Protecting Against Cloning

This section describes how Sentinel LDK protects your application against attempts to clone the physical or virtual machine on which the protected application is installed.

About Clone Protection

One of the methods sometimes employed to enable the unauthorized use of licensed software is machine cloning. Machine cloning involves creating an image of one machine (including your software and its legitimate license) and copying this image to one or more other machines. If there is no way to detect that the new image is running on different hardware than that on which it was originally installed, multiple instances of the software are available even though only a single license was purchased.

Sentinel LDK can detect probable machine cloning and disable protected software that is locked to Sentinel SL keys. Clone detection is effective whether the protected software is installed on a physical machine or on a virtual machine.

NOTE   Cloning is only an issue for Sentinel SL keys. When software is locked to a Sentinel HL key, the physical key must be present in order for the software to run. Even if a machine image, including your software, is cloned, the software cannot run without the Sentinel HL key to which the software license is locked.

Protection against cloning is applied automatically when a protected application is locked to a Sentinel SL key.

For each Feature, you specify whether you want to allow the Feature to be accessible on virtual machines at the time you add the Feature to the Product or when preparing the order for the Product. By default, each Feature is accessible on virtual machines.

The clone protection functionality is tuned to minimize the occurrence of potential false positives (detection of a clone when no cloning exists), and reduce unnecessary calls to your technical support. As a result, it is possible that the clone protection functionality may not detect a cloned machine in every case. However, the possibility of this occurrence is low, especially when physical machines are cloned.

NOTE   It is assumed that a customer’s IT department follows best practices to avoid the collisions that would result from cloned machines that have identical UUIDs, MAC addresses or hostnames. When software is locked to a Sentinel SL key, the clone protection provided by many of the virtual machine clone protection schemes is based on this premise.

If you are concerned that your customers may be willing to accept collisions in order to attempt to bypass clone protection, consider one of the other Sentinel LDK solutions that provide a different tradeoff of security and convenience and are not affected by such deployment. A remote license (SL AdminMode or Sentinel HL) will provide the higher level of security that you require.

When the Sentinel LDK Run-time Environment detects cloning, it disables the licenses for which clone protection was specified. The end user is unable to log in to the software for which cloned licenses have been detected. The end user must activate the software before it can be used. Other licenses for which clone protection was not specified are not affected and the user may continue to log in and use the applications.

Detection of cloned licenses is recorded in the Sentinel License Manager and displayed in the Sentinel Admin Control Center. For additional information, see the Admin Control Center help system.

For licenses locked to Sentinel SL keys, you enable and manage clone detection at the following points in the Product life cycle:

>During software protection:

During protection of your software, use the Sentinel Licensing API to define how your application should behave when machine cloning is detected. For example, the application might display a message telling the end user that the software is disabled due to clone detection and that they should contact your customer services team.

NOTE   If you use only Sentinel LDK Envelope for applying protection (that is, without incorporating any additional software engineering), software that is disabled due to detection of cloning will return the following message to the end user: Unknown error. H64

>During Product definition:

When defining Products in Sentinel LDK-EMS:

For each Feature, decide whether the Feature should be accessible on virtual machines (this can also be decided during order entry). By default, accessibility on virtual machines is enabled.

>During Product activation:

When Sentinel LDK-EMS detects cloning via the C2V file, it disables the protected application on the end user's machine.

To enable the protected application on the end user's machine, the end user must send a new fingerprint for the machine. This fingerprint can be generated with the RUS utility, or with the GetInfo function in the Sentinel Licensing API. Use the fingerprint to generate a new entitlement for the end user.

When you attempt to check in a C2V file, Sentinel LDK-EMS blocks the action if it detects that the C2V file is from a cloned machine. Similarly, you cannot use a C2V file from a cloned machine to create a license update.

If required, you can click View Details in the Check in Key screen to view details of the C2V file.

Simplified Clone Protection

A clone protection scheme defines which factors are considered by the Sentinel License Manager in order to determine whether a given Sentinel SL key has been cloned. You select the clone protection scheme when you define the Product.

Sentinel LDK offers several different clone protection schemes to protect applications that execute on physical machines and on virtual machines. The schemes are designed to accommodate a variety of circumstances. For example, schemes are available for applications that run on PCs, on Android machines, or on Microsoft Azure virtualization platforms. New schemes are added periodically as environments are added and evolve.

Keeping up with the latest developments in clone protection schemes can be a burden for most vendors. In addition, newer schemes may require that you install more recent versions of the Sentinel LDK Run-time Environment (for SL AdminMode licenses) or API libraries (for SL UserMode licenses) on the end users' machines.

Sentinel LDK provides a mechanism to simplify the process of implementing the most appropriate clone protection scheme for each situation. When you define a Product in Sentinel LDK-EMS, you can specify a clone protection scheme called Platform Default instead of choosing a specific scheme. When the Product license is installed on the end user's machine, Sentinel LDK automatically selects the most appropriate clone protection scheme for the type of operating system and the environment in which the license will be installed. (A similar mechanism is available when using Sentinel LDK License Generation API.)

For advanced users, more information on the Platform Default scheme and other clone protection schemes is available at How Sentinel LDK Detects Machine Cloning.