Abstract: A change-tolerant method of generating a fingerprint of a computing environment based on asset parameters associated components of the computing environment. Asset parameters are grouped into multiple subsets based on characteristics of the components. A share is generated for each asset parameter of the category to produce a plurality of shares. A secret sharing algorithm is applied to the subsets to generate a plurality of candidate identifiers corresponding to the plurality of subsets of shares. A candidate identifier is selected from the plurality of candidate identifiers as a final identifier for each category based at least in part on a frequency of occurrence of that candidate identifier. The final identifiers are combined into a fingerprint corresponding to the computing environment, wherein the fingerprint is provides verification of the plurality of components without requiring individual verification of any shares in the plurality of shares.

Abstract: Systems, methods, and storage media implemented by a computer for enabling tracking of software are disclosed. Exemplary implementations may: receive marking input code corresponding to a computer program; identify locations of the marking input code that can be modified in ways that preserve functionality of the computer program; choose at least one code transformation with associated intrinsic constants; derive derived constants from the specific intrinsic constants; apply the at least one chosen code transformation, including injecting the derived constants into the marking input code; saving the results of the above steps on computer readable media as marked code; and save metadata including a list of the derived constants on computer readable media in a file that is separate from the marked code.

Abstract: A change-tolerant method of generating a fingerprint of a computing environment based on asset parameters associated components of the computing environment. Asset parameters are grouped into multiple subsets based on characteristics of the components. A share is generated for each asset parameter of the category to produce a plurality of shares. A secret sharing algorithm is applied to the subsets to generate a plurality of candidate identifiers corresponding to the plurality of subsets of shares. A candidate identifier is selected from the plurality of candidate identifiers as a final identifier for each category based at least in part on a frequency of occurrence of that candidate identifier. The final identifiers are combined into a fingerprint corresponding to the computing environment, wherein the fingerprint is provides verification of the plurality of components without requiring individual verification of any shares in the plurality of shares.

Abstract: Systems, methods, and storage media implemented by a computer for enabling tracking of software are disclosed. Exemplary implementations may: receive marking input code corresponding to a computer program; identify locations of the marking input code that can be modified in ways that preserve functionality of the computer program; choose at least one code transformation with associated intrinsic constants; derive derived constants from the specific intrinsic constants; apply the at least one chosen code transformation, including injecting the derived constants into the marking input code; saving the results of the above steps on computer readable media as marked code; and save metadata including a list of the derived constants on computer readable media in a file that is separate from the marked code.

Abstract: Embodiments of the invention provide an improved method and an improved receiver for obtaining a control word. Two or more subkeys are obtained in a receiver. Each subkey was encrypted under control of a key received in an entitlement message or transformed under control of a seed received in an entitlement message. After decryption or transformation, the subkeys are combined to obtain the control word. Typically at least one of the entitlement messages is a positive entitlement message and at least one of the entitlement messages is a negative entitlement message. Embodiments of the invention can be used in a conditional access system such as a Pay-TV system.

Abstract: The invention provides a system and a method for securely providing a secret data from a sender to one or more receivers. The receiver uses a sequence of functions originating from a hierarchy of functions to migrate the secret data from an input transform space to an output transform space using a mathematical transformation under control of one or more seeds. The seeds are provided to the receiver by the sender. The sender conditionally allows the receiver to obtain the secret data by controlling the seeds.

Abstract: A method of protecting the execution of a cryptographic hash function, such as SHA-256, in a computing environment where inputs, outputs and intermediate values can be observed. The method consists of encoding input messages so that hash function inputs are placed in a transformed domain, and then applying a transformed cryptographic hash function to produce an encoded output digest; the transformed cryptographic hash function implements the cryptographic hash function in the transformed domain.

Abstract: Embodiments of the invention provide an improved method and an improved receiver for obtaining a control word. Two or more subkeys are obtained in a receiver. Each subkey was encrypted under control of a key received in an entitlement message or transformed under control of a seed received in an entitlement message. After decryption or transformation, the subkeys are combined to obtain the control word. Typically at least one of the entitlement messages is a positive entitlement message and at least one of the entitlement messages is a negative entitlement message. Embodiments of the invention can be used in a conditional access system such as a Pay-TV system.

Abstract: A digital signature generation (DSG) process which provides resistance against white box attackers is disclosed. This is done by applying specially selected data transformations to the inputs, outputs and internal parameters of the algorithm. In particular, the signatory's private key does not appear in the clear in our protected implementation. Our new white box implementation produces signatures that are compatible with signatures created by conventional implementations; thus our solution facilitates interoperability and can be used as a drop-in replacement for conventional implementations. In particular, we describe transformations to the key (d) and the generator domain parameter (usually denoted G or g) of the digital signature generation processes, such that embodiments of the invention can produce signed messages which appear to a verifier as if the key (d) was used, without actually ever using the key (d).

Abstract: A system and method for producing a massive number of diverse program instances so as to deter differential attacks, collusion, and similar hostile actions. Code portions are shown to be defined in various manners, instantiated, and aggregated. The system and method establishes a very large number of program instances that may be deployed. Furthermore, testing is accomplished over a minimal set of instances to provide for high test coverage and high confidence over the fully deployed in stance set without incurring a high penalty.

Abstract: Embodiments of the invention provide an improved method and an improved receiver for obtaining a control word. Two or more subkeys are obtained in a receiver. Each subkey was encrypted under control of a key received in an entitlement message or transformed under control of a seed received in an entitlement message. After decryption or transformation, the subkeys are combined to obtain the control word. Typically at least one of the entitlement messages is a positive entitlement message and at least one of the entitlement messages is a negative entitlement message. Embodiments of the invention can be used in a conditional access system such as a Pay-TV system.

Abstract: The invention provides a system and a method for securely providing a secret data from a sender to one or more receivers. The receiver uses a sequence of functions originating from a hierarchy of functions to migrate the secret data from an input transform space to an output transform space using a mathematical transformation under control of one or more seeds. The seeds are provided to the receiver by the sender. The sender conditionally allows the receiver to obtain the secret data by controlling the seeds.

Abstract: The invention provides a system and a method for securely providing a secret data from a sender to one or more receivers. The receiver uses a sequence of functions originating from a hierarchy of functions to migrate the secret data from an input transform space to an output transform space using a mathematical transformation under control of one or more seeds. The seeds are provided to the receiver by the sender. The sender conditionally allows the receiver to obtain the secret data by controlling the seeds.

Abstract: A method of protecting the execution of a cryptographic hash function, such as SHA-256, in a computing environment where inputs, outputs and intermediate values can be observed. The method consists of encoding input messages so that hash function inputs are placed in a transformed domain, and then applying a transformed cryptographic hash function to produce an encoded output digest; the transformed cryptographic hash function implements the cryptographic hash function in the transformed domain.

Abstract: A development suite for generating files, such as DRM-protected files, using white-box cryptography. The suite consists of a code generation tool, a data transformation engine, and a white-box data generation tool, and a white-box library. In the white-box cryptography context, the data transformation engine is used to protect the boundary between the cryptographic operation and the surrounding code. In particular, the data transformation engine is used to apply data transformations to the inputs to and outputs from the cryptographic operations. If the user specifies that transformations are required via a white-box parameterization file, the code generation tool puts the information specified by the user into a form the data transformation engine understands, namely as qualifiers on data variables and function prototypes. The data transformation engine then applies the specified transformations, and passes information to the data generation tool regarding which transformations were chosen.

Abstract: A system and method for producing a massive number of diverse program instances so as to deter differential attacks, collusion, and similar hostile actions. Code portions are shown to be defined in various manners, instantiated, and aggregated. The system and method establishes a very large number of program instances that may be deployed. Furthermore, testing is accomplished over a minimal set of instances to provide for high test coverage and high confidence over the fully deployed instance set without incurring a high testing penalty.

Abstract: A digital signature generation (DSG) process which provides resistance against white box attackers is disclosed. This is done by applying specially selected data transformations to the inputs, outputs and internal parameters of the algorithm. In particular, the signatory's private key does not appear in the clear in our protected implementation. Our new white box implementation produces signatures that are compatible with signatures created by conventional implementations; thus our solution facilitates interoperability and can be used as a drop-in replacement for conventional implementations. In particular, we describe transformations to the key (d) and the generator domain parameter (usually denoted G or g) of the digital signature generation processes, such that embodiments of the invention can produce signed messages which appear to a verifier as if the key (d) was used, without actually ever using the key (d).

Abstract: A development suite for generating files, such as DRM-protected files, using white-box cryptography. The suite consists of a code generation tool, a data transformation engine, and a white-box data generation tool, and a white-box library. In the white-box cryptography context, the data transformation engine is used to protect the boundary between the cryptographic operation and the surrounding code. In particular, the data transformation engine is used to apply data transformations to the inputs to and outputs from the cryptographic operations. If the user specifies that transformations are required via a white-box parameterization file, the code generation tool puts the information specified by the user into a form the data transformation engine understands, namely as qualifiers on data variables and function prototypes. The data transformation engine then applies the specified transformations, and passes information to the data generation tool regarding which transformations were chosen.

Abstract: The invention provides a system and a method for securely providing a secret data from a sender to one or more receivers. The receiver uses a sequence of functions originating from a hierarchy of functions to migrate the secret data from an input transform space to an output transform space using a mathematical transformation under control of one or more seeds. The seeds are provided to the receiver by the sender. The sender conditionally allows the receiver to obtain the secret data by controlling the seeds.

Abstract: Embodiments of the invention provide an improved method and an improved receiver for obtaining a control word. Two or more subkeys are obtained in a receiver. Each subkey was encrypted under control of a key received in an entitlement message or transformed under control of a seed received in an entitlement message. After decryption or transformation, the subkeys are combined to obtain the control word. Typically at least one of the entitlement messages is a positive entitlement message and at least one of the entitlement messages is a negative entitlement message. Embodiments of the invention can be used in a conditional access system such as a Pay-TV system.