Abstract: Disclosed herein are systems, methods, and non-transitory computer-readable storage media for key space division and sub-key derivation for mixed media digital rights management content and secure digital asset distribution. A system practicing the exemplary method derives a set of family keys from a master key associated with an encrypted media asset using a one-way function, wherein each family key is uniquely associated with a respective client platform type, wherein the master key is received from a server account database, and identifies a client platform type for a client device and a corresponding family key from the set of family keys. The system encrypts an encrypted media asset with the corresponding family key to yield a platform-specific encrypted media asset, and transmits the platform-specific encrypted media asset to the client device. Thus, different client devices receive device-specific encrypted assets which can be all derived based on the same master key.

Abstract: In one embodiment, a unique (or quasi unique) identifier can be received by an application store, or other on-line store, and the store can create a signed receipt that includes data desired from the unique identifier. This signed receipt is then transmitted to a device that is running the application obtained from the on-line store and the device can verify the receipt by deriving the unique (or quasi-unique) identifier from the signed receipt and comparing the derived identifier with the device identifier stored on the device, or the vendor identifier assigned to the application vendor.

Abstract: Disclosed herein are systems, methods, and non-transitory computer-readable storage media for obfuscating a computer program. A system configured to practice the method identifies a set of executable instructions at a first location in an instruction section of the computer program and identifies a second location in a data section of the computer program. Then the system moves the set of executable instructions to the second location and patches references in the computer program to the set of executable instructions to point to the second location. The instruction section of the computer program can be labeled as _TEXT,_text and the data section of the computer program is labeled as _DATA,_data. The set of executable instructions can include one or more non-branching instructions optionally followed by a branching instruction. The placement of the first and second locations can be based on features of a target computing architecture, such as cache size.

Abstract: A cryptographic process (such as the AES cipher) which uses table look up operations (TLUs) is hardened against reverse engineering attacks intended to recover the table contents and thereby the cipher key. This hardening involves removing any one-to-one correspondence between the TLU inputs and outputs, by altering the output of the TLU dynamically, e.g. at each execution (call) of the TLU. This is done by increasing the size of the tables, applying a dynamically determined mask value to the table input and/or output, or using an inverse of the table.

Abstract: A method and an apparatus that provides a hard problem based hashing mechanism to improve security of hash functions are described. The hashing mechanism can include a custom padding and/or a post processing to a hashed value strengthened via operations specifying a hard problem. In one embodiment, a new hash function may be provided or defined directly without introducing or relying on existing hash functions to embed security features based on this hard problem. The new hash functions can be used in usual constructions implying hash functions. For example, the standard HMAC construction could be applied on these hash functions, standard signature algorithms or authentication protocol, etc.

Abstract: Disclosed herein are systems, methods, and computer readable-media for obfuscating code. The method includes extracting a conditional statement from a computer program, creating a function equivalent to the conditional statement, creating a pointer that points to the function, storing the pointer in an array of pointers, replacing the conditional statement with a call to the function using the pointer at an index in the array, and during runtime of the computer program, dynamically calculating the index corresponding to the pointer in the array. In one aspect, a subset of instructions is extracted from a path associated with the conditional statement and the subset of instructions is placed in the function to evaluate the conditional statement. In another aspect, the conditional statement is replaced with a call to a select function that (1) calculates the index into the array, (2) retrieves the function pointer from the array using the index, and (3) calls the function using the function pointer.

Abstract: An asymmetric (dual key) data obfuscation process, based on the well known ElGamal cryptosystem algorithm, and which uses multiplicative cyclic groups to transform (obfuscate) digital data for security purposes. In the present system the data need not be a member of the cyclic group, unlike in the ElGamal cryptosystem algorithm. Also, any one of several additional mathematical data transformations are further applied to the transformed data, thereby enhancing security of the transformed data.

Abstract: A method and an apparatus that generate a plurality of elements randomly as a split representation of an input used to provide an output data cryptographically representing an input data are described. The input may correspond to a result of a combination operation on the elements. Cryptographic operations may be performed on the input data and the elements to generate a plurality of data elements without providing data correlated with the key. The combination operation may be performed on the data elements for the output data.

Abstract: First source code of a computer program having a plurality of lines of instructions is received. An obfuscation process is performed on the first source code, including at least two of a shuffling operation, a fertilizing operation, an aggregating operation, and a neutralizing operation. Second source code is generated based on the obfuscation process, where the second source code, when executed by a processor, produces an identical result as the first source code.

Abstract: Disclosed herein are systems, computer-implemented methods, and non-transitory computer-readable storage media for obfuscating code, such as instructions and data structures. Also disclosed are non-transitory computer-readable media containing obfuscated code. In one aspect, a preprocessing tool (i.e. before compilation) identifies in a source program code a routine for replacement. The tool can be a software program running on a computer or an embedded device. The tool then selects a function equivalent to the identified routine from a pool of functions to replace the identified routine. A compiler can then compile computer instructions based on the source program code utilizing the selected function in place of the identified routine. In another aspect, the tool replaces data structures with fertilized data structures. These approaches can be applied to various portions of source program code based on various factors. A software developer can flexibly configure how and where to fertilize the source code.

Abstract: Methods, media and systems that use an encoded opaque pointer in an API between a client process and a library process. An encoded opaque pointer, in one embodiment, can be received by the library process from the client process, and the library process can decode the opaque pointer to obtain an address in memory containing a data structure pointed to by the opaque pointer. The library process can operate on the data structure to create a revised or processed data structure, stored in the same or different address in heap memory or stack memory, and the library process can encode and return a new opaque pointer, for the processed data structure, to the client process.

