Software protection device and method

US 20030110388A1
Filed: 11/22/2002
Published: 06/12/2003
Est. Priority Date: 12/04/1996
Status: Active Grant

First Claim

Patent Images

1. A hardware key, communicably coupleable with a computer, for enabling a user to execute software on the computer, the hardware key comprising:

a memory for storing data used in translating a command message into a response messages to enable execution of the software on the computer, the memory comprising a plurality of storage locations;

a processor coupled to the memory, the processor interpreting the command messages and generating the response message, the processor comprising a memory manager module logically segmenting the memory into at least one protected segment and controlling access to the protected segment by selectively mapping processor commands to the memory storage locations external to the protected segment.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for protecting computer software from unauthorized execution or duplication using a hardware key is disclosed. The apparatus comprises a means for communicating with the computer to receive command messages from the computer in the hardware key and to provide response messages to the computer, a memory for storing data for translating command messages into response messages enabling software execution, and a processor coupled to the communicating means for translating command messages into response messages using the data stored in the memory. The processor further comprises a memory manager, including means for logically segmenting the memory storing the data into at least one protected segment, and a means for controlling access to the protected segment.

84 Citations

View as Search Results

32 Claims

1. A hardware key, communicably coupleable with a computer, for enabling a user to execute software on the computer, the hardware key comprising:
- a memory for storing data used in translating a command message into a response messages to enable execution of the software on the computer, the memory comprising a plurality of storage locations;
  
  a processor coupled to the memory, the processor interpreting the command messages and generating the response message, the processor comprising a memory manager module logically segmenting the memory into at least one protected segment and controlling access to the protected segment by selectively mapping processor commands to the memory storage locations external to the protected segment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The apparatus of claim 1, wherein the processor is capable of addressing all of the memory storage locations.
  - 3. The hardware key of claim 2, wherein the memory manager abstracts all storage in the memory to virtual address spaces, and provides macros to access the virtual address spaces.
  - 4. The apparatus of claim 2, wherein the memory manager comprises means for programmably logically segmenting the memory.
  - 5. The apparatus of claim 4, wherein the memory storage locations internal to the protected segment are addressed by by a virtual address in a continuous address space formed by concatenation of address space threholds.
  - 6. The apparatus of claim 1 wherein the software comprises an encrypted segment stored in the memory and a plaintext segment stored in the host computer, and the processor comprises a translator comprising:
    - means for decrypting the encrypted segment into plaintext instructions according to a plaintext encryption key (CC0) stored in the protected segment before the hardware key is supplied to the user; and
      
      means for performing the plaintext instructions to generate the response message.
  - 7. The apparatus of claim 6, wherein the plaintext encryption key is stored in the protected segment by a software developer.
  - 8. The apparatus of claim 6, wherein the encrypted segment is stored in the protected segment before the hardware key is supplied to the user.
  - 9. The apparatus of claim 6, wherein the encrypted segment is stored external to the hardware key before the hardware key is supplied to the user and is communicated from the computer to the hardware key after the hardware key is supplied to the user.
  - 10. The apparatus of claim 1, wherein the processor further comprises a programming interface module comprising:
    - means for accessing the protected memory segment; and
      
      means for storing data in the protected memory segment.
  - 11. The apparatus of claim 10, wherein:
    - the software comprises a first segment encrypted acording to an encryption key (CC0) and a second segment; and
      
      the data includes customer specific security data including the encryption key (CC0).
  - 12. The apparatus of claim 10, further comprising means for erasing the protected memory segment whenever the protected memory segment is accessed
  - 13. The apparatus of claim 10, wherein the means for accessing the protected memory segment and for storing data in the protected memory segment further comprises a developer hardware key.
  - 14. The apparatus of claim 1, wherein the processor comprises a translator further comprising:
    - a message decryptor for decrypting command messages from the host computer; and
      
      a message encryptor for encrypting response messages.
  - 15. The apparatus of claim 1, further comprising an application interface linked to the software for translating executable software command instructions into command messages, the application interface stored in the memory of and executed by the computer.
  - 16. The apparatus of claim 15, wherein the application interface comprises a client library for encrypting command messages from the computer, and for decrypting command messages to the computer.
  - 17. The apparatus of claim 1 wherein the memory and the processor are implemented in a single application specific integrated circuit.
  - 18. The apparatus of claim 1 wherein the data comprises instructions defining a plurality of command class modules, and the translator comprises a command class dispatcher for routing command messages to the command class module according to the command message.
  - 19. The apparatus of claim 1 wherein the processor further comprises a license manager, the license manager comprising:
    - means for storing license data in the protected memory segment, the license data comprising means for determining whether a client is authorized to access the software;
      
      means for retrieving license data from the protected memory segment when the client is authorized to access the software; and
      
      means for transmitting the license data to the computer.
  - 20. The apparatus of claim 19, wherein the license manager further comprises means for encrypting the retrieved license data.
  - 21. The apparatus of claim 19 wherein the means for determining whether a client should be granted access to the software comprises a means for determining the number of clients permitted to use the software and a means for determining the number of clients using the software.

22. A method of protecting software executable by a computer from unauthorized access by a user, wherein the software is segmented into a first segment encrypted according to a first encryption key (CC0) and a second software segment (plaintext) comprising the steps of:
- coupling a hardware key to the computer, executing the second software segment in the computer;
  
  decrypting the first software segment in the hardware key using the first encryption key stored in a secure memory of the hardware key unreadable by the user, wherein the software encryption key is stored in the secure memory in plaintext before the hardware key is supplied to the user;
  
  executing the decrypted software segment to produce a response message transmitting a response message to the computer.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. The method of claim 22, wherein the first software segment is stored in the hardware key.
  - 24. The method of claim 22, wherein the first software segment is stored the computer, and the method further comprises the step of transmitting the software segment to the hardware key.
  - 25. The method of claim 24, further comprising the steps of:
    - encrypting the encrypted software segment according to a second (CC1) encryption key before transmitting the encrypted software segment from the computer to the hardware key;
      
      decrypting the encrypted and encrypted software segment according to the second (CC1) encryption key, wherein the second encryption key is stored in the secure memory of the hardware key; and
      
      wherein the step of transmitting the response message to the computer comprises the step of encrypting the response message according to the second encryption key.
  - 26. The method of claim 22, wherein the software was encrypted by a software developer device storing the first encryption key in a developer device secure memory.
  - 27. The method of claim 26, wherein the developer device secure memory is unreadable by the software developer.
  - 28. The method of claim 22, wherein the software was encrypted by a customer specific encryption key.

29. A method of securing software executable on a computer, comprising the steps of:
- storing an encrypted first software segment and a second software segment in a host computer communicatively coupled to a hardware key comprising a hardware key processor and a second hardware key memory having the first encryption key stored therein;
  
  wherein the encrypted software segment is generated by performing the steps of segmenting the software into a first and a second software segment;
  
  transmitting the first software segment to a first hardware key communicatively coupled to a developer computer, the first hardware key comprising a first hardware key processor and a first hardware key memory, the first hardware key memory having a secure segment with the first encryption key stored therein;
  
  encrypting the first software segment using the first encryption key and the first hardware key processor; and
  
  receiving an encrypted first software segment from the first hardware key;
  
  transmitting the encrypted first software segment to the hardware key;
  
  decrypting the encrypted first software segment using the first encryption key to produce first software segment instructions;
  
  storing the first software segment instructions in a secure portion of the second hardware key memory;
  
  performing the first software segment instructions by the second hardware key processor to produce a response message; and
  
  transmitting the response message to the host computer.
- View Dependent Claims (30, 31, 32)
- - 30. The method of claim 29, wherein the response message is encrypted before transmission to the host computer.
  - 31. The method of claim 29 further comprising the steps of:
    - transmitting the encrypted first software segment from the first hardware key to a second hardware key, the second hardware key comprising a second hardware key processor and a second hardware key memory having a secure segment with the first encryption key stored therein; and
      
      storing the encrypted first software segment in the secure segment.
  - 32. The method of claim 31, further comprising the steps of:
    - storing the second software segment in a host computer communicatively coupled to a second hardware key comprising a second hardware key processor and a second hardware key memory having the first encryption key securely stored therein;
      
      decrypting the encrypted first software segment using the first encryption key to produce first software segment instructions;
      
      storing the first software segment instructions in a secure portion of the second hardware key memory;
      
      performing the first software segment instructions by the second hardware key processor to produce a response message; and
      
      transmitting the response message to the host computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SafeNet Incorporated (Thales SA)
Original Assignee
Rainbow Technologies, Inc. (Thales SA)
Inventors
Tibbetts, Reed H., Sotoodeh, Mehdi, Godding, Patrick N., Nixon, Roger Graham, Spiewek, Alain Raymond, Pavlin, Dominique Vincent

Granted Patent

US 7,024,564 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/190
CPC Class Codes

G06F 21/123   by using dedicated hardware...

G06Q 20/0855   involving a third party

Y10S 707/99953   Recoverability

Y10S 707/99956   File allocation

Software protection device and method

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

84 Citations

32 Claims

Specification

Use Cases

Quick Links

Others

Software protection device and method

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

84 Citations

32 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others