Commercial self-extracting archives: security, principles of work

    One of the serious problems in the field of development and dissemination of information technology is the protection of copyright for such intellectual property objects as software, audio, video materials and any other information that can be presented in electronic form. Owners of such objects are forced to resort to various means of protection against copying and unauthorized distribution, which often have at times more value than the objects of protection themselves.

    However, in some cases, the problem arises of the commercial distribution of digital content, which has a fairly low cost, and therefore it is not economically feasible to use expensive means of protection. In connection with this situation, the intellectual property market has recently appeared available (in fact, free of charge) for any user, including those who do not have any special skills, means of protecting the content, allowing to profit from the distribution of intellectual property. The principle of operation of such tools is based on the creation of a self-extracting archive [1] (hereinafter CPA) (English self-extracting archive, abbreviated as “SFX archive”), which requires the appropriate payment for the extraction of files and the subsequent input of a keyword (code).
    The founder of the commercial CPA service was the program from the ZipCoin service, and it appeared in 2009. The projects following it picked up the idea and began to develop this direction.

    General information about the CPA

    It should be noted that the CPA is still not a means of protection against unauthorized distribution and copying of information, since packaged objects of intellectual property after a lump-sum payment and unpacking of protective equipment do not contain and, accordingly, can be uncontrolledly distributed. Therefore, when it comes to paid CPAs, first of all, we mean a convenient, simple, almost free method for the commercial distribution of information without the use of expensive means of protection.
    Payment for unpacking a commercial CPA can be made in any way possible for the user, such as electronic money transfer (Webmoney, Yandex.Money, RBK-money, PayPal, Money@Mail.ru, Moneymail RUR, EasyPay, etc. [3]), payment by SMS, transfer to a bank card. Opportunities The variety of payment methods directly depends on the capabilities of the “intermediary” performing the function of an arbiter in settlements between the “information owner” and the end user. As a rule, as a payment for mediation, a certain commission is charged for operations performed.
    Often, such “intermediaries” use the services of services - payment systems [4], which provide their services for receiving and paying payments in almost any electronic currency, via SMS messages, through various money transfer systems, payment terminals, and bank cards. An example of such services is the Robokassa system (http://robokassa.ru/), LiqPAY (http://liqpay.com), AvisoSMS (http://avisosms.ru/), a1pay (http: // a1pay. com /).
    Currently, there are the following services on the market that provide CPA services:
    1. WebZipMoney (http://webzipmoney.ru/, 2010).
    2. ZipMonster (http://zipmonster.ru/, 2010).
    3. CashMagnat (http://cashmagnat.ru/, 2010).
    4. FILECASH (http://filecash.su/, 2009).
    5. ZIPS (http://zipseller.ru/, 2010).
    6. ZipCoin (http://zipcoin.ru/, 2009).


    Functional diagram of the service of commercial self-extracting archives

    A typical commercial CPA support service, as a rule, consists of the following elements:
    1. Client program.
    2. Web service for partner service.
    3. Database.
    4. Payment service.
    5. Web directory (file storage).

    The client program provides the ability to pack files of any format in the CPA, using subsequently during unpacking the mechanism for extracting packed data after payment and entering a keyword.
    A web service is necessary for registering partners using a client program for packing files and their further commercial distribution. The web service should have the following functions:
    • provide detailed information about the rules, current tariffs, system features
    • provide registration of partners
    • keep statistical records of the number of calls / purchases of archives, their cost
    • provide the client program with the necessary data for working with archives (information about the partner, archive, keywords, etc.)
    • provide administrative functions, such as adding, editing, deleting, locking archives and / or partners,
    • provide payment of funds for payment of archives, accounting of settlement operations.

    In the service database, as a rule, detailed information about packed archives, partner data, statistical and billing information is stored.
    A payment service carries out using a payment system a set of procedures that ensure the transfer of money from a user to a web service with the subsequent redistribution of funds between web services as a commission-fee for mediation and payment for acquiring content to a partner.
    The web directory is used to advertise and distribute relevant content. This can be a program directory, a catalog of audio or video materials, file storages, etc.

    Below, in figure 1, a typical functional diagram of a commercial CPA service is presented:

    The service operation algorithm can be divided into the following stages:
    1. Registration of a partner.
    2. Download partner program.
    3. Creating archives.
    4. Publication of archives.
    5. User upload archive.
    6. Initialization of the payment process.
    7. Money transfer support.
    8. Keyword formation.
    9. Receiving, entering a keyword and unpacking the archive.


    image

    Fig. 1 Functional diagram of the commercial service.

    At the stage of partner registration, personal data and payment information about the partner are recorded and entered into the database. The partner is provided with a unique number and registration data for entering the “personal account” on the web service.
    After registration by the partner, independently or through third parties, steps 2-4 are carried out. At the same time, at the stage of creating the archive, the partner indicates its cost, name, as well as additional information about the archive.
    After the potential user downloads the archive, if he agrees to the purchase of the content embedded in the archive, the payment process is initiated. At this stage, the client program built into the archive sends a request to the web service shown in Figure 1. The request indicates the unique characteristics of the archive.
    The web service together with the payment service provide the transfer and redistribution of funds:
    • remuneration of the web service in the amount of the declared commission;
    • commission to the payment service;
    • commission to payment systems;
    • affiliate reward for digital content.

    After a successful money transfer, the web service generates a keyword (code) and sends it to the client program. Information about the purchase is entered into the database and is subsequently displayed in the form of partner sales statistics and web service statistics.
    The client program receives the code, checks its correctness and then initiates the process of unpacking the content, after which the user gets access to it.

    Description of the approach to the protection of digital content in self-extracting archives.

    A self-extracting archive is a file (a computer program) that combines the archive and executable code to unpack it. Such archives, unlike conventional ones, do not require a separate program for unpacking them (obtaining the source files from which they are created) if the executable code can be executed on the specified operating system.
    As a rule, commercial CPAs use the features of the PE format [5] - the format of executable files, object code, and dynamic libraries used in 32- and 64-bit versions of the Microsoft Windows operating system, which allow embedding data at the end of the file. The generalized structure of the PE file is shown in Figure 2. For example, the format of the executable EXE file allows you to append absolutely any data to the end of the program file, while the program will work as before. In fact, the capabilities of computer steganography and steganographic data hiding in the format of an executable file are used [6]. These features are in PE format and are used by some CPA services.

    image

    Fig. 2 Generalized PE file format

    Figure 3 shows a possible layout of a CPA.


    image

    Fig. 3. CPA layout option

    Thus, the CPA work technology can be reduced to the following steps:
    1. Launch the program and enter the partner credentials for access to the CPA web service using the client program.
    2. Select the necessary files with their parameters.
    3. Packaging selected in files in CPA.
    3.1. Writing the source program code to the target CPA file.
    3.2. A request to the web service about the unique parameters of the archive (archive identifier, keyword).
    3.3. Record in CPA the marker of the beginning of the header of the embedded data after the source code.
    3.4. Formation and recording of the header of the embedded data.
    3.5. Archiving digital content.
    3.6. Digital content encryption.
    3.7. Writing the received data to the target file.

    It should be noted that the resistance to cracking the CPA is significantly affected by the selected encryption algorithm, key length and key generation algorithm. In addition, CPAs are not without such a drawback as storing the key in the clear form for the archive in the header of the archive.
    As a rule, the simplest addition modulo 2 "" operation is used as encryption, the key length does not exceed 256 bits, and the encryption algorithm comes down to calculating the hash sum on the web server using the MD5 algorithm depending on the unique characteristics of the CPA. Based on this, it can be concluded that the use of commercial CPA is inappropriate for digital content that is of high value and cost and can only be used in limited cases, when hacking does not lead to serious losses.
    Publicly available sources already mention hacking of similar commercial CPAs (for example, “Hacking ZipCoin Paid Archives” - www.it-world.kz/?p=999 - accessed 02/23/2011), which causes serious damage to the partners of these systems.

    REFERENCES

    1. Self-extracting archive. [Electronic resource]. URL: ru.wikipedia.org/wiki/SFX (accessed February 23, 2011) ...
    2. Electronic money [Electronic resource.] URL: ru.wikipedia.org/wiki/Electronic money (accessed February 23, 2011) ...
    3. Format executable files. [Electronic resource]. URL: www.intuit.ru/department/pl/cil/3 (accessed February 23, 2011) ...
    4. Payment system. [Electronic resource]. URL:ru.wikipedia.org/wiki/Payment_system (accessed February 23, 2011) ...
    5. Micheal J. O'Leary, The Portable Executable Format. Microsoft [Electronic resource]. URL: www.nikse.dk/petxt.html (accessed February 23, 2011 ).
    6. I. V. Nechta, Steganography in files of Portable Executable format, Vestnik SibGUTI. 2009. No 1.

    Also popular now: