failure is due to a software error or a hardware<br />
error, try programming another hardware key with the same group. If<br />
the programming is successful, the previous error was hardware-related. If<br />
you try programming many keys, and all of them fail programming, the<br />
error is software-related.<br />
If you suspect a technical problem, contact SafeNet Technical Support to<br />
help you in troubleshooting. The support representative will work with you<br />
to rule out resolvable software and/or configuration problems. If the problem<br />
cannot be resolved, you will be issued an RMA (Return Material<br />
Authorization) number. To ensure proper handling is acknowledged for the<br />
returned keys, you must obtain an RMA number prior to shipping the<br />
products.<br />
After you have obtained an RMA number and are ready to package the<br />
hardware keys for shipping, please make sure that you use “cold plastic” or<br />
“conductive plastic” to avoid any further damage.<br />
Problem: Error Programming a Distributor File<br />
You get an error while programming the distributor file, using the Key Programming<br />
APIs.<br />
Solution:<br />
Please refer to the error code descriptions for the source of the error and its<br />
description. The error codes are listed in the Key Programming<br />
API Help.<br />
Appendix B<br />
Glossary<br />
A<br />
Access Mode<br />
An access mode determines the route a protected application follows to<br />
obtain a license. See page 65 for more information.<br />
Action<br />
Refers to a collection of remote update commands.<br />
AES<br />
Short for Advanced Encryption Standard—an industry-standard symmetric<br />
key encryption algorithm. You can use it through the AES feature to<br />
encrypt/decrypt 16-bytes of data.<br />
API<br />
Short for Application Program Interface. The set of client interface routines<br />
your application uses to communicate with the <strong>Sentinel</strong> Key.<br />
ASCII<br />
Short for American Standard Code for Information Interchange; a code for<br />
information exchange between computers made by different companies; a<br />
string of 7 binary digits represents each character; used in most<br />
microcomputers.<br />
Asymmetric Key Encryption System<br />
Also referred to as the public key encryption system. It uses a pair of keys—a<br />
private key and a public key—to encrypt and decrypt data.<br />
The asymmetric algorithms are considered to be slower than the symmetric<br />
algorithms for a comparable key size. Typically, the former are used for<br />
encrypting the hash values and symmetric session keys (which are comparatively<br />
much smaller in size than bulk data).<br />
B<br />
Bidirectional Code Generation<br />
The Developer generates this code (Feature/License update [.upw], or New<br />
License Addition [.nlf]) with a request code from the end user, and updates a<br />
single key in field.<br />
Block<br />
A sequence of bits of fixed length; longer sequences of bits can be broken<br />
down into blocks.<br />
Courtesy - http://www.rsasecurity.com<br />
Borland Package Library (BPL)<br />
BPL is a special dynamic-link library (DLL) that is used for building Borland<br />
applications; and contains modules to be shared across multiple projects.<br />
Business Layer API<br />
Refers to the <strong>Sentinel</strong> <strong>Keys</strong> client library API functions—used for communicating<br />
between your application and the <strong>Sentinel</strong> Key. See page 58 and<br />
page 133 for more information. A separate Business Layer API Help is also<br />
provided (you can launch it from the Help menu of the <strong>Sentinel</strong> <strong>Keys</strong><br />
Toolkit).<br />
C<br />
Cheat Counter<br />
A count-down value that allows tolerating the time tampering attacks ranging<br />
between 1 second to 30 days (excluding the daylight savings) till it<br />
reaches zero. See page 169 for more information.<br />
CodeCover<br />
An automatic method of protecting Windows executables, DLLs, and BPLs.<br />
It does not require source code of your application. See page 55 for more<br />
information.<br />
Code Morphing<br />
Code Morphing is the technique to obfuscate important parts of application<br />
code (such as strings, constants, and code fragments). The obfuscated code<br />
is difficult to analyze in disassemblers and during run-time analysis. The use<br />
of Code Morphing helps add extra security to an application by hiding the<br />
implementation logic of sensitive code from reverse engineering techniques.<br />
To use Code Morphing, you need to implement CodeCover SDK macros in<br />
your source code. Refer to the ReadMe available at the \<strong>Sentinel</strong><br />
<strong>Keys</strong> Toolkit\Shell SDK\Help\English folder for details.<br />
Code Sketch<br />
The protection plan generated by the Toolkit when a license template is<br />
built. It consists of an outline of the Business Layer API functions that you<br />
should incorporate in your source code. It is a good reference when you are<br />
not sure which API functions are relevant for your particular strategy. The<br />
code sketch is written into an HTML file present in the Toolkit working<br />
folder. It can be generated for the most-frequently used development<br />
languages.<br />
To view the code sketch, you can either click View under the Build Options<br />
tab, or navigate to the Toolkit working folder.<br />
Command<br />
Refers to the function calls that describe what will be done to a hardware<br />
key in the field. For example, the Change write password command will<br />
change the Write Password associated with the feature.<br />
Command-Line CodeCover Utility<br />
A console-based program that protects executables, DLLs, and BPLs using<br />
the CodeCover method via command-line.<br />
<strong>Customer</strong><br />
An individual or organization using the application protected with <strong>Sentinel</strong><br />
Key.<br />
