NewLC - DRM / Security / Payment - Comments

Re: How do I import a RSA Key from file an use it?

SirBaer — Thu, 28 Aug 2008 11:58:27 +0200

Hi, I finally solved it. Stupid mistake, though.
Working Code Snippet:

const CRSAPrivateKeyStandard* privKey = CRSAPrivateKeyStandard::NewLC(iN, iD);
CRSAPKCS1v15Decryptor* dec = CRSAPKCS1v15Decryptor::NewL((CRSAPrivateKey&)privKey);

(iN and iD are RIntegers according to the Crypto-API)

So, I'm out for waterskiing .

Re: API to check if the file is DRM file or not

guruhb — Thu, 17 Jul 2008 08:41:51 +0200

Hi,
use CContent::GetAttribute(EIsProtected, value);
read content access frame work. your application should have DRM capability.
-Guru-

Re: OMA download descriptor

skksundar — Mon, 31 Mar 2008 12:24:58 +0200

yeah thanks for that buddy.

Re: OMA download descriptor

l0rd — Sat, 29 Mar 2008 21:25:52 +0100

Hi,

Here's the link: http://www.forum.nokia.com/info/sw.nokia.com/id/7f489305-4ee7-4835-850c-1029366852e5/Content_Download_And_OMA_DRM_Examples_V2_2_en.zip.html. Next time try to remove '_' characters from query string when using google

Hope this helps.

Damian

Re: OMA download descriptor

skksundar — Sat, 29 Mar 2008 11:02:45 +0100

Can you please tell me where to find the example "Content_Download_And_OMA_DRM_Examples_v2_2_en". I googled for the content but didnt get it anywhere. Am quiet new to this area of development and require some assistance.. Any little help would be of greater appreciation

Thanks

Re: How do they crack our software?(3rd ed)

puterman — Thu, 20 Mar 2008 16:15:14 +0100

One thing that seems to have gone missing from this discussion is that Symbian Signed was never intended to be an anti-cracking mechanism. If you're not used to thinking about computer security, it's easy to make the mistake of thinking of security in binary terms: either there's security or there's no security. However, there are always different aspects of security. One security measure can't protect you from all possible attacks.

Symbian Signed is designed to protect the individual phone user from malicious code, by means of signing the installation package with a signature, identifying the developer. That an application has been signed doesn't mean that it's not malicious. There's nothing preventing me from writing an app that does stuff that's harmful to the user's data and get it Symbian Signed. But when it starts doing harm to users' data, the app will be traceable back to me.

This also illustrates another important basic axiom in computer security, or any sort of security: there's always a tradeoff. Symbian Signed could have been designed to protect the user against any sort of harm ever happening to their data. The testing process would have had to be much more extensive than it is now, and would include eg. code inspection, to ensure that a signed app wouldn't do harm. However, in practice that'd be way too expensive.

The discontinuation of Developer Certificates should help

tonyn — Tue, 18 Mar 2008 18:42:54 +0100

At least it will help for applications that need signed-for capabilities.

Re: symbian 9, security platform, signing

alh — Tue, 26 Feb 2008 10:18:25 +0100

During reading the Symbian guides I haven't found any mentioning, that they demand the developer to be trusted. I don't think Symbian wants to know the business plans, they just want money. And everything can be solved by the appropriate summ of dollars/euro.

I don't think Symbian cares either.
After all, symbian doesn't create any phones, nor do they have any end user contact.

But the guys who do care though, is the device manufacturers and platform creators (s60, uiq, nokia, S-E, samsung, etc).

Nokia for example, writes at one of the pages above: "When the tests are passed, the application will be Symbian Signed. If the application requires DRM and/or TCB capability, a legal agreement [with Nokia] must also be in place before the application can be certified."

The thing is, that the whole platform security depends on that only a few and very select services have the TCB capability.
It doesn't matter if _you_ aren't malicious, they also want to be very sure that you also wont mess anything up, and leaving a big gaping back door open to break the security of the phone.
And if you do... They want to be able to track you down...

But of course it isn't impossible to get.
Just a lot of red tape...

