METHOD AND SYSTEM FOR CONTROL OF CODE EXECUTION ON A GENERAL PURPOSE COMPUTING DEVICE AND CONTROL OF CODE EXECUTION IN A RECURSIVE SECURITY PROTOCOL

US 20130238902A1
Filed: 04/02/2013
Published: 09/12/2013
Est. Priority Date: 06/20/2002
Status: Active Grant

First Claim

Patent Images

1. A method for controlling the execution of code on an endpoint device comprising:

receiving a first bitstream at a device;

obtaining a first key corresponding to the first bitsteam, wherein the first key was created by hashing the first bitstream and encrypting the hashed first bitstream;

authenticating the first bitstream using hardware at the device operable to access a first secret key specific to the device which is stored in the hardware of the device and is accessible when the device is executing in secure mode, wherein authenticating the first bitstream comprises;

hashing the first bitstream;

generating a second key by encrypting the hashed first bitstream, wherein the encryption of the hashed first bitstream is done in the hardware of the device and the hardware attempts to access the first secret key specific to the device and uses the result of the access in the encryption;

comparing the generated second key with the first key; and

if the second key and the first key match, executing the first bitstream on the processor in secured mode.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of systems and methods which provide highly specific control over the execution of general-purpose code block are disclosed. These embodiments may allow the exact circumstances under which a given code block is allowed to execute to be determined with specificity. Such a control mechanism may be coupled with embodiments of a data hiding system and method, based for example, on an ordered execution of a set of code segments implemented via recursive execution. When embodiments of these systems and methods are utilized together an unencumbered generality as well as a level of protection against attack that surpasses many other security systems may be obtained.

Citations

17 Claims

1. A method for controlling the execution of code on an endpoint device comprising:
- receiving a first bitstream at a device;
  
  obtaining a first key corresponding to the first bitsteam, wherein the first key was created by hashing the first bitstream and encrypting the hashed first bitstream;
  
  authenticating the first bitstream using hardware at the device operable to access a first secret key specific to the device which is stored in the hardware of the device and is accessible when the device is executing in secure mode, wherein authenticating the first bitstream comprises;
  
  hashing the first bitstream;
  
  generating a second key by encrypting the hashed first bitstream, wherein the encryption of the hashed first bitstream is done in the hardware of the device and the hardware attempts to access the first secret key specific to the device and uses the result of the access in the encryption;
  
  comparing the generated second key with the first key; and
  
  if the second key and the first key match, executing the first bitstream on the processor in secured mode.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the first bitstream comprises a first encryption engine, and executing the first bitstream comprises decrypting encrypted digital content associated with the first bitstream using the first encryption engine and the first secret key specific to the device and the execution of the first bitstream is done in secure mode.
  - 3. The method of claim 2, wherein if the second key and the first key do not match:
    - determining if the first bitstream is encrypted and if the first bitstream is encrypted;
      
      obtaining a second bitstream;
      
      authenticating the second bitstream using the hardware at the device operable to access the first secret key specific to the device which is stored in the hardware, wherein authenticating the second bitstream comprises;
      
      obtaining a third key corresponding to the second bitsteam, wherein the third key was created by hashing the second bitstream and encrypting the hashed second bitstream;
      
      hashing the second bitstream;
      
      generating a fourth key by encrypting the hashed second bitstream, wherein the encryption of the hashed second bitstream is done in the hardware of the device and the hardware attempts to access the first secret key specific to the device and uses the result of this access in the encryption;
      
      comparing the generated fourth key with the third key; and
      
      if the fourth key and the third key match, executing the second bitstream on the processor in secured mode.
  - 4. The method of claim 3, wherein the second bitstream comprises a second encryption engine, and executing the second bitstream comprises decrypting both the first bitstream and the encrypted digital content with the second encryption engine using the first secret key specific to the device, wherein the execution of the second bitstream is done in secure mode.
  - 5. The method of claim 4, wherein the authentication of the second bitstream and execution of the second bitstream is done before the execution of the first bitstream.
  - 6. The method of claim 5, further comprising authenticating the first bitstream after the execution of the second bitstream and before the execution of the first bitstream.
  - 7. The method of claim 6, wherein the first bitstream, second bitstream, encrypted digital content, first key and third key were received in a message, the message generated by:
    - encrypting the digital content with the first encryption engine of the first bitstream;
      
      generating the first key by hashing the first bitstream and encrypting the hashed first bitstream with the first secret key specific to the device;
      
      associating the first key, first bitstream and encrypted digital content;
      
      encrypting the associated the first key, first bitstream and encrypted digital content with the second encryption engine of the second bitstream;
      
      generating the third key by hashing the second bitstream and encrypting the hashed second bitstream with the first secret key specific to the device;
      
      associating the first decryption algorithm with the first encrypted bitstream; and
      
      associating the third key, second bitstream and encrypted associated first key, first bitstream and encrypted digital content.

8. A system for controlling the execution of code, comprising:
- a device, comprising;
  
  a processor;
  
  first hardware for storing a first secret key;
  
  second hardware operable to;
  
  access the first secret key when the processor is executing in secured mode, and implement an encryption algorithm using the first secret keya computer readable storage media comprising instructions executable by the processor for;
  
  receiving a first bitstream at the device;
  
  obtaining a first key corresponding to the first bitsteam, wherein the first key was created by hashing the first bitstream and encrypting the hashed first bitstream;
  
  authenticating the first bitstream using the second hardware at the device wherein authenticating the first bitstream comprises;
  
  hashing the first bitstream;
  
  generating a second key by encrypting the hashed first bitstream, wherein the encryption of the hashed first bitstream is done in the second hardware of the device and the second hardware attempts to access the first secret key specific to the device and uses the result of the access in the encryption;
  
  comparing the generated second key with the first key; and
  
  if the second key and the first key match, executing the first bitstream on the processor in secured mode.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the first bitstream comprises a first encryption engine, and executing the first bitstream comprises decrypting encrypted digital content associated with the first bitstream using the first encryption engine and the first secret key specific to the device and the execution of the first bitstream is done in secure mode.
  - 10. The system of claim 9, wherein if the second key and the first key do not match the instructions are further operable for:
    - determining if the first bitstream is encrypted and if the first bitstream is encrypted;
      
      obtaining a second bitstream;
      
      authenticating the second bitstream using the second hardware at the device operable to access the first secret key specific to the device which is stored in the first hardware, wherein authenticating the second bitstream comprises;
      
      obtaining a third key corresponding to the second bitsteam, wherein the third key was created by hashing the second bitstream and encrypting the hashed second bitstream;
      
      hashing the second bitstream;
      
      generating a fourth key by encrypting the hashed second bitstream, wherein the encryption of the hashed second bitstream is done in the second hardware of the device and the second hardware attempts to access the first secret key specific to the device and uses the result of this access in the encryption;
      
      comparing the generated fourth key with the third key; and
      
      if the fourth key and the third key match, executing the second bitstream on the processor in secured mode.
  - 11. The system of claim 10, wherein the second bitstream comprises a second encryption engine, and executing the second bitstream comprises decrypting both the first bitstream and the encrypted digital content with the second encryption engine using the first secret key specific to the device, wherein the execution of the second bitstream is done in secure mode.
  - 12. The system of claim 11, wherein the authentication of the second bitstream and execution of the second bitstream is done before the execution of the first bitstream.
  - 13. The system of claim 12, wherein the instructions are operable for authenticating the first bitstream after the execution of the second bitstream and before the execution of the first bitstream.
  - 14. The system of claim 13, wherein the first bitstream, second bitstream, encrypted digital content, first key and third key were received in a message, the message generated by:
    - encrypting the digital content with the first encryption engine of the first bitstream;
      
      generating the first key by hashing the first bitstream and encrypting the hashed first bitstream with the first secret key specific to the device;
      
      associating the first key, first bitstream and encrypted digital content;
      
      encrypting the associated the first key, first bitstream and encrypted digital content with the second encryption engine of the second bitstream;
      
      generating the third key by hashing the second bitstream and encrypting the hashed second bitstream with the first secret key specific to the device;
      
      associating the first decryption algorithm with the first encrypted bitstream; and
      
      associating the third key, second bitstream and encrypted associated first key, first bitstream and encrypted digital content.

15. A non-transitory computer readable media, comprising instructions executable by a processor for controlling the execution of code on an endpoint device, including instructions executable for:
- receiving a first bitstream at a device;
  
  obtaining a first key corresponding to the first bitsteam, wherein the first key was created by hashing the first bitstream and encrypting the hashed first bitstream;
  
  authenticating the first bitstream using hardware at the device operable to access a first secret key specific to the device which is stored in the hardware of the device and is accessible when the device is executing in secure mode, wherein authenticating the first bitstream comprises;
  
  hashing the first bitstream;
  
  generating a second key by encrypting the hashed first bitstream, wherein the encryption of the hashed first bitstream is done in the hardware of the device and the hardware attempts to access the first secret key specific to the device and uses the result of the access in the encryption;
  
  comparing the generated second key with the first key; and
  
  if the second key and the first key match, executing the first bitstream on the processor in secured mode.
- View Dependent Claims (16, 17)
- - 16. The method of claim 15, wherein the first bitstream comprises a first encryption engine, and executing the first bitstream comprises decrypting encrypted digital content associated with the first bitstream using the first encryption engine and the first secret key specific to the device and the execution of the first bitstream is done in secure mode.
  - 17. The computer readable media of claim 16, wherein if the second key and the first key do not match the instructions are further operable for:
    - determining if the first bitstream is encrypted and if the first bitstream is encrypted;
      
      obtaining a second bitstream;
      
      authenticating the second bitstream using the hardware at the device operable to access the first secret key specific to the device which is stored in the hardware, wherein authenticating the second bitstream comprises;
      
      obtaining a third key corresponding to the second bitsteam, wherein the third key was created by hashing the second bitstream and encrypting the hashed second bitstream;
      
      hashing the second bitstream;
      
      generating a fourth key by encrypting the hashed second bitstream, wherein the encryption of the hashed second bitstream is done in the hardware of the device and the hardware attempts to access the first secret key specific to the device and uses the result of this access in the encryption;
      
      comparing the generated fourth key with the third key; and
      
      if the fourth key and the third key match, executing the second bitstream on the processor in secured mode.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Torus Ventures LLC (Jeffrey M. Gross)
Original Assignee
Rubicon Labs, Inc.
Inventors
Oxford, William V.

Granted Patent

US 9,705,677 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/121   Restricting unauthorised ex...

G06F 21/51   at application loading time...

G06F 2221/2107   File encryption

H04L 2209/60   Digital content management,...

H04L 63/0428   wherein the data content is...

H04L 63/0478   applying multiple layers of...

H04L 63/06   for supporting key manageme...

H04L 63/12   Applying verification of th...

H04L 9/14   using a plurality of keys o...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3247   involving digital signatures

METHOD AND SYSTEM FOR CONTROL OF CODE EXECUTION ON A GENERAL PURPOSE COMPUTING DEVICE AND CONTROL OF CODE EXECUTION IN A RECURSIVE SECURITY PROTOCOL

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR CONTROL OF CODE EXECUTION ON A GENERAL PURPOSE COMPUTING DEVICE AND CONTROL OF CODE EXECUTION IN A RECURSIVE SECURITY PROTOCOL

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links