Software protection method utilizing hidden application code in a protection dynamic link library object

US 20030097577A1
Filed: 11/18/2002
Published: 05/22/2003
Est. Priority Date: 11/20/2001
Status: Active Grant

First Claim

Patent Images

1. A method of protecting software from unauthorized use, comprising the steps of:

(a) encrypting a first portion (C) of a compiled application code (A) according to an encryption key (K) to produce an encrypted code (C*);

(b) storing the encrypted code (C*) in a dynamic link library (DLL) associated with the software application;

(c) generating a value (Ck) derived from at least a part of the compiled application code (A);

(d) generating a second value (K*) derived from the value (Ck) and the encryption key (K); and

(e) storing the second value (K*) in a hardware security device.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method in which the operating system of the user computer loads the software application and a DLL having a portion of the application execution code stored therein into memory is disclosed. At selected points during its execution, the software application calls the DLL to execute a portion of the application code that was saved into the DLL before delivery to the end user. Since this code is encrypted and the encryption key is stored in a hardware security device and not in the DLL or the software application, the application code portion cannot be executed without recovering the key.

Citations

68 Claims

1. A method of protecting software from unauthorized use, comprising the steps of:
- (a) encrypting a first portion (C) of a compiled application code (A) according to an encryption key (K) to produce an encrypted code (C*);
  
  (b) storing the encrypted code (C*) in a dynamic link library (DLL) associated with the software application;
  
  (c) generating a value (Ck) derived from at least a part of the compiled application code (A);
  
  (d) generating a second value (K*) derived from the value (Ck) and the encryption key (K); and
  
  (e) storing the second value (K*) in a hardware security device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 2. The method of claim 1, wherein the value (Ck) is derived from at least a part of a second portion (A)-(C) of the compiled application code (A).
  - 3. The method of claim 1, further comprising the steps of compiling an uncompiled application code to produce the compiled application code (A);
    - and selecting the first portion (C) of the compiled application code (A) for encryption and storage in the DLL.
  - 4. The method of claim 1, further comprising the step of generating an encryption key K.
  - 5. The method of claim 1, wherein the encryption key K is randomly generated.
  - 6. The method of claim 1, wherein the encryption key K is a symmetric key.
  - 7. The method of claim 1, wherein the value (Ck) is a checksum derived from at least a part of the compiled application code (A).
  - 8. The method of claim 1, wherein the second value (K*) is derived according to K*=K XOR (Ck).
  - 9. The method of claim 1, further comprising the steps of:
    - (f) generating the value (Ck) derived from the at least a part of the compiled application code (A);
      
      (g) generating a random number (R);
      
      (h) generating a third value (X) from the value (Ck) and the random number (R);
      
      (j) transmitting the third value (X) to the hardware security device;
      
      (k) generating a fifth value (Y) from the third value (X) and the second value (K*);
      
      (l) transmitting the fifth value (Y) to the DLL;
      
      (m) computing a seventh value (K′
      
      ) from the fifth value (Y) and the random number (R); and
      
      (n) decrypting the encrypted code (C*) using the seventh value (K′
      
      ).
  - 10. The method of claim 9, wherein:
    - the value (Ck) generated in step (c) is derived from at least a part of a second portion (A)-(C) of the compiled application code (A); and
      
      the value (Ck) generated in step (f) is derived from at least a part of the second portion (A)-(C) of the compiled application code (A).
  - 11. The method of claim 9, wherein steps (f) and (h) are performed in the DLL.
  - 12. The method of claim 9, wherein steps (f)-(h) are performed in the DLL.
  - 13. The method of claim 9, wherein:
    - the value (Ck) is generated in step (c) is a checksum derived from at least a part of a second portion (A)-(C) of the compiled application code (A); and
      
      the value (Ck) generated in step (f) is a checksum derived from at least a part of the second portion (A)-(C) of the compiled application code (A).
  - 14. The method of claim 9, wherein the third value X=Ck XOR R.
  - 15. The method of claim 9, wherein:
    - step (k) is performed in the hardware security device; and
      
      step (m) is performed by the DLL.
  - 16. The method of claim 9, wherein:
    - step (k) is performed in the hardware security device; and
      
      steps (m) and (n) are performed by the DLL.
  - 17. The method of claim 9, further comprising the step of calling the DLL from the software application to execute the first portion of the application code (C).
  - 18. The method of claim 9, wherein:
    - the method further comprises the steps of;
      
      generating a key pair having a public key K_puand private key K_pr;
      
      storing the private key K_prin a memory of a hardware security device;
      
      storing the public key K_pu;
      
      the step of transmitting the third value to the hardware security device comprises the steps of;
      
      encrypting the third value with the public key K_puto produce a fourth value (X*);
      
      decrypting the fourth value (X*) using the private key K_prto produce the third value (X); and
      
      the step of transmitting the fifth value to the DLL comprises the steps of;
      
      encrypting the fifth value (Y) according to the private key K_prto produce a sixth value (Y*); and
      
      decrypting the sixth value (Y*) with the public key K_puto produce the fifth value (Y).
  - 19. The method of claim 18, wherein the public key K_puis stored in the DLL.
  - 20. The method of claim 18, wherein the public key K_puis stored in the software application.
  - 21. The method of claim 18, wherein the step of encrypting the third value (X) with the public key K_puto produce a fourth value (X*) is performed in the DLL.
  - 22. The method of claim 18, wherein the step of decrypting the fourth value (X*) using the private key K_prto produce the third value (X) is performed in the hardware security device.
  - 23. The method of claim 9, further comprising the step of:
    - executing the decrypted code (C) to produce a result; and
      
      re-encrypting the decrypted code (C) according to the encryption key (K).
  - 24. The method of claim 23, wherein the steps of executing the decrypted code (C) to produce a result and re-encrypting the decrypted code (C) according to the encryption key (K) are performed by the DLL.
  - 25. The method of claim 23, further comprising the step of:
    - saving the result after executing the decrypted code (C) and before re-encrypting the decrypted code (C) according to the encryption key (K).

26. A method of protecting a software application expressed in application code from unauthorized use, comprising the steps of:
- (a) generating a value (Ck) derived from a least a part from a complied application code (A);
  
  (b) generating a random number (R);
  
  (c) generating a third value X from the from the value (Ck) and the random number (R);
  
  (d) generating a fifth value (Y) from the third value (X) and a second value (K*), wherein the second value (K*) is derived from the value (Ck) and an encryption key (K) used to encrypt a portion (C) of the compiled application code (A) to produce an encrypted code (C*) before the software application is distributed to a user;
  
  (e) computing a seventh value (K′
  
  ) from the fifth value (Y) and the random number (R);
  
  (f) decrypting the encrypted portion (C) of the compiled application code (A) using the seventh value (K′
  
  ).
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34)
- - 27. The method of claim 26, wherein the value (Ck) is derived at least in part from at least part of a second portion (A)-(C) of a compiled application code (A), wherein the second portion (A)-(C) is a portion remaining after the portion (C) of the compiled application code (A) is removed.
  - 28. The method of claim 26, wherein the value (Ck) is a checksum of at least part of the compiled application code (A).
  - 29. The method of claim 26, wherein steps (a) and (c) are performed in a dynamic link library (DLL).
  - 30. The method of claim 26, wherein steps (a)-(c) are performed in a dynamic link library (DLL).
  - 31. The method of claim 26, wherein steps (a)-(c) and (e)-(f) are performed in a dynamic link library (DLL).
  - 32. The method of claim 26, wherein the fifth value is generated in a hardware security device and the method further comprises the steps of:
    - transmitting the third value (X) to the hardware security device after generating the third value (X) from the value (Ck) and the random number (R); and
      
      transmitting the fifth value (Y) from the hardware security device to a dynamic link library (DLL) after generating the fifth value (Y) from the third value (X) and the second value (K*).
  - 33. The method of claim 32, wherein:
    - the DLL stores a public key K_pu;
      
      the hardware key includes a private key K_pr;
      
      the step of transmitting the third value to the hardware security device comprises the steps of;
      
      encrypting the third value with the public key K_puto produce a fourth value X*;
      
      decrypting the fourth value X* using the private key K_prto produce the third value X; and
      
      the step of transmitting the fifth value to the DLL comprises the steps of;
      
      encrypting the fifth value (Y) according to the private key K_prto produce a sixth value (Y*); and
      
      decrypting the sixth value (Y*) according to the public key K_puto produce the fifth value (Y).
  - 34. The method of claim 33, wherein:
    - the step of encrypting the third value with the public key to produce a fourth value and the step of decrypting the sixth value (Y*) to produce the fifth value (Y) are performed in the DLL; and
      
      the step of decrypting the fourth value (X*) using the private key to produce the third value X and the step of encrypting the fifth value (Y) according to the public key K_puto produce a sixth value (Y*) are performed in the hardware security device.

