Abstract: In the fields of data security and system reliability and qualification, this disclosure is of a method, system and apparatus for verifying or authenticating a device to a host using a zero-knowledge based authentication technique which includes a keyed message authentication code such as an HMAC or keyed cipher function and which operates on secret information shared between the host and the device. This is useful both for security purposes and also to make sure that a device such as a computer peripheral or accessory or component is qualified to be interoperable with the host.

Abstract: Disclosed herein are systems, methods, and non-transitory computer-readable storage media for key space division and sub-key derivation for mixed media digital rights management content and secure digital asset distribution. A system practicing the exemplary method derives a set of family keys from a master key associated with an encrypted media asset using a one-way function, wherein each family key is uniquely associated with a respective client platform type, wherein the master key is received from a server account database, and identifies a client platform type for a client device and a corresponding family key from the set of family keys. The system encrypts an encrypted media asset with the corresponding family key to yield a platform-specific encrypted media asset, and transmits the platform-specific encrypted media asset to the client device. Thus, different client devices receive device-specific encrypted assets which can be all derived based on the same master key.

Abstract: In one embodiment, a unique (or quasi unique) identifier can be received by an application store, or other on-line store, and the store can create a signed receipt that includes data desired from the unique identifier. This signed receipt is then transmitted to a device that is running the application obtained from the on-line store and the device can verify the receipt by deriving the unique (or quasi-unique) identifier from the signed receipt and comparing the derived identifier with the device identifier stored on the device, or the vendor identifier assigned to the application vendor.

Abstract: Methods, media and systems that use an encoded opaque pointer in an API between a client process and a library process. An encoded opaque pointer, in one embodiment, can be received by the library process from the client process, and the library process can decode the opaque pointer to obtain an address in memory containing a data structure pointed to by the opaque pointer. The library process can operate on the data structure to create a revised or processed data structure, stored in the same or different address in heap memory or stack memory, and the library process can encode and return a new opaque pointer, for the processed data structure, to the client process.

Abstract: Disclosed herein are systems, methods, and non-transitory computer-readable storage media for key space division and sub-key derivation for mixed media digital rights management content and secure digital asset distribution. A system practicing the exemplary method derives a set of family keys from a master key associated with an encrypted media asset using a one-way function, wherein each family key is uniquely associated with a respective client platform type, wherein the master key is received from a server account database, and identifies a client platform type for a client device and a corresponding family key from the set of family keys. The system encrypts an encrypted media asset with the corresponding family key to yield a platform-specific encrypted media asset, and transmits the platform-specific encrypted media asset to the client device. Thus, different client devices receive device-specific encrypted assets which can be all derived based on the same master key.

Abstract: A software version control system manages versioned applications in a client-server computing system environment. Thereby this is a management system for computer application (software) distribution where a number of client devices coupled to a server may be executing different versions of a particular computing application. The system manages updates to the applications and enforces rules or policies to use the most recent version whenever possible.

Abstract: In the context of a computer client-server architecture, typically used in the Internet for communicating between a server and applications running on user computers (clients), a method is provided for enhancing security in the context of digital rights management (DRM) where the server is an untrusted server that may not be secure, but the client is secure. This method operates to authenticate the server to the client and vice versa to defeat hacking attacks intended to obtain confidential information. Values passed between the server and the client include encrypted random numbers, authentication values and other verification data generated using cryptographic techniques including double encryption.

Abstract: Disclosed herein are systems, methods, and computer readable-media for obfuscating array contents in a first array, the method comprising dividing the first array into a plurality of secondary arrays having a combined total size equal to or greater than the first array, expanding each respective array in the plurality of the secondary arrays by a respective multiple M to generate a plurality of expanded arrays, and arranging data elements within each of the plurality of expanded arrays such that a data element located at an index I in a respective secondary array is located at an index I*M, wherein M is the respective multiple M in an associated expanded array, wherein data in the first array is obfuscated in the plurality of expanded arrays. One aspect further splits one or more of the secondary arrays by dividing individual data elements in a plurality of sub-arrays. The split sub-arrays may contain more data elements than the respective secondary array.

Abstract: Disclosed herein are systems, methods, and non-transitory computer-readable storage media for obfuscating data via a pseudo-random polymorphic tree. A server, using a seed value shared with a client device, generates a tag stream according to a byte-string algorithm. The server passes the tag stream and the data to be transmitted to the client device through a pseudo-random polymorphic tree serializer to generate a pseudo-random polymorphic tree, which the server transmits to the client device. The client device, using the same seed and byte-string algorithm, generates the same tag stream as on the server. The client passes that tag stream and the received pseudo-random polymorphic tree through a pseudo-random polymorphic tree parser to extract the data. Data to be transmitted from the server to the client device is hidden in a block of seemingly random data, which changes for different seed values. This approach obfuscates data and has low processing overhead.

Abstract: In the fields of data security and system reliability and qualification, this disclosure is of a method, system and apparatus for verifying or authenticating a device to a host using a zero-knowledge based authentication technique which includes a keyed message authentication code such as an HMAC or keyed cipher function and which operates on secret information shared between the host and the device. This is useful both for security purposes and also to make sure that a device such as a computer peripheral or accessory or component is qualified to be interoperable with the host.

Abstract: A method for distributing content. The method distributes a single media storage structure to a device (e.g., a computer, portable player, etc.). The media storage structure includes first and second pieces of encrypted content. Based on whether the device is allowed to access the first piece of content, the second piece of content, or both, the method provides the device with a set of keys for decrypting the pieces of the content that the device is able to access. The provided set of keys might include one or more keys for decrypting only one of the two encrypted pieces of content. Alternatively, it might include one or more keys for decrypting both encrypted pieces of content. For instance, the selected set of keys might include a first key for decrypting the first encrypted piece and a second key for decrypting the second encrypted piece.

Abstract: A method for distributing content. The method distributes a single media storage structure to a device (e.g., a computer, portable player, etc.). The media storage structure includes first and second pieces of encrypted content. Based on whether the device is allowed to access the first piece of content, the second piece of content, or both, the method provides the device with a set of keys for decrypting the pieces of the content that the device is able to access. The provided set of keys might include one or more keys for decrypting only one of the two encrypted pieces of content. Alternatively, it might include one or more keys for decrypting both encrypted pieces of content. For instance, the selected set of keys might include a first key for decrypting the first encrypted piece and a second key for decrypting the second encrypted piece.

Abstract: A method for distributing content. The method distributes a single media storage structure to a device (e.g., a computer, portable player, etc.). The media storage structure includes first and second pieces of encrypted content. Based on whether the device is allowed to access the first piece of content, the second piece of content, or both, the method provides the device with a set of keys for decrypting the pieces of the content that the device is able to access. The provided set of keys might include one or more keys for decrypting only one of the two encrypted pieces of content. Alternatively, it might include one or more keys for decrypting both encrypted pieces of content. For instance, the selected set of keys might include a first key for decrypting the first encrypted piece and a second key for decrypting the second encrypted piece.

Abstract: Some embodiments provide an account-based DRM system for distributing content. The system includes several devices that are associated with an account and a set of DRM computers that receives a request to access a piece of content on the devices associated with the account. The DRM computer set then generates a several keys for the devices, where each particular key of each particular device allows the particular device to access the piece of content on the particular device. In some embodiments, the DRM computer set sends the content and keys to one device (e.g., a computer), which is used to distribute the content and the key(s) to the other devices associated with the account. In some embodiments, the DRM computer set individually encrypts each key in a format that is used during its transport to its associated device and during its use on this device.

Abstract: In a Digital Rights Management (DRM) system, cryptographic keys for decrypting distributed assets (such as audio or video media) are distributed using an offline (e.g., non-Internet) method for distribution of the key generation process, with an implicit authorization to use the distributed key generation process. This is used to update an asset key for use by a client such as a media player when a key formula for generating the key for decrypting an asset has been compromised, such as by hackers.

Abstract: Some embodiments of the invention provide a content-distribution system for distributing content under a variety of different basis. For instance, in some embodiments, the content-distribution system distributes device-restricted content and device-unrestricted content. Device-restricted content is content that can only be played on devices that the system associates with the particular user. Device-unrestricted content is content that can be played on any device without any restrictions. However, for at least one operation or service other than playback, device-unrestricted content has to be authenticated before this operation or service can be performed on the content. In some embodiments, the system facilitates this authentication by specifying a verification parameter for a piece of device-unrestricted content.

Abstract: Method and apparatus to prevent hacking of encrypted audio or video content during playback. Hackers, using a debugging attachment or other tools, can illicitly access encrypted data in memory in a playback device when the data is decrypted during playback and momentarily stored in digital form. This hacking is defeated here by methodically “poisoning” the encrypted data so that it is no longer playable by a standard decoder. The poisoning involves deliberate alteration of certain bit values. On playback, the player invokes a special secure routine that provides correction of the poisoned bit values, for successful playback.

Abstract: Some embodiments of the invention provide a method for distributing content over a network. The method distributes a single media storage structure to a device (e.g., a computer, portable player, etc.) that connects to the network. The media storage structure includes first and second pieces of encrypted content. Based on whether the device is allowed to access the first piece of content, the second piece of content, or both, the method provides the device with a set of keys for decrypting the pieces of the content that the device is able to access. The provided set of keys might include one or more keys for decrypting only one of the two encrypted pieces of content. Alternatively, it might include one or more keys for decrypting both encrypted pieces of content. For instance, the selected set of keys might include a first key for decrypting the first encrypted piece and a second key for decrypting the second encrypted piece.

Abstract: Disclosed herein are systems, computer-implemented methods, and computer-readable storage media for call path enforcement. The method includes tracking, during run-time, a run-time call order for a series of function calls in a software program, and when executing a protected function call during run-time, allowing or causing proper execution of a protected function call only if the run-time call order matches a predetermined order. The predetermined order can be an expected run-time call order based on a programmed order of function calls in the software program. The method can include maintaining an evolving value associated with the run-time call order and calling the protected function by passing the evolving value and function parameters corrupted based on the evolving value. The protected function uncorrupts the corrupted parameters based on the passed evolving value and an expected predetermined call order. A buffer containing the uncorrupted parameters can replace the corrupted parameters.

Abstract: Method and apparatus to prevent hacking of encrypted audio or video content during playback. Hackers, using a debugging attachment or other tools, can illicitly access encrypted data in memory in a playback device when the data is decrypted during playback and momentarily stored in digital form. This hacking is defeated here by methodically “poisoning” the encrypted data so that it is no longer playable by a standard decoder. The poisoning involves deliberate alteration of certain bit values. On playback, the player invokes a special secure routine that provides correction of the poisoned bit values, for successful playback.