ionCube Logo
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


 
Post new topic   Reply to topic    ionCube Forum Index -> ionCube PHP Encoder

Release 9.0 - PHP 5.6 syntax support. Security innovations.

Author Message
liaison
ionCube Support


Joined: 16 Dec 2004
Posts: 2756

PostPosted: Thu May 14, 2015 12:21 pm    Post subject: Release 9.0 - PHP 5.6 syntax support. Security innovations. Reply with quote

The much anticipated and awaited version 9 Encoder is released!

Following the habitual changes in language syntax accompanying each major release of PHP, support is included in version 9 for PHP 5.6 language syntax, as well as earlier versions of the PHP language as previously.

The major changes though in version 9 are innovations in code protection. Any type of protection system will use a key of some sort, and the key needs to be known for code execution to be possible. Encoding systems usually store the key buried somewhere in the protected code, which makes sense not just for performance and convenience for the end user, but also the author of the code to be protected, and to be candid, for the developer of the protection system too; in short it's the easy option that everyone uses and it works pretty well, but we've been cognisant of the limitations of this approach and now provide some alternatives.

One new approach is using an external key. This is most useful when the user of the encoded files is trusted, but access to encoded files may be possible by someone untrusted. Using an external key inaccessible to a user who may have access to the protected files prevents then having the key necessary to process the files.

The main innovation in version 9 however is Run-Time (Dynamic) Keys. In following our process of removing protection keys from protected files, even better than having an external key we thought is to have no key present in any files at all, and this is what we've done. Parts of an application can now be encrypted with an arbitrary dynamic key which is not stored anywhere, and instead, the key is algorithmically produced when required by the protected application itself. Dynamic key protected code is specified by adding annotations to the PHP source, and how the key is produced at runtime is up to the developer. There's no limit to the number of different keys, and code that produces a key could itself be protected by a dynamic key, and so on. The possibilities are literally limitless.

For many years now, ionCube is the leading compiled code protection solution for PHP, with the richest range of product features, and according to hackers themselves, the most sophisticated protection. Now even better, the use of encryption and the ability to use dynamic algorithmic keys in ionCube Version 9 rather than static keys introduces exciting new protection opportunities never seen before that are a must for anyone serious about code protection. Explore the possibilities today with an evaluation, or get in touch to find out more.
Back to top
View user's profile Send private message
mx104jK



Joined: 20 May 2015
Posts: 3

PostPosted: Wed May 20, 2015 9:19 pm    Post subject: upgrade grace period? Reply with quote

Good evening,

great to see this news ... but is there an upgrade grace period? I've decided to buy my license in March, and it seems tough to pay for an upgrade just two months later...

Thanks
Back to top
View user's profile Send private message
liaison
ionCube Support


Joined: 16 Dec 2004
Posts: 2756

PostPosted: Thu May 21, 2015 2:23 pm    Post subject: Reply with quote

Hi

There's a grace period of 45 days and unfortunately you're nearly a month outside of that. We need to have them, but we do find cutoff dates are one of the worst aspects of transacting online because there's always someone who falls a day outside. If you make an exception for that person you should for everyone, and then you've effectively defined a new cutoff. If you extend the cutoff then you need to decide by how much, which becomes the new cutoff, and then there'll be someone who's just outside that. Smile

However, do check your email over the next couple of days because we're sending an email out that may be relevant for you.
_________________
Community Admin
Back to top
View user's profile Send private message
mx104jK



Joined: 20 May 2015
Posts: 3

PostPosted: Thu May 21, 2015 2:49 pm    Post subject: Reply with quote

Thank you for answering so quickly. Good to know the limit.

I understand the issue and agree that 45 days are probably a good magnitude for the free upgrade path. I also agree with the fact that this is a general issue of on-premise software, but I nevertheless prefer on-premise, compared to "cloud" software.

I do not know any really good solution myself, so I will not complain. Wink

Thanks again for clarification.
Back to top
View user's profile Send private message
stevecloud



Joined: 23 Jun 2015
Posts: 1

PostPosted: Tue Jun 23, 2015 3:25 pm    Post subject: Re: Release 9.0 - PHP 5.6 syntax support. Security innovatio Reply with quote

liaison wrote:

One new approach is using an external key. This is most useful when the user of the encoded files is trusted, but access to encoded files may be possible by someone untrusted. Using an external key inaccessible to a user who may have access to the protected files prevents then having the key necessary to process the files.

The main innovation in version 9 however is Run-Time (Dynamic) Keys. In following our process of removing protection keys from protected files, even better than having an external key we thought is to have no key present in any files at all, and this is what we've done. Parts of an application can now be encrypted with an arbitrary dynamic key which is not stored anywhere, and instead, the key is algorithmically produced when required by the protected application itself. Dynamic key protected code is specified by adding annotations to the PHP source, and how the key is produced at runtime is up to the developer. There's no limit to the number of different keys, and code that produces a key could itself be protected by a dynamic key, and so on. The possibilities are literally limitless.


Can someone provide a tutorial or example of using private keys? Using PHP 5.5/apache. The description of it doesn't really help us with implementation. Is there something we put to reference the key inside php.ini, and then during encryption to we use that key? Any sort of step by step documentation about encrypting and also setting up the server would be useful, otherwise this information is unusable in its current form.
Back to top
View user's profile Send private message
alastair



Joined: 23 Feb 2010
Posts: 187

PostPosted: Tue Jun 23, 2015 5:56 pm    Post subject: Reply with quote

Hi,

Are you looking at the GUI documentation or the PDF User Guide? The PDF User Guide at http://www.ioncube.com/sa/USER-GUIDE.pdf gives the most information about the new External and Dynamic Keys, including examples, in Section 4.

I'll explain the two new types of keys briefly below.

External keys are strings or file contents that are located outside the encoded file. At runtime, when the Loader is decoding the file, they may be found through php.ini properties or license file properties or a simple file path.

On the command line an external key could be used with the following option:

--encoding-key 'ini:myprop=/home/dev/mytext.txt'

On the left of the "=" is how the external encoding key will be found at runtime. The "ini" indicates that an ini property will be used whilst "myprop" indicates the base name of the property.

On the right of the "=" is a file path, /home/dev/mytext.txt, that means the PHP Encoder should use the contents of that file when encoding. So there will need to be a file at that location, /home/dev/mytext.txt, for encoding to be successful.

What happens at runtime? The ionCube Loader will look for a php.ini property called "ioncube.loader.key.myprop". The value of that property must then be a path to a file that has the same contents as the file used to encode. If the contents are not the same then decoding will fail.

You can similarly use license properties or just have the path to the file set within the encoded file.

Dynamic keys are not set through any encoder options as such. They are specified as comments in the file like so:

// @ioncube.dk keyfn() -> "secret key"
function protected_fn()
{
}

The annotation "@ioncube.dk" means a dynamic key is being used to protect the following function, here called "protected_fn". The "keyfn()" part means that the "keyfn" function must be executed in order to get the decrypting key. That function must produce the same result as that used to encrypt protected_fn, which in this case will be the string "secret key". If keyfn does produce that result then decoding will be successful but decoding will fail otherwise.


It's best firstly to look at Section 4 of the main User Guidefor more details first but, if you are still stuck, then please use our Support Help Desk at http://support.ioncube.com
_________________
Alastair

ionCube
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    ionCube Forum Index -> ionCube PHP Encoder All times are GMT + 1 Hour
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum