Software protection method utilizing hidden application code in a protection dynamic link library object

US 7,320,075 B2
Filed: 11/18/2002
Issued: 01/15/2008
Est. Priority Date: 11/20/2001
Status: Active Grant

First Claim

Patent Images

1. A method of protecting a software application from unauthorized use, the method comprising:

preparing the software application using a computer having a processor and a hardware security device including a secure coprocessor; and

executing the prepared software on an end-user computer having a processor;

wherein the preparing software application comprises;

(a) encrypting a first portion (C) of a compiled application code (A) according to an encryption key (K) using the computer processor to produce an encrypted code (C*);

(b) storing the encrypted code (C*) in a dynamic link library (DLL) executed by the computer processor and associated with the software application;

(c) generating a value (Ck) derived from at least a part of the compiled application code (A);

(d) generating a second value (K*) derived from the value (Ck) and the encryption key (K);

(e) storing the second value (K*) in the hardware security device; and

executing the prepared software on the end-user computer comprises;

(f) generating the value (Ck) derived from the at least a part of the compiled application code (A) with the processor of the end-user computer;

(k) generating a fifth value (Y) with the secure coprocessor based on the second value (K*);

(l) transmitting the fifth value (Y) from the hardware security device to the DLL;

(m) computing a seventh value (K′

) with the processor of the end user computer from the fifth value (Y);

(n) decrypting the encrypted code (C*) with the processor of the end user computer using the seventh value (K′

); and

(o) executing the decrypted code (C) with the processor of the end user computer.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method in which the operating system of the user computer loads the software application and a DLL having a portion of the application execution code stored therein into memory is disclosed. At selected points during its execution, the software application calls the DLL to execute a portion of the application code that was saved into the DLL before delivery to the end user. Since this code is encrypted and the encryption key is stored in a hardware security device and not in the DLL or the software application, the application code portion cannot be executed without recovering the key.

Citations

49 Claims

1. A method of protecting a software application from unauthorized use, the method comprising:
- preparing the software application using a computer having a processor and a hardware security device including a secure coprocessor; and
  
  executing the prepared software on an end-user computer having a processor;
  
  wherein the preparing software application comprises;
  
  (a) encrypting a first portion (C) of a compiled application code (A) according to an encryption key (K) using the computer processor to produce an encrypted code (C*);
  
  (b) storing the encrypted code (C*) in a dynamic link library (DLL) executed by the computer processor and associated with the software application;
  
  (c) generating a value (Ck) derived from at least a part of the compiled application code (A);
  
  (d) generating a second value (K*) derived from the value (Ck) and the encryption key (K);
  
  (e) storing the second value (K*) in the hardware security device; and
  
  executing the prepared software on the end-user computer comprises;
  
  (f) generating the value (Ck) derived from the at least a part of the compiled application code (A) with the processor of the end-user computer;
  
  (k) generating a fifth value (Y) with the secure coprocessor based on the second value (K*);
  
  (l) transmitting the fifth value (Y) from the hardware security device to the DLL;
  
  (m) computing a seventh value (K′
  
  ) with the processor of the end user computer from the fifth value (Y);
  
  (n) decrypting the encrypted code (C*) with the processor of the end user computer using the seventh value (K′
  
  ); and
  
  (o) executing the decrypted code (C) with the processor of the end user computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The method of claim 1, wherein the value (Ck) is derived from at least a part of a second portion (A)-(C) of the compiled application code (A).
  - 3. The method of claim 1, further comprising the steps of compiling an uncompiled application code to produce the compiled application code (A);
    - and selecting the first portion (C) of the compiled application code (A) for encryption and storage in the DLL.
  - 4. The method of claim 1, further comprising the step of generating an encryption key K.
  - 5. The method of claim 1, wherein the encryption key K is randomly generated.
  - 6. The method of claim 1, wherein the encryption key K is a symmetric key.
  - 7. The method of claim 1, wherein the value (Ck) is a checksum derived from at least a part of the compiled application code (A).
  - 8. The method of claim 1, wherein the second value (K*) is derived according to K*=K XOR (Ck).
  - 9. The method of claim 1, wherein:
    - the value (Ck) generated in step (c) is derived from at least a part of a second portion (A)-(C) of the compiled application code (A); and
      
      the value (Ck) generated in step (f) is derived from at least a part of the second portion (A)-(C) of the compiled application code (A).
  - 10. The method of claim 1, wherein:
    - the value (Ck) is generated in step (c) is a checksum derived from at least a part of a second portion (A)-(C) of the compiled application code (A); and
      
      the value (Ck) generated in step (f) is a checksum derived from at least a part of the second portion (A)-(C) of the compiled application code (A).
  - 11. The method of claim 1, wherein, executing the protected software further comprises, after step (f) and before step (k):
    - (g) generating a random number (R);
      
      (h) generating a third value (X) from the value (Ck) and the random number (R); and
      
      (j) transmitting the third value (X) to the hardware security device;
      
      wherein, step (k) further comprises using the third value (X) and the second value (K*) to generate a fifth value (Y) with the secure coprocessor; and
      
      wherein, step (m) further comprises the fifth value (Y) and the random number (R) to compute a seventh value (K′
      
      ) with the processor of the end-user computer.
  - 12. The method of claim 11, wherein steps (f) and (h) are performed by the DLL.
  - 13. The method of claim 11, wherein steps (f)-(h) are performed by the DLL.
  - 14. The method of claim 11, wherein the third value X=Ck XOR R.
  - 15. The method of claim 11, further comprising the step of calling the DLL from the software application to execute the first portion of the application code (C) using the end-user computer processor.
  - 16. The method of claim 11, wherein:
    - the method further comprises the steps of;
      
      generating a key pair having a public key K_puand private key K_pr;
      
      storing the private key K_prin a memory of a hardware security device; and
      
      storing the public key K_pu;
      
      the step of transmitting the third value to the hardware security device comprises the steps of;
      
      encrypting the third value with the public key K_puto produce a fourth value (X*); and
      
      decrypting the fourth value (X*) using the private key K_prto produce the third value (X); and
      
      the step of transmitting the fifth value to the DLL comprises the steps of;
      
      encrypting the fifth value (Y) according to the private key K_prto produce a sixth value (Y*); and
      
      decrypting the sixth value (Y*) with the public key K_puto produce the fifth value (Y).
  - 17. The method of claim 16, wherein the public key K_puis stored in the DLL.
  - 18. The method of claim 16, wherein the public key K_puis stored in the software application.
  - 19. The method of claim 16, wherein the step of encrypting the third value (X) with the public key K_puto produce a fourth value (X*) is performed by the DLL using the computer processor.
  - 20. The method of claim 16, wherein the step of decrypting the fourth value (X*) using the private key K_prto produce the third value (X) is performed by the hardware security device.
  - 21. The method of claim 11, further comprising the step of re-encrypting the decrypted code (C) according to the encryption key (K).
  - 22. The method of claim 21, further comprising the step of:
    - saving the result after executing the decrypted code (C) and before re-encrypting the decrypted code (C) according to the encryption key (K).

23. An apparatus of protecting a software application from unauthorized use, comprising a software preparation means and a software execution means, wherein:
- the software preparation means comprises;
  
  (a) means for encrypting a first portion (C) of a compiled application code (A) according to an encryption key (K) on a computer having a processor to produce an encrypted code (C*);
  
  (b) means for storing the encrypted code (C*) in a dynamic link library (DLL) executed by the computer processor and associated with the software application;
  
  (c) means for generating a value (Ck) derived from at least a part of the compiled application code (A);
  
  (d) means for generating a second value (K*) derived from the value (Ck) and the encryption key (K);
  
  (e) means for storing the second value (K*) in a hardware security device having a secure coprocessor; and
  
  the software execution means comprises;
  
  (f) means for generating the value (Ck) derived from the at least a part of the compiled application code (A) on an end-user computer having a processor;
  
  (k) means for generating a fifth value (Y) with the secure coprocessor based on the second value (K*);
  
  (l) means for transmitting the fifth value (Y) from the hardware security device to the DLL;
  
  (m) means for computing a seventh value (K′
  
  ) with the processor of the end-user computer from the fifth value (Y); and
  
  (n) means for decrypting the encrypted code (C*) with the processor of the end-user computer using the seventh value (K′
  
  ); and
  
  (o) means for executing the decrypted code (C) with the processor of the end-user computer.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45)
- - 24. The apparatus of claim 23, wherein the value (Ck) is derived from at least a part of a second portion (A)-(C) of the compiled application code (A).
  - 25. The apparatus of claim 23, further comprising:
    - means for compiling an uncompiled application code to produce the compiled application code (A); and
      
      means for selecting the first portion (C) of the compiled application code (A) for encryption and storage in the DLL.
  - 26. The apparatus of claim 23, further comprising means for generating an encryption key K.
  - 27. The apparatus of claim 23, wherein the encryption key K is randomly generated.
  - 28. The apparatus of claim 23, wherein the encryption key K is a symmetric key.
  - 29. The apparatus of claim 23, wherein the value (Ck) is a checksum derived from at least a part of the compiled application code (A).
  - 30. The apparatus of claim 23, wherein the second value (K*) is derived according to K*=K XOR (Ck).
  - 31. The apparatus of claim 23, wherein:
    - the value (Ck) is derived from at least a part of the second portion (A)-(C) of the compiled application code (A).
  - 32. An apparatus of claim 23, wherein the software execution means further comprises:
    - (g) means for generating a random number (R);
      
      (h) means for generating a third value (X) from the value (Ck) and the random number (R); and
      
      (j) means for transmitting the third value (X) to the hardware security device;
      
      wherein, (k) further comprises using the third value (X) and the second value (K*) to generate the fifth value (Y); and
      
      wherein, (m) further comprises using the fifth value (Y) and the random number (R) to compute the seventh value (K′
      
      ).
  - 33. The apparatus of claim 32, wherein the means for generating the value (Ck) derived from the at least a part of the compiled application code (A) and the means for generating a random number (R) comprises the DLL and the processor of the end-user computer.
  - 34. The apparatus of claim 32, wherein the means for generating the value (Ck) derived from the at least a part of the compiled application code (A), for generating a random number (R), and for generating a third value (X) from the value (Ck) and the random number (R) comprises the DLL and the processor of the end-user computer.
  - 35. The apparatus of claim 23, wherein:
    - the value (Ck) is a checksum derived from at least a part of the second portion (A)-(C) of the compiled application code (A).
  - 36. The apparatus of claim 32, wherein the third value X=Ck XOR R.
  - 37. The apparatus of claim 32, wherein:
    - the means for generating a fifth value (Y) from the third value (X) and the second value (K*) comprises the hardware security device; and
      
      the means for computing a seventh value (K′
      
      ) from the fifth value (Y) and the random number (R) comprises the DLL and the processor of the end-user computer.
  - 38. The apparatus of claim 32, wherein:
    - the means for generating a fifth value (Y) from the third value (X) and the second value (K*) comprises the hardware security device; and
      
      the means for computing a seventh value (K′
      
      ) from the fifth value (Y) and the random number (R), and the means for decrypting the encrypted code (C*) using the seventh value (K′
      
      ) comprises the DLL and the processor of the end-user computer.
  - 39. The apparatus of claim 23, further comprising means for calling the DLL from the software application to execute the first portion of the application code (C) using the processor of the end-user computer.
  - 40. The apparatus of claim 32, wherein:
    - the apparatus further comprises;
      
      means for generating a key pair having a public key K_puand private key K_pr;
      
      means for storing a private key K_prin a memory of a hardware security device; and
      
      means for storing the public key K_pu;
      
      the means for transmitting the third value to the hardware security device comprises;
      
      means for encrypting the third value with the public key K_puto produce a fourth value (X*); and
      
      means for decrypting the fourth value (X*) using the private key K_prto produce the third value (X); and
      
      the means for transmitting the fifth value to the DLL comprises;
      
      means for encrypting the fifth value (Y) according to the private key K_prto produce a sixth value (Y*); and
      
      means for decrypting the sixth value (Y*) with the public key K_puto produce the fifth value (Y).
  - 41. The apparatus of claim 40, wherein the public key K_puis stored in the DLL.
  - 42. The apparatus of claim 40, wherein the public key K_puis stored in the software application.
  - 43. The apparatus of claim 32, further comprising means for re-encrypting the decrypted code (C) according to the encryption key (K).
  - 44. The apparatus of claim 43, wherein the means for re-encrypting the decrypted code (C) according to the encryption key (K) comprises the DLL and the computer processor.
  - 45. The apparatus of claim 43, further comprising:
    - means for saving the result after executing the decrypted code (C) and before re-encrypting the decrypted code (C) according to the encryption key (K).

46. An apparatus for protecting a software application from unauthorized use, comprising:
- a first software module executing in a developer computer, the first software module for encrypting a first portion (C) of a compiled application code (A) according to an encryption key (K) to produce an encrypted code (C*);
  
  storing the encrypted code (C*) in a dynamic link library (DLL) associated with the software application;
  
  generating a value (Ck) derived from at least a part of the compiled application code (A);
  
  generating a second value (K*) derived from the value (Ck) and the encryption key (K);
  
  means for storing the second value (K*) in a hardware security device;
  
  the DLL executing in an end-user computer, the DLL for generating the value (Ck) derived from the at least a part of the compiled application code (A);
  
  generating a random number (R);
  
  generating a third value (X) from the value (Ck) and the random number (R);
  
  transmitting the third value (X) to a hardware security device, the hardware security device including a secure co-processor for generating a fifth value (Y) from the third value (X) and the second value (K*);
  
  transmitting the fifth value (Y) to the DLL;
  
  wherein the DLL further computes a seventh value (K′
  
  ) from the fifth value (Y) and the random number (R) and decrypts the encrypted code (C*) using the seventh value (K′
  
  ).
- View Dependent Claims (47, 48, 49)
- - 47. The apparatus of claim 46, wherein the value (Ck) is derived from at least a part of a second portion (A)-(C) of the compiled application code (A).
  - 48. The apparatus of claim 46, wherein the value (Ck) is a checksum derived from at least a part of the compiled application code (A).
  - 49. The apparatus of claim 46, wherein the second value (K*) is derived according to K*=K XOR (Ck).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Thales DIS CPL USA, Inc. (Thales SA)
Original Assignee
SafeNet Incorporated (Thales SA)
Inventors
Grove, Brian Douglas, Elteto, Laszlo, Sotoodeh, Mehdi
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
REZA, MOHAMMAD W

Application Number

US10/298,701
Publication Number

US 20030097577A1
Time in Patent Office

1,884 Days
Field of Search

713189-193, 713/171
US Class Current

713/191
CPC Class Codes

G06F 21/109 by using specially-adapted ...

G06F 21/125 by manipulating the program...

Software protection method utilizing hidden application code in a protection dynamic link library object

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

49 Claims

Specification

Solutions

Use Cases

Quick Links

Software protection method utilizing hidden application code in a protection dynamic link library object

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

49 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links