Secure software distribution and installation

US 7,051,211 B1
Filed: 08/21/2000
Issued: 05/23/2006
Est. Priority Date: 08/21/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A system for controlling installation of software, the system comprising:

an installation server, the installation server having access to first and second secret values associated with a copy of the software for installation;

an unencrypted installation client, the installation client incorporating the first secret value; and

an encrypted portion of the software, wherein the encrypted portion of the software is encrypted with a first key value derived from the first and second secret values;

wherein the unencrypted installation client is configured to receive the second secret value from the installation server, to generate the first key value, to decrypt the encrypted portion of the software and to install the software; and

wherein the installation client is further configured to generate a second key value from the first key value and the first secret value, encrypt the decrypted portion of the software with the second key value and store the portion of the software encrypted with the second key value.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems and computer program products are provide for controlling access to software is provided by the software to be controlled being divided into a first encrypted portion and a second unencrypted portion. The second unencrypted portion has access to, and may even incorporate, a first secret value and a software identification associated with a copy of the software. The first encrypted portion is encrypted with a first key value which is based on the first secret value and a second secret value. The second secret value is obtained and the first key value generated from the obtained second secret value and the first secret value. The first encrypted portion of the software may then be decrypted with the first key value. The software may be installed on a data processing system utilizing the decrypted first encrypted portion of the software.

111 Citations

View as Search Results

39 Claims

1. A system for controlling installation of software, the system comprising:
- an installation server, the installation server having access to first and second secret values associated with a copy of the software for installation;
  
  an unencrypted installation client, the installation client incorporating the first secret value; and
  
  an encrypted portion of the software, wherein the encrypted portion of the software is encrypted with a first key value derived from the first and second secret values;
  
  wherein the unencrypted installation client is configured to receive the second secret value from the installation server, to generate the first key value, to decrypt the encrypted portion of the software and to install the software; and
  
  wherein the installation client is further configured to generate a second key value from the first key value and the first secret value, encrypt the decrypted portion of the software with the second key value and store the portion of the software encrypted with the second key value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. A system according to claim 1, wherein the installation server is further configured to generate the first key value and store the first key value as a subsequent second secret value associated with the copy of the software.
  - 3. A system according to claim 2, wherein the installation server is further configured to retain a copy of an initial second secret value associated with the copy of the software and to selectively provide the initial second secret value to the installation client.
  - 4. A system according to claim 2, wherein the installation server is configured to maintain a copy of an original second secret value associated with a first key value utilized to encrypt an initial copy of the software and wherein the installation server is configured to control the number of installations allowed for the copy of the software based on a maximum number of installations and a maximum number of times that the original second secret value may be sent to the installation client.
  - 5. A system according claim 4, wherein the installation server is configured to track the number of times that the copy of the software has been installed and the number of times that the original second secret value is sent to the installation client and wherein the installation server is further configured to reject a request for installation of the copy of the software if the installation results in at least one of the number of times that the copy of the software has been installed exceeding the maximum number of software installations and the number of times that the original second secret value is sent to the installation client exceeds the maximum number of times that the original second secret value may be sent to the installation client.
  - 6. A system according to claim 1, wherein the installation client is configured to decrypt the encrypted portion of the software and encrypt the portion of the software with the second key value without persistently storing the decrypted portion of the software, the second secret value, the first key value or the second key value.
  - 7. A system according to claim 1, wherein the installation client is further configured to replace the encrypted portion of the software with the portion of the software encrypted with the second key value.
  - 8. A system according to claim 7, wherein the encrypted portion of the software comprises a plurality of encrypted blocks and wherein the installation client is further configured to sequentially decrypt ones of the plurality of encrypted blocks with the first key value and sequentially encrypt and store the decrypted plurality of encrypted blocks with the second key value, wherein a next of the plurality of encrypted blocks is decrypted after a previous of the plurality of encrypted blocks is encrypted with the second key value and stored.
  - 9. A system according to claim 1, wherein the installation server is further configured to receive a request for installation of the copy of the software from the installation client and provide the second secret value to the installation client in response to the request for installation of the copy of the software.
  - 10. A system according to claim 9, wherein the installation server is further configured to determine if the requested installation is authorized and provide the second secret value to the installation client if the requested installation is authorized.
  - 11. A system according to claim 1, further comprising a network interconnecting the installation server and the installation client.
  - 12. A system according to claim 11, wherein the network comprises the Internet.
  - 13. A system according to claim 1, wherein the installation client is further configured to copy at least the encrypted portion of the software from a read only storage device to a writeable storage device and to store the portion of the software encrypted with the second key value so as to overwrite the encrypted portion of the software stored on the writeable storage device.

14. A method of controlling access to software by a data processing system, comprising:
- providing a copy of the software, the software being divided into a first encrypted portion and a second unencrypted portion, the second unencrypted portion having access to a first secret value and a software identification associated with the copy of the software and wherein the first encrypted portion is encrypted with a first key value which is based on the first secret value and a second secret value associated with the software identification of the copy of the software;
  
  obtaining the second secret value;
  
  generating the first key value from the obtained second secret value and the first secret value;
  
  decrypting the first encrypted portion of the software utilizing the first key value;
  
  generating a second key value from the first key value and the first secret value;
  
  encrypting the decrypted first encrypted portion of the software with the second key value; and
  
  storing the first encrypted portion of the software encrypted with the second key value.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 15. A method according to claim 14, further comprising installing the software on a data processing system utilizing the decrypted first encrypted portion of the software.
  - 16. A method according to claim 14, wherein the step of storing the first encrypted portion comprises overwriting a stored copy of the first encrypted portion of the software encrypted with the first key value.
  - 17. A method according to claim 14, wherein the step of obtaining the second secret value comprises the steps of:
    - requesting the second secret value from a network server; and
      
      receiving the second secret value from the network server in response to the request for the second secret value.
  - 18. A method according to claim 17, wherein the step of requesting the second secret value from the network server comprises transmitting a request for the second secret value containing the identification of the copy of the software.
  - 19. A method according to claim 18, further comprising the step of obtaining user information and wherein the request for the second secret value further contains the obtained user information.
  - 20. A method according to claim 19, wherein the user information comprises at least one of identification of a data processing system on which the software is to be installed and identification of a user associated with the copy of the software.
  - 21. A method according to claim 17, further comprising the steps of:
    - determining if the request for the second secret value is for an authorized installation of the copy of the software; and
      
      sending the second secret value only if the request is for an authorized installation of the copy of the software.
  - 22. A method according to claim 21, wherein the determination of whether the request is for an authorized installation of the software is based on at least one of the identification of the copy of the software, an identification of a user of the software, an identification of a processing system on which the software is to be installed, an authorized number of installations for the copy of the software and a number of previous installations of the copy of the software.
  - 23. A method according to claim 21, further comprising the step of tracking the number of times that the copy of the software has been installed;
    - andwherein the determination of whether the request is for an authorized installation comprises the step of determining if the number of times that the copy of the software has been installed exceeds a maximum number of times that the software is authorized for installation.

24. A method of controlling access to software by a data processing system, comprising:
- providing a copy of the software, the software being divided into a first encrypted portion and a second unencrypted portion, the second unencrypted portion having access to a first secret value and a software identification associated with the copy of the software and wherein the first encrypted portion is encrypted with a first key value which is based on the first secret value and a second secret value associated with the software identification of the copy of the software;
  
  obtaining the second secret value;
  
  generating the first key value from the obtained second secret value and the first secret value;
  
  decrypting the first encrypted portion of the software utilizing the first key value;
  
  generating the first key value based on the first and second secret values at the network server; and
  
  associating the first key value with the identification of the copy of the software as an updated second secret value to be provided in response to a subsequent request for the second secret value.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31)
- - 25. A method according to claim 24, further comprising the steps of:
    - copying the first encrypted portion of the software from a read only media to a writeable storage media;
      
      generating a second key value from the first key value and the first secret value;
      
      encrypting the decrypted first encrypted portion of the software with the second key value; and
      
      storing the first encrypted portion of the software encrypted with the second key value on the writeable storage media.
  - 26. A method according to claim 25, further comprising the steps of:
    - maintaining a copy of the second secret value as an initial second secret value; and
      
      selectively providing the initial second secret value in response to a request for the second secret value.
  - 27. A method according to claim 26, wherein the step of obtaining the second secret value comprises the steps of:
    - requesting the second secret value from a network server; and
      
      receiving the second secret value from the network server in response to the request for the second secret value.
  - 28. A method according to claim 27, further comprising the steps of:
    - determining if the request for the second secret value is for an authorized installation of the copy of the software; and
      
      sending the second secret value only if the request is for an authorized installation of the copy of the software.
  - 29. A method according to claim 28, further comprising the step of tracking the number of times that the copy of the software has been installed;
    - andwherein the determination of whether the request is for an authorized installation comprises the step of determining if the number of times that the copy of the software has been installed exceeds a maximum number of times that the software is authorized for installation.
  - 30. A method according to claim 29, further comprising the steps of:
    - determining if the request for installation is a request to resynchronize secret values utilized to generate the first key value; and
      
      providing the initial second secret value if the request for installation is a request to resynchronize secret values.
  - 31. A method according to claim 30, further comprising the step of tracking the number of times that the initial second secret value has been provided;
    - andwherein the determination of whether the request is for an authorized installation further comprises the step of determining if the number of times that the second secret value has been provided exceeds a maximum number of times that the second secret value is authorized to be provided.

32. A method of controlling access to software by a data processing system, comprising:
- providing a copy of the software, the software being divided into a first encrypted portion and a second unencrypted portion, the second unencrypted portion having access to a first secret value and a software identification associated with the copy of the software and wherein the first encrypted portion is encrypted with a first key value which is based on the first secret value and a second secret value associated with the software identification of the copy of the software;
  
  obtaining the second secret value;
  
  generating the first key value from the obtained second secret value and the first secret value;
  
  decrypting the first encrypted portion of the software utilizing the first key value;
  
  encrypting the first encrypted portion of the software as a plurality of encrypted blocks;
  
  wherein the step of decrypting the first encrypted portion of the software comprises decrypting an encrypted block of the plurality of encrypted blocks with the first key value;
  
  wherein the step of encrypting the decrypted first encrypted portion of the software comprises encrypting the decrypted block with the second key value;
  
  wherein the step of storing the first encrypted portion of the software encrypted with the second key value comprises storing the block encrypted with the second key value; and
  
  wherein the block of the plurality of encrypted blocks is decrypted, encrypted and stored before a next block of the plurality of blocks is decrypted, encrypted and stored.

33. A method of controlling software installation by a data processing system, comprising:
- associating a software identification and first and second secret values with a copy of the software;
  
  receiving a request for installation of the software on a data processing system, wherein the request identifies the software identification of the copy of the software;
  
  determining the second secret value associated with the software identification;
  
  determining if the installation of the copy of the software to be installed is authorized;
  
  sending the second secret value to the data processing system if the installation of the copy of the software to be installed is authorized;
  
  generating a first key value from the first and second secret values associated with the copy of the software; and
  
  associating the first key value with the software identification of the copy of the software as an updated second secret value.
- View Dependent Claims (34, 35)
- - 34. A method according to claim 33, wherein the determination of whether the installation of the copy of the software is authorized is based on at least one of the identification of the copy of the software, an identification of a user of the software, an identification of a processing system on which the software is to be installed, an authorized number of installations for the copy of the software and a number of previous installations of the copy of the software.
  - 35. A method according to claim 33, wherein the step of associating the first key value with the software identification of the copy of the software as an updated second secret value comprises the step of replacing the second secret value associated with the software identification of the copy of the software with the first key value.

36. A system for controlling access to software by a data processing system, comprising:
- means for providing a copy of the software, the software being divided into a first encrypted portion and a second unencrypted portion, