Abstract: A secure cloud-based node-locking service with built-in attack detection to eliminate fuzzing, cloning and other attacks is disclosed. White-box base files are securely stored on the cloud service and are not vulnerable to accidental leakage. A secure cloud-based dynamic secret encoding service reduces the risk of exposure of unprotected secrets and other sensitive data.

Abstract: A method and apparatus, and system for providing device credentials to a plurality of devices is disclosed.

Abstract: A system and method for provisioning confidential data such as unique credentials is described. The technique initializes a whitebox cryptographic software module to a particular PKI client to soft-lock whitebox cryptographic operations to the particular PKI client and uniquely encrypting the credentials with a node-locking key (NLK) derivable from a digital certificate.

Abstract: A secure cloud-based node-locking service with built-in attack detection to eliminate fuzzing, cloning and other attacks is disclosed. White-box base files are securely stored on the cloud service and are not vulnerable to accidental leakage. A secure cloud-based dynamic secret encoding service reduces the risk of exposure of unprotected secrets and other sensitive data.

Abstract: A secure cloud-based node-locking service with built-in attack detection to eliminate fuzzing, cloning and other attacks is disclosed. White-box base files are securely stored on the cloud service and are not vulnerable to accidental leakage. A secure cloud-based dynamic secret encoding service reduces the risk of exposure of unprotected secrets and other sensitive data.

Abstract: A cloud-based system and method for encrypting media content is disclosed. The system comprises a key server microservice, for receiving control word requests and for generating encoded control words and a software encryption microservice, communicatively coupled to the key server microservices, the encryption microservice for receiving the media content, for generating the control word requests, for receiving the encoded control words, and for white-box encrypting the media content according to the generated encoded control words.

Abstract: A secure cloud-based node-locking service with built-in attack detection to eliminate fuzzing, cloning and other attacks is disclosed. White-box base files are securely stored on the cloud service and are not vulnerable to accidental leakage. A secure cloud-based dynamic secret encoding service reduces the risk of exposure of unprotected secrets and other sensitive data.

Abstract: A method and video decoder system using the method are provided for identifying video frames in an encoded or encrypted video stream without performing decoding or decryption. The method includes: receiving a video data stream comprised of a plurality of transport stream (TS) packets; detecting a first video frame in the video data stream, wherein detection of the first video frame includes registering a last checked position at the start of the video data stream, examining bytes in a next TS packet to identify a predetermined pattern indicating a network abstraction layer (NAL) unit, repeating the examining step until two TS packets have been identified that include an NAL unit, wherein the last checked position is updated after each examining step, and identifying a video frame based on a position of the NAL unit identified in the two TS packets; and repeating the detecting step for a plurality of additional video frames in the video data stream.

Abstract: A method and video decoder system using the method are provided for identifying video frames in an encoded or encrypted video stream without performing decoding or decryption. The method includes: receiving a video data stream comprised of a plurality of transport stream (TS) packets; detecting a first video frame in the video data stream, wherein detection of the first video frame includes registering a last checked position at the start of the video data stream, examining bytes in a next TS packet to identify a predetermined pattern indicating a network abstraction layer (NAL) unit, repeating the examining step until two TS packets have been identified that include an NAL unit, wherein the last checked position is updated after each examining step, and identifying a video frame based on a position of the NAL unit identified in the two TS packets; and repeating the detecting step for a plurality of additional video frames in the video data stream.

Abstract: A method and system provide the ability to enforce application protection in the cloud. A request to register an application is received in a registration tool executing within a cloud computing environment. The registration tool collects application information data and protection policy settings, and registers the application by returning, to a build-time environment, a secure protection authorization (SPA) certificate that authorizes the application to be built. A build registration tool executing in the cloud computing environment receives, from a cloud protection toolchain executing in the build-time environment, signed build-data that includes the SPA and build information for a build of the application. After determining, in the cloud, that the SPA is authenticate, developer credentials are authorized, and the build information is valid, the build registration tool responds to the cloud protection toolchain that the build for the application is authorized.

Abstract: A method and system provide the ability to dynamically verify an executable. Encrypted build data and developer permissions are received from a first developer into a build registration tool within a secure cloud computing environment. The encrypted build data includes a build identification (ID), a dynamic code signing certificate (CER), and developer credentials. The build registration tool authenticates the developer credentials based on developer permissions. A dynamic code signing tool (within the secure cloud computing environment) decrypts the encrypted build data and activates the executable by dynamically signing the executable to obtain a dynamic code signature (SEC). The SEC is delivered for runtime deployment.

Abstract: A method for whitebox cryptography is provided for computing an algorithm (m,S) with input m and secret S, using one or more white-box encoded operations. The method includes accepting an encoded input c, where c=Enc(P,m); accepting an encoded secret S?, where S?=Enc(P,S); performing one or more operations on the encoded input c and the encoded secret S? modulo N to obtain an encoded output c?; and decoding the encoded output c? with the private key p to recover an output m? according to m?=Dec(p,c?), such that m?=(m,S).

Abstract: A method and video decoder system using the method are provided for identifying video frames in an encoded or encrypted video stream without performing decoding or decryption. The method includes: receiving a video data stream comprised of a plurality of transport stream (TS) packets; detecting a first video frame in the video data stream, wherein detection of the first video frame includes registering a last checked position at the start of the video data stream, examining bytes in a next TS packet to identify a predetermined pattern indicating a network abstraction layer (NAL) unit, repeating the examining step until two TS packets have been identified that include an NAL unit, wherein the last checked position is updated after each examining step, and identifying a video frame based on a position of the NAL unit identified in the two TS packets; and repeating the detecting step for a plurality of additional video frames in the video data stream.

Abstract: A method is provided to dynamically encode data at runtime with a tagged data element in a program associated with an obfuscation algorithm randomly selected during runtime. Instructions for invoking the obfuscation algorithm are generated when a compiler encounters the tagged variable in the source code. At runtime, unencoded data is encoded by the obfuscation algorithm when the unencoded data is copied to the tagged data element; encoded data is re-encoded by the obfuscation algorithm when the encoded data is copied from a differently tagged data element to the tagged data element, wherein the differently tagged data element is associated with a different obfuscation algorithm; and encoded data is decoded by the obfuscation algorithm when the encoded data is copied from the tagged data element to an untagged data element.

Abstract: A method and system are provided for processing a media stream including at least a portion of a media program in a player executed by a computer. The player is configured for: (a) receiving the media stream, wherein the media stream is comprised of one or more chunks; (b) subdividing the chunks into one or more packets, wherein one or more of the packets include video data; (c) obfuscating or de-obfuscating at least some of the video data; and (d) concatenating the video data into one or more frames for playback by the player.

Abstract: Systems and methods are provided for digital rights management of licensed media content. Client library components and server library components provide digital rights management services. A client-side hosting application accesses client library functionality through invocation of client application programming interfaces (APIs). A server-side hosting application accesses server library functionality through invocation of server APIs. Licenses for specific media content can be requested and issued, and appropriately licensed media content can be played. Client and server library components can function essentially absent direct communication, such as that employing a transport layer. Communications between client and server library components can be carried by the hosting applications.

Abstract: A method for whitebox cryptography is provided for computing an algorithm (m,S) with input m and secret S, using one or more white-box encoded operations. The method includes accepting an encoded input c, where c=Enc(P,m); accepting an encoded secret S?, where S?=Enc(P,S); performing one or more operations on the encoded input c and the encoded secret S? modulo N to obtain an encoded output c?; and decoding the encoded output c? with the private key p to recover an output m? according to m?=Dec(p,c?), such that m?=(m,S).

Abstract: A method and system are provided for securely storing and retrieving live off-disk media programs. Events delineate media segments, each of which are encrypted with a different key so as to be streamable to a remote device via digital living network alliance (DLNA) or HTTP live streaming protocols. Media segments and identifiers for managing the storage and retrieval of such media segments are compatible with live streaming data structures, obviating the need to re-encrypt data streams.

Abstract: A method and system are provided for processing a media stream including at least a portion of a media program in a player executed by a computer. The player is configured for: (a) receiving the media stream, wherein the media stream is comprised of one or more chunks; (b) subdividing the chunks into one or more packets, wherein one or more of the packets include video data; (c) obfuscating or de-obfuscating at least some of the video data; and (d) concatenating the video data into one or more frames for playback by the player.

Abstract: A source device determines content rights for encrypted content in the first encoding standard using a first rights data file. The source device creates a second rights data file for transcoded content in the second encoding standard. The source device performs a key management operation including communicating a decryption key for the encrypted content in the first encoding standard to a transcoder. The source device transfers the encrypted content in the first encoding standard to the transcoder. The transcoder decrypts the encrypted content, transcodes the content from the first encoding standard to the content in the second encoding standard, and re-encrypts the content in the second encoding standard using a second encryption key. The transcoder then transfers the encrypted content in the second encoding standard to an indicated device.