Patents by Inventor Leonid Sandler

Leonid Sandler has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11595201
    Abstract: Systems and methods of generating a software module, including: receiving a cryptographic key identification (ID) and a cryptographic operation type from at least one executable program, generating a software module configured to perform the cryptographic operation with a cryptographic key, sending the software module to the at least one executable program, and performing the operation having the cryptographic operation type with the software module, wherein the software module is generated based on at least one of: a transformation of the cryptographic key corresponding to the received cryptographic key ID, and the received cryptographic operation.
    Type: Grant
    Filed: February 21, 2020
    Date of Patent: February 28, 2023
    Assignee: CYBER ARMOR LTD.
    Inventors: Benyamin Hirschberg, Leonid Sandler
  • Patent number: 11139983
    Abstract: Systems and methods of verifying runtime integrity with a trusted execution environment (TEE) may include generating, by a processor in communication with the TEE, a secure communication channel between the TEE and at least one executable program attempting to communicate with the TEE, providing, by the processor, a moving target defense (MTD) module to the at least one executable program via the generated secure communication channel, wherein the MTD module comprises disposable polymorphic code, sending over the secured communication channel, by the processor: data, received from the at least one executable program, and a transformed runtime digest of the at least one executable program, and allowing, by the processor, communication with the TEE when the validity of the transformed runtime digest of the corresponding at least one executable program is verified.
    Type: Grant
    Filed: July 11, 2019
    Date of Patent: October 5, 2021
    Assignee: CYBER ARMOR LTD.
    Inventors: Leonid Sandler, Benyamin Hirschberg
  • Publication number: 20210266158
    Abstract: Systems and methods of generating a software module, including: receiving a cryptographic key identification (ID) and a cryptographic operation type from at least one executable program, generating a software module configured to perform the cryptographic operation with a cryptographic key, sending the software module to the at least one executable program, and performing the operation having the cryptographic operation type with the software module, wherein the software module is generated based on at least one of: a transformation of the cryptographic key corresponding to the received cryptographic key ID, and the received cryptographic operation.
    Type: Application
    Filed: February 21, 2020
    Publication date: August 26, 2021
    Applicant: CYBER ARMOR LTD.
    Inventors: Benyamin HIRSCHBERG, Leonid SANDLER
  • Publication number: 20210014068
    Abstract: Systems and methods of verifying runtime integrity with a trusted execution environment (TEE) may include generating, by a processor in communication with the TEE, a secure communication channel between the TEE and at least one executable program attempting to communicate with the TEE, providing, by the processor, a moving target defense (MTD) module to the at least one executable program via the generated secure communication channel, wherein the MTD module comprises disposable polymorphic code, sending over the secured communication channel, by the processor: data, received from the at least one executable program, and a transformed runtime digest of the at least one executable program, and allowing, by the processor, communication with the TEE when the validity of the transformed runtime digest of the corresponding at least one executable program is verified.
    Type: Application
    Filed: July 11, 2019
    Publication date: January 14, 2021
    Applicant: CYBER ARMOR LTD.
    Inventors: Leonid SANDLER, Benyamin HIRSCHBERG
  • Patent number: 10609042
    Abstract: Various systems and methods for determining whether to allow or continue to allow access to a protected data asset are disclosed herein. For example, one method involves receiving a request to access a protected data asset, wherein the request is received from a first user device; determining whether to grant access to the protected data asset, wherein the determining comprises evaluating one or more criteria associated with the first user device, and the criteria comprises first information associated with a first policy constraint; and in response to a determination that access to the protected data asset is to be granted, granting access to the protected data asset.
    Type: Grant
    Filed: December 21, 2016
    Date of Patent: March 31, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Paul Quinn, Michael E. Lipman, Mike Milano, David D. Ward, James Guichard, Leonid Sandler, Moshe Kravchik, Alena Lifar, Darrin Miller
  • Publication number: 20170237747
    Abstract: Various systems and methods for determining whether to allow or continue to allow access to a protected data asset are disclosed herein. For example, one method involves receiving a request to access a protected data asset, wherein the request is received from a first user device; determining whether to grant access to the protected data asset, wherein the determining comprises evaluating one or more criteria associated with the first user device, and the criteria comprises first information associated with a first policy constraint; and in response to a determination that access to the protected data asset is to be granted, granting access to the protected data asset.
    Type: Application
    Filed: December 21, 2016
    Publication date: August 17, 2017
    Inventors: Paul Quinn, Michael E. Lipman, Mike Milano, David D. Ward, James Guichard, Leonid Sandler, Moshe Kravchik, Alena Lifar, Darrin Miller
  • Patent number: 9223945
    Abstract: In one embodiment, a processing device includes a memory to store an executable program including a multiplicity of encrypted component blocks such that different combinations of blocks selected from the encrypted component blocks are operative when decrypted and executed to perform a same functionally equivalent data transformation, each of the component blocks being operative upon execution to convert input data into output data, and a processor operative to receive a selection of cryptographic keys, decrypt some of the encrypted component blocks using the cryptographic keys such that each one of the some encrypted component blocks is decrypted with a different one of the cryptographic keys yielding a multiplicity of decrypted component blocks, and execute the executable program including the multiplicity of decrypted component blocks to perform the same functionally equivalent data transformation. Related apparatus and methods are also described.
    Type: Grant
    Filed: May 20, 2015
    Date of Patent: December 29, 2015
    Assignee: Cisco Technology, Inc.
    Inventors: Leonid Sandler, Michael Burns
  • Publication number: 20150373140
    Abstract: A method, system and related apparatus are described, the system comprising a caching-capable element which is part of a data network, which receives a request from a downstream client device, the request including a content request, the content request including a Universal Resource Identifier (URI) and an explicit caching request, the caching request includes a unique content identifier which is independent of the URI, and optional expiration date information, a comparator included at the caching-capable element which compares the caching request against the existing cached content, and if the requested content is cached then the caching-capable element forwards the cached copy of the requested content to the client device, and if the requested content is not cached, then the caching-capable element forwards the request to a further upstream device, and, upon reception of the requested content from the further upstream device, returns the requested content to the requesting downstream device, and caches the
    Type: Application
    Filed: June 20, 2013
    Publication date: December 24, 2015
    Inventors: Arie HAENEL, Leonid SANDLER, Tomer AVITZUR
  • Publication number: 20150269367
    Abstract: In one embodiment, a processing device includes a memory to store an executable program including a multiplicity of encrypted component blocks such that different combinations of blocks selected from the encrypted component blocks are operative when decrypted and executed to perform a same functionally equivalent data transformation, each of the component blocks being operative upon execution to convert input data into output data, and a processor operative to receive a selection of cryptographic keys, decrypt some of the encrypted component blocks using the cryptographic keys such that each one of the some encrypted component blocks is decrypted with a different one of the cryptographic keys yielding a multiplicity of decrypted component blocks, and execute the executable program including the multiplicity of decrypted component blocks to perform the same functionally equivalent data transformation. Related apparatus and methods are also described.
    Type: Application
    Filed: May 20, 2015
    Publication date: September 24, 2015
    Inventors: Leonid SANDLER, Michael Burns
  • Patent number: 9118461
    Abstract: A software diversity system including an executable provider to provide an executable program including component blocks such that different combinations of blocks are operative to perform a same functionally equivalent data transformation, a cipher to encrypt the component blocks with cryptographic keys, a key selector to select a first selection of keys for a first device, such that the first selection is operative to decrypt a first combination of the blocks operative when executed to perform the same functionally equivalent data transformation, and select a second selection of keys for a second device, such that the second selection is operative to decrypt a second combination of the blocks operative when executed to perform the same functionally equivalent data transformation, and a transfer module to prepare for transfer the first and second selection of cryptographic keys for transfer to the first and second device, respectively. Related apparatus and methods are also included.
    Type: Grant
    Filed: September 12, 2011
    Date of Patent: August 25, 2015
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Leonid Sandler, Michael Burns
  • Patent number: 8527756
    Abstract: A method and system of securing content is described, the method including establishing communication between a secure module source and a content rendering device, loading a dynamically generated pseudo-unique secure module to the content rendering device from the secure module source, establishing communication between the secure module source and the dynamically generated pseudo-unique secure module, and transferring a decryption key from the secure module source to the dynamically generated pseudo-unique secure module, thereby enabling decryption of encrypted content, the encrypted content being encrypted according to the decryption key. Related methods and apparatus are also described.
    Type: Grant
    Filed: September 27, 2006
    Date of Patent: September 3, 2013
    Assignee: Cisco Technology, Inc.
    Inventors: Leonid Sandler, Yaron Sella, Erez Waisbard
  • Publication number: 20130108051
    Abstract: A software diversity system including an executable provider to provide an executable program including component blocks such that different combinations of blocks are operative to perform a same functionally equivalent data transformation, a cipher to encrypt the component blocks with cryptographic keys, a key selector to select a first selection of keys for a first device, such that the first selection is operative to decrypt a first combination of the blocks operative when executed to perform the same functionally equivalent data transformation, and select a second selection of keys for a second device, such that the second selection is operative to decrypt a second combination of the blocks operative when executed to perform the same functionally equivalent data transformation, and a transfer module to prepare for transfer the first and second selection of cryptographic keys for transfer to the first and second device, respectively. Related apparatus and methods are also included.
    Type: Application
    Filed: September 12, 2011
    Publication date: May 2, 2013
    Applicant: NDS Limited
    Inventors: Leonid Sandler, Michael Burns
  • Publication number: 20120110335
    Abstract: A method and system for associating metadata with an encrypted content item, the method including receiving metadata for association with a content item, receiving an entitlement control packet (ECP) associated with the content item, applying a cryptographic hash function to the ECP, thereby generating an ECP hash value, combining the ECP hash value with the metadata, thereby creating a data control object, performing a cryptographic operation on the data control object, thereby generating cryptographic integrity data, and joining the cryptographic integrity data to the data control object after the cryptographic operation, wherein usage of the content by the recipient is dependent on both a validation of the ECP hash value and a validation of the cryptographic integrity data. Related apparatus and methods are also described.
    Type: Application
    Filed: May 13, 2010
    Publication date: May 3, 2012
    Applicant: NDS Limited
    Inventors: Leonid Sandler, Yossi Tsuria
  • Publication number: 20110271104
    Abstract: A method and system of securing content is described, the method including establishing communication between a secure module source and a content rendering device, loading a dynamically generated pseudo-unique secure module to the content rendering device from the secure module source, establishing communication between the secure module source and the dynamically generated pseudo-unique secure module, and transferring a decryption key from the secure module source to the dynamically generated pseudo-unique secure module, thereby enabling decryption of encrypted content, the encrypted content being encrypted according to the decryption key. Related methods and apparatus are also described.
    Type: Application
    Filed: September 27, 2006
    Publication date: November 3, 2011
    Applicant: NDS Limited
    Inventors: Leonid Sandler, Yaron Sella, Erez Waisbard
  • Patent number: 7895614
    Abstract: A method for controlling access to content, the method comprising: receiving content in an area in which access to the content is blacked out, the content corresponding to a blacked out event; preventing display of the content at the time of receipt; recording the received content; and allowing access to the recorded content after a time criterion is met, wherein the time criterion comprises an elapse of a predetermined period of time measured from a specified one of the following: commencement of the blacked out event and termination of the blacked out event.
    Type: Grant
    Filed: March 12, 2009
    Date of Patent: February 22, 2011
    Assignee: NDS Limited
    Inventors: Yossi Tsuria, Moshe Shlissel, Ezra Darshan, Stephanie Wald, Reuven Wachtfogel, Aharon Rozenhauz, Leonid Sandler
  • Publication number: 20100153717
    Abstract: A method and system of securing content is described, the method including establishing communication between a secure module source and a content rendering device, loading a dynamically generated pseudo-unique secure module to the content rendering device from the secure module source, establishing communication between the secure module source and the dynamically generated pseudo-unique secure module, and transferring a decryption key from the secure module source to the dynamically generated pseudo-unique secure module, thereby enabling decryption of encrypted content, the encrypted content being encrypted according to the decryption key. Related methods and apparatus are also described.
    Type: Application
    Filed: September 27, 2006
    Publication date: June 17, 2010
    Applicant: NDS Limited
    Inventors: Leonid Sandler, Yaron Sella, Erez Waisbard
  • Publication number: 20090178073
    Abstract: A method for controlling access to content, the method comprising: receiving content in an area in which access to the content is blacked out, the content corresponding to a blacked out event; preventing display of the content at the time of receipt; recording the received content; and allowing access to the recorded content after a time criterion is met, wherein the time criterion comprises an elapse of a predetermined period of time measured from a specified one of the following: commencement of the blacked out event and termination of the blacked out event.
    Type: Application
    Filed: March 12, 2009
    Publication date: July 9, 2009
    Applicant: NDS Limited
    Inventors: Yossi Tsuria, Moshe Shlissel, Ezra Darshan, Stephanie Wald, Reuven Wachtfogel, Aharon Rozenhauz, Leonid Sandler
  • Patent number: 7530085
    Abstract: A method for controlling access to content, including preventing access to content that corresponds to a blacked out event, until at least one of a time criterion and payment criterion is met. Related methods and apparatus are also disclosed.
    Type: Grant
    Filed: December 24, 2001
    Date of Patent: May 5, 2009
    Assignee: NDS Limited
    Inventors: Yossi Tsuria, Moshe Shlissel, Ezra Darshan, Stephanie Wald, Reuven Wachtfogel, Aharon Rozenhauz, Leonid Sandler
  • Publication number: 20030126594
    Abstract: A method for controlling access to content, including preventing access to content that corresponds to a blacked out event, until at least one of a time criterion and payment criterion is met. Related methods and apparatus are also disclosed.
    Type: Application
    Filed: July 30, 2002
    Publication date: July 3, 2003
    Inventors: Yossi Tsuria, Moshe Shlissel, Ezra Darshan, Stephanie Wald, Reuven Wachtfogel, Aharon Rozenhaus, Leonid Sandler