WO2005064433A1 - Software execution protection using an active entity - Google Patents

Software execution protection using an active entity Download PDF

Info

Publication number
WO2005064433A1
WO2005064433A1 PCT/IB2004/052674 IB2004052674W WO2005064433A1 WO 2005064433 A1 WO2005064433 A1 WO 2005064433A1 IB 2004052674 W IB2004052674 W IB 2004052674W WO 2005064433 A1 WO2005064433 A1 WO 2005064433A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
computer program
static resource
encrypted
entity
Prior art date
Application number
PCT/IB2004/052674
Other languages
French (fr)
Inventor
Nikolco Gidalov
Original Assignee
Koninklijke Philips Electronics N.V.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Koninklijke Philips Electronics N.V. filed Critical Koninklijke Philips Electronics N.V.
Priority to JP2006544631A priority Critical patent/JP2007515723A/en
Priority to EP04801471A priority patent/EP1700181A1/en
Priority to US10/596,554 priority patent/US20070198857A1/en
Publication of WO2005064433A1 publication Critical patent/WO2005064433A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
    • G06F21/12Protecting executable software
    • G06F21/121Restricting unauthorised execution of programs
    • G06F21/123Restricting unauthorised execution of programs by using dedicated hardware, e.g. dongles, smart cards, cryptographic processors, global positioning systems [GPS] devices
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F1/00Details not covered by groups G06F3/00 - G06F13/00 and G06F21/00
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F15/00Digital computers in general; Data processing equipment in general
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
    • G06F21/109Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM] by using specially-adapted hardware at the client
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
    • G06F21/12Protecting executable software
    • G06F21/121Restricting unauthorised execution of programs
    • G06F21/125Restricting unauthorised execution of programs by manipulating the program code, e.g. source code, compiled code, interpreted code, machine code
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2103Challenge-response
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2153Using hardware token as a secondary aspect