Abstract: In the field of computer enabled cryptography, such as a keyed block cipher having a plurality of rounds, the cipher is hardened against an attack by a protection process which obscures the cipher states and/or the round keys using the properties of group field automorphisms and applying multiplicative masks (instead of conventional XOR masks) to the states of the cipher, for encryption or decryption. This is especially advantageous in a “White Box” environment where an attacker has full access to the cipher algorithm, including the algorithm's internal state during its execution. This method and the associated computing apparatus are useful for protection against known attacks on “White Box” ciphers, by eliminating XOR operations with improved masking techniques and increasing complexity of reverse engineering and of attacks.

Abstract: Disclosed herein are systems, computer-implemented methods, and computer-readable storage media for obfuscating data based on a discrete logarithm. A system practicing the method identifies a clear value in source code, replaces the clear value in the source code with a transformed value based on the clear value and a discrete logarithm, and updates portions of the source code that refer to the clear value such that interactions with the transformed value provide a same result as interactions with the clear value. This discrete logarithm approach can be implemented in three variations. The first variation obfuscates some or all of the clear values in loops. The second variation obfuscates data in a process. The third variation obfuscates data pointers, including tables and arrays. The third variation also preserves the ability to use pointer arithmetic.

Abstract: Disclosed herein are systems, methods, and non-transitory computer-readable storage media for key space division and sub-key derivation for mixed media digital rights management content and secure digital asset distribution. A system practicing the exemplary method derives a set of family keys from a master key associated with an encrypted media asset using a one-way function, wherein each family key is uniquely associated with a respective client platform type, wherein the master key is received from a server account database, and identifies a client platform type for a client device and a corresponding family key from the set of family keys. The system encrypts an encrypted media asset with the corresponding family key to yield a platform-specific encrypted media asset, and transmits the platform-specific encrypted media asset to the client device. Thus, different client devices receive device-specific encrypted assets which can be all derived based on the same master key.

Abstract: Disclosed herein are systems, methods, and non-transitory computer-readable storage media for asset lease management. The system receives, from a client device associated with a user profile, a lease start request for an asset for which the user profile is authorized. The system identifies a number of available slots for progressively downloading content. If the number of available slots is greater than zero, the system assigns an available slot from the number of available slots to the client device to yield an assigned slot. The system transmits security information, a lease key, and a lease duration associated with the assigned slot to the client device in response to the lease start request, wherein the security information and lease key allow the client device to start a progressive download of the asset for the lease duration. At the end of the lease, the system terminates the lease and releases the assigned slot.

Abstract: In the context of a computer client-server architecture, typically used in the Internet for communicating between a server and applications running on user computers (clients), a method is provided for enhancing security in the context of digital rights management (DRM) where the server is an untrusted server that may not be secure, but the client is secure. This method operates to authenticate the server to the client and vice versa to defeat hacking attacks intended to obtain confidential information. Values passed between the server and the client include encrypted random numbers, authentication values and other verification data generated using cryptographic techniques including double encryption.

Abstract: A software version control system manages versioned applications in a client-server computing system environment. Thereby this is a management system for computer application (software) distribution where a number of client devices coupled to a server may be executing different versions of a particular computing application. The system manages updates to the applications and enforces rules or policies to use the most recent version whenever possible.

Abstract: Disclosed herein are systems, methods, and non-transitory computer-readable storage media for generating a hash based on the Collatz conjecture. The Collatz conjecture is based on a set of operations for a given number n that are performed iteratively on n, with one operation performed if n is even, and another operation performed if n is odd. Operating on an input value according to the Collatz conjecture for a specified number of iterations produces an output value that can then be used as a hash in a cryptographic function. The hash function performs steps according to the Collatz conjecture, or a modification thereof, on the value n for r iterations, and outputs a resulting hash value. The hash function can apply more complex variations, such as adding multiplication, addition, modulo or other operation(s) in the even and/or odd operations. The hash value can be used to pad blocks of a message.

Abstract: Disclosed herein are systems, methods, and computer readable-media for obfuscating array contents in a first array, the method comprising dividing the first array into a plurality of secondary arrays having a combined total size equal to or greater than the first array, expanding each respective array in the plurality of the secondary arrays by a respective multiple M to generate a plurality of expanded arrays, and arranging data elements within each of the plurality of expanded arrays such that a data element located at an index I in a respective secondary array is located at an index I*M, wherein M is the respective multiple M in an associated expanded array, wherein data in the first array is obfuscated in the plurality of expanded arrays. One aspect further splits one or more of the secondary arrays by dividing individual data elements in a plurality of sub-arrays. The split sub-arrays may contain more data elements than the respective secondary array.

Abstract: Disclosed herein are systems, computer-implemented methods, and non-transitory computer-readable storage media for obfuscating code, such as instructions and data structures. Also disclosed are non-transitory computer-readable media containing obfuscated code. In one aspect, a preprocessing tool (i.e. before compilation) identifies in a source program code a routine for replacement. The tool can be a software program running on a computer or an embedded device. The tool then selects a function equivalent to the identified routine from a pool of functions to replace the identified routine. A compiler can then compile computer instructions based on the source program code utilizing the selected function in place of the identified routine. In another aspect, the tool replaces data structures with fertilized data structures. These approaches can be applied to various portions of source program code based on various factors. A software developer can flexibly configure how and where to fertilize the source code.