System, apparatus and method for conducting on-the-fly decryption of encrypted objects for malware detection
Abstract
A decryption scheme for recovery of a decrypted object without a cryptographic key is described. First, logical operation(s) are conducted on data associated with a first data string expected at a first location within an object having the predetermined format and data within the encrypted object at the first location to recover data associated with a portion of a cryptographic key from the encrypted object. Thereafter, logical operation(s) are conducted on that data and a first portion of the encrypted object at a second location to produce a result. Responsive to the result including data associated with the plaintext version of the second data string, logical operation(s) are conducted on a second portion of the encrypted object and the data associated with the plaintext version of the second data string to recover data associated with the cryptographic key. Thereafter, the encrypted object may be decrypted using the cryptographic key.
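The scheme in the abstract, worked through as an added example that is not taken from the patent. It assumes the logical operation is XOR with a repeating key and that the predetermined format is PE-like, with `MZ` at offset 0 and the DOS stub message at offset 0x4E; neither is stated on this page, and all function names are hypothetical.

```python
from itertools import cycle

# Assumptions (not stated on the page): XOR, a repeating key, PE-style layout.
MAGIC = b"MZ"                                      # first data string, at offset 0
STUB = b"This program cannot be run in DOS mode"   # second data string
STUB_OFF = 0x4E                                    # assumed second location

def xor(data, keystream):
    return bytes(a ^ b for a, b in zip(data, keystream))

def recover_key(blob):
    """Return the repeating XOR key, or None if the blob does not fit the format."""
    if len(blob) < STUB_OFF + len(STUB):
        return None
    partial = xor(blob[:len(MAGIC)], MAGIC)         # step 1: key bytes 0 and 1
    window = blob[STUB_OFF:STUB_OFF + len(STUB)]
    stream = xor(window, STUB)                      # keystream if STUB is present
    for klen in range(len(MAGIC), len(STUB) + 1):   # candidate key lengths
        phase = [(STUB_OFF + i) % klen for i in range(len(STUB))]
        # step 2: decrypt only the window bytes the partial key covers and
        # compare them with the expected second string.
        if any(j < len(partial) and window[i] ^ partial[j] != STUB[i]
               for i, j in enumerate(phase)):
            continue
        # step 3: known plaintext at the second location yields every key byte.
        key = bytearray(klen)
        for i in range(klen):
            key[phase[i]] = stream[i]
        # Reject candidates whose keystream does not repeat with period klen.
        if all(stream[i] == key[j] for i, j in enumerate(phase)):
            return bytes(key)
    return None

def decrypt(blob, key):
    return xor(blob, cycle(key))

def make_sample(key):
    """Constructed test object: PE-like header encrypted with `key`."""
    plain = MAGIC + bytes(STUB_OFF - len(MAGIC)) + STUB + b"\r\n$" + bytes(64)
    return plain, decrypt(plain, key)

if __name__ == "__main__":
    plain, enc = make_sample(bytes.fromhex("1337c0de5a"))
    key = recover_key(enc)
    print(key.hex(), decrypt(enc, key) == plain)
```

A one-byte key is reported as a two-byte key with a repeated byte, which decrypts identically.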
35 Claims
1. A computerized method for decrypting an encrypted object having a predetermined format that is received by an electronic device, the method comprising:
- performing, by a processor, one or more logical operations at least on (i) data associated with a first data string expected at a first location within the encrypted object having the predetermined format and (ii) data within the encrypted object at the first location to recover data associated with a portion of a cryptographic key from the encrypted object;
- conducting, by the processor, one or more logical operations at least on (i) the data associated with the portion of the cryptographic key and (ii) a first portion of the encrypted object at a second location within the encrypted object to produce a result, wherein the second location being different than the first location and the result includes a portion of data associated with a plaintext version of a second data string that is expected at the second location;
- responsive to the result including data associated with the plaintext version of the second data string, conducting one or more logical operations by the processor at least on (i) a second portion of the encrypted object and (ii) the data associated with the plaintext version of the second data string expected at the second location to recover data associated with the cryptographic key, wherein the recovered data associated with the cryptographic key includes the data associated with the portion of the cryptographic key; and
- decrypting, by the processor, the encrypted object using the cryptographic key to produce a decrypted object.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12

13. A non-transitory computer readable medium that includes software that, when executed by a processor, decrypts an encrypted object having a predetermined format, comprising:
- performing one or more logical operations at least on data associated with a first data string expected at a first location within an object having the predetermined format and data within the encrypted object at the first location to recover data associated with a portion of a cryptographic key from the encrypted object;
- conducting one or more logical operations at least on the data associated with the cryptographic key and a first portion of the encrypted object at a second location within the encrypted object to produce a result, wherein the second location being different than the first location and the result includes a portion of data associated with a plaintext version of a second data string that is expected at the second location;
- responsive to the result including data associated with the plaintext version of the second data string, conducting one or more logical operations at least on a second portion of the encrypted object and the data associated with the plaintext version of the second data string expected at the second location to recover data associated with the cryptographic key, wherein the recovered data associated with the cryptographic key includes the data associated with the portion of the cryptographic key; and
- decrypting the encrypted object using the cryptographic key to produce a decrypted object.

Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21

22. An electronic device, comprising:
- one or more hardware processors; and
- a memory communicatively coupled to the one or more hardware processors, the memory including one or more software modules that, upon execution by the one or more hardware processors, conducts a first scanning operation on an encrypted object to recover a decrypted object, wherein the first scanning operation comprises
  - performing one or more logical operations at least on data associated with a first data string expected at a first location within an object having the predetermined format and data within the encrypted object at the first location to recover data associated with a portion of a cryptographic key from the encrypted object,
  - conducting one or more logical operations at least on the data associated with the cryptographic key and a first portion of the encrypted object at a second location within the encrypted object to produce a result, wherein the second location being different than the first location and the result includes a portion of data associated with a plaintext version of a second data string that is expected at the second location,
  - responsive to the result including data associated with the plaintext version of the second data string, conducting one or more logical operations at least on a second portion of the encrypted object and the data associated with the plaintext version of the second data string expected at the second location to recover data associated with the cryptographic key, wherein the recovered data associated with the cryptographic key includes the data associated with the portion of the cryptographic key, and
  - decrypting the encrypted object using the cryptographic key to produce the decrypted object.

Dependent claims: 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35

Specification