Definitions

  • the present invention relates in general to prevention of execution of computer program code, and in particular to encrypting and decrypting static data by using an active entity.
  • Strong execution protection methods can make use of a so called hardware dongie, as an example of one type of active entity, connected to, for instance, a parallel or a serial port, such as the USB (Universal Serial Bus) port or the printer port of, for instance, a PC (Personal Computer).
  • a dongie is typically a passive element but can contain programmable memory loaded with several encryption/decryption keys. Information can be exchanged between the PC and the dongie.
  • Such a dongie can for example be used in the following two ways: 1.
  • a shell program is created around the software to be protected. In the process of creating the shell, the original software is completely or partially encrypted in dependence of the keys from the dongie, after which the encryption is embedded in the shell.
  • the created shell is thus based on the keys from the dongie but also on the algorithm used to decrypt the software.
  • the shell retrieves the keys from the dongie, extracts the encrypted software, decrypts said encrypted software and runs the original software. In the case the dongie is not present or in case a different dongie, containing different keys, is used, the decryption fails. 2. Also, for protection of execution of software, the entry-point of the original program can be replaced with the entry-point of a procedure. A logical function is provided and retrieves the keys from the dongie. Based on the retrieved keys, complex logic is arranged to decide whether the dongie is the correct dongie, or not.
  • the function After a successful dongie identification the function calls the original program entry-point, which enables execution of the original software.
  • the communication content of the different communication sessions between the PC and the dongie is usually the same, which implies that by wiretapping said communication it is possible to retrieve the protocol and the keys, and later emulate the dongie in either hardware or software, without the need for the original dongie.
  • the entry-point of the original program is called, and the original program is provided in the memory as is.
  • the experienced user can write the program back to the portable executable of said program.
  • the methods of the hardware dongie versions as discussed above have the following drawbacks. Firstly, there is a risk that removing all checks of the dongie in the software to be protected can be successful. Secondly, there is a risk that the dongie is emulated by an intruder. There is thus a need for a software execution protection method for which the software cannot be run even after removal of the checks for an active entity, such as a dongie in the software. There is further a need for a method that does not comprise single if-then instructions depending on whether the correct entity is present or not.
  • this object is achieved by a method of encrypting at least part of a computer program element for enabling protecting execution of said computer program element, comprising the steps of: extracting at least one static resource of said computer program element, and encrypting the at least one static resource with a key.
  • this object is also achieved by a computer program encryption device for encrypting at least part of a computer program element for enabling protecting execution of said computer program element, being arranged to: extract at least one static resource of said computer program element, and encrypt the at least one static resource with a key.
  • this object is also achieved by a computer program product comprising a computer readable medium, having thereon computer program code means, to make a computer execute, when said computer program code means is loaded in the computer: extracting of at least one static resource of said computer program element, and encrypting the at least one static resource with a key.
  • a computer program element comprising computer program code means to make a computer execute, when said computer program code means is loaded in the computer: extracting of at least one static resource of said computer program element, and - encrypting the at least one static resource with a key.
  • this object is also achieved by a computer program product comprising a computer readable medium, having thereon computer program code means comprising: at least one static resource encrypted with a key.
  • a computer program element comprising computer program code means comprising: at least one static resource encrypted with a key.
  • this object is also achieved by a method of decrypting at least part of a computer program element for enabling execution of said computer program element, comprising the steps of: obtaining at least one static resource encrypted with a first key, in a first entity, providing said at least one encrypted static resource to a second entity, and obtaining by said first entity said at least one static resource from the second entity, where the encryption according to the first key has been decrypted by using a second key.
  • this object is also achieved by a method of decrypting at least part of a computer program element for enabling execution of said computer program element, comprising the steps of: obtaining at least one encrypted static resource from a first entity, which at least one static resource has been encrypted by using a first key, obtaining a second key, - decrypting said at least one encrypted static resource, by using said second key, and providing said at least one static resource to the first entity.
  • this object is also achieved by a computer program decryption device for decrypting at least part of a computer program element for enabling execution of said computer program element, said device being arranged to: obtain at least one static resource encrypted with a first key, provide said at least one encrypted static resource to a second entity, and obtain from the second entity said at least one static resource, where the encryption according to the first key has been decrypted by using a second key.
  • this object is also achieved by a computer program decryption device for decrypting at least part of a computer program element for enabling execution of said computer program element, arranged to: obtain at least one encrypted static resource from a first entity, which at least one static resource has been encrypted by using a first key, obtain a second key, decrypt said at least one encrypted static resource, by using said second key, and provide said at least one static resource to the first entity.
  • this object is also achieved by a computer program element comprising computer program code means to make a computer execute, when said computer program code means is loaded in the computer: obtaining at least one static resource encrypted with a first key, in a first entity, providing said at least one encrypted static resource to a second entity, and - obtaining by said first entity said at least one static resource from the second entity, where the encryption according to the first key has been decrypted by using a second key.
  • this object is also achieved by a computer program element comprising computer program code means to make a computer execute: obtaining at least one encrypted static resource from a first entity, which at least one static resource has been encrypted by using a first key, obtaining a second key in a second entity, decrypting said at least one encrypted static resource, by using said second key, and providing said at least one static resource to the first entity.
  • the general idea behind the present invention is to protect execution of computer program code by using encrypting of a computer program element of a static resource within said computer program code.
  • the idea further relies on the usage of two entities during decrypting of said encrypted a static resource, wherein communication between said two entities is at least partly encrypted.
  • the present invention has the following advantages:
  • the process of decryption requires a first and a second entity.
  • Claim 2 is directed toward storing the at least one encrypted static resource in said computer element.
  • This claim has the advantage that resources that are needed during execution of a computer program element can be encrypted.
  • Claims 3, 1 1, 18 and 23 are directed toward using a public key and a private key of a public/private key pair. The advantage being that one key is needed to decrypt data that was encrypted by the other key.
  • Claims 4 and 12 are directed toward having the public key in a computer program element and computer program code means, respectively.
  • Claim 5 is directed towards obtaining the private key, corresponding to the public key, and storing said private key in an entity separate from an entity in which a computer program element is provided. This claim has the advantage of dramatically enhancing the security of the protection of execution by enabling separation of the two entities.
  • Claim 6 is directed towards extracting at least one static resource from a position in a computer program element and storing the encrypted resource in said position.
  • Claims 15 and 20 are directed toward obtaining a third key and encrypting/decrypting of at least one static resource by using said third key. These claims carry the advantage that the static resource sent by one entity to another entity, can be encrypted with said third key.
  • Claims 16 and 24 are directed towards using a third key that is a random session key. The advantage with a key being symmetric is that the same key can be used for encryption and decryption, which limits the number of used keys.
  • Claims 17, 21 and 22 are directed towards further using the first key for encrypting/decrypting the third key and the at least one encrypted static resource.
  • Fig. 1 presents a flow-chart of a method of encrypting according to a preferred embodiment of the present invention
  • Fig. 2A presents a flow-chart of a method of decrypting according to a preferred embodiment of the present invention, performed in a device having the computer program code
  • Fig. 2B presents a flow-chart of a method of decrypting according to a preferred embodiment of the present invention
  • Fig. 3 schematically illustrates encryption of a program code according to the present invention
  • Fig. 4 schematically illustrates decryption of a protected program code according to the present invention
  • Fig. 1 presents a flow-chart of a method of encrypting according to a preferred embodiment of the present invention
  • Fig. 2A presents a flow-chart of a method of decrypting according to a preferred embodiment of the present invention, performed in a device having the computer program code
  • Fig. 2B presents a flow-chart of a method of decrypting according to a preferred embodiment
  • FIG. 5 schematically presents a computer and a dongie, which two entities communicate during decrypting of encrypted data
  • Fig. 6 shows a computer program product, having thereon computer program code means, related to the present invention.
  • the present invention relates to protecting execution of computer program code by encrypting and decrypting static resources of said computer program code.
  • the encryption and decryption uses Public Key Cryptography architecture and requires accessing the source code of the computer program code to be protected.
  • two different entities are used in the process of decrypting encrypted information.
  • Fig. 5 presents one embodiment of the present invention of these two different entities.
  • a computer such as a personal computer 52, represents a first entity and an active dongie 54, represents the second entity.
  • a security chip can be used.
  • This security chip can be integrated in the computer platform.
  • the active dongie is typically equipped with a small processor that can run simple symmetric and asymmetric encryption/decryption algorithms.
  • the interface between the two entities, here the computer and the active dongie can be USB (Universal Serial Port), a network, or another communication channel.
  • the communication between the computer and the active dongie is based on the client-server model.
  • the process of decrypting starts within the computer, having loaded decrypted program code, and continues by sending information over the communication channel to the dongie, where the decrypting process further continues, followed by the dongie sending information back to the computer, at which entity the program code eventually can be executed.
  • Fig. 1 presenting a flow-chart of encryption of at least part of a computer program element together with Fig. 3 schematically illustrating encryption of a computer program code.
  • This encryption is typically carried out within a third entity different from the above mentioned two entities.
  • For encrypting program code at least some static data 306, is extracted, step
  • the static data of the original program can be of any type, for instance, strings, definitions, initial variable values, images, constants, format-related static data or other static resources.
  • either one of the two keys can be used to encrypt data, and similarly either one of them can be used to decrypt data, but once one key is chosen to, for example, encrypt data only the other one can be used to decrypt said encrypted data.
  • the static data 306, is encrypted, step 106, by using the public key Kpb 314, as an encryption key, creating the static data encrypted with said public key (Static data)Kpb 310.
  • the dongie, the program code 304 is changed, step 108, to achieve a modified program code 308. This communication channel will thus be used during the decrypting of data, which will be described below.
  • each piece of static data that is extracted, step 102, at a certain position of the program code is replaced by an encrypted copy of said data.
  • This is performed by storing the encrypted data, step 110, in the original program code, preferably but not necessarily at the position at which the non- encrypted data was present in the original program code, 102.
  • the public key Kpb 314 is stored, step 1 12, in the program code to obtain, step 1 16, a protected program code 312.
  • the private key Kpr 316 that corresponds to said public key Kpb 314, is stored in the dongie 318.
  • the protected program code 312, obtained thus contains pieces of encrypted static data, which encrypted static data efficiently prevents the program code from being executed, without prior decrypting said static data. It is obvious that only certain parts of the program code elements, that is the ones that are crucial for the execution of the program need to be encrypted. This implies that not all static data needs to be encrypted in order to prohibit the functioning of entire parts of computer program code. By decrypting pieces of the computer program code as such, the computer program code cannot be executed solely by cracking single if-then statements. This is in contrast to shell-like encryption methods, wherein the program code is to a large extent left un-encrypted but a shell preventing execution of said program code is encrypted. By cracking the single shell execution of the program within the shell is enabled.
  • the encrypted static data 406, is then combined, step 204, with the generated random session key Ks 404, after which the combination of encrypted static data 406, and the session key Ks 404, is encrypted, step 206, by using the public key 406, thus generating an encrypted combination ((Static data)Kpb+Ks)Kpb 410, of encrypted static data 406, and said session key Ks 404. Having generated this encrypted combination 410, said encrypted combination 410, is sent, step 208, to the dongie 54.
  • the vertical dotted line A in Fig. 4, denotes the interface between the computer 52 and the dongie 54.
  • the dongie can be connected to the computer by using a port of the computer or by using a connection over a network of any kind, for instance the Internet.
  • the computer then decrypts, step 212, the encrypted static data by using a session key Ks 432.
  • the random session key is a symmetric key, encrypting and decrypting is performed by using the same key. This implies that the random session key 426, the session key 432, and the random session key Ks 404, are the same keys.
  • the static data 434 is obtained, step 214, which static data
  • the dongie 54 firstly obtains, step 216, the private key Kpr 316 in Fig. 3, during the method of encrypting static data. Secondly, it receives, step 218, an encrypted combination ((Static data)Kpb+Ks)Kpb 410, of 1) static data, 406, encrypted with the public key, and 2) the session key Ks 404, where said combination is encrypted with the public key Kpb 408.
  • the dongie has thus obtained decrypted static data.
  • the decrypted static data 424 is again encrypted, step 226, but at this step by using the session key 426, which key is obtained from decrypting the encrypted combination, step 220. Obtained is thus the static data decrypted from the initial encryption performed by using the public key Kpb 314 in Fig. 3, but encrypted by using the session key 426.
  • This encrypted static data (Static Data)Ks 428 is now sent, step 228, from the dongie 54, to the computer 52, over the dongle-computer interface as indicated by B in Fig. 4.
  • this interface B is the dongle-computer USB interface.
  • This interface can however as an alternative contain a network, such as the Internet, another network, with one or more other computers, or a communication channel of any type.
  • Fig. 6 shows a computer program product 62, that has computer program code means stored thereon.
  • This computer program product can be of any type, for instance a
  • CD Compact Disc
  • DVD Digital Versatile Disc
  • solid-state memory solid-state memory
  • hard disk The protecting execution of a computer program code can be used to prevent unauthorized access to any hardware that is controlled by or in some way dependent on said computer program code. Using the proper active entity, i.e. the proper dongie, accordingly authorizes access to said hardware.
  • the invention can further be varied in many ways, as described below.
  • One alternative to the embodiment as presented above is to make use of a security chip as the second entity. It is hence understood that the security chip and said computer are two discrete entities, even though one might be positioned within the other.
  • a security platform involving security chips is the TCPA/Palladium platform, which platform is well suited to be used in this alternative embodiment.
  • protecting execution of a computer program code is enabled by using an active entity of the type of another computer program code.
  • a security chip or a dongie is used for the decryption of encrypted static resources.
  • the order of the steps of the method of encrypting static data can be changed and some steps can even be deleted without deferring from the scope of protection of this present invention.
  • the step of changing program code, step 108 can be performed prior to the step of generating public and private keys, step 104.
  • the method of decrypting static data comprises sending the encrypted data by a computer to a dongie, in which the data is decrypted by using a private key and further returned to the computer. In this embodiment there is no usage of a session key.
  • the method of decrypting static data comprises sending by a computer to a dongie the encrypted data and a session key. The dongie decrypts the static data, encrypts the static data by using the session key and returns the data to the computer. This embodiment does not use the public key to encrypt the combination of the session key and the encrypted static data.
  • the method of decrypting the static data the session key and the encrypted static data are encrypted separately by using the public key.
  • the session key only is encrypted by the computer, whereas the already encrypted static data is sent to the dongie as is.
  • the computer program decryption device is a distributed computer device comprising several computers.
  • the static data extracted at a certain position of a computer program element is stored at a different position of the same or a different computer program element.
  • the unencrypted static data is extracted from the element and is no longer available at its position.
  • the generation of the session key during decrypting encrypted static data is performed by the computer, on order from the program code.
  • the generation of the session key during decrypting encrypted static data is performed by the program code before encountering a new piece of encrypted static data.
  • the first entity is any type of computer, such as a PDA (Personal Digital Assistant), a palm top computer, a lap top computer, a personal computer, a gaming computer, a computer server, or similar. It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design many alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim.
  • the word “comprising” does not exclude the presence of elements or steps other than those listed in a claim.
  • the word "a” or “an” preceding an element does not exclude the presence of a plurality of such elements.
  • the invention can be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer.
  • a single processor or other (programmable) unit may also fulfill the functions of several means recited in the claims.
  • the device claim enumerating several means several of these means can be embodied by one and the same item of hardware.
  • the mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Multimedia (AREA)
  • Technology Law (AREA)
  • Radar, Positioning & Navigation (AREA)
  • Remote Sensing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to encrypting of at least part of a computer program element for enabling protecting execution of said computer program element, comprising extracting at least one static resource of said computer program element (step 102), and encrypting said static resource with a first key (314, step 106), and decrypting of said encrypted static resource, comprising obtaining said static resource (406) encrypted with a first key, in a first entity, providing said encrypted static resource to a second entity (step 208), obtaining said static resource (406) encrypted with a first key (step 218), obtaining a second key (422, step 216), decrypting said encrypted static resource, using said second key (step 222), providing said static resource to the first entity (step 228), and obtaining by said first entity said static resource from the second entity (step 210).

Description

Software execution protection using an active entity
The present invention relates in general to prevention of execution of computer program code, and in particular to encrypting and decrypting static data by using an active entity.
Strong execution protection methods can make use of a so called hardware dongie, as an example of one type of active entity, connected to, for instance, a parallel or a serial port, such as the USB (Universal Serial Bus) port or the printer port of, for instance, a PC (Personal Computer). A dongie is typically a passive element but can contain programmable memory loaded with several encryption/decryption keys. Information can be exchanged between the PC and the dongie. Such a dongie can for example be used in the following two ways: 1. For protection of execution of software, a shell program is created around the software to be protected. In the process of creating the shell, the original software is completely or partially encrypted in dependence of the keys from the dongie, after which the encryption is embedded in the shell. The created shell is thus based on the keys from the dongie but also on the algorithm used to decrypt the software. When the shell is started, it retrieves the keys from the dongie, extracts the encrypted software, decrypts said encrypted software and runs the original software. In the case the dongie is not present or in case a different dongie, containing different keys, is used, the decryption fails. 2. Also, for protection of execution of software, the entry-point of the original program can be replaced with the entry-point of a procedure. A logical function is provided and retrieves the keys from the dongie. Based on the retrieved keys, complex logic is arranged to decide whether the dongie is the correct dongie, or not. After a successful dongie identification the function calls the original program entry-point, which enables execution of the original software. There are however several disadvantages with the mentioned methods: The communication content of the different communication sessions between the PC and the dongie is usually the same, which implies that by wiretapping said communication it is possible to retrieve the protocol and the keys, and later emulate the dongie in either hardware or software, without the need for the original dongie. After the dongie is identified, the entry-point of the original program is called, and the original program is provided in the memory as is. The experienced user can write the program back to the portable executable of said program. There is usually one, or several, if-instructions in the dongie checking code, which can be easily replaced by using a reversed logic. Security tools in general and hardware dongles are moreover discussed in G. Hachez, "A comparative study of software protection tools suited for E-commerce with contributions to software watermarking and smart cards" Doctor's Thesis, UCL, Louvain-La- Neuve, Belgium, March, 2003. According to this document recent hardware dongie versions can be plugged into a USB port and usually embed a CPU of a smart card. These versions contain a small micro-controller that will return a different value to each challenge. The software will regularly interrogate the dongie with a challenge and verify that the answer is correct. The most advanced dongles contain a small micro-controller with a small amount of memory. In this case some critical parts of the software are executed within the dongie. The methods of the hardware dongie versions as discussed above have the following drawbacks. Firstly, there is a risk that removing all checks of the dongie in the software to be protected can be successful. Secondly, there is a risk that the dongie is emulated by an intruder. There is thus a need for a software execution protection method for which the software cannot be run even after removal of the checks for an active entity, such as a dongie in the software. There is further a need for a method that does not comprise single if-then instructions depending on whether the correct entity is present or not.
It is an object of the present invention to provide protecting execution of a computer program element by using encryption of static resources of said computer program element. According to a first aspect of the present invention, this object is achieved by a method of encrypting at least part of a computer program element for enabling protecting execution of said computer program element, comprising the steps of: extracting at least one static resource of said computer program element, and encrypting the at least one static resource with a key. According to a second aspect of the present invention, this object is also achieved by a computer program encryption device for encrypting at least part of a computer program element for enabling protecting execution of said computer program element, being arranged to: extract at least one static resource of said computer program element, and encrypt the at least one static resource with a key. According to a third aspect of the present invention, this object is also achieved by a computer program product comprising a computer readable medium, having thereon computer program code means, to make a computer execute, when said computer program code means is loaded in the computer: extracting of at least one static resource of said computer program element, and encrypting the at least one static resource with a key. According to a fourth aspect of the present invention, this object is also achieved by a computer program element comprising computer program code means to make a computer execute, when said computer program code means is loaded in the computer: extracting of at least one static resource of said computer program element, and - encrypting the at least one static resource with a key. According to a fifth aspect of the present invention, this object is also achieved by a computer program product comprising a computer readable medium, having thereon computer program code means comprising: at least one static resource encrypted with a key. According to a sixth aspect of the present invention, this object is also achieved by a computer program element comprising computer program code means comprising: at least one static resource encrypted with a key. According to a seventh aspect of the present invention, this object is also achieved by a method of decrypting at least part of a computer program element for enabling execution of said computer program element, comprising the steps of: obtaining at least one static resource encrypted with a first key, in a first entity, providing said at least one encrypted static resource to a second entity, and obtaining by said first entity said at least one static resource from the second entity, where the encryption according to the first key has been decrypted by using a second key. According to a eighth aspect of the present invention, this object is also achieved by a method of decrypting at least part of a computer program element for enabling execution of said computer program element, comprising the steps of: obtaining at least one encrypted static resource from a first entity, which at least one static resource has been encrypted by using a first key, obtaining a second key, - decrypting said at least one encrypted static resource, by using said second key, and providing said at least one static resource to the first entity. According to a ninth aspect of the present invention, this object is also achieved by a computer program decryption device for decrypting at least part of a computer program element for enabling execution of said computer program element, said device being arranged to: obtain at least one static resource encrypted with a first key, provide said at least one encrypted static resource to a second entity, and obtain from the second entity said at least one static resource, where the encryption according to the first key has been decrypted by using a second key. According to a tenth aspect of the present invention, this object is also achieved by a computer program decryption device for decrypting at least part of a computer program element for enabling execution of said computer program element, arranged to: obtain at least one encrypted static resource from a first entity, which at least one static resource has been encrypted by using a first key, obtain a second key, decrypt said at least one encrypted static resource, by using said second key, and provide said at least one static resource to the first entity. According to a eleventh aspect of the present invention, this object is also achieved by a computer program product comprising a computer readable medium, having thereon computer program code means, to make a computer execute, when said program code means is loaded in the computer: obtaining at least one static resource encrypted with a first key, in a first entity, providing said at least one encrypted static resource to a second entity, and obtaining by said first entity said at least one static resource from the second entity, where the encryption according to the first key has been decrypted by using a second key. According to a twelfth aspect of the present invention, this object is also achieved by a computer program element comprising computer program code means to make a computer execute, when said computer program code means is loaded in the computer: obtaining at least one static resource encrypted with a first key, in a first entity, providing said at least one encrypted static resource to a second entity, and - obtaining by said first entity said at least one static resource from the second entity, where the encryption according to the first key has been decrypted by using a second key. According to a thirteenth aspect of the present invention, this object is also achieved by a computer program product comprising a computer readable medium, having thereon computer program code means, to make a computer execute, when said program code means is loaded in the computer: obtaining at least one encrypted static resource from a first entity, which at least one static resource has been encrypted by using a first key, obtaining a second key in a second entity, - decrypting said at least one encrypted static resource, by using said second key, and providing said at least one static resource to the first entity. According to a fourteenth aspect of the present invention, this object is also achieved by a computer program element comprising computer program code means to make a computer execute: obtaining at least one encrypted static resource from a first entity, which at least one static resource has been encrypted by using a first key, obtaining a second key in a second entity, decrypting said at least one encrypted static resource, by using said second key, and providing said at least one static resource to the first entity. The general idea behind the present invention is to protect execution of computer program code by using encrypting of a computer program element of a static resource within said computer program code. The idea further relies on the usage of two entities during decrypting of said encrypted a static resource, wherein communication between said two entities is at least partly encrypted. The present invention has the following advantages:
