Secure Endpoint Token
Security is a major concern. The ability to secure information when using a computer can be difficult, inconvenient, and not very effective. Being able to ensure that someone with elicit intentions is not able to steal the information or intellectual property, whether from a user of that property or the owner and distributor of that property, can be almost impossible. No matter what system of controls is implemented all have a common weakness. That weakness is generally the need to be installed on a remote piece of hardware. Anytime security software is installed on a remote piece of hardware and then runs in a third-party environment such as Microsoft Windows, it is vulnerable. The vulnerability results from the need of the operating system to leave openings for other products to interoperate as well as to debug when problems arise. But these openings leave open opportunities for a person or system (e.g., virus) with illicit goals to thwart and circumvent whatever system of controls has been created to protect the information and intellectual property.
Dynamic and Random Encryption:
Encryption in use today typically relies on its complexity to thwart any attack. This protection is similar to a person standing in the middle of a field far away from anyone. While they stand alone they are generally safe and secure and no one can attack their data, at some point in time a hacker may take notice and using his virtual weapons take a shot at them from miles away. In this hypothetical, the shot has little chance of hitting the person, so the hacker begins a quest to get closer to the target, every so often taking another shot. Eventually the hacker is very close and his shot hits its mark—unveiling the secret information that was hidden. This is often the case when using the current encryption algorithms and, as most entities do, only change the encryption key periodically over a lengthy period of time. Because of the length of time that the same key is used, it effectively becomes static and a target for a hacker.
Efforts have been made with encryption to make it ever more complex through the actual mathematical algorithm used for such encryption. While this may provide a short-term solution, it is by no means a permanent solution. As hardware improves and become ever more advanced and its speed increases, the math needed to thwart the breaking of encryption will need to become ever more complex.
Encryption can be both cumbersome and processing intensive. A balance if often struck when either the hardware on which the encryption is performed has to be of a level that can handle the strength of encryption needed for a given task or the strength of the encryption has to be reduced to allow less powerful hardware to handle execution of the encryption. In many cases this leads to encryption involving a single algorithm using a single key for all data encryption. This leads to a level of encryption that can be cracked in a very short time regardless of what algorithm is used. To strengthen encryption, the typical strategy is to increase the number of keys used as well as the frequency of how often they change. This works well, but requires either a lot of offline secure data transfer of keys or the initial sharing of a large number of keys which require a lot of storage space.
Since current encryption measures have been shown to be vulnerable to attack, a more complex implementation was needed. It would be desirable to have a system and method that both leverages current infrastructure for popular encryption algorithms as well as introduces a higher level of complexity to the process while allowing for scalability to ensure continued security into the future.
At the same time, any new system and method would ideally be capable of being scaled to function on varying platforms—e.g., as small as a smart chip microprocessor as well as platforms as large as mini- and main-frame computers. It would also be desirable to have a self-contained system that is molecular in design so that it could function without a large amount of management and control. Such a system would ideally be dynamic and constantly changing to make it a very difficult target for black-hat hackers. It would also be desirable to have an appearance to those outside observer as being random and unpredictable.
Since passing encryption parameters or data in the data stream would create a large vulnerability and since alternative channels may still leave this vulnerability as well as introduce issues of synchronization between messages, an alternative solution is needed. Pre-shared data was one option, but in previous implementations, this was usually done in a structured fashion where either a set of encryption keys were pre-shared or other encryption parameters specifically defined were pre-shared. This led to vulnerability in circumstances where a black-hat hacker could discover the pre-shared data and thus become able to decrypt future encrypted data using this discovery.
Persistent Software Integrity
Existing software fails to perform extensive scanning for the specific purposes of locating places within program executables where, for instance, license verification instructions could be inserted. Additionally current software scanning does not look for points where a program could be infected by software instructions having the characteristics of a benign Stealth Execution. Those programs in the marketplace which do scan software programs are typically used and intended to find locations in the software for determining the function of the software and then allowing someone to reverse engineer its actions. This is used for increasing the efficiency of the software, but not to actually insert external instructions or to provide for the insertion of software instructions having the characteristics of a Stealth Execution.
Protecting software systems, assets and intellectual property can be difficult if not impossible. There have been attempts and some sophisticated concepts, but few have had any success. The biggest problem has been that it takes multiple pieces to create a good solution and typically much attention has been directed at the activation or enablement function within the application being protected. In this regard, the prior efforts have been to secure these functions within the application. Solutions such as calculated hashes and checksums as well as encryption of check values and encryption of the program itself have been tried and yet little success has been forthcoming.
Like a chain, good anti-piracy measures have many links and the biggest problem is always the weakest of these links. In all cases this has been the ability to secure the application and prevent removal of the license verification, activation, or enablement functions. Once an application has been “cracked” as it is sometimes called its license verification is disabled and its able to be distributed freely resulting in a severe impact to the owner of that intellectual property.