Custom CodeCover Key<br />
A <strong>Sentinel</strong> Key initialized to protect applications at the end user’s site, using<br />
the Command-Line CodeCover Utility. It eliminates the need to carry a developer<br />
key to the customer’s location; to avoid any licensing violations that<br />
may occur if the developer key is lost.<br />
A Custom CodeCover key contains only CodeCover features and can be used<br />
to protect applications till a specified date. It can not be used to program<br />
hardware keys or modify licensing strategies.<br />
D<br />
Decryption<br />
The conversion of encrypted data into plain text data (the original form), so<br />
it can be deciphered by the intended recipients/process.<br />
Developer<br />
An individual or a software development company that uses the <strong>Sentinel</strong><br />
<strong>Keys</strong> SDK to protect and license their applications.<br />
Developer ID<br />
A unique identification code for the hardware keys provided by SafeNet to<br />
the developer. You can view the developer ID in the Key Status panel of the<br />
Toolkit.<br />
Developer Key<br />
The hardware key must be used for preparing the application protection<br />
strategy using the Toolkit. You must always plug-in the developer key in<br />
order to build a license template. See also, “Developer Key” on page 21.<br />
Digital Signature<br />
A digital guarantee that information has not been modified, as if it were protected<br />
by a tamper-proof seal that is broken if the content were altered. The<br />
two major applications of digital signatures are for setting up a secure connection<br />
to a Web site and verifying the integrity of files transmitted.<br />
Courtesy - http://www.answers.com/<br />
Distributor<br />
An entity/organization authorized by the developer to distribute the protected<br />
application along with the <strong>Sentinel</strong> <strong>Keys</strong>. They can also program<br />
<strong>Sentinel</strong> <strong>Keys</strong> using the License Manager (stand-alone) application.<br />
Distributor Key<br />
The hardware key that your distributor requires to use the License Manager<br />
(stand-alone) application. It has the capability to validate the file sent by the<br />
developer for programming <strong>Sentinel</strong> <strong>Keys</strong>. It can also digitally sign the<br />
license templates programmed into the <strong>Sentinel</strong> <strong>Keys</strong>.<br />
E<br />
ECC<br />
Short for Elliptic Curve Cryptography. It is an alternative method for implementing<br />
public key cryptography. ECC is primarily used for creating digital<br />
signatures—signed with a private key and verified with the public key.<br />
ECKAS is used for key exchange to create a shared secret key.<br />
ECC uses points on an elliptic curve to derive a 163-bit public key that is<br />
equivalent in strength to a 1024-bit RSA key. The public key is created by<br />
agreeing on a standard generator point in an elliptic curve group (elliptic<br />
curve mathematics is a branch of number theory) and multiplying that<br />
point by a random number (the private key). Although the starting point<br />
and public key are known, it is extremely difficult to backtrack and derive<br />
the private key.<br />
Courtesy - http://www.answers.com/<br />
Encryption<br />
The conversion of plain text data into a form that cannot be read by unintended<br />
recipients. The encrypted data is referred to as cipher text.<br />
End User Token<br />
The <strong>Sentinel</strong> Key, used to protect the applications, being used by an individual<br />
or an organization.<br />
Execution Count<br />
The number of times the application will run for. It can be a value between 1<br />
and 65535. The counter is decremented by one every time the application is<br />
executed.<br />
Expiration Date<br />
The fixed date after which the protected application will not run. Specify for<br />
leasing your applications/features.<br />
Expiration Time<br />
The time period, after which the protected application will not run. The time<br />
period will start soon after the application is executed first. Specify for leasing<br />
your applications/features. For example,<br />
The expiration time chosen is 60 minutes.<br />
The application is first executed at 1500 hours of 30 September,<br />
2007.<br />
Therefore, the application will expire at 1600 hours of 30 September,<br />
2007.<br />
Note: If you are creating the licensing strategy much in advance and expect that<br />
the expiration date may approach rather soon, then choose expiration<br />
time instead. The expiration time will begin only after the first execution.<br />
F<br />
Feature(s)<br />
A feature refers to the most-basic unit of a protection strategy (license template).<br />
Refer to the topic “About Features, Templates, and Groups” on<br />
page 51 for details.<br />
FEK<br />
Short for File Encryption Key. Refers to a 16-byte AES secret key used for<br />
encrypting/decrypting the license group file (.lgx) sent to your distributor.<br />
Feature Attributes<br />
An attribute defines the properties of a feature. Refer to the <strong>Sentinel</strong> <strong>Keys</strong><br />
Toolkit Help for a list of feature attributes.<br />
Feature ID<br />
An identifier of a feature in the license template. It is assigned by the Toolkit<br />
while a feature is created.<br />
Feature Instance<br />
Refers to a feature with attributes defined. When CodeCover and API features<br />
are added in the License Designer screen, the default feature<br />
instances are said to be created.<br />
Additional (new) feature instances can be added in the License Manager<br />
screen while creating groups (if the Add instances later check box is<br />
selected in the License Designer screen while adding/editing the default<br />
feature instance).<br />
Firmware<br />
Computer programming instructions that are stored in a read-only memory<br />
unit rather than being implemented through software.<br />
G<br />
Group<br />
A group is a package of licenses (templates) that you want to program in the<br />
<strong>Sentinel</strong> Key for your customers and distributors. Groups are also used to<br />
program distributor keys.<br />
H<br />
Hard Limit<br />
The hard limit is the factory-programmed limit that defines the maximum<br />
number of users allowed by the hardware key. <strong>Sentinel</strong> <strong>Keys</strong> are available<br />
with the following hard limits: 3, 5, 10, 25, 50, 100, and 250. <strong>Sentinel</strong> <strong>Keys</strong><br />
with 0 hard limit are known as stand-alone keys.<br />
Header File<br />
The header file is generated at the time of building a license template. For<br />
example, <strong>Sentinel</strong><strong>Keys</strong>License.h for Visual C.<br />
It contains important information for your (license) strategy, including the<br />
license ID, feature ID, software key, query-response table (if you have<br />
included an AES feature in your template), and a public key (if you included<br />
an ECC feature in your template).<br />
Heartbeat<br />
The interval for which the <strong>Sentinel</strong> <strong>Keys</strong> Server maintains the license. By<br />
default, it releases the license after two minutes (120 seconds).<br />
Hexadecimal<br />
Refers to the base-16 number system, which consists of 16 unique symbols:<br />
the numbers 0 to 9 and the letters A to F.<br />
K<br />
L<br />
Key<br />
A string of bits used widely in cryptography, allowing people to encrypt and<br />
decrypt data; a key can be used to perform other mathematical operations as<br />
well. Given a cipher (the encryption-decryption algorithm), a key determines<br />
the mapping of the plaintext (the data to be encrypted) to the<br />
ciphertext (the encrypted data).<br />
Courtesy - http://www.rsasecurity.com<br />
Key Exchange<br />
A process used by two or more parties to exchange keys in cryptosystems.<br />
Courtesy - http://www.rsasecurity.com<br />
Key Programming APIs<br />
A set of API functions that enable you to create your own programming utility<br />
or a stand-alone executable to program each <strong>Sentinel</strong> Key with the<br />
license group file exported using the Export-File Manager wizard in the<br />
License Manager of <strong>Sentinel</strong> <strong>Keys</strong> Toolkit.<br />
Certain Key Programming API functions also allow you to create update<br />
packets for inserting value instances to <strong>Sentinel</strong> <strong>Keys</strong> or licenses.<br />
License<br />
A license is an agreement under which your customer is granted the right to<br />
use an application in the manner specified in the software license<br />
agreement.<br />
License Addition Code<br />
Refers to the code generated (as *.nlf file) by the developer for adding new<br />
license(s) files into the end user token through the secure update library.<br />
The *.nlf file is generated using the Export-File Manager wizard under the<br />
License Manager stage of the Toolkit.<br />
License ID<br />
A 16-bit identifier generated by the Toolkit for the license template you<br />
created.<br />
It is written into the <strong>Sentinel</strong> Key memory at the time of programming. The<br />
SFNTGetLicense function makes use of the license ID and developer ID for<br />
finding your <strong>Sentinel</strong> <strong>Keys</strong> on the customers' site.<br />
License Sharing<br />
When multiple instances of a protected application on a seat can be run<br />
using one license. A seat represents a user name and MAC address<br />
combination.<br />
License Template<br />
A license template is a container of features that define your application protection<br />
strategy.<br />
Corresponding to every license template is a license ID that identifies the<br />
license in the <strong>Sentinel</strong> Key.<br />
A <strong>Sentinel</strong> Key can contain multiple licenses (templates)—depending on the<br />
memory size and the features included. Using the license grouping option of<br />
Toolkit, you can bundle multiple licenses into one group, so that one <strong>Sentinel</strong><br />
Key can be deployed to license multiple applications on a customer site.<br />
M<br />
N<br />
O<br />
MAC Address<br />
Stands for Media Access Control Address, a hardware address that uniquely<br />
identifies each node of a network.<br />
Network Applications<br />
A network application is designed to be run on multiple computers so that<br />
several users can run it concurrently. You should attach the <strong>Sentinel</strong> Key on<br />
a networked system, where the <strong>Sentinel</strong> <strong>Keys</strong> Server and <strong>Sentinel</strong> System<br />
Driver are also installed.<br />
For stand-alone applications, the <strong>Sentinel</strong> Key must be attached to each<br />
workstation.<br />
Network <strong>Keys</strong><br />
A network key allows multiple network clients to run the protected application<br />
concurrently.<br />
It is typically connected to a networked system running the <strong>Sentinel</strong> <strong>Keys</strong><br />
Server in the subnet.<br />
The network keys are meant for the number of users defined by the hard<br />
limit. If desired, you can program a user limit for restricting the hard limit.<br />
One-Click License Update<br />
It is the ability to directly update/add license to a key by just double-clicking<br />
the .upw or .nlf file. It is a quick shortcut to apply the update/license code<br />
avoiding a series of steps, which include opening the Secure Update Utility,<br />
browsing the required file, and clicking Apply Code.<br />
As a developer, you can enable the One-Click License Update facility for a<br />
customer/distributor by creating certain registry entries via your installer.<br />
P<br />
Q<br />
Personal Folder<br />
See “Conventions Used in This <strong>Guide</strong>” on page xiv.<br />
Private Key<br />
In public-key cryptography, this is the secret key. <strong>Sentinel</strong> <strong>Keys</strong> contain the<br />
ECC private keys, primarily used for key exchange and digital signatures.<br />
Public Key<br />
In public-key cryptography this key is made public to all. It is primarily used<br />
for verifying digital signatures and solving the key exchange problem.<br />
Public Key Cryptography<br />
Cryptography based on methods involving a public key and a private key.<br />
Query Data<br />
The data scrambled using the AES algorithm in the <strong>Sentinel</strong> Key. You program<br />
your application to send queries to the <strong>Sentinel</strong> Key. The <strong>Sentinel</strong> Key<br />
scrambles the string using the AES algorithm and returns a response to the<br />
application.<br />
Query-Response Protection<br />
Please see the topic “Implement Query-Response Protection” on page 172.<br />
Request Code<br />
Refers to the code generated (as a .req file) by customers/distributors as a<br />
request to update their hardware keys. It contains the hardware key details<br />
(such as the serial number) and the license information.<br />
Your customers can generate it using the option you allow—Secure Update<br />
utility, Secure Update Wizard (for Windows only), or some custom utility<br />
that calls the Secure Update API functions. Your distributors can generate it<br />
using the Secure Update utility or some custom utility (to update the distributor<br />
key count).<br />
Using the request code, an update code or a license addition code is generated<br />
under the Key Activator tab of the Toolkit.<br />
Response Data<br />
The scrambled result derived when the <strong>Sentinel</strong> Key processes the query<br />
data using the AES algorithm. The <strong>Sentinel</strong> Key returns the response data to<br />
the application. The application then uses the response to determine<br />
whether the user is authorized to run the application.<br />
Seat<br />
A seat represents a user name and MAC address combination.<br />
Secret Key<br />
A secret key generally refers to the key in a secret key cryptography system,<br />
in which both sides use the same key. It may also refer to the private key in a<br />
public key cryptography system, because the private key must also be kept<br />
"secret."<br />
The AES feature uses a 128-bit long secret key to encrypt/decrypt data.
Secure Communication Tunnel<br />
An end-to-end secured session between the client and the <strong>Sentinel</strong> Key for<br />
providing secure private communication. The communication packets are<br />
encrypted using the AES algorithm, for which the session key is generated<br />
using ECC-based key exchange (ECKAS-DH1).<br />
Secure Update Utility<br />
The Secure Update utility is used for updating the <strong>Sentinel</strong> <strong>Keys</strong> and distributor<br />
keys remotely. It provides an alternative to the Secure Update Wizard.<br />
<strong>Sentinel</strong> Key<br />
The hardware key meant to be used by your customer in order to run the<br />
protected application. It can be attached to a stand-alone or network system<br />
depending on the key type.<br />
A <strong>Sentinel</strong> Key can be programmed by you (the developer) or your distributor<br />
with a license group.<br />
<strong>Sentinel</strong> System Driver<br />
The <strong>Sentinel</strong> System Driver is the device driver for communicating with the<br />
hardware keys (<strong>Sentinel</strong> Key, developer key, and distributor keys). For Linux,<br />
a user-level daemon is provided. For Macintosh, a kernel extension module<br />
(KEXT) is provided.<br />
<strong>Sentinel</strong> <strong>Keys</strong> License Monitor<br />
The <strong>Sentinel</strong> <strong>Keys</strong> License Monitor shows the details of the <strong>Sentinel</strong> <strong>Keys</strong><br />
and clients accessing them via a Web browser. It is a convenient way to view<br />
and track license activity and analyze application usage.<br />
<strong>Sentinel</strong> Protection Installer<br />
<strong>Sentinel</strong> Protection Installer can install the <strong>Sentinel</strong> System Driver and <strong>Sentinel</strong><br />
<strong>Keys</strong> Server on a system. These components are typically required by<br />
your customers for running the protected applications.<br />
<strong>Sentinel</strong> <strong>Keys</strong> Server<br />
<strong>Sentinel</strong> <strong>Keys</strong> Server is the network license manager of the <strong>Sentinel</strong> <strong>Keys</strong>. It<br />
maintains a database of the <strong>Sentinel</strong> <strong>Keys</strong> attached to a networked system<br />
and handles the availability, maintenance, sharing, and cancellation of<br />
licenses for its clients.<br />
Secure Update Wizard<br />
The Secure Update Wizard provides a graphical option to your Windows-based<br />
customers for activating features/applications in the field. It is suitable<br />
for activating trial/demo applications.<br />
Serial Number<br />
A 32-bit value sequentially assigned per key. It is pre-programmed and cannot<br />
be modified.<br />
Silent Mode<br />
The silent mode, denoted by /S in Command-Line CodeCover protection, suppresses<br />
the display of information related to the CodeCover features present in<br />
the license template file, for example, source file, destination path, protection<br />
layer level, etc.<br />
Software Key<br />
The scrambled public key used for creating the Secure Communication Tunnel.<br />
It is passed as a parameter in the SFNTGetLicense API function and is<br />
written into the header file.<br />
Software Lock<br />
A decision point in a protected application. The purpose of a software lock is<br />
to verify the presence of the correct <strong>Sentinel</strong> Key. For example, an application<br />
might verify the validity of the signed data or send query data to the<br />
<strong>Sentinel</strong> Key and require a specific response in order to continue execution.
Other software locks may simply read the data and compare it to the value<br />
known.<br />
Stand-alone Applications<br />
A stand-alone application is licensed to run on a single computer without<br />
using a network. This type is used most often when an application is used by<br />
a single person on a particular computer. Typically, when you have purchased<br />
a stand-alone application, you will receive a key for each user that<br />
will be running the application.<br />
Stand-alone <strong>Keys</strong><br />
Refers to the <strong>Sentinel</strong> <strong>Keys</strong> with zero (0) hard limit. It is typically connected<br />
to a user’s local workstation, providing access to the protected application<br />
only on a single system.<br />
Symmetric Key Encryption System<br />
The symmetric key encryption systems use a single, common key to encrypt<br />
and decrypt the message (known as the secret key). This is in contrast to the<br />
asymmetric key encryption systems, which use a private key and a public<br />
key to encrypt and decrypt messages, respectively.<br />
Toolkit<br />
The <strong>Sentinel</strong> <strong>Keys</strong> Toolkit is a Java application, which is available for the<br />
Windows platform. It is used for preparing the application protection strategy<br />
and programming hardware keys for your customers and distributors.<br />
See page 33 for more information on Toolkit GUI.<br />
Unidirectional Broadcast Code Generation<br />
The Developer generates this code (Feature/License update [.upw], or New<br />
License Addition [.nlf]) without any request code from the end user, and<br />
broadcasts the code to all the end users possessing <strong>Sentinel</strong> <strong>Keys</strong> with the<br />
same DeveloperID.<br />
Unidirectional Single Target Code Generation<br />
The Developer generates this code (Feature/License update [.upw], or New<br />
License Addition [.nlf]) without any request code from the end user, and<br />
applies the code to a specified <strong>Sentinel</strong> <strong>Hardware</strong> Key with a particular<br />
Serial Number.<br />
Universal Binary<br />
A universal binary is an executable file that runs natively on both<br />
PowerPC and Intel-based Macintosh computers, which was first introduced<br />
at the 2005 WWDC to ease the transition from the existing PowerPC architecture<br />
to Intel in 2006 and 2007. Universal binaries are fat binaries that<br />
include both PowerPC and x86 versions of a compiled application, allowing<br />
the application to run on both architectures.<br />
Courtesy - en.wikipedia.org<br />
Update Code<br />
Refers to the code generated by the developer against the request code. It<br />
defines the actions that you want to apply on the hardware key.<br />
The update code is generated (a .upw file) under the Key Activator tab of
the Toolkit. See page 162 for more information on generating update codes.<br />
USB<br />
Short for Universal Serial Bus. A technology that features one “universal”<br />
plug type for all USB peripheral-to-PC connections. USB replaces all the different<br />
kinds of serial and parallel port connectors with one standardized<br />
plug and port.<br />
USB simplifies the connection of peripherals to computers by providing an<br />
instant, no-hassle way to connect USB peripherals. With USB-equipped PCs,<br />
peripherals are automatically configured and ready for use.<br />
<strong>Sentinel</strong> <strong>Keys</strong> are USB 2.0 compliant.<br />
User limit<br />
A soft limit that restricts the number of users allowed by the hard limit. Otherwise,<br />
the number of users allowed is equivalent to the hard limit.<br />
Write Password<br />
A hexadecimal value that allows writing a feature. It is applicable to all the<br />
features except AES, ECC, and Counter.<br />
You can provide a write password at the time of creating a feature, depending<br />
on the attributes you choose. For example, if you selected the Read-only<br />
attribute, the write password will be ignored.<br />
Working Folder<br />
A directory on your Windows system where the Toolkit writes the protection<br />
strategy-related files.<br />
On a supported Windows system, the default working folder is:<br />
\My Documents\<strong>Sentinel</strong> <strong>Keys</strong> .
Note: On a Windows Vista system, the default working folder is: \Documents\<strong>Sentinel</strong> <strong>Keys</strong> .<br />
.DIS<br />
A Distributor file that contains information related to licenses and features<br />
to be programmed in the end user token using the Key Programming API<br />
library and is bound to a Distributor Key using the File Encryption Key.<br />
.ISV<br />
The *.ISV file contains basic information about the licenses and features that<br />
a protection strategy consists of and that are to be programmed in the end user token<br />
using the Key Programming API library. Only a Developer, along with a<br />
Developer Key, can generate this file and then program it onto the end user<br />
token.<br />
.NLF<br />
A New License Addition file that is created for a new license addition in the<br />
end user token using the Secure Update library.<br />
*.OPR<br />
The *.OPR file contains basic information about the licenses and features that<br />
a protection strategy consists of and that are to be programmed in the end user token<br />
using the Key Programming API library. Only a Developer, along with a<br />
Developer Key, and in the presence of an end user token, can generate this<br />
file. This file is programmed onto the end user token at the fulfillment center.
Appendix C<br />
<strong>Sentinel</strong> <strong>Keys</strong> <strong>Hardware</strong><br />
Specifications<br />
This appendix contains details about the <strong>Sentinel</strong> Key hardware.<br />
<strong>Sentinel</strong> Key - S (Standard) <strong>Hardware</strong> Specifications<br />
EMC and Product Safety Compliance<br />
FCC Part 15, Subpart B, CLASS B<br />
CE EN55022: 1998, CLASS B<br />
EN55024: 1998, CLASS B<br />
VCCI CAN-CSA V3/2001.04 (VCCI)<br />
CISPR 22:1997, CLASS B<br />
UL 94V-0 Material Flammability<br />
Environmental Characteristics<br />
Operating Temperature 0 degree C to 70 degree C<br />
Storage Temperature -55 degree C to 70 degree C<br />
Humidity 5 - 95% RH (non-condensing)<br />
Shock /Vibration 20-50Hz:.19mm DISPL<br />
50-1000Hz: 0.5G ACCEL<br />
Dimensions<br />
Width 0.630"<br />
Height 0.315"<br />
Depth 2.192"<br />
Weight 0.24 ounces/6.9g (For S, SN, I, D, and DUAL)<br />
0.25 ounces/7.1g (For SX and SN XM)<br />
Electrical Characteristics<br />
Operating Voltage 4.0V - 5.5V<br />
Static Current 20mA max<br />
Operating Current 25mA max<br />
Suspend Current 1mA typ. 1.5mA max<br />
LED Circuit Power Consumption 69mW typ.<br />
Data Retention More than 200 years<br />
Memory Cycle Life 1,000,000 erase/write cycles<br />
External Oscillator Frequencies 12MHz<br />
Internal Oscillator Frequencies 8 MHz<br />
CPU Core Frequencies 48MHz (VDD>4.1V)<br />
8MHz (VDD
Appendix D<br />
Migration from SuperPro<br />
and UltraPro<br />
This appendix describes the suggested migration path for <strong>Sentinel</strong> SuperPro<br />
and UltraPro developers to the much-advanced <strong>Sentinel</strong> <strong>Hardware</strong> <strong>Keys</strong>. It<br />
is divided into two sequential stages, offering easy upgrades for you and your<br />
customers.<br />
Stage 1 - Distribute <strong>Sentinel</strong> Dual <strong>Hardware</strong> <strong>Keys</strong><br />
In Stage 1, you will be creating a customer-base for <strong>Sentinel</strong> <strong>Hardware</strong> <strong>Keys</strong><br />
by distributing <strong>Sentinel</strong> Dual <strong>Hardware</strong> <strong>Keys</strong> instead of SuperPro or UltraPro.<br />
These keys have support for your current protection scheme (SuperPro<br />
or UltraPro) and enable seamless migration to your future protection<br />
scheme (<strong>Sentinel</strong> <strong>Hardware</strong> <strong>Keys</strong>).<br />
All you need to do is:<br />
1. Order <strong>Sentinel</strong> Dual <strong>Hardware</strong> <strong>Keys</strong> (instead of <strong>Sentinel</strong> SuperPro or<br />
UltraPro <strong>Keys</strong>) through your <strong>Sentinel</strong> sales representative. You need<br />
to be aware of the following:<br />
<strong>Sentinel</strong> Dual <strong>Hardware</strong> <strong>Keys</strong> are available in USB form factor only<br />
<strong>Sentinel</strong> Dual <strong>Hardware</strong> <strong>Keys</strong> are available for stand-alone and<br />
network versions.<br />
<strong>Sentinel</strong> Dual <strong>Hardware</strong> <strong>Keys</strong> have 256 cells of memory for use by<br />
your SuperPro or UltraPro implementation so you will receive a<br />
new model number with your kit.<br />
2. Program <strong>Sentinel</strong> Dual <strong>Hardware</strong> <strong>Keys</strong> with the same protection<br />
strategy you prepared for SuperPro or UltraPro <strong>Keys</strong>.<br />
SuperPro developers can straightaway program <strong>Sentinel</strong> Dual <strong>Hardware</strong><br />
<strong>Keys</strong> with the protection strategy they prepared for SuperPro<br />
<strong>Keys</strong>. However, <strong>Sentinel</strong> UltraPro developers need to make a small<br />
modification (described below) before they program the design into<br />
Dual <strong>Keys</strong>. Note that in stage 1 you need not do any modifications in<br />
the application code or API implementation:<br />
In the Protection Manager screen, select the project from the<br />
drop-down list that has your design.<br />
Select the design in the Designs list and note down its design ID<br />
(shown in top-middle of the Protection Manager screen).<br />
Click the Duplicate button shown next to the Designs panel. The<br />
Duplicate Design dialog box appears.<br />
Modify the design name, as two designs with same name cannot<br />
co-exist in a project.<br />
Click OK.<br />
Select the duplicated design and right-click to open a short-cut<br />
menu.<br />
Select the option to view design properties. The Design<br />
Properties dialog box appears.<br />
Modify the design ID of the duplicated design to be the same as that of the<br />
existing design.<br />
Click OK.
Attach the <strong>Sentinel</strong> Dual <strong>Hardware</strong> Key to a USB port/hub on your<br />
system.<br />
Click the Build button to prototype the duplicated design.<br />
3. Distribute the latest <strong>Sentinel</strong> System Driver with your protected application<br />
to support <strong>Sentinel</strong> Dual <strong>Hardware</strong> <strong>Keys</strong>. You may allow the<br />
driver to be downloaded from your Website. A copy can be downloaded<br />
from the SafeNet Website (http://www.safenet-inc.com/support/tech/sentinel.asp).<br />
Stage 2 - Design New Protection Strategy<br />
In stage 2, you will be implementing a new protection strategy using the<br />
<strong>Sentinel</strong> <strong>Keys</strong> Toolkit. This can ideally be done for the upcoming releases of<br />
your software. You need to:<br />
1. Order the <strong>Sentinel</strong> <strong>Hardware</strong> <strong>Keys</strong> development kit through your <strong>Sentinel</strong><br />
sales representative.<br />
2. After installation, use the <strong>Sentinel</strong> <strong>Keys</strong> Toolkit to implement superior<br />
CodeCover and/or high-level Business Layer API protection, including<br />
AES-based encryption/decryption and ECC-based signing/verification.<br />
Note: You will NOT be able to import/re-use your legacy API or CodeCover SuperPro<br />
or UltraPro code base (prepared using <strong>Sentinel</strong> SuperPro or UltraPro<br />
kits) in the <strong>Sentinel</strong> <strong>Keys</strong> Toolkit. Since the <strong>Sentinel</strong> <strong>Hardware</strong> <strong>Keys</strong> use the<br />
latest security technologies, you will need to implement your new, highly<br />
secure protection strategy from scratch.<br />
Existing (Stage 1) <strong>Customer</strong>s Who Want to Upgrade - You can<br />
upgrade the existing customers to the latest version of your software<br />
remotely, without shipping new hardware keys. [1] The <strong>Sentinel</strong> Dual<br />
<strong>Hardware</strong> <strong>Keys</strong> can function as <strong>Sentinel</strong> <strong>Hardware</strong> <strong>Keys</strong> to support<br />
your latest software release. You will need to ship them:<br />
New application installer and any associated redistributables<br />
Upgrade license code (.upw file): After this license code is applied<br />
(using Secure Update utility or any other custom action), the Dual<br />
key will support <strong>Sentinel</strong> <strong>Hardware</strong> <strong>Keys</strong>-dependent applications.<br />
These license codes can be applied universally to the <strong>Sentinel</strong> Dual<br />
<strong>Hardware</strong> <strong>Keys</strong> distributed in stage 1.<br />
[1] The upgrade licenses can be generated using a higher version of <strong>Sentinel</strong> <strong>Keys</strong> Toolkit (to<br />
be released later in this year).<br />
New <strong>Customer</strong>s Who Do Not Have <strong>Sentinel</strong> Dual <strong>Hardware</strong><br />
<strong>Keys</strong> - You can program <strong>Sentinel</strong> <strong>Hardware</strong> <strong>Keys</strong> for customers who<br />
are buying your software for the first time. You will need to ship<br />
them:<br />
New application installer and any associated redistributables<br />
<strong>Sentinel</strong> <strong>Hardware</strong> Key<br />
Note: The license code can be configured to continue/discontinue the support of<br />
SuperPro or UltraPro-dependent applications that were using the same<br />
key. Hence, the protection for the older versions can remain, if desired. The<br />
<strong>Sentinel</strong> Dual <strong>Hardware</strong> Key can simultaneously support both the <strong>Sentinel</strong><br />
<strong>Keys</strong>-protected applications and SuperPro or UltraPro-protected applications.
Index<br />
Symbols<br />
.req 149<br />
.upw 149, 162<br />
.vxd 236<br />
.wps 206<br />
A<br />
access mode 65, 81, 257<br />
action 157, 257<br />
active, attribute 79<br />
add instances later 80,<br />
120<br />
AES 52, 257<br />
AES, feature<br />
about 52<br />
adding 114<br />
algorithm<br />
AES 257<br />
anti-debugging 56, 83<br />
anti-disassembling 57<br />
anti-dumping 57<br />
anti-reverse<br />
engineering 56<br />
API 257<br />
API Explorer<br />
about 34<br />
API protection 58–136<br />
API samples 134<br />
application protection<br />
API method 58<br />
CodeCover method 55<br />
planning 61–72<br />
ASCII 183, 258<br />
asymmetric key 258<br />
attributes, feature 264<br />
B<br />
Boolean, feature<br />
about 53<br />
adding 129<br />
building template 132<br />
Business Layer API 133<br />
C<br />
cheat counter 160, 170<br />
checklist,<br />
redistributables 223<br />
checksum code 180<br />
Code Morphing 56, 84,<br />
259<br />
code sketch 134, 259<br />
CodeCover SDK<br />
module 56, 84, 171<br />
CodeCover, feature<br />
about 55<br />
adding files 76<br />
customizing CodeCover<br />
error message<br />
title 86<br />
customizing<br />
messages 85<br />
file encryption 87<br />
files supported 100<br />
licensing settings 79<br />
networking settings 80<br />
Protect button 89<br />
security settings 83<br />
command 157, 260<br />
Command-Line CodeCover<br />
Utility 9, 35, 91<br />
options 94<br />
pre-requisites 91<br />
using 92<br />
configuration file<br />
client-side 44, 66,<br />
81–82, 227, 254<br />
server-side 44, 254<br />
conventions, manual xiv<br />
Counter, feature<br />
about 53<br />
adding 121<br />
Custom CodeCover Key 95<br />
customer<br />
redistributables 223<br />
who is? 260<br />
D<br />
data file encryption 84<br />
Data Protection Driver 235<br />
decrypting 261<br />
default instance 119, 198<br />
developer 21, 261<br />
who is? 261<br />
developer ID 261<br />
developer key 21, 45, 261<br />
password-protected 22,<br />
94, 217<br />
device date 160<br />
digital signature 177, 261<br />
disabled algorithms 182<br />
distributor<br />
distributor key 204, 262<br />
redistributables 223<br />
distributor key 45<br />
E<br />
ECC 52, 177, 261–262<br />
ECC, feature<br />
about 52<br />
adding 117<br />
encrypting 262<br />
execution count 262<br />
expiration date 263<br />
expiration time 263<br />
export considerations xviii<br />
exporting license group<br />
file 195<br />
F<br />
feature attributes 264<br />
feature ID 134, 264<br />
feature instance 264<br />
features 60, 264<br />
FEK 264<br />
firmware 264<br />
G<br />
group 53<br />
group layout 63<br />
group<br />
management 187–201<br />
group, license 60, 265<br />
groups 187<br />
H<br />
hard limit 63, 265<br />
hardware keys<br />
ordering 45<br />
header file 265<br />
heartbeat 265<br />
Help<br />
System Administrator’s<br />
Help 239<br />
hexadecimal 183, 265<br />
hiding import symbols 84<br />
I<br />
in-line functions 178<br />
instance, feature 264<br />
Integer, feature<br />
about 52<br />
adding 127<br />
K<br />
key exchange 266<br />
Key Programming<br />
APIs 36, 208<br />
implementing 211<br />
steps for using 208<br />
Key Status panel 34<br />
key, secret 266, 270<br />
L<br />
lease, attribute 79<br />
license 266<br />
license addition code 150,<br />
267<br />
License Designer<br />
about 33<br />
license ID 267<br />
License Manager<br />
about 34<br />
Export-File Manager<br />
wizard 209<br />
stand-alone<br />
application 39, 237<br />
license sharing 64, 81,<br />
267<br />
license template 53, 132,<br />
267<br />
limit executions,<br />
attribute 79<br />
M<br />
MAC address 268<br />
metering count, distributor<br />
key<br />
programming 205<br />
updating 161, 206<br />
migration 279<br />
missing <strong>Sentinel</strong> <strong>Keys</strong> 180<br />
models<br />
<strong>Sentinel</strong> Key 25<br />
multi-layering 55, 83, 244<br />
multi-threading 179<br />
N<br />
network applications 268<br />
network keys 24, 268<br />
O<br />
obfuscated code 56, 259<br />
One-Click License<br />
Update 154, 268
P<br />
personal folder 269<br />
piracy attacks 168<br />
private key 269<br />
programming<br />
distributor keys 204<br />
<strong>Sentinel</strong> <strong>Keys</strong> 203<br />
public key 269<br />
public key<br />
cryptography 269<br />
Q<br />
query-response<br />
protection 172,<br />
269–270<br />
Quick CodeCover<br />
about 33<br />
R<br />
Raw Data, feature<br />
about 52<br />
adding 124<br />
read-only, attribute 125,<br />
128<br />
redistributables 223<br />
regulations, export xviii<br />
remote updates,<br />
planning 137–164<br />
request code 149, 270<br />
S<br />
SafeNet Knowledge<br />
Base 243<br />
secret key 266, 270<br />
Secure Update Utility 153,<br />
156, 228<br />
Secure Update<br />
Wizard 156, 164, 230,<br />
272<br />
security for .NET<br />
applications 57, 85<br />
<strong>Sentinel</strong> Dual <strong>Hardware</strong><br />
<strong>Keys</strong> 28, 279<br />
<strong>Sentinel</strong> Extended Memory<br />
<strong>Hardware</strong> Key 27, 218<br />
<strong>Sentinel</strong> Key<br />
about 24, 271<br />
hardware specs 277,<br />
279<br />
models 25<br />
ordering 45<br />
programming 203<br />
protection 16<br />
redistributing 223<br />
<strong>Sentinel</strong> <strong>Keys</strong> Protection<br />
Installer 225<br />
<strong>Sentinel</strong> <strong>Keys</strong> SDK<br />
components 19<br />
<strong>Sentinel</strong> <strong>Keys</strong> Server 28,<br />
227<br />
<strong>Sentinel</strong> Protection<br />
Installer 43, 225–226<br />
serial number 272<br />
SFNTGetLicense 182<br />
sntlconfig 44, 66, 82<br />
sntlconfigsrvr 40, 44, 272<br />
problem 3, 168<br />
solution 4, 6<br />
SP_SERVER_MODE 65<br />
SP_STANDALONE_MODE<br />
65<br />
stand-alone<br />
applications 273<br />
stand-alone keys 24, 273<br />
String, feature<br />
about 52<br />
adding 122<br />
symmetric key 273<br />
T<br />
template, license 53, 60,<br />
132, 267<br />
terminal client 57, 68, 81<br />
time tampering 169, 243<br />
tips and tricks 167–183<br />
Toolkit<br />
about 33<br />
screens 33<br />
U<br />
update code 149, 162,<br />
274<br />
Update Manager<br />
about 34<br />
UpdateWizard API 231<br />
USB 274<br />
USB daemon 32<br />
user limit 63, 275<br />
V<br />
verifying data 177<br />
W<br />
working folder 275<br />
write password 275<br />
write-once 125, 128<br />
write-random 125, 129<br />