35. An apparatus of protecting software from unauthorized use, comprising:
- (a) means for encrypting a first portion (C) of a compiled application code (A) according to an encryption key (K) to produce an encrypted code (C*);
  
  (b) means for storing the encrypted code (C*) in a dynamic link library (DLL) associated with the software application;
  
  (c) means for generating a value (Ck) derived from at least a part of the compiled application code (A);
  
  (d) means for generating a second value (K*) derived from the value (Ck) and the encryption key (K); and
  
  (e) means for storing the second value (K*) in a hardware security device.
- View Dependent Claims (36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59)
- - 36. The apparatus of claim 35, wherein the value (Ck) is derived from at least a part of a second portion (A)-(C) of the compiled application code (A).
  - 37. The apparatus of claim 35, further comprising:
    - means for compiling an uncompiled application code to produce the compiled application code (A); and
      
      means for selecting the first portion (C) of the compiled application code (A) for encryption and storage in the DLL.
  - 38. The apparatus of claim 35, further comprising means for generating an encryption key K.
  - 39. The apparatus of claim 35, wherein the encryption key K is randomly generated.
  - 40. The apparatus of claim 35, wherein the encryption key K is a symmetric key.
  - 41. The apparatus of claim 35, wherein the value (Ck) is a checksum derived from at least a part of the compiled application code (A).
  - 42. The apparatus of claim 35, wherein the second value (K*) is derived according to K*=K XOR (Ck).
  - 43. The apparatus of claim 35, further comprising:
    - (f) means for generating the value (Ck) derived from the at least a part of the compiled application code (A);
      
      (g) means for generating a random number (R);
      
      (h) means for generating a third value (X) from the value (Ck) and the random number (R);
      
      (j) means for transmitting the third value (X) to the hardware security device;
      
      (k) means for generating a fifth value (Y) from the third value (X) and the second value (K*);
      
      (l) means for transmitting the fifth value (Y) to the DLL;
      
      (m) means for computing a seventh value (K′
      
      ) from the fifth value (Y) and the random number (R); and
      
      (n) means for decrypting the encrypted code (C*) using the seventh value (K′
      
      ).
  - 44. The apparatus of claim 43, wherein:
    - the value (Ck) is derived from at least a part of the second portion (A)-(C) of the compiled application code (A).
  - 45. The apparatus of claim 43, wherein the means for generating the value (Ck) derived from the at least a part of the compiled application code (A) and the means for generating a random number (R) comprises the DLL.
  - 46. The apparatus of claim 43, wherein the means for generating the value (Ck) derived from the at least a part of the compiled application code (A), for generating a random number (R), and for generating a third value (X) from the value (Ck) and the random number (R) comprises the DLL.
  - 47. The apparatus of claim 43, wherein:
    - the value (Ck) is a checksum derived from at least a part of the second portion (A)-(C) of the compiled application code (A).
  - 48. The apparatus of claim 43, wherein the third value X=Ck XOR R.
  - 49. The apparatus of claim 43, wherein:
    - the means for generating a fifth value (Y) from the third value (X) and the second value (K*) comprises the hardware security device; and
      
      the means for computing a seventh value (K′
      
      ) from the fifth value (Y) and the random number (R) comprises the DLL.
  - 50. The apparatus of claim 43, wherein:
    - the means for generating a fifth value (Y) from the third value (X) and the second value (K*) comprises the hardware security device; and
      
      the means for computing a seventh value (K′
      
      ) from the fifth value (Y) and the random number (R), and the means for decrypting the encrypted code (C*) using the seventh value (K′
      
      ) comprises the DLL.
  - 51. The apparatus of claim 43, further comprising means for calling the DLL from the software application to execute the first portion of the application code (C).
  - 52. The apparatus of claim 43, wherein:
    - the apparatus further comprises;
      
      means for generating a key pair having a public key K_puand private key K_pr;
      
      means for storing a private key K_prin a memory of a hardware security device;
      
      means for storing the public key K_pu;
      
      the means for transmitting the third value to the hardware security device comprises;
      
      means for encrypting the third value with the public key K_puto produce a fourth value (X*);
      
      means for decrypting the fourth value (X*) using the private key K_prto produce the third value (X); and
      
      the means for transmitting the fifth value to the DLL comprises;
      
      means for encrypting the fifth value (Y) according to the private key K_prto produce a sixth value (Y*); and
      
      means for decrypting the sixth value (Y*) with the public key K_puto produce the fifth value (Y).
  - 53. The apparatus of claim 52, wherein the public key K_puis stored in the DLL.
  - 54. The apparatus of claim 52, wherein the public key K_puis stored in the software application.
  - 55. The apparatus of claim 52, wherein the means for encrypting the third value (X) with the public key K_puto produce a fourth value (X*) comprises the DLL.
  - 56. The apparatus of claim 52, wherein the means for decrypting the fourth value (X*) using the private key K_prto produce the third value (X) comprises the hardware security device.
  - 57. The apparatus of claim 43, further comprising:
    - means for executing the decrypted code (C) to produce a result; and
      
      means for re-encrypting the decrypted code (C) according to the encryption key (K).
  - 58. The apparatus of claim 57, wherein the means for executing the decrypted code (C) to produce a result and re-encrypting the decrypted code (C) according to the encryption key (K) comprises the DLL.
  - 59. The apparatus of claim 57, further comprising:
    - means for saving the result after executing the decrypted code (C) and before re-encrypting the decrypted code (C) according to the encryption key (K).

