What is a Crypto-Box?
Crypto-box® is the name of a product produced by Marx Software Security, plus the associated security system. The product is a USB stick that contains the encryption and decryption keys that allow protected software to be used. The system requires the key to physically be in place for the software to operate. The Crypto-box name was previously used for an open source project along the same lines.
The principle of Crypto-box® is a combination of encryption built into software and decryption via a physical USB stick. In effect, the USB stick acts as a key that is needed to unlock the software. Software developers can encrypt their application and supply the USB stick to customers.
The main advantage of Crypto-box® is that it is extremely difficult, if not impossible, to run illegal copies of the software it protects. The design of the USB stick means that the stick itself cannot be copied. This means that even if somebody copies the software, it will effectively be useless to them.
Another advantage of the system is that it is easier to control licensing. Many software applications are sold with a license to use on one machine at any time, but can be legitimately copied onto multiple machines, such as a home desktop PC and a notebook. With Crypto-box, the need to have the USB stick in the machine makes it physically impossible to run the software on two machines simultaneously. Where software is licensed for use across a company, the system can be customized so that a single USB stick can allow the software to work across a corporate network.
The Crypto-box® system uses the Advanced Encryption Standard (AES). This is an extremely secure encryption system that is not only the standard system for US federal government agencies, but is also the first publicly available system approved for use with classified documents. AES supports three key lengths: 128, 192, and 256 bits. Each additional bit makes the encryption twice as hard to bypass through sheer guesswork.
The name Crypto-box was once used for an open source project designed to allow either an external hard drive or a second PC to store the data used on a primary PC. The software from the project acts as a barrier between the two devices and allows an extra layer of protection and encryption to prevent unauthorized access. This project was renamed CryptoNAS in 2007 because of trademark issues.
@MrMoody - I think the Crypto-box is useful for its encryption standard alone. Judging from the article, it uses a very high encryption standard. I don’t think any hacker could break it. I don’t know what the standards are for the soft keys, but I think that degree of encryption plus the fact that it’s a physical device make it a perfect solution.
@allenJo - The main reason, I believe, is that these devices have to be shipped to the end user, whereas the software itself can be downloaded easily off the Internet.
That’s a double-edged sword actually. On the one hand, you want to be able to make software accessible over the Internet, so that potentially millions of people can download it. On the other hand, they can’t use it without the hardware key, which can’t be downloaded over the Internet.
So what do you do? You bypass the hardware key and go with the soft key approach. It’s a necessary evil for most software developers unfortunately.
@everetra - I think it’s a great concept. Frankly, I don’t know why every single software manufacturer on the market doesn’t use dongles.
It’s impossible to emulate USB dongle keys, whereas it’s very easy to create duplicate soft licenses. There are actually key generators on the Internet that will let you create soft licenses for software products.
It’s the reason that software piracy is so rampant and it costs billions of dollars a year. So I ask the obvious question – why doesn’t everyone use dongles?
I have to say, I have never heard the term “Crypto-box” before. However, I am very familiar with the concept, as I work in the software industry.
It’s a USB key for software, and the generic term for it is “dongle.” It’s a funny name, I know, but that’s what it’s called. It’s a foolproof method for securing your software.
Anyone who uses your product must have the dongle, otherwise the software won’t work. We use dongles for our main product line, and if customers want additional licenses for the product, they have to order more keys.
We charge a unit cost for each of these keys and make a little extra gravy money on the side that way too – although the keys themselves don’t cost that much. We buy them from a supplier of dongle keys.