System for automatic, secure and large scale software license management over any computer network
First Claim
1. An improved and scalable network based license management system that securely controls software licenses for networked or occasionally-networked applications over any local, wide area or wireless network, that allows large numbers of licensed applications, up to several hundred thousand licensed application installations or more, to be concurrently in a license-activated state on behalf of one or a multitude of software vendors, multitudes of their customers and one or a multitude of application programs, whether executing or not, with a networked license server, whether executing or not, and capable of running on a computer with average power and constructed with components of average reliability, such as a personal computer, with no assumptions about the quality of network availability, comprising:
a. A license storage means for storing in non-volatile storage on a server machine;
i. an encrypted floating license key that encodes an overall limit on the number of licenses for a given protected program, together with additional licensing policy information such as features, expiration dates and metering limits.
ii. the current activation state and machine location on a network of each activated copy of a license protected program that is activated with said network licensing system, where an activated instance may not necessarily be executing in order to be considered to be activated, and where the activated instance enters an inactive state either upon expiration of an activation lease time limit defined at the time of activation and recorded in said current activation state, or due to an explicit deactivation operation as determined by the application's software developer, and where the definition of machine location is determined by the application's software developer and may include but is not limited to any combination of a physical machine name, unique machine identification hardware parameters, or logical names defined by a proxy application such as a terminal server or web server.
b. A license server computer software program comprising;
i. a license repository comprising said license storage stored in a persistent transactional structure such as a relational database, such that both the license data and license state data stored in said license storage survive program and machine failures without loss of structural integrity, and such that said license server is not required to be running at the same time that said applications or their proxies or agents are running in order to prevent oversubscription of licenses,
ii. a license processing module that provides means to process license activation and deactivation requests over a network, said activation and deactivation requests corresponding to requests and releases of leased units of licensing maintained in said license repository and recorded individually in said license repository, the success or failure of such license activation and deactivation requests being dependent on limits and licensing policies maintained in said license repository, and such that a leased activation is automatically and implicitly deactivated upon termination of its release without requiring a cleanup process, and such that upper and lower limits may be specified on the duration of a granted activation lease
iii. a network listener module that accepts and responds to said license activation and deactivation requests from applications seeking protection over a local or wide area network and uses said license processing module to implement the requests, said network listener module utilizing a stateless network communication protocol that requires a network connection only for the duration that said license server processes said licensing request.
c. A client license library program that provides application programming interfaces to said license enabled applications for the purposes of communicating activation and deactivation requests to said license server and for managing the local generation of encrypted license keys from the activation state for possible local storage and the reconstruction and verification of the activation state from said locally generated key, such that the locally generated key may be saved in non-volatile storage in order to enable an activated program to be in a non-executing state without losing its activation status due to said program not executing, including;
i. application programming interfaces for the purpose of activating a license based on a logical or physical machine identification information such as a machine fingerprint that uniquely identifies the requester's location, and for deactivating the license, in conjunction with said license server
ii. application programming interfaces for the purpose of introspecting the properties of an activated license including application state information maintained in said license storage by said license server, licensing policy information such as expiration timestamp, and logical client machine identification information
iii. application programming interfaces for the purpose of locally generating an encrypted license key from an activation state obtained through said activation application programming interface, and autonomously reconstructing and verifying said locally generated encrypted license key without communicating with said license server, said verification including matching machine fingerprints, validating the license is for the application, and verifying that the activation duration has not expired
iv. application programming interfaces for the purpose of validating the client machine's system clock against the system clock timestamp returned by said license server during activation.
whereby said license server and application are not required to be running or have a continuous network connection in order for license protection to be in effect,
whereby said license server can accommodate a number of concurrently-active licenses that are not limited by machine processing power or memory but only by said license repository database capacity,
whereby said license server may be hosted at the software vendor's premises on behalf of all of said software vendor's customers and accessed over the Internet, thereby alleviating said customers of the responsibility of installing and administering said license server at said customers' premises.
Abstract
An improved license management system that enables large-scale, secure and automatic activation and migration of software licenses across computers on any network is disclosed. The system comprises a network license server that maintains detailed licensing limit and state in persistent store, and client libraries that are used by applications to issue activation and deactivation requests to the license server and to securely manage the activation state in local persistent store. An application is protected when it has activated its license for a lease duration. Activation is not constrained to coincide with an application's installation or running state. There are two types of licenses: anonymous licenses that exist while the license is activated, and named licenses that have user authentication information and an activation state. One embodiment of the license server is an HTTP protocol based web server application using a relational database management system for persistent storage.
15 Claims
14. A network license management system that securely controls software licenses for completely disconnected, occasionally-networked or networked applications over private and public networks for the purpose of preventing spoofing of the license server and cloning of license server floating license keys by vendors' customers, comprising:
a. a license server means that accepts one or more product-specific encrypted floating license keys and manages license activation and deactivation requests over a private or public network.
b. a client library means that enables an application to issue license activation and deactivation requests to said license server for the purpose of license protection.
c. a public key cryptography based secure communication means comprising
i. public key encryption library means comprising;
1. means to enable any application to generate a public key from a secret key
2. means to enable said license management system to generate a private key from said secret key using an access-control password parameter known only to software vendor, and such that said public key and said secret key for a common secret key have substantially differing values
3. means to enable any application to encrypt a clear text string with a public key to produce a public-key-encrypted cipher text that can only be decrypted with the corresponding private key, and to decrypt a private-key-encrypted cipher text string with a public key to produce the original clear text
4. means to enable said license management system to encrypt a clear text string with a private key to produce a private-key-encrypted cipher text that can only be decrypted with the corresponding public key and to decrypt a public-key-encrypted cipher text string with a private key to produce the original clear text, using an access-control password parameter known only to software vendor
ii. encrypted floating license key generation means for allowing vendor to pre-specify a product-specific secret password that is embedded in said encrypted floating license key and from which a public key is generated and made available to vendor's development staff and from which a secret key is implicitly derived by said license server software at run time and is unavailable to vendor or vendor's customers.
iii. said client library incorporating means to accept said product public key parameter and use said encryption library to encrypt all messages to said license server with said product public key and to decrypt all messages from said license server with said product public key
iv. said license server incorporating means to obtain said product private key using said encryption library and said secret password in said floating license key, and to use said product private key to decrypt all messages from said client library with said product private key and to encrypt all messages to said client library with said product private key
whereby said messages between said client library and said license server are secure from eavesdropping and tampering,
whereby said messages between said client library and said license server are secure from substitution by a spoofed server or spoofed client,
whereby said encrypted floating license key is secure from substitution with a floating license key generated by other than the software vendor who provided said product public key to said protected application and said floating license key to said license server.
15. A network license management system that securely controls software licenses for completely disconnected and occasionally-networked applications for the purpose of preventing end users from oversubscribing time limited licenses, comprising:
a. a license server means that manages license activation and deactivation requests over a network, success of said activation and deactivation requests being contingent on client system clock being within a specified tolerance of said license server system clock
b. a client library means that enables an application to issue license activation and deactivation requests to said license server for the purpose of license protection, and transmits client system clock information to said license server
c. a client library means that enables a protected application to save said license activation state in local persistent store, with activation timestamp embedded in said saved state
d. a client library means that enables said saved license activation state to be restored in normal or activation state so that state restoration procedure during activation verifies server activation clock against client clock to be within a specified tolerance and to occur within a specified key shelf life and initializes a hidden file with the current client timestamp, and so that normal restoration procedure verifies existence of hidden file and that contents of said hidden file represent a time that is behind current system clock
whereby protected applications that use said network license server for activation are secure from system clock tampering at the time of license activation even if the client operating system installation is reinitialized,
whereby said protected applications are secure from system clock tampering while running autonomously.
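The client-side checks of claim 1.c.iii–iv (reconstruct and verify the locally stored key: integrity, product, machine fingerprint, lease expiry) and claim 15.d (clock-skew and shelf-life checks on activation, hidden-file timestamp on normal restore) are shown together below as an added illustration; this is not the patent's code. It assumes HMAC-SHA256 in place of the patent's unspecified "encrypted license key", a plain dict in place of the hidden file, and invented function names and tolerance constants.

```python
import hashlib
import hmac
import json

# Constructed example. HMAC-SHA256 stands in for the patent's encrypted key format
# (assumption), and the `hidden` dict stands in for the hidden timestamp file.
CLOCK_TOLERANCE_S = 300    # allowed client/server skew at activation (assumed value)
KEY_SHELF_LIFE_S = 3600    # activation-state key must be restored within this window


def _tag(secret: bytes, state: dict) -> str:
    body = json.dumps(state, sort_keys=True).encode()
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def generate_key(secret, product, fingerprint, server_time, client_time, lease_s):
    """Local key built from the activation state the server returned (claim 1.c.iii)."""
    state = {"product": product, "fp": fingerprint, "server_time": server_time,
             "client_time": client_time, "expires_at": server_time + lease_s}
    return {"state": state, "tag": _tag(secret, state)}


def verify_key(secret, key, product, fingerprint, now):
    """Autonomous verification with no server contact: integrity, product, fingerprint, expiry."""
    state = key["state"]
    if not hmac.compare_digest(_tag(secret, state), key["tag"]):
        return False, "tampered"
    if state["product"] != product:
        return False, "wrong product"
    if state["fp"] != fingerprint:
        return False, "fingerprint mismatch"
    if now >= state["expires_at"]:
        return False, "lease expired"
    return True, "ok"


def restore_on_activation(secret, key, product, fingerprint, now, hidden):
    """Claim 15.d activation path: skew and shelf-life checks, then seed the hidden timestamp."""
    ok, why = verify_key(secret, key, product, fingerprint, now)
    if not ok:
        return False, why
    s = key["state"]
    if abs(s["client_time"] - s["server_time"]) > CLOCK_TOLERANCE_S:
        return False, "clock skew at activation"
    if now - s["server_time"] > KEY_SHELF_LIFE_S:
        return False, "key shelf life exceeded"
    hidden["ts"] = now
    return True, "ok"


def restore_normal(secret, key, product, fingerprint, now, hidden):
    """Claim 15.d normal path: hidden timestamp must exist and lie behind the current clock."""
    ok, why = verify_key(secret, key, product, fingerprint, now)
    if not ok:
        return False, why
    if "ts" not in hidden:
        return False, "no activation marker"
    if hidden["ts"] > now:
        return False, "clock rolled back"
    hidden["ts"] = now  # advance the watermark (assumption: keeps later rollbacks detectable)
    return True, "ok"
```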