60. An apparatus for protecting a software application from unauthorized use, comprising:
- a first software module executing in a developer computer, the first software module for encrypting a first portion (C) of a compiled application code (A) according to an encryption key (K) to produce an encrypted code (C*);
  
  storing the encrypted code (C*) in a dynamic link library (DLL) associated with the software application;
  
  generating a value (Ck) derived from at least a part of the compiled application code (A);
  
  generating a second value (K*) derived from the value (Ck) and the encryption key (K); and
  
  means for storing the second value (K*) in a hardware security device.
- View Dependent Claims (61, 62, 63, 64)
- - 61. The apparatus of claim 60, wherein the value (Ck) is derived from at least a part of a second portion (A)-(C) of the compiled application code (A).
  - 62. The apparatus of claim 60, wherein the value (Ck) is a checksum derived from at least a part of the compiled application code (A).
  - 63. The apparatus of claim 60, wherein the second value (K*) is derived according to K*=K XOR (Ck).
  - 64. The apparatus of claim 60, further comprising:
    - a DLL, the DLL for generating the value (Ck) derived from the at least a part of the compiled application code (A);
      
      generating a random number (R);
      
      generating a third value (X) from the value (Ck) and the random number (R);
      
      transmitting the third value (X) to the hardware security device;
      
      a hardware security device, the hardware security device for generating a fifth value (Y) from the third value (X) and the second value (K*);
      
      transmitting the fifth value (Y) to the DLL;
      
      wherein the DLL further computes a seventh value (K′
      
      ) from the fifth value (Y) and the random number (R) and decrypts the encrypted code (C*) using the seventh value (K′
      
      ).

65. An apparatus for protecting a software application expressed in software application code from unauthorized use, comprising:
- a dynamic link library (DLL), the DLL for generating a value (Ck) derived from a least a part from a complied application code (A);
  
  generating a random number (R);
  
  generating a third value X from the from the value (Ck) and the random number (R);
  
  a hardware security device, the hardware security device for generating a fifth value (Y) from the third value (X) and a second value (K*), wherein the second value (K*) is derived from the value (Ck) and an encryption key (K) used to encrypt a portion (C) of the compiled application code (A) to produce an encrypted code (C*) before the software application is distributed to a user;
  
  wherein the DLL further computes a seventh value (K′
  
  ) from the fifth value (Y) and the random number (R) and decrypts the encrypted portion (C) of the compiled application code (A) using the seventh value (K′
  
  ).
- View Dependent Claims (66, 67)
- - 66. The apparatus of claim 65, wherein the value (Ck) is a checksum of the application code.
  - 67. The apparatus of claim 65, wherein:
    - the DLL further transmits the third value (X) to the hardware security device after generating the third value (X) from the value (Ck) and the random number (R); and
      
      the hardware security device further transmits the fifth value (Y) from the hardware security device to a DLL after generating the fifth value (Y) from the third value (X) and the second value (K*).

68. A method of protecting a software application from unauthorized user, comprising the steps of:
- encrypting a portion of the compiled application code (C) according to an encryption key (K) to produce an encrypted code (C*);
  
  storing the encrypted code (C*) in a dynamic link library (DLL) associated with the software application; and
  
  storing a key (K*) usable to decrypt the encrypted code (C*) in a memory secure from the unauthorized user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Thales DIS CPL USA, Inc. (Thales SA)
Original Assignee
Rainbow Technologies, Inc. (Thales SA)
Inventors
Elteto, Laszlo, Sotoodeh, Mehdi, Grove, Brian Douglas

Granted Patent

US 7,320,075 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/189
CPC Class Codes

G06F 21/109 by using specially-adapted ...

G06F 21/125 by manipulating the program...

Software protection method utilizing hidden application code in a protection dynamic link library object

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

68 Claims

Specification

Solutions

Use Cases

Quick Links

Software protection method utilizing hidden application code in a protection dynamic link library object

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

68 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links