Abstract: Systems, methods, and data structures permit data to be protected with complex keys and allow users to access the protected data using only a simple user id and password.

Abstract: A secure repository individualized for a hardware environment and a method and system for providing the same. The secure repository includes a hidden cryptographic key and code that applies the key without requiring access to a copy of the key. The code that implements the secure repository is generated in a manner that is at least partly based on a hardware ID associated with the hardware environment in which the secure repository is to be installed, and may also be based on a random number. Cryptographic functions implemented by the secure repository include decryption of encrypted information and validation of cryptographically signed information. The secure repository may be coupled to an application program, which uses cryptographic services provided by the secure repository, by way of a decoupling interface that provides a common communication and authentication interface for diverse types of secure repositories.

Abstract: Methods and systems for software obfuscation are disclosed. In one exemplary embodiment, the obfuscation includes integrating the checker code with product code to form integrated code. The product code includes a first portion that provides desired functionalities to a software product, while the checker code includes a second portion that protects the product code from unlicensed use. A generated pseudorandom value is used to select one or more instruction sequences of the integrated code. Following the selection, the instruction sequences may be replaced with equivalent instruction sequences to form a new integrated code. Alternatively, the original integrated code is transformed into new integrated code when the selected instruction sequences are optimized. Additionally, the new integrated code may be compared to the original integrated code by generating output states from each integrated code.

Abstract: Oblivious checking of a digital good is performed by identifying a plurality of key instructions within a function of a digital good. Each key instruction is an instruction that possibly modifies a register or a flag. An extra instruction is then inserted into the function for each of the key instructions. The extra instructions each correspond to one of the key instructions and modify a register in a deterministic fashion based on the corresponding key instruction. A set of inputs to the function are then identified that result in different valid computation paths in the function being taken. A checksum for the function is then generated by using a mapping function which maps the contents of the register to the set of inputs.

Abstract: Implementation of software tamper resistance via integrity checks is described. In one implementation, a tamper resistance tool receives an input program code and generates a tamper-resistant program code using integrity checks. The integrity checks are generated by processing the input program code, and the integrity checks are inserted in various locations in the input program code. Values of the integrity checks are computed during program execution to determine whether a section of the program has been tampered with. Values of the integrity checks may be stored and accessed at any point during execution of the program.

Abstract: Apparatus and methods for implementing software protection using code overlapping are disclosed. In one implementation, a combination block comprising a first sub-block of instructions with one or more interspersed obfuscation instructions is received. The obfuscation instructions interspersed among sequentially executable instructions of the first sub-block of instructions can include instructions from other sub-blocks as well as control instructions configured to guide a processor to execute all of the instructions in first sub-block of instructions in sequence. The obfuscation instructions are replaced with one or more replacement instructions. The replacement instructions can be of a same bit-length as the replaced obfuscation instructions. Moreover, the replacement instructions can include integrity checks configured to check for tampering with instructions and/or runtime program state in the first sub-block and/or the combination block.

Abstract: Techniques for authenticating biometric parameters via biometric hashing are described. In one implementation, a biometric parameter of a user (e.g., fingerprint image, blood-vessel pattern, retina scan, etc.) is captured. One or more biometric hashes are produced from the biometric parameter. To generate hashes that appear random, pseudorandom metrics are applied over the biometric parameter. The hashes are stored in association with user information that can be employed to authenticate the user. Subsequently, during authentication, a new biometric parameter is captured and hashes are computed from the parameter. The new biometric hashes are then compared with the predetermined stored hashes. If any of the new hashes are found to be identical, or sufficiently similar, to one or more of the predetermined biometric hashes, the biometric parameter is deemed valid and the user is authenticated.

Abstract: Techniques for authenticating biometric parameters via biometric hashing are described. In one implementation, a biometric parameter of a user (e.g., fingerprint image, blood-vessel pattern, retina scan, etc.) is captured. One or more biometric hashes are produced from the biometric parameter. To generate hashes that appear random, pseudorandom metrics are applied over the biometric parameter. The hashes are stored in association with user information that can be employed to authenticate the user. Subsequently, during authentication, a new biometric parameter is captured and hashes are computed from the parameter. The new biometric hashes are then compared with the predetermined stored hashes. If any of the new hashes are found to be identical, or sufficiently similar, to one or more of the predetermined biometric hashes, the biometric parameter is deemed valid and the user is authenticated.

Abstract: Implementation of graph-based tamper resistance modeling for software protection is described. In one implementation, paths of execution of a program are modeled as a graph having nodes and edges. A tamper resistance tool receives an input program code corresponding to the program and generates a tamper-resistant program code using integrity checks. Values for the integrity checks are computed during program execution and are compared to pre-computed values to determine whether a section of the program has been tempered with. Values of the integrity checks may be accessed at any point in time during execution of the program.

Abstract: A computer-implementable method includes providing an instruction set architecture that comprises features to generate diverse copies of a program, using the instruction set architecture to generate diverse copies of a program and providing a virtual machine for execution of one of the diverse copies of the program. Various exemplary methods, devices, systems, etc., use virtualization for diversifying code and/or virtual machines to thereby enhance software security.

Abstract: An implementation of a technology, described herein, for facilitating the protection computer-executable instructions, such as software. At least one implementation, described herein, may generate integrity signatures of multiple sets of computer-executable instructions based upon the output trace and/or an execution trace of such sets. With at least one implementation, described herein, a determination may be made about whether two or more of such sets are unaltered duplicates by comparing integrity signatures of such sets. This abstract itself is not intended to limit the scope of this patent. The scope of the present invention is pointed out in the appending claims.

Abstract: An implementation of a technology is described herein for deriving robust non-local characteristics and quantizing such characteristics for blind watermarking of a digital good.

Abstract: An implementation of a technology is described herein for deriving robust non-local characteristics and quantizing such characteristics for blind watermarking of a digital good.

Abstract: A network-based data protection scheme for a mobile device utilizes encryption techniques and a remote key server that stores encryption keys on behalf of the mobile device. The mobile device stores encrypted data, preferably having no unencrypted counterpart stored therewith. On an as-needed basis, the mobile device requests a decryption key (or an encrypted version of a decryption key) from the key server, where the decryption key can be used by the mobile device to decrypt the encrypted information. The key server transmits the decryption key to the mobile device after authenticating the user of the mobile device.

Abstract: A portion of a digital good is selected to be used as a substitution box (S-box) in encrypting at least another portion of a digital good. The digital good being encrypted can be the same digital good, or alternatively a different digital good, than the digital good from which the portion used as an S-box is obtained. During the encryption process, the S-box is used to substitute values of the portion being encrypted with new values (a process also referred to as “scrambling”).

Abstract: A method, apparatus, and article of manufacture for providing secure and opaque type libraries to automatically provide secure variables within a programming module. A system for providing secure and opaque type libraries to automatically provide secure variables within a programming module. The system includes an OTL selection module, an OTL substitution module, an OTL type library database, a compiler module; and a linker module to create an executable processing module. The OTL selection module randomly selects or generates one of the possible variable obfuscation functions for each declared secure variable. The OTL substitution module substitutes the separate instance of the selected variable obfuscation function for every reference to the declared secure variable. The OTL type library database receives queries from the OTL selection module a database to identify of possible variable obfuscation functions applicable for the variable type corresponding to the declared secure variables.

Abstract: Break-Once, Run-everywhere (BORE) resistant software configurations and digital goods and content distribution methods and arrangements are provided for use in computer systems and networks. An initial digital good is selectively divided into at least two portions. The first portion is provided to a destination computer, for example, via a CD ROM, floppy disk, or pre-loaded on a hard disk drive. The second portion is operatively modified within a source computer based on unique data associated with the destination computer. The modified second portion is then provided to the destination computer, for example, over a network, along with a key that can be used to operatively modify the first portion to be compatible with the modified second portion.

Abstract: An implementation of a technology, described herein, for facilitating the protection computer-executable instructions, such as software. At least one implementation, described herein, may generate integrity signatures of one or more program modules—which are sets of computer-executable instructions—based upon a trace of activity during execution of such modules and/or near-replicas of such modules. With at least one implementation, described herein, the execution context of an execution instance of a program module is considered when generating the integrity signatures. With at least one implementation, described herein, a determination may be made about whether a module is unaltered by comparing integrity signatures. This abstract itself is not intended to limit the scope of this patent. The scope of the present invention is pointed out in the appending claims.

Abstract: A watermark encoding system encodes an audio signal with both a strong and a weak watermark. The strong watermark identifies the content producer and is designed to survive all typical kinds of processing and malicious attacks. The weak watermark identifies the content as an original and is designed to be significantly removed as a result of most normal signal processing (other than A/D and D/A). The watermark encoding system has a converter to convert an audio signal into frequency and phase components and a mask processor to determine a hearing threshold for corresponding frequency components. The watermark encoding system also has a pattern generator to generate both the strong and weak watermarks and a watermark insertion unit to selectively insert either the strong or weak watermark into the audio signal. The watermark insertion unit adds the strong watermark to the audio signal when the signal exceeds the hearing threshold by a buffer value (e.g.

Abstract: A watermark encoding system encodes an audio signal with both a strong and a weak watermark. The strong watermark identifies the content producer and is designed to survive all typical kinds of processing and malicious attacks. The weak watermark identifies the content as an original and is designed to be significantly removed as a result of most normal signal processing (other than A/D and D/A). The watermark encoding system has a converter to convert an audio signal into frequency and phase components and a mask processor to determine a hearing threshold for corresponding frequency components. The watermark encoding system also has a pattern generator to generate both the strong and weak watermarks and a watermark insertion unit to selectively insert either the strong or weak watermark into the audio signal. The watermark insertion unit adds the strong watermark to the audio signal when the signal exceeds the hearing threshold by a buffer value (e.g.