System for automatic, secure and large scale software license management over any computer network

US 20050289072A1
Filed: 06/29/2004
Published: 12/29/2005
Est. Priority Date: 06/29/2004
Status: Abandoned Application

First Claim

Patent Images

1. An improved and scalable network based license management system that securely controls software licenses for networked or occasionally-networked applications over any local, wide area or wireless network, that allows large numbers of licensed applications, up to several hundred thousand licensed application installations or more, to be concurrently in a license-activated state on behalf of one or a multitude of software vendors, multitudes of their customers and one or a multitude of application programs, whether executing or not, with a networked license server, whether executing or not, and capable of running on a computer with average power and constructed with components of average reliability, such as a personal computer, with no assumptions about the quality of network availability, comprising:

a. A license storage means for storing in non-volatile storage on a server machine;

i. an encrypted floating license key that encodes an overall limit on the number of licenses for a given protected program, together with additional licensing policy information such as features, expiration dates and metering limits. ii. the current activation state and machine location on a network of each activated copy of a license protected program that is activated with said network licensing system, where an activated instance may not necessarily be executing in order to be considered to be activated, and where the activated instance enters an inactive state either upon expiration of an activation lease time limit defined at the time of activation and recorded in said current activation state, or due to an explicit deactivation operation as determined by the application'"'"'s software developer, and where the definition of machine location is determined by the application'"'"'s software developer and may include but is not limited to any combination of a physical machine name, unique machine identification hardware parameters, or logical names defined by a proxy application such as a terminal server or web server. b. A license server computer software program comprising;

i. a license repository comprising said license storage stored in a persistent transactional structure such as a relational database, such that both the license data and license state data stored in said license storage survive program and machine failures without loss of structural integrity, and such that said license server is not required to be running at the same time that said applications or their proxies or agents are running in order to prevent oversubscription of licenses, ii. a license processing module that provides means to process license activation and deactivation requests over a network, said activation and deactivation requests corresponding to requests and releases of leased units of licensing maintained in said license repository and recorded individually in said license repository, the success or failure of such license activation and deactivation requests being dependent on limits and licensing policies maintained in said license repository, and such that a leased activation is automatically and implicitly deactivated upon termination of its release without requiring a cleanup process, and such that upper and lower limits may be specified on the duration of a granted activation lease iii. a network listener module that accepts and responds to said license activation and deactivation requests from applications seeking protection over a local or wide area network and uses said license processing module to implement the requests, said network listener module utilizing a stateless network communication protocol that requires a network connection only for the duration that said license server processes said licensing request. c. A client license library program that provides application programming interfaces to said license enabled applications for the purposes of communicating activation and deactivation requests to said license server and for managing the local generation of encrypted license keys from the activation state for possible local storage and the reconstruction and verification of the activation state from said locally generated key, such that the locally generated key may be saved in non-volatile storage in order to enable an activated program to be in a non-executing state without losing its activation status due to said program not executing, including;

i. application programming interfaces for the purpose of activating a license based on a logical or physical machine identification information such as a machine fingerprint that uniquely identifies the requester'"'"'s location, and for deactivating the license, in conjunction with said license server ii. application programming interfaces for the purpose of introspecting the properties of an activated license including application state information maintained in said license storage by said license server, licensing policy information such as expiration timestamp, and logical client machine identification information iii. application programming interfaces for the purpose of locally generating an encrypted license key from an activation state obtained through said activation application programming interface, and autonomously reconstructing and verifying said locally generated encrypted license key without communicating with said license server, said verification including matching machine fingerprints, validating the license is for the application, and verifying that the activation duration has not expired iv. application programming interfaces for the purpose of validating the client machine'"'"'s system clock against the system clock timestamp returned by said license server during activation. whereby said license server and application are not required to be running or have a continuous network connection in order for license protection to be in effect, whereby said license server can accommodate a number of concurrently-active licenses that are not limited by machine processing power or memory but only by said license repository database capacity, whereby said license server may be hosted at the software vendor'"'"'s premises on behalf of all of said software vendor'"'"'s customers and accessed over the Internet, thereby alleviating said customers of the responsibility of installing and administering said license server at said customers'"'"' premises.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An improved license management system that enables large-scale, secure and automatic activation and migration of software licenses across computers on any network is disclosed. The system comprises a network license server that maintains detailed licensing limit and state in persistent store, and client libraries that are used by applications to issue activation and deactivation requests to the license server and to securely manage the activation state in local persistent store. An application is protected when it has activated its license for a lease duration. Activation is not constrained to coincide with an application'"'"'s installation or running state. There are two types of licenses: anonymous licenses that exist while the license is activated, and named licenses that have user authentication information and an activation state. One embodiment of the license server is an HTTP protocol based web server application using a relational database management system for persistent storage.

Citations

15 Claims

1. An improved and scalable network based license management system that securely controls software licenses for networked or occasionally-networked applications over any local, wide area or wireless network, that allows large numbers of licensed applications, up to several hundred thousand licensed application installations or more, to be concurrently in a license-activated state on behalf of one or a multitude of software vendors, multitudes of their customers and one or a multitude of application programs, whether executing or not, with a networked license server, whether executing or not, and capable of running on a computer with average power and constructed with components of average reliability, such as a personal computer, with no assumptions about the quality of network availability, comprising:
- a. A license storage means for storing in non-volatile storage on a server machine;
  
  i. an encrypted floating license key that encodes an overall limit on the number of licenses for a given protected program, together with additional licensing policy information such as features, expiration dates and metering limits. ii. the current activation state and machine location on a network of each activated copy of a license protected program that is activated with said network licensing system, where an activated instance may not necessarily be executing in order to be considered to be activated, and where the activated instance enters an inactive state either upon expiration of an activation lease time limit defined at the time of activation and recorded in said current activation state, or due to an explicit deactivation operation as determined by the application'"'"'s software developer, and where the definition of machine location is determined by the application'"'"'s software developer and may include but is not limited to any combination of a physical machine name, unique machine identification hardware parameters, or logical names defined by a proxy application such as a terminal server or web server. b. A license server computer software program comprising;
  
  i. a license repository comprising said license storage stored in a persistent transactional structure such as a relational database, such that both the license data and license state data stored in said license storage survive program and machine failures without loss of structural integrity, and such that said license server is not required to be running at the same time that said applications or their proxies or agents are running in order to prevent oversubscription of licenses, ii. a license processing module that provides means to process license activation and deactivation requests over a network, said activation and deactivation requests corresponding to requests and releases of leased units of licensing maintained in said license repository and recorded individually in said license repository, the success or failure of such license activation and deactivation requests being dependent on limits and licensing policies maintained in said license repository, and such that a leased activation is automatically and implicitly deactivated upon termination of its release without requiring a cleanup process, and such that upper and lower limits may be specified on the duration of a granted activation lease iii. a network listener module that accepts and responds to said license activation and deactivation requests from applications seeking protection over a local or wide area network and uses said license processing module to implement the requests, said network listener module utilizing a stateless network communication protocol that requires a network connection only for the duration that said license server processes said licensing request. c. A client license library program that provides application programming interfaces to said license enabled applications for the purposes of communicating activation and deactivation requests to said license server and for managing the local generation of encrypted license keys from the activation state for possible local storage and the reconstruction and verification of the activation state from said locally generated key, such that the locally generated key may be saved in non-volatile storage in order to enable an activated program to be in a non-executing state without losing its activation status due to said program not executing, including;
  
  i. application programming interfaces for the purpose of activating a license based on a logical or physical machine identification information such as a machine fingerprint that uniquely identifies the requester'"'"'s location, and for deactivating the license, in conjunction with said license server ii. application programming interfaces for the purpose of introspecting the properties of an activated license including application state information maintained in said license storage by said license server, licensing policy information such as expiration timestamp, and logical client machine identification information iii. application programming interfaces for the purpose of locally generating an encrypted license key from an activation state obtained through said activation application programming interface, and autonomously reconstructing and verifying said locally generated encrypted license key without communicating with said license server, said verification including matching machine fingerprints, validating the license is for the application, and verifying that the activation duration has not expired iv. application programming interfaces for the purpose of validating the client machine'"'"'s system clock against the system clock timestamp returned by said license server during activation. whereby said license server and application are not required to be running or have a continuous network connection in order for license protection to be in effect, whereby said license server can accommodate a number of concurrently-active licenses that are not limited by machine processing power or memory but only by said license repository database capacity, whereby said license server may be hosted at the software vendor'"'"'s premises on behalf of all of said software vendor'"'"'s customers and accessed over the Internet, thereby alleviating said customers of the responsibility of installing and administering said license server at said customers'"'"' premises.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The license management system of claim 1 wherein said license repository is implemented as a relational database and license checking operations are implemented with relational calculus operators, whereby said license repository requires no cleanup procedures for expired license activation leases, whereby said license repository may be readily used to produce reports using the SQL relational query language and using off-the-shelf SQL-based reporting tools
  - 3. The license management system of claim 1 that incorporates an audit trail means comprising:
    - a. an audit trail table in said license repository b. an audit processing module that updates said table with details of license activation and license administration events c. an audit reporting module that permits searches and retrievals of auditing events whereby audits may be conducted, retrospective analysis may be performed and historical reports may be generated using reporting tools or said audit reporting module
  - 4. The license management system of claim 1 that incorporates a host access control means comprising:
    - a. a host access control table in said repository, said table containing access control rules based on regular expressions for allowing or denying access to individual client machines or groups of machines b. host access control processing logic that permits licensing requests from a client machine ID provided said machine ID matches at least one access control rule allowing access, and does not match any access control rule denying access whereby selective access to client machines may be accomplished when said license management system is hosted and accessed over public networks such as the Internet.
  - 5. The license management system of claim 1 incorporating a license sub-grouping means comprising:
    - a. a license domain entity in said license repository, where a given product license may have one or more named license administration domains, said domains having license activations assigned to them instead of to said product, and said domains being assigned individual license policies and constraints that apply to license activations assigned to it b. said client library capable of accepting a domain name parameter to an activation request call c. said license processing module incorporating means to associate client requests with respective said domains whereby license activations may be grouped, each group having its individual licensing policies and constraints for a number of purposes including but not limited to assigning priorities, defining roles, and grouping license activations by customers assigned customer identifiers.
  - 6. The license management system of claim 5 incorporating means for licensing named users, comprising:
    - a. a named-user qualifier for said license administration domain entity in said license repository, to distinguish named-user from anonymous-user purpose of said license administration domain entity instance, so that only instances of the associated type of license activation belong to respective said domain b. a named-user entity in said license repository where an instance of said license administration domain entity having said named-user qualifier may have zero or more instances of said named-user entity, said named user entity being uniquely identified by a user name and having as dependent attributes at a minimum an activated status indicating whether said named user is in an activated state, a machine ID attribute indicating the identity of the client machine from which the user has been activated, a timestamp indicating when the activation occurred, and an activation lease duration numeric value indicating the activation lease duration that was granted by said license processing module, and having as a dependent attribute an optional password specifier for user authentication c. license administration means for adding, updating and removing said named users from said license repository d. said client library capable of accepting username and optional password parameters e. said license processing module incorporating means for associating and authenticating user name and optional password with said named user in said repository, for updating activation state and parameters of said named user entry in said license repository, and for determining activation state of said named user entry based on current system clock whereby user licenses can be preassigned to and associated with named users via login names, product serial numbers and similar real-world entities so users can migrate their licenses among multiple machines without being able to be activated on more than one machine at any point in time.
  - 7. The license management system of claim 6 that incorporates means for automatically transferring application installation information when said named users migrate their licenses to new machines, comprising:
    - a. said named user entity in said license repository having a general purpose user parameters attribute that can accommodate reasonable-sized application state information b. said client libraries incorporating means to receive and make available to protected application said user parameter information returned from said license server in response to said license activation request c. said client libraries incorporating means to accept user parameter information to deactivation application programming interface call from protected application for sending to said license server as part of processing said deactivation request d. said license processing module incorporating means to retrieve said user parameter information from said named user entry during processing of said activation request to send to client, and to save said user parameter information received from client in said named user entry during processing of said deactivation request whereby a user may conveniently and automatically transfer application settings including but not limited to user preferences when migrating the respective license to a new machine.
  - 8. The license management system of claim 1 wherein said license management system incorporates a weighted licensing system comprising:
    - a. said encrypted floating license key means that encodes a weighted user limit representing a limit on the sum of weightages of license activation requests instead of a limit on the count of license activation requests b. said license activation request means specifying a weightage value that counts towards the weighted user limit instead of a count of 1 whereby said activations may be charged according to the underlying value of the business function, thereby permitting the vendor to sell aggregate licenses across multiple business functions of differing values
  - 9. The license management system of claim 1 incorporating a centrally-managed license activation lease duration control means comprising:
    - a. minimum and maximum license activation duration specification attributes in said license repository such that minimum duration may be as low as zero and as high as infinity, and maximum duration may be as low as zero and as high as infinity b. license processing module means incorporating license activation grant procedure that ensures granted duration is no less than said minimum license activation duration and no more than said maximum license activation duration specification attribute whereby said license management system can be used to both limit long license activation leases and to limit the frequency with which users may migrate licenses across machines and thus limit the degree to which said user licenses can be shared among multiple individuals over time
  - 10. The license management system of claim 1 wherein said license server may manage a multitude of said license repositories whereby said license management system may be used by a provider of license management services on behalf of a multitude of software vendors having a multitude of customers, each having a multitude of licenses for a multitude of protected applications
  - 11. The license management system of claim 1 incorporating means for securely managing activation and deactivation of application installations having no network connectivity to said license server, comprising:
    - a. A proxy licensing means that has network connectivity to said license server and acts on behalf of said disconnected application installation for the purpose of requesting and releasing license activations, comprising i. a system fingerprint comprising an encryption of said machine fingerprint, activation lease duration and other parameters provided by said disconnected application requesting activation such that the user cannot manufacture said system fingerprint or tamper with it ii. a user interface means for receiving said system fingerprint from said disconnected application requesting activation via detachable storage media or other means such as email iii. a proxy activation means that decrypts said system fingerprint to obtain licensing parameters supplied by said disconnected application and performs an activation request on behalf of said disconnected application, and encrypts the resulting activation state to produce an encrypted license key for return to said disconnected application via detachable storage media or other means such as email iv. a return receipt comprising an encryption of said encrypted license key surrendered by said disconnected application as part of its deactivation, together with any parameters said disconnected application wishes to return to license server for a subsequent activation when said activation is for a named user, such that an end user cannot manufacture or tamper with said return receipt and it can only be produced by said disconnected application itself v. a proxy deactivation means that decrypts said return receipt to obtain said license token and deactivates the license associated with said license token if it is valid and feeds back the status to the user
  - 12. The license management system of claim 11 wherein the proxy activation and deactivation means are implemented with web self-service pages managed by said license server and accessed over the Internet from a web browser
  - 13. The license management system of claim 11 incorporating means for automatically utilizing an available network connection or switching to disconnected mode upon detection of network communication failure, comprising:
    - a. said client library incorporating means for detecting specific network communication error conditions during activation and deactivation b. said protected application incorporating means for using said client library API calls to act on communication errors to switch to operate in disconnected mode whereby protected application may be distributed as a single binary program for deployment in all types of networked environments and for automatic adaptation to varying conditions of network connectivity during the lifetime of its deployment

14. A network license management system that securely controls software licenses for completely disconnected, occasionally-networked or networked applications over private and public networks for the purpose of preventing spoofing of the license server and cloning of license server floating license keys by vendors'"'"' customers, comprising:
- a. a license server means that accepts one or more product-specific encrypted floating license keys and manages license activation and deactivation requests over a private or public network. b. a client library means that enables an application to issue license activation and deactivation requests to said license server for the purpose of license protection. c. a public key cryptography based secure communication means comprising i. public key encryption library means comprising;
  
  1. means to enable any application to generate a public key from a secret key 2. means to enable said license management system to generate a private key from said secret key using an access-control password parameter known only to software vendor, and such that said public key and said secret key for a common secret key have substantially differing values 3. means to enable any application to encrypt a clear text string with a public key to produce a public-key-encrypted cipher text that can only be decrypted with the corresponding private key, and to decrypt a private-key-encrypted cipher text string with a public key to produce the original clear text 4. means to enable said license management system to encrypt a clear text string with a private key to produce a private-key-encrypted cipher text that can only be decrypted with the corresponding public key and to decrypt a public-key-encrypted cipher text string with a private key to produce the original clear text, using an access-control password parameter known only to software vendor ii. encrypted floating license key generation means for allowing vendor to pre-specify a product-specific secret password that is embedded in said encrypted floating license key and from which a public key is generated and made available to vendor'"'"'s development staff and from which a secret key is implicitly derived by said license server software at run time and is unavailable to vendor or vendor'"'"'s customers. iii. said client library incorporating means to accept said product public key parameter and use said encryption library to encrypt all messages to said license server with said product public key and to decrypt all messages from said license server with said product public key iv. said license server incorporating means to obtain said product private key using said encryption library and said secret password in said floating license key, and to use said product private key to decrypt all messages from said client library with said product private key and to encrypt all messages to said client library with said product private key whereby said messages between said client library and said license server are secure from eavesdropping and tampering, whereby said messages between said client library and said license server are secure from substitution by a spoofed server or spoofed client, whereby said encrypted floating license key is secure from substitution with a floating license key generated by other than the software vendor who provided said product public key to said protected application and said floating license key to said license server.

15. A network license management system that securely controls software licenses for completely disconnected and occasionally-networked applications for the purpose of preventing end users from oversubscribing time limited licenses, comprising:
- a. a license server means that manages license activation and deactivation requests over a network, success of said activation and deactivation requests being contingent on client system clock being within a specified tolerance of said license server system clock b. a client library means that enables an application to issue license activation and deactivation requests to said license server for the purpose of license protection, and transmits client system clock information to said license server c. a client library means that enables a protected application to save said license activation state in local persistent store, with activation timestamp embedded in said saved state d. a client library means that enables said saved license activation state to be restored in normal or activation state so that state restoration procedure during activation verifies server activation clock against client clock to be within a specified tolerance and to occur within a specified key shelf life and initializes a hidden file with the current client timestamp, and so that normal restoration procedure verifies existence of hidden file and that contents of said hidden file represent a time that is behind current system clock whereby protected applications that use said network license server for activation are secure from system clock tampering at the time of license activation even if the client operating system installation is reinitialized whereby said protected applications are secure from system clock tampering while running autonomously

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vinay Sabharwal
Original Assignee
Vinay Sabharwal
Inventors
Sabharwal, Vinay

Application Number

US10/879,541
Publication Number

US 20050289072A1
Time in Patent Office

Days
Field of Search
US Class Current

705/59
CPC Class Codes

G06F 21/10 Protecting distributed prog...

G06F 21/121 Restricting unauthorised ex...

System for automatic, secure and large scale software license management over any computer network

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

System for automatic, secure and large scale software license management over any computer network

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links