1. It provides protecting execution of a computer program code by encrypting at least one static resource that is crucial for the execution of said computer program code.
2. The process of decryption requires a first and a second entity.
3. The computer program code cannot be executed within the first entity even after removal of requests for the second entity. Direction of the dependent claims and the advantages thereof: Claim 2 is directed toward storing the at least one encrypted static resource in said computer element. This claim has the advantage that resources that are needed during execution of a computer program element can be encrypted. Claims 3, 1 1, 18 and 23 are directed toward using a public key and a private key of a public/private key pair. The advantage being that one key is needed to decrypt data that was encrypted by the other key. Claims 4 and 12 are directed toward having the public key in a computer program element and computer program code means, respectively. These claims have the advantage of enabling the usage of a secure private key for decrypting data that have been encrypted by using the public key. Claim 5 is directed towards obtaining the private key, corresponding to the public key, and storing said private key in an entity separate from an entity in which a computer program element is provided. This claim has the advantage of dramatically enhancing the security of the protection of execution by enabling separation of the two entities. Claim 6 is directed towards extracting at least one static resource from a position in a computer program element and storing the encrypted resource in said position.
This is advantageous as firstly, the original information is not available and secondly, no other part or element is affected by the storing of the encrypted resource. Claims 15 and 20 are directed toward obtaining a third key and encrypting/decrypting of at least one static resource by using said third key. These claims carry the advantage that the static resource sent by one entity to another entity, can be encrypted with said third key. Claims 16 and 24 are directed towards using a third key that is a random session key. The advantage with a key being symmetric is that the same key can be used for encryption and decryption, which limits the number of used keys. Claims 17, 21 and 22 are directed towards further using the first key for encrypting/decrypting the third key and the at least one encrypted static resource. This has the advantage that the third key can be sent encrypted from one entity to the other, enabling enhanced security of the encryption of the static data by using the third key. These and other aspects of the invention will be apparent from and elucidated with reference to the embodiments described hereinafter. It should be emphasized that the term "comprises/comprising" when used in this specification is taken to specify the presence of stated features, integers, steps or components, but does not preclude the presence or addition of one or more other features, integers, steps, components or groups thereof.
The present invention will be more clearly understood from the following description of the preferred embodiments of the invention read in conjunction with the attached drawings, in which: Fig. 1 presents a flow-chart of a method of encrypting according to a preferred embodiment of the present invention; Fig. 2A presents a flow-chart of a method of decrypting according to a preferred embodiment of the present invention, performed in a device having the computer program code; Fig. 2B presents a flow-chart of a method of decrypting according to a preferred embodiment of the present invention; Fig. 3 schematically illustrates encryption of a program code according to the present invention; Fig. 4 schematically illustrates decryption of a protected program code according to the present invention; Fig. 5 schematically presents a computer and a dongie, which two entities communicate during decrypting of encrypted data; Fig. 6 shows a computer program product, having thereon computer program code means, related to the present invention. The present invention relates to protecting execution of computer program code by encrypting and decrypting static resources of said computer program code. The encryption and decryption uses Public Key Cryptography architecture and requires accessing the source code of the computer program code to be protected. According to one embodiment of the present invention two different entities are used in the process of decrypting encrypted information. Fig. 5 presents one embodiment of the present invention of these two different entities. A computer such as a personal computer 52, represents a first entity and an active dongie 54, represents the second entity. These two entities are arranged to send/receive information during the decrypting steps of the process. Instead of a dongie, a security chip can be used. This security chip can be integrated in the computer platform. The active dongie is typically equipped with a small processor that can run simple symmetric and asymmetric encryption/decryption algorithms. The interface between the two entities, here the computer and the active dongie, can be USB (Universal Serial Port), a network, or another communication channel. The communication between the computer and the active dongie is based on the client-server model. Before the computer program code to be protected is distributed on the market, at least part of the static data are extracted and encrypted by using the public key of the active dongie, and replaced in the source code as encrypted data. Upon compilation and running the computer program code, only the dongie with the corresponding private key can decrypt the data prior to using the data in the computer program code. As is described below, encryption is typically carried out elsewhere independent of said computer. As is well known for a person skilled in the art encrypting and decrypting of information are related to each other, in a way similar to a key and a lock, being related. Here, the process of encrypting is performed so that a communication channel between the computer and the dongie is established for decrypting the encrypted data. According to one embodiment of the present invention the process of decrypting starts within the computer, having loaded decrypted program code, and continues by sending information over the communication channel to the dongie, where the decrypting process further continues, followed by the dongie sending information back to the computer, at which entity the program code eventually can be executed. The invention will now be described starting by referring to Fig. 1 presenting a flow-chart of encryption of at least part of a computer program element together with Fig. 3 schematically illustrating encryption of a computer program code. This encryption is typically carried out within a third entity different from the above mentioned two entities. For encrypting program code, at least some static data 306, is extracted, step
102, from the original program code 302. The remains of said original program code 302, that is the original program code 302, without the extracted static data 306, here represented by the program code 304, is thus also created. In this embodiment the static data of the original program can be of any type, for instance, strings, definitions, initial variable values, images, constants, format-related static data or other static resources. Having extracted the static data 306, a first and a second key in the form of a pair of encryption/decryption keys (a public key Kpb 314, and a private key Kpr 316) is generated, step 104. As is well known to a person skilled in the art, either one of the two keys can be used to encrypt data, and similarly either one of them can be used to decrypt data, but once one key is chosen to, for example, encrypt data only the other one can be used to decrypt said encrypted data. Here, the static data 306, is encrypted, step 106, by using the public key Kpb 314, as an encryption key, creating the static data encrypted with said public key (Static data)Kpb 310. In order to provide the communication channel mentioned above, between the first entity, the computer and a second entity, the dongie, the program code 304, is changed, step 108, to achieve a modified program code 308. This communication channel will thus be used during the decrypting of data, which will be described below. According to this embodiment of the present invention, each piece of static data that is extracted, step 102, at a certain position of the program code, is replaced by an encrypted copy of said data. This is performed by storing the encrypted data, step 110, in the original program code, preferably but not necessarily at the position at which the non- encrypted data was present in the original program code, 102. Having stored the encrypted static data in the program code, the public key Kpb 314, is stored, step 1 12, in the program code to obtain, step 1 16, a protected program code 312. The private key Kpr 316, that corresponds to said public key Kpb 314, is stored in the dongie 318. The protected program code 312, obtained thus contains pieces of encrypted static data, which encrypted static data efficiently prevents the program code from being executed, without prior decrypting said static data. It is obvious that only certain parts of the program code elements, that is the ones that are crucial for the execution of the program need to be encrypted. This implies that not all static data needs to be encrypted in order to prohibit the functioning of entire parts of computer program code. By decrypting pieces of the computer program code as such, the computer program code cannot be executed solely by cracking single if-then statements. This is in contrast to shell-like encryption methods, wherein the program code is to a large extent left un-encrypted but a shell preventing execution of said program code is encrypted. By cracking the single shell execution of the program within the shell is enabled. In the following will be described decrypting of encrypted computer program code upon execution of the encrypted program code. As mentioned above, in order to prevent execution of program code by an unauthorized party without the access to the dongie, encryption of critical program code elements is sufficient. Without the ability to execute key parts of the program code the function of the program code is not realized, at least not in full. As only critical parts are encrypted, the unencrypted parts can however be executed. Upon executing the program code, the method that is described below is used for each piece of program code element. For each such piece, a communication session is started and information is communicated over the communication channel between the computer and the dongie. Moreover, for each such session a session key is generated as will be explained in more detail below. In the following a more detailed description of decrypting static data, upon executing computer program code, is outlined, with reference being made to Figs. 2A, 2B, 4 and 5. According to this embodiment of the present invention, performing execution of the protected computer program code 402, is started in the computer. In the protected computer program code the computer locates static data (Static data)Kpb 406, encrypted with the public key Kpb 314, from Fig. 3. Also, the computer retrieves the stored public key Kpb 408, in the protected computer program code. Having encountered encrypted static data, a third key in the form of a random session key Ks 404, is generated, step 202. The encrypted static data 406, is then combined, step 204, with the generated random session key Ks 404, after which the combination of encrypted static data 406, and the session key Ks 404, is encrypted, step 206, by using the public key 406, thus generating an encrypted combination ((Static data)Kpb+Ks)Kpb 410, of encrypted static data 406, and said session key Ks 404. Having generated this encrypted combination 410, said encrypted combination 410, is sent, step 208, to the dongie 54. The vertical dotted line A, in Fig. 4, denotes the interface between the computer 52 and the dongie 54. The dongie can be connected to the computer by using a port of the computer or by using a connection over a network of any kind, for instance the Internet. Subsequently, in step 210, the computer 52, receives from the dongie 54=412, static data (Static data)Ks 430, decrypted from the public key Kpb 314, from Fig. 3, but encrypted with a random session key Ks 426. The computer then decrypts, step 212, the encrypted static data by using a session key Ks 432. As the random session key is a symmetric key, encrypting and decrypting is performed by using the same key. This implies that the random session key 426, the session key 432, and the random session key Ks 404, are the same keys. Upon decrypting, the static data 434, is obtained, step 214, which static data
434, is used upon request during the execution of the program code 436. Above was described the method in a computer of decrypting encrypted static data. Below is now described the method in the dongie of decrypting encrypted static data. According to this embodiment of the present invention the dongie 54, firstly obtains, step 216, the private key Kpr 316 in Fig. 3, during the method of encrypting static data. Secondly, it receives, step 218, an encrypted combination ((Static data)Kpb+Ks)Kpb 410, of 1) static data, 406, encrypted with the public key, and 2) the session key Ks 404, where said combination is encrypted with the public key Kpb 408. From the dongie 54, said encrypted combination ((Static data)Kpb+Ks)Kpb 414, and the private key Kpr 416, are extracted. Now, by using the private key 416, the encrypted combination 414, is decrypted, step 220, generating the session key Ks 420, and the static data (Static data)Kpb 418, encrypted with the public key Kpb 408. Following this decryption, the encrypted static data 418, is decrypted, step 222, by again using the private key Kpr 422, which is the same key as referred to the private key 416. Upon this decrypting, step 222, decrypted static data 424, is obtained, step 224. The dongie has thus obtained decrypted static data. Now the decrypted static data 424, is again encrypted, step 226, but at this step by using the session key 426, which key is obtained from decrypting the encrypted combination, step 220. Obtained is thus the static data decrypted from the initial encryption performed by using the public key Kpb 314 in Fig. 3, but encrypted by using the session key 426. This encrypted static data (Static Data)Ks 428, is now sent, step 228, from the dongie 54, to the computer 52, over the dongle-computer interface as indicated by B in Fig. 4. According to one embodiment of the present invention this interface B is the dongle-computer USB interface. This interface can however as an alternative contain a network, such as the Internet, another network, with one or more other computers, or a communication channel of any type. Fig. 6 shows a computer program product 62, that has computer program code means stored thereon. This computer program product can be of any type, for instance a
Compact Disc (CD), a diskette, a Digital Versatile Disc (DVD), solid-state memory, or a hard disk. The protecting execution of a computer program code can be used to prevent unauthorized access to any hardware that is controlled by or in some way dependent on said computer program code. Using the proper active entity, i.e. the proper dongie, accordingly authorizes access to said hardware. The invention can further be varied in many ways, as described below. One alternative to the embodiment as presented above is to make use of a security chip as the second entity. It is hence understood that the security chip and said computer are two discrete entities, even though one might be positioned within the other. One example of a security platform involving security chips is the TCPA/Palladium platform, which platform is well suited to be used in this alternative embodiment. In another embodiment of the present invention protecting execution of a computer program code is enabled by using an active entity of the type of another computer program code. This is thus an alternative to the embodiments in which a security chip or a dongie is used for the decryption of encrypted static resources. In a different embodiment the order of the steps of the method of encrypting static data can be changed and some steps can even be deleted without deferring from the scope of protection of this present invention. For instance, the step of changing program code, step 108, can be performed prior to the step of generating public and private keys, step 104. In another embodiment of the present invention, the method of decrypting static data comprises sending the encrypted data by a computer to a dongie, in which the data is decrypted by using a private key and further returned to the computer. In this embodiment there is no usage of a session key. In yet another embodiment of the present invention, the method of decrypting static data comprises sending by a computer to a dongie the encrypted data and a session key. The dongie decrypts the static data, encrypts the static data by using the session key and returns the data to the computer. This embodiment does not use the public key to encrypt the combination of the session key and the encrypted static data. In yet another embodiment of the present invention the method of decrypting the static data the session key and the encrypted static data are encrypted separately by using the public key. There is hence no encrypted combination of session key and encrypted static data. In an alternative of the embodiment as mentioned above, the session key only is encrypted by the computer, whereas the already encrypted static data is sent to the dongie as is. In yet another embodiment the computer program decryption device is a distributed computer device comprising several computers. In yet another embodiment of the present invention, the static data extracted at a certain position of a computer program element is stored at a different position of the same or a different computer program element. The unencrypted static data is extracted from the element and is no longer available at its position. In still yet another embodiment the generation of the session key during decrypting encrypted static data, is performed by the computer, on order from the program code. In still yet another embodiment, the generation of the session key during decrypting encrypted static data, is performed by the program code before encountering a new piece of encrypted static data. In still yet another embodiment, the first entity is any type of computer, such as a PDA (Personal Digital Assistant), a palm top computer, a lap top computer, a personal computer, a gaming computer, a computer server, or similar. It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design many alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps other than those listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. A single processor or other (programmable) unit may also fulfill the functions of several means recited in the claims. In the device claim enumerating several means, several of these means can be embodied by one and the same item of hardware. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.

Claims

CLAIMS:
1. A method of encrypting at least part of a computer program element for enabling protecting execution of said computer program element, comprising the steps of: extracting at least one static resource (306) of said computer program element (step 102), and - encrypting the at least one static resource (306) with a key (314, step 106).
2. Method of encrypting according to claim 1 , further comprising the step of: storing the at least one encrypted static resource (310) in said computer program element (step 1 10).
3. Method of encrypting according to claim 1, in which the key (314) is a public key of a public/private key pair.
4. Method of encrypting according to claim 3, further comprising the step of: - storing the public key (314) in a computer program element (step 1 12).
5. Method of encrypting according to claim 3, further comprising the step of: obtaining the corresponding private key (316), and storing said private key (316) in an entity (318) separate from an entity in which the computer program element is provided (step 1 14).
6. Method of encrypting according to claim 1, wherein the step of extracting (step 102) comprises extracting the at least one static resource (306) from a certain position in the program element and the step of storing (step 1 10) comprises storing the encrypted static resource (310) in said position.
7. Computer program encryption device for encrypting at least part of a computer program element for enabling protecting execution of said computer program element, arranged to: extract at least one static resource (306) of said computer program element (302, step 106), and encrypt the at least one static resource (306) with a key (314, step 106).
8. Computer program product comprising a computer readable medium, having thereon computer program code means, to make a computer execute, when said program code means is loaded in the computer: extracting of at least one static resource (306) of said computer program element (302, step 102), and - encrypting the at least one static resource (306) with a key (314, step 106).
9. Computer program element comprising computer program code means to make a computer execute, when said computer program code means is loaded in a computer, extracting of at least one static resource (306) of said computer program element (302, step 102) and encrypting the at least one static resource (306) with a key (314, step 106).
10. Computer program product comprising a computer readable medium, having thereon computer program code means comprising: - at least one static resource encrypted with a key (310).
1 1. Computer program product according to claim 10, where said key (314) is a public key of a public/private key pair.
12. Computer program product according to claim 1 1, wherein said computer program code means further comprises: said public key (314).
13. Computer program element comprising computer program code means comprising: at least one static resource encrypted with a key (310).
14. Method of decrypting at least part of a computer program element for enabling execution of said computer program element (402), comprising the steps of: obtaining at least one static resource (406) encrypted with a first key (314), in a first entity (52), providing said at least one encrypted static resource (406) to a second entity (54, step 208), and - obtaining by said first entity (52) said at least one static resource (430) from the second entity (54, step 210), where the encryption according to the first key (314) has been decrypted using a second key (422).
15. Method of decrypting, according to claim 14, further comprising the step of: - obtaining a third key (step 202), decrypting the at least one encrypted static resource (430), by using the third key (step 212), wherein which the step of providing (step 208) comprises providing the third key (404) and said at least one encrypted static resource (406, 410) to the second entity (54), and the step of obtaining (step 210) by said first entity (52) said at least one static resource
(430) from the second entity (54), comprises obtaining the at least one static resource encrypted (430) with the third key (426), so that the computer program element can be executed.
16. Method of decrypting, according to claim 14, in which the third key (404, 432) is a random session key.
17. Method of decrypting, according to claim 14, further comprising the step of: obtaining the first key (408), - encrypting the third key (408) and said at least one encrypted static resource
(406), by using said first key(408, step 206), and in which the step of providing (step 208) said at least one encrypted static resource (410) to the second entity (54) comprises providing said third key (404) and said at least one encrypted static resource (406), both encrypted (410) by using the first key (408).
18. Method of decrypting, according to claim 14, in which the first key (314, 408) and the second key (316) is the public and the private key, respectively, of a public/private key pair.
19. Method of decrypting at least part of a computer program element for enabling execution of said computer program element, comprising the steps of: obtaining at least one encrypted static resource (414) from a first entity (52, step 218), which at least one static resource (306) has been encrypted by using a first key (314), obtaining a second key (416, step 216), decrypting said at least one encrypted static resource (418), by using said second key (416, step 222), and providing said at least one static resource (424) to the first entity (52, step 228).
20. Method of decrypting, according to claim 19, further comprising the step of: obtaining a third key (420) from the first entity (52), encrypting the at least one static resource (424) by using the third key (426), and in which the step of providing (step 228) said at least one static resource
(428) to the first entity (52) comprises providing said at least one static resource (428) encrypted with the third key (426).
21. Method of decrypting, according to claim 20, wherein the at least one encrypted static resource (406) and the third key (404), are obtained encrypted (414), which encryption has been made using the first key (314).
22. Method of decrypting, according to claim 21, further comprising the step of: decrypting by using the second key (416) , the encrypted (414) at least one encrypted static resource (406) and the third key (404, step 220).
23. Method of decrypting according to claim 19, in which the first key (314) and the second key (416, 422) is the public and the private key, respectively, of a public/private key pair.
24. Method of decrypting according to claim 19, in which the third key (420, 426) is a random session key.
25. Computer program decryption device (52) for decrypting at least part of a computer program element (402) for enabling execution of said computer program element, said device being arranged to: obtain at least one static resource (406) encrypted with a first key (314), provide said at least one encrypted static resource (406) to a second entity (54, step 208), and obtain from the second entity (54) said at least one static resource (430, step
210), where the encryption according to the first key (314) has been decrypted by using a second key (422).
26. Computer program decryption device (54) for decrypting at least part of a computer program element for enabling execution of said computer program element, said device being arranged to: obtain at least one encrypted static resource (414) from a first entity (52, step 218), which at least one static resource (414) has been encrypted by using a first key (314), obtain a second key (416, step 216), decrypt said at least one encrypted static resource (418) by using the second key (422, step 222), and provide said at least one static resource (424) to the first entity (52, step 228).
27. Computer program product comprising a computer readable medium, having thereon computer program code means, to make a computer execute, when said computer program code means is loaded in the computer: obtaining at least one static resource (406) encrypted with a first key (314), in a first entity (52), providing said at least one encrypted static resource (406) to a second entity (54, step 208), and obtaining by said first entity (52) said at least one static resource (430) from the second entity (54, step 210), where the encryption according to the first key (314) has been decrypted by using a second key (422).
28. Computer program element comprising computer program code means to make a computer execute, when said computer program code means is loaded in the computer: obtaining at least one static resource (406) encrypted with a first key (314), in a first entity (52), providing said at least one encrypted static resource (406) to a second entity (54, step 208), and - obtaining by said first entity (52) said at least one static resource (430) from the second entity (54, step 210), where the encryption according to the first key (314) has been decrypted by using a second key (422).
29. Computer program product comprising a computer readable medium, having thereon computer program code means, to make a computer execute, when said program code means is loaded in the computer: obtaining at least one encrypted static resource (414) from a first entity (52, step 218), which at least one static resource (414) has been encrypted by using a first key (314), - obtaining a second key (416) in a second entity (54, step 216), decrypting said at least one encrypted static resource (418) by using the second key (422, step 222), and providing said at least one static resource (424) to the first entity (52, step 228).
30. Computer program element comprising computer program code means to make a computer execute: obtaining at least one encrypted static resource (414) from a first entity (52, step 218), which at least one static resource (414) has been encrypted by using a first key (314), obtaining a second key (416) in a second entity (54, step 216), decrypting said at least one encrypted static resource (418) by using the second key (422, step 222), and providing said at least one static resource (424) to the first entity (52, step 228).
PCT/IB2004/052674 2003-12-22 2004-12-06 Software execution protection using an active entity WO2005064433A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
JP2006544631A JP2007515723A (en) 2003-12-22 2004-12-06 Software execution protection using active entities
EP04801471A EP1700181A1 (en) 2003-12-22 2004-12-06 Software execution protection using an active entity
US10/596,554 US20070198857A1 (en) 2003-12-22 2004-12-06 Software execution protection using an active entity

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP03104884 2003-12-22
EP03104884.6 2003-12-22

Publications (1)

Publication Number Publication Date
WO2005064433A1 true WO2005064433A1 (en) 2005-07-14

Family

ID=34717217

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2004/052674 WO2005064433A1 (en) 2003-12-22 2004-12-06 Software execution protection using an active entity

Country Status (6)

Country Link
US (1) US20070198857A1 (en)
EP (1) EP1700181A1 (en)
JP (1) JP2007515723A (en)
KR (1) KR20060127007A (en)
CN (1) CN1898623A (en)
WO (1) WO2005064433A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012126077A1 (en) 2011-03-21 2012-09-27 Irdeto Canada Corporation System and method for securely binding and node-locking program execution to a trusted signature authority
EP2506174A1 (en) * 2011-03-30 2012-10-03 Irdeto Corporate B.V. Enabling a software application to be executed on a hardware device
EP2629225A1 (en) 2012-02-14 2013-08-21 Thomson Licensing System, devices and methods for collaborative execution of a software application comprising at least one encrypted instruction

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8650127B1 (en) * 2006-01-06 2014-02-11 Apple Inc. Digital rights management for computer program code
US20080229115A1 (en) * 2007-03-16 2008-09-18 Microsoft Corporation Provision of functionality via obfuscated software
US9274923B2 (en) * 2008-03-25 2016-03-01 Wind River Systems, Inc. System and method for stack crawl testing and caching
JP5356718B2 (en) * 2008-04-22 2013-12-04 株式会社 エヌティーアイ Electronic key system
US9177488B2 (en) * 2008-08-11 2015-11-03 International Business Machines Corporation Method, system and program product for securing data written to a storage device coupled to a computer system
KR101224717B1 (en) * 2008-12-26 2013-01-21 에스케이플래닛 주식회사 Method for Protecting Software License, System, Server, Terminal And Computer-Readable Recording Medium with Program therefor
US10944866B2 (en) 2011-02-15 2021-03-09 David Goren Systems and methods of transferring user information to different devices
US8676258B2 (en) * 2011-02-15 2014-03-18 David Goren Systems and methods of transferring user information to different devices
CN108011879B (en) * 2017-11-30 2020-10-16 广州酷狗计算机科技有限公司 File encryption and decryption method, device, equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0886409A2 (en) * 1997-05-01 1998-12-23 Digital Vision Laboratories Corporation Information providing system
WO2001018807A2 (en) * 1999-09-03 2001-03-15 Koninklijke Philips Electronics N.V. Recovery of a master key from recorded published material
US6266416B1 (en) * 1995-07-13 2001-07-24 Sigbjoernsen Sigurd Protection of software against use without permit
WO2001065366A1 (en) * 2000-03-02 2001-09-07 Alarity Corporation System and method for process protection
US20030196102A1 (en) * 2002-04-16 2003-10-16 Sony Computer Entertainment America Inc. Method and system for using tamperproof hardware to provide copy protection and online security

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7380120B1 (en) * 2001-12-12 2008-05-27 Guardian Data Storage, Llc Secured data format for access control

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6266416B1 (en) * 1995-07-13 2001-07-24 Sigbjoernsen Sigurd Protection of software against use without permit
EP0886409A2 (en) * 1997-05-01 1998-12-23 Digital Vision Laboratories Corporation Information providing system
WO2001018807A2 (en) * 1999-09-03 2001-03-15 Koninklijke Philips Electronics N.V. Recovery of a master key from recorded published material
WO2001065366A1 (en) * 2000-03-02 2001-09-07 Alarity Corporation System and method for process protection
US20030196102A1 (en) * 2002-04-16 2003-10-16 Sony Computer Entertainment America Inc. Method and system for using tamperproof hardware to provide copy protection and online security

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2689375A1 (en) * 2011-03-21 2014-01-29 Irdeto B.V. System and method for securely binding and node-locking program execution to a trusted signature authority
US9754115B2 (en) 2011-03-21 2017-09-05 Irdeto B.V. System and method for securely binding and node-locking program execution to a trusted signature authority
WO2012126077A1 (en) 2011-03-21 2012-09-27 Irdeto Canada Corporation System and method for securely binding and node-locking program execution to a trusted signature authority
EP2689375A4 (en) * 2011-03-21 2014-08-20 Irdeto Bv System and method for securely binding and node-locking program execution to a trusted signature authority
CN103608820B (en) * 2011-03-30 2017-05-03 爱迪德技术有限公司 Computer realizing method and hardware for enabling a software application to be executed on a hardware device
CN103608820A (en) * 2011-03-30 2014-02-26 耶德托公司 Enabling a software application to be executed on a hardware device
WO2012130658A1 (en) * 2011-03-30 2012-10-04 Irdeto Corporate B.V. Enabling a software application to be executed on a hardware device
EP2506174A1 (en) * 2011-03-30 2012-10-03 Irdeto Corporate B.V. Enabling a software application to be executed on a hardware device
US9910970B2 (en) 2011-03-30 2018-03-06 Irdeto B.V. Enabling a software application to be executed on a hardware device
EP3518128A1 (en) * 2011-03-30 2019-07-31 Irdeto B.V. Enabling a software application to be executed on a hardware device
US10552588B2 (en) 2011-03-30 2020-02-04 Irdeto B.V. Enabling a software application to be executed on a hardware device
EP2629223A1 (en) * 2012-02-14 2013-08-21 Thomson Licensing System, devices and methods for collaborative execution of a software application comprising at least one encrypted instruction
US20140140504A1 (en) * 2012-02-14 2014-05-22 Thomson Licensing System, devices and methods for collaborative execution of a software application comprising at least one encrypted instruction
EP2629225A1 (en) 2012-02-14 2013-08-21 Thomson Licensing System, devices and methods for collaborative execution of a software application comprising at least one encrypted instruction

Also Published As

Publication number Publication date
EP1700181A1 (en) 2006-09-13
CN1898623A (en) 2007-01-17
KR20060127007A (en) 2006-12-11
JP2007515723A (en) 2007-06-14
US20070198857A1 (en) 2007-08-23

Similar Documents

Publication Publication Date Title
US6266416B1 (en) Protection of software against use without permit
EP2267628B1 (en) Token passing technique for media playback devices
KR100362219B1 (en) Method and system for distributing programs using tamper resistant processor
US7835521B1 (en) Secure keyboard
US20020083318A1 (en) Method and system for software integrity control using secure hardware assist
JP2002077137A (en) System and method for protection of digital works
US7802109B2 (en) Trusted system for file distribution
WO2004006075A1 (en) Open type general-purpose attack-resistant cpu, and application system thereof
JP2007013433A (en) Method for transmitting/receiving encrypted data and information processing system
JP2002077136A (en) System and method for protection of digital works
JP2000151583A (en) Access capability authentication method, device, and method and device for generating certification auxiliary information
JP4353651B2 (en) Method for generating an anonymized electronic work from an electronic work, and method for protecting the electronic work during conversion into presentation data
US20070198857A1 (en) Software execution protection using an active entity
EP2629223A1 (en) System, devices and methods for collaborative execution of a software application comprising at least one encrypted instruction
US6651169B1 (en) Protection of software using a challenge-response protocol embedded in the software
KR20230175184A (en) Computer file security encryption methods, decryption methods and readable storage media
US20190044709A1 (en) Incorporating software date information into a key exchange protocol to reduce software tampering
Mana et al. A framework for secure execution of software
JP7527538B2 (en) User Protection License
CN107688729B (en) Application program protection system and method based on trusted host
Nützel et al. How to increase the security of Digital Rights Management systems without affecting consumer’s security
US7174464B1 (en) Method of making a user piece of software secure by means of a processing and secret memorizing unit, and a system constituting an application thereof
JP2004046640A (en) Method for concealing password data, software program, and information terminal device
US11748459B2 (en) Reducing software release date tampering by incorporating software release date information into a key exchange protocol
CN118551351A (en) Intelligent software anti-leakage system based on kernel encryption and role authority control

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 200480038321.5

Country of ref document: CN

AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase

Ref document number: 2004801471

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 2006544631

Country of ref document: JP

WWE Wipo information: entry into national phase

Ref document number: 10596554

Country of ref document: US

Ref document number: 2007198857

Country of ref document: US

WWE Wipo information: entry into national phase

Ref document number: 1020067012376

Country of ref document: KR

NENP Non-entry into the national phase

Ref country code: DE

WWW Wipo information: withdrawn in national office

Ref document number: DE

WWE Wipo information: entry into national phase

Ref document number: 2716/CHENP/2006

Country of ref document: IN

WWP Wipo information: published in national office

Ref document number: 2004801471

Country of ref document: EP

WWP Wipo information: published in national office

Ref document number: 1020067012376

Country of ref document: KR

WWP Wipo information: published in national office

Ref document number: 10596554

Country of ref document: US

WWW Wipo information: withdrawn in national office

Ref document number: 2004801471

Country of ref document: EP