Protecting Against Cloning

This section describes how Sentinel LDK protects your application against attempts to clone the physical or virtual machine on which the application is installed.

About Clone Protection

One of the methods sometimes employed to enable the unauthorized use of licensed software is machine cloning. Machine cloning involves creating an image of one machine (including your software and its legitimate license) and copying this image to one or more other machines. If there is no way to detect that the new image is running on different hardware than that on which it was originally installed, multiple instances of the software are available even though only a single license was purchased.

Sentinel LDK can detect probable machine cloning and disable protected software that is locked to Sentinel SL keys. Clone detection is effective whether the protected software is installed on a physical machine or on a virtual machine.

NOTE   Cloning is only an issue for Sentinel SL keys. When software is locked to a Sentinel HL key, the physical key must be present in order for the software to run. Even if a machine image, including your software, is cloned, the software cannot run without the Sentinel HL key to which the software license is locked.

Protection against cloning is applied automatically when a protected application is locked to a Sentinel SL key.

For each Feature, you specify whether the Feature is accessible on virtual machines, either when you add the Feature to the Product or when you prepare the order for the Product. By default, each Feature is accessible on virtual machines.

The clone protection functionality is tuned to minimize the occurrence of potential false positives (detection of a clone when no cloning exists), and reduce unnecessary calls to your technical support. As a result, it is possible that the clone protection functionality may not detect a cloned machine in every case. However, the possibility of this occurrence is low, especially when physical machines are cloned.

NOTE   It is assumed that a customer’s IT department follows best practices to avoid the collisions that would result from cloned machines that have identical UUIDs, MAC addresses or hostnames. When software is locked to a Sentinel SL key, the clone protection provided by many of the virtual machine clone protection schemes is based on this premise.

If you are concerned that your customers may be willing to accept collisions in order to attempt to bypass clone protection, consider one of the other Sentinel LDK solutions that provides a different tradeoff of security and convenience and is not affected by such deployment. A remote license (SL AdminMode or Sentinel HL) will provide the higher level of security that you require.
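
The NOTE above rests on the IT department keeping UUIDs, MAC addresses and hostnames unique. The following Python script is an added example, not part of Sentinel LDK and not how Sentinel LDK detects clones: it audits an inventory export for such collisions and groups the machines that share any identifier. The record layout, the asset tags and the handling of placeholder UUIDs are assumptions.

```python
from collections import defaultdict

# Placeholder SMBIOS UUIDs carry no identity; treating them as unset is an assumption.
PLACEHOLDER_UUIDS = {"0" * 32, "f" * 32}

# Constructed sample inventory: every asset tag, hostname, UUID and MAC is invented.
INVENTORY = [
    {"asset": "A-001", "hostname": "build01", "uuid": "4C4C4544-0042-3510-8052-B4C04F4D5331", "macs": ["02:00:5E:00:00:01"]},
    {"asset": "A-002", "hostname": "BUILD01", "uuid": "4c4c4544-0042-3510-8052-b4c04f4d5331", "macs": ["02-00-5e-00-00-01"]},
    {"asset": "A-003", "hostname": "lab07", "uuid": "00000000-0000-0000-0000-000000000000", "macs": ["02:00:5E:00:00:02"]},
    {"asset": "A-004", "hostname": "lab08", "uuid": "00000000-0000-0000-0000-000000000000", "macs": ["02:00:5E:00:00:03"]},
    {"asset": "A-005", "hostname": "render02", "uuid": "9f1d2c3b-4a5e-4f60-8a7b-0c1d2e3f4a5b", "macs": ["02:00:5E:00:00:03"]},
]

def identifiers(rec):
    """Yield normalized (kind, value) pairs for one inventory record."""
    yield "hostname", rec["hostname"].strip().lower()
    uuid = rec["uuid"].replace("-", "").lower()
    if uuid not in PLACEHOLDER_UUIDS:  # a shared placeholder is not evidence of cloning
        yield "uuid", uuid
    for mac in rec["macs"]:
        yield "mac", mac.replace("-", "").replace(":", "").lower()

def find_collisions(inventory):
    """Map each identifier seen on more than one asset to those assets."""
    seen = defaultdict(set)
    for rec in inventory:
        for ident in identifiers(rec):
            seen[ident].add(rec["asset"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

def clone_suspects(inventory):
    """Cluster assets that share any identifier (union-find over collisions)."""
    parent = {rec["asset"]: rec["asset"] for rec in inventory}

    def find(a):
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for assets in find_collisions(inventory).values():
        for other in assets[1:]:
            parent[find(other)] = find(assets[0])
    clusters = defaultdict(list)
    for asset in parent:
        clusters[find(asset)].append(asset)
    return sorted(sorted(c) for c in clusters.values() if len(c) > 1)
```

On the sample data, `clone_suspects(INVENTORY)` groups A-001 with A-002 (same hostname, UUID and MAC after normalization) and A-004 with A-005 (same MAC only), while the two machines that merely share an all-zero UUID are not grouped on that basis.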

When the Sentinel LDK Run-time Environment detects cloning, it disables the licenses for which clone protection was specified. The end user is unable to log in to the software for which cloned licenses have been detected. The end user must activate the software before it can be used. Other licenses for which clone protection was not specified are not affected and the user may continue to log in and use the applications.

Detection of cloned licenses is recorded in the Sentinel License Manager and displayed in the Sentinel Admin Control Center. For additional information, see the Sentinel Admin Control Center help.

For licenses locked to Sentinel SL keys, you enable and manage clone detection at the following points in the Product life cycle:

>During software protection:

During protection of your software, use the Sentinel Licensing API to define how your application should behave when machine cloning is detected. For example, the application might display a message telling the end user that the software is disabled due to clone detection and that they should contact your customer services team.

NOTE   If you use only Sentinel LDK Envelope to apply protection (that is, without incorporating any additional software engineering), software that is disabled due to detection of cloning will return the following message to the end user: Unknown error. H64

>During Product definition:

When defining Products in Sentinel EMS:

For each Feature, decide whether the Feature should be accessible on virtual machines (this can also be decided during order entry). By default, accessibility on virtual machines is enabled.

>During Product activation:

When Sentinel EMS detects cloning via the C2V file, it disables the protected application on the end user's machine.

To enable the protected application on the end user's machine, the end user must send a new fingerprint for the machine. This fingerprint can be generated with the GetInfo function in Sentinel Licensing API. Use the fingerprint to generate a new entitlement for the end user.

When you attempt to upload a C2V file, Sentinel EMS blocks the action if it detects that the C2V file is from a cloned machine. Similarly, you cannot use a C2V file from a cloned machine to create a license update.

"Platform Default" Clone Protection Scheme

A clone protection scheme defines which factors are considered by the Sentinel License Manager in order to determine whether a given Sentinel SL key has been cloned.

Sentinel LDK employs several different clone protection schemes to protect applications that run on physical machines and on virtual machines. The schemes are designed to accommodate a variety of circumstances. For example, schemes are available for applications that run on PCs, on Android machines, or on Microsoft Azure virtualization platforms. New schemes are added periodically as environments are added and evolve.

When you define a Product in Sentinel EMS, the Platform Default clone protection scheme is applied automatically. This enables Sentinel LDK to automatically select the most appropriate clone protection scheme for the type of operating system and the environment in which the license will be installed.

For more information on the Platform Default scheme, see How Sentinel LDK Detects Machine Cloning.