Re: symbian 9, security platform, signing

rbrunner — Sat, 23 Feb 2008 09:11:06 +0100

I will.

By all means, do. Don't let a few fairy-tale-addicted cowards in this forum stand in the way to your luck.

Will you report back the result? Regardless of outcome? Would be very nice.

Re: symbian 9, security platform, signing

Hex — Fri, 22 Feb 2008 16:41:45 +0100

I at least wouldn't even dare to contact them and apply for TCB - the holy grail of Symbian - without a very convincing business plan and an impressive track record in the mobile scene that shows that I am serious.

From the conversations I have had with Nokia, you will need to submit a business plan/case AND a development plan to assess the feasability of the design.

During reading the Symbian guides I haven't found any mentioning, that they demand the developer to be trusted. I don't think Symbian wants to know the business plans, they just want money. And everything can be solved by the appropriate summ of dollars/euro.

You can start by sending a request to (IIRC)

I will.
It seems to me that nobody ever tried to request such capabilities, because there are too many fairy tails about difficulties, and no success stories.

Re: symbian 9, security platform, signing

paul — Wed, 20 Feb 2008 19:13:47 +0100

Basically at the barest minimum you need to be a Symbian Partner AND a Nokia Launchpad or Pro member for them to even look at TCB.

The reason it that these can serverly compromize the phone and the API's you need are under a Symbian Partner licence so you need to have a solid business record with them before they will talk to you.

From the conversations I have had with Nokia, you will need to submit a business plan/case AND a development plan to assess the feasability of the design.

You can start by sending a request to (IIRC)

Re: symbian 9, security platform, signing

rbrunner — Wed, 20 Feb 2008 18:02:31 +0100

I don't see any non-trivial question right now.

This page
http://developer.symbian.com/main/signed/
tells quite clearly that for publisher IDs it's TrustCenter who is running the show now, and Verisign is out.

And the following link that N/A gave a few posts above already quite nicely sums up Nokia's policy for granting special capabilities:
http://www.forum.nokia.com/main/technical_services/testing/cap_granting.html

Maybe you are sad because there is probably a very real danger that you won't be able to convince Nokia to deal with you. I at least wouldn't even dare to contact them and apply for TCB - the holy grail of Symbian - without a very convincing business plan and an impressive track record in the mobile scene that shows that I am serious.

Re: symbian 9, security platform, signing

Hex — Wed, 20 Feb 2008 16:55:44 +0100

Heh... the experts have finished As I ask some nontrivial question - there's no answer. It's sad, very sad...

Re: symbian 9, security platform, signing

Hex — Tue, 19 Feb 2008 17:11:00 +0100

I've downloaded "The complete guide to Symbian Signed". As I understand, I need "Express signed" to be able to request TCB and other previledged capabilities. In the guide they say that I need to buy the publisher ID from Trust Center:
https://www.trustcenter.de/cs-bin/PublisherID.cgi/en/155102

The publisher ID is also provided by Verisign at step 2
http://www.verisign.com/products-services/security-services/code-signing/symbian-content-signing/

What is the difference between these publisher ID's?

Re: symbian 9, security platform, signing

Hex — Tue, 19 Feb 2008 14:15:00 +0100

I never heard that the DRM, AllFiles and TCB capabilities have a price, where you pay the price and then get it. I think how to treat you will be decided on a case-by-case basis by the "powers that be".

For Windows Mobile there were two types of code signing:
1) code signing for applications that don't need previledged API.
2) code signing for applications that uses previledged API.

Furthermore, if you write a driver for Symbian, are you sure that you will be able to use it, regardless of capabilities? I am not sure, but as far as I know Nokia's 3rd edition phones won't load drivers from anything than ROM. If this is true, are you ready to produce ROM images containing your driver and flash a limited number of phones with it?
Just out of curiositiy: What driver is it anyway? What in a phone or connected to a phone needs a driver?

I want to make File system plugin. It should be loaded by RFs::AddFileSystem(). It should be able to be loaded from C:\Sys\.
I've dumped security information for efat32.fsy by petran and found out, that to make my own FSY I'll need:
TCB
CommDD
PowerMgmt
ProtServ
DiskAdmin
AllFiles