Cloud Software Security

What is the cloud?

The cloud is an abstract, virtual environment that takes the place of the user's PC for storing software and data. Cloud computing can be understood as comprising the following layers of service:

  • Software as a Service (SaaS): a model in which software is delivered over the Internet. Instead of purchasing software, users rent web-based software from the provider to run their business activities. The developer (ISV) controls and manages the cloud server, and end users connect to it to use the applications hosted there.
  • Platform as a Service (PaaS): the software development platform itself is provided as a service, delivered in the SaaS model. The service provider manages and controls the cloud server, but in contrast to SaaS, users can define the business logic of the programs running on that server themselves.
  • Infrastructure as a Service (IaaS): users rent equipment (virtual machines) on which they run and manage their own programs.

What this means for access rights and data protection

User authentication

In most cases, SaaS and PaaS licensing is per user: the system counts the users currently logged in to, or created on, the server, and the ISV is responsible for that server. CodeMeter® serves both sides, the ISV and the user. CodeMeter® combines dongle and token in one solution: it stores access rights in the form of license units and also holds the private key used for authentication, replacing the traditional username/password. Unlike a password, the public key does not have to be kept secret; it only has to be protected against malicious tampering.

CodeMeter® models (flexible for the developer):

  • Portable: login rights and keys are kept on a separate, secure hardware dongle, e.g. a CmDongle (USB).
  • PC-bound, using CmActLicense: login rights and keys are kept on the computer the license is bound to.

For the developer, this solves the security problem of rights management: passwords can no longer be shared. For the end user, data is effectively protected: passwords can no longer be cracked.

Data encryption

If you choose a SaaS- or PaaS-based solution, its data security must be considered first. If, as in the incident at Sony in July 2011, hackers can easily reach user data through an exploitable SQL injection, only a user with no security awareness would store data in the cloud.

Of course, you can also write scripts to block SQL injection. That, however, presupposes that you know in advance when the hacker will strike. The better approach is clearly data encryption: the data is encrypted on the client, transmitted, and stored in the cloud. Only a client with the matching license, i.e. the matching key, can decrypt the data. The key is not kept in the software in the cloud but on the user's PC.

If you want to implement SaaS or PaaS for your customers, the WIBU technical support team is at your service.

Protecting the PaaS logic layer

For a company, protecting the logic layer in the cloud is just as important as data security. The CodeMeter® solution ensures secure access and prevents malicious tampering with the source code.

As an independent software vendor for PaaS, you can rely on our assistance and on a solution tailored to your needs.

Operation by a third party

If you plan to hand the operation of your SaaS or PaaS solution to a partner, you need to consider two questions:

  • How do you protect your intellectual property against reverse engineering?
  • How do you manage the software's licenses?

CodeMeter® answers both questions. Your partner receives the required number of licenses in the form of a CmDongle hardware dongle or a CmActLicense. Encrypting the data or the executable code effectively protects the software against reverse engineering; without the matching license, the software cannot run.

The licenses (dongle or license file) reside on a designated license server, which assigns a floating license to each running instance of the application. Depending on your requirements, you can also set up cold/hot standby licenses or a "2 out of 3" server solution.

Protecting IaaS solutions

One of the tasks of an independent software vendor (ISV) is to protect its IaaS solution. The cloud is not a single server, which means that a CmActLicense cannot be bound to the cloud server, nor can a CmDongle hardware dongle be plugged into it.

CodeMeter® offers a software protection and license management solution for this case. It consists of two parts:

  • A special edition of the CodeMeterAct license (CodeMeter® NoneBind) protects your software against reverse engineering; the software can be run at any time.
  • The data that needs to be authenticated is compiled into your software; accordingly, your application only accepts signed data.

Users can then upload the IaaS version of the software to the cloud as required. Only a user with the matching license can sign the data and execute it; without signed data, your software cannot run.

For data signing, CodeMeter® offers different license management models:

Single-user license: whether with a CmDongle hardware dongle connected to the local PC or a CmActLicense bound to it, the data is signed on the local PC before it is uploaded to the cloud.

Network license: the CmDongle hardware dongle or CmActLicense resides on a license server in the network.

Time-limited license: CodeMeter® gives you three options: a fixed expiry date, a fixed period, or actual usage time. Every CmDongle hardware dongle and every CmActLicense contains an internal clock to prevent time manipulation.

Pay-per-use license: the license management solution from Wibu-Systems is particularly well suited to IaaS solutions. Each time data is signed or uploaded to the cloud, the number of licenses purchased by the user is decremented by one on a counter. You define which operations decrement the counter and when, e.g. on specific operations or on a specific volume of data. Licenses can be ordered online through CodeMeter License Central. For more information, see CodeMeter License Central.

Modular software protection: each feature has its own key, used for signing and for authentication when the software runs. This means that individual features can be activated and licensed separately. Licenses can be activated over the network at any time and from anywhere.
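The signed-data gate and the pay-per-use counter described above, as an added Go illustration that is not CodeMeter code: the local license holding an Ed25519 signing key plus a unit counter, and the cloud instance holding only the public key, are assumptions standing in for the CmDongle/CmActLicense and the compiled-in verification data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// LocalLicense models the license on the user's PC (CmDongle or CmActLicense):
// it holds the signing key and the pay-per-use counter. Hypothetical model,
// not the CodeMeter API.
type LocalLicense struct {
	priv  ed25519.PrivateKey
	units int // remaining units on the usage counter
}

var ErrNoUnits = errors.New("license counter exhausted")

// SignForUpload signs a data blob before upload and consumes one unit,
// so every signed upload is a billable event.
func (l *LocalLicense) SignForUpload(data []byte) ([]byte, error) {
	if l.units <= 0 {
		return nil, ErrNoUnits
	}
	l.units--
	return ed25519.Sign(l.priv, data), nil
}

// CloudApp models the IaaS instance: only the public key is compiled in,
// so a copy of the software in the cloud can verify but never sign.
type CloudApp struct{ pub ed25519.PublicKey }

// Process runs the job only if the signature over the data verifies.
func (c CloudApp) Process(data, sig []byte) (bool, error) {
	if !ed25519.Verify(c.pub, data, sig) {
		return false, errors.New("unsigned or tampered data rejected")
	}
	return true, nil
}

// NewPair creates a fresh key pair: private half in the license, public half in the app.
func NewPair(units int) (*LocalLicense, CloudApp) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &LocalLicense{priv: priv, units: units}, CloudApp{pub: pub}
}
```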

Cloud Licenses for Local Applications

In this scenario, your software is a classic desktop application, which you sell to your users either on a traditional CD or as a download. Your user receives not only the software itself, but also an activation code in the form of a ticket that you create with CodeMeter License Central. When creating that ticket, you can determine how many devices the software can operate on at the same time and for how long it can be used without a permanent connection to the Internet.

Your user installs the software on a PC. When it is started for the first time, he or she is asked to enter the ticket. The software contacts CodeMeter License Central and sends the ticket and a fingerprint of the computer (in the form of a WibuCmRaC file) up to the cloud. CodeMeter License Central checks whether the ticket is valid and, if it is, creates a temporary license for an offline cache. The license is returned to the user (by WibuCmRaU file) and imported locally into the CodeMeter Runtime. The ticket is also stored locally, e.g. in the license. Your software then launches and works perfectly without any need for a permanent Internet connection.

Shortly before the temporary license expires in the offline cache, the application phones home to CodeMeter License Central and renews the license.

Should the user install the software on another device, he or she would enter the ticket again. Depending on your choices and settings, your software could react to this in three ways:

  1. The license is moved into a local cache as a temporary offline license, and the software is launched.
  2. The user selects the “old” license, which is automatically flagged as “deactivated” in CodeMeter License Central. A temporary offline license is then created, and the software starts.
  3. The user is notified that the number of licenses has been exceeded and that he or she would either have to deactivate the old license manually or wait for the temporary license to end its set duration.

The second option has proven itself as the best practice: It is flexible enough for the user who can continue to work with the software even after reaching the maximum number of devices, and transparent enough for you as the developer to uncover fraudulent use and take the necessary countermeasures.
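A small model of the ticket and offline-cache flow above, added here as an illustration and not CodeMeter License Central itself; the ticket fields, the fingerprint strings standing in for WibuCmRaC files and the in-memory store are assumptions. It implements the device limit that leads to option 3 and the deactivation of an old license from option 2, and counts only unexpired temporary licenses against the limit.

```go
package main

import (
	"errors"
	"time"
)

type Ticket struct {
	MaxDevices int           // devices allowed to run the software at the same time
	Offline    time.Duration // validity of the cached license without contact
}

type devKey struct{ ticket, fp string } // fp stands in for the WibuCmRaC fingerprint
// LicenseCentral models the cloud service that issues temporary offline licenses.
type LicenseCentral struct {
	tickets map[string]Ticket
	active  map[devKey]time.Time // expiry of each device's temporary license
}

var ErrExceeded = errors.New("number of licenses exceeded")

func NewLicenseCentral(tickets map[string]Ticket) *LicenseCentral {
	return &LicenseCentral{tickets: tickets, active: map[devKey]time.Time{}}
}

// Activate returns the expiry of the temporary offline license (the WibuCmRaU): a known device
// is renewed, a new one is admitted only while fewer than MaxDevices unexpired licenses exist.
func (lc *LicenseCentral) Activate(id, fp string, now time.Time) (time.Time, error) {
	t, ok := lc.tickets[id]
	if !ok {
		return time.Time{}, errors.New("invalid ticket")
	}
	if _, known := lc.active[devKey{id, fp}]; !known {
		live := 0
		for k, exp := range lc.active {
			if k.ticket == id && exp.After(now) {
				live++
			}
		}
		if live >= t.MaxDevices {
			return time.Time{}, ErrExceeded // option 3: deactivate manually or wait
		}
	}
	exp := now.Add(t.Offline)
	lc.active[devKey{id, fp}] = exp
	return exp, nil
}

// Deactivate is option 2: the old device's license is flagged as deactivated (removed here).
func (lc *LicenseCentral) Deactivate(id, fp string) { delete(lc.active, devKey{id, fp}) }
```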

Cloud Licenses for SaaS Applications

You can offer your users a SaaS application with unrestricted or temporary licenses for different features. CodeMeter Cloud Lite offers you a simple and lean way of reconciling the online and offline worlds, especially when you are already using CodeMeter for on-premise software and have integrated the license creation processes with your SAP, Salesforce, or any other ERP, CRM or e-commerce system.

The licenses for SaaS applications are created in the same manner that is used for on-premise licenses; they only differ in the binding scheme, using CodeMeter Cloud Lite in the place of CodeMeter SmartBind or CmDongles. A license is created and assigned to a user in a process that does not differ from the activation of a local license – you can even combine both forms. You can integrate your user admin processes with Single-Sign-On solutions like OAuth2 or SAML.

CodeMeter Cloud Lite comes with a simple API for checking active licenses: the SaaS application uses it to verify the licenses available to a user and to determine which functions are available and for how long.

Authentication for SaaS Applications

On top of its comprehensive licensing and powerful software protection capabilities, CodeMeter has a third strength: the private keys used for authentication can be stored securely on a CmDongle or in a computer-bound CmActLicense. This makes CodeMeter the right choice for user authentication in SaaS scenarios.

The solution can be integrated via the CodeMeter API, specifically when you supply your users with a dedicated local application that works in tandem with a SaaS application in the cloud. The SaaS software creates a challenge that the local application responds to by signing it with the private key kept in the local license. Up in the cloud, the SaaS application uses the public key to verify the identity of the user, with the users’ identities managed and recorded in the cloud according to your specific needs.
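The challenge/response exchange described above, as an added Go example that is not the CodeMeter API: the private key is assumed to be available to the local application, the SaaS side stores only public keys, and every challenge is consumed after one verification attempt so that a captured response cannot be replayed or presented by another user.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// SaaS models the cloud side: public keys per user plus issued, unused challenges.
type SaaS struct {
	users      map[string]ed25519.PublicKey
	challenges map[string]string // challenge -> user it was issued to
}

func NewSaaS() *SaaS {
	return &SaaS{users: map[string]ed25519.PublicKey{}, challenges: map[string]string{}}
}
func (s *SaaS) Register(user string, pub ed25519.PublicKey) { s.users[user] = pub }

// Challenge issues a fresh 256-bit random nonce bound to the requesting user.
func (s *SaaS) Challenge(user string) (string, error) {
	if _, ok := s.users[user]; !ok {
		return "", errors.New("unknown user")
	}
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	c := hex.EncodeToString(buf)
	s.challenges[c] = user
	return c, nil
}

// Verify checks the response and consumes the challenge: no replay, no reuse by another user.
func (s *SaaS) Verify(user, challenge string, sig []byte) error {
	if owner, ok := s.challenges[challenge]; !ok || owner != user {
		return errors.New("challenge unknown, already used, or issued to another user")
	}
	delete(s.challenges, challenge) // single use, even when the signature turns out bad
	if !ed25519.Verify(s.users[user], []byte(challenge), sig) {
		return errors.New("signature does not verify against the user's public key")
	}
	return nil
}

// Respond is the local application: sign the challenge with the private key from the local license.
func Respond(priv ed25519.PrivateKey, challenge string) []byte {
	return ed25519.Sign(priv, []byte(challenge))
}
```

A deployed version would additionally give each challenge an expiry and bind it to the session; the single-use table here shows only the replay check.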

For browser applications, client certificates have established themselves as the standard solution. A middleware is used to transfer standard X.509 certificates to a CmDongle. Two standardized interfaces (PKCS#11 and Microsoft CSP) are available for applications like Internet Explorer, Firefox, Chrome, Safari, Outlook, or VPN clients to use these certificates. Some applications might only need a valid certificate to allow access to the SaaS application. Others can extract more granular data like user names, organizations, or other attributes to identify named users or user groups. If you wish to control access to your SaaS application with this level of certainty, you need to create, manage, and always keep track of the necessary client certificates, which need to be known to the SaaS application. Vice versa, the certificate with which the SaaS application identifies itself to the user should be a server certificate created by a trusted certification authority (e.g. VeriSign or GlobalSign).

Standard Applications in Private Clouds

A private cloud would typically be a farm of virtual machines operated in a company’s own data center or at a specialized provider on other hardware known neither to you nor to the user. It might not even have USB interfaces to connect to. Again, CodeMeter has the capabilities needed to handle this scenario and protect your rights as the developer of the software. You have several options at your disposal:

  1. USB over Ethernet (e.g. with an SEH Dongle Server): Your user is given a license in the form of a CmDongle. Common USB-over-Ethernet products can then be used to connect that CmDongle to the virtual machine in question – many data centers have this technology as standard practice. You do not have to make any changes to your software or to your established distribution methods.
  2. Network Server: Your user operates a network server in the data center. CodeMeter offers a special lean CodeMeter Runtime for such servers, designed to operate even on a Raspberry Pi. The CmDongle is hooked up by USB to that server. Your software only has to support the CodeMeter networking protocol (CmLAN), which implies only a minor change in the configurations for your software. You still deliver your software in the standard manner.
  3. Server in the Cloud: A CmWAN server can be operated by you directly or by your users. The licenses can then be kept in the LAN, WLAN, or the cloud, using CmDongles or CmActLicenses on the CmWAN server. As with the network server, your software needs to support the right protocols, and the distribution processes still remain unchanged.
  4. SmartBind with VM Move: You create a SmartBind license with a “loose” level of tolerance. This makes sure that the license remains intact when the virtual machine it is kept on is relocated in the cloud. It would be invalidated when the virtual machine is copied. Alternatively, you could define the machine SID as the binding property. You do not need to change anything in how you integrate the system in your application; all you need to do is create special licenses for the users who will run your software in their private clouds.
  5. Licensing with CodeMeter Cloud Lite: You can leave the licensing of your software to CodeMeter Cloud Lite. Your application would be given a Protection Only license to prevent reverse engineering and regularly check the Wibu cloud to see whether the license is still valid or whether it is being used elsewhere. This type of licensing requires some changes to your software and a permanent Internet connection between the user’s private cloud and the Wibu cloud. The creation of the license itself is not made more difficult: all it needs is the addition of CodeMeter Cloud Lite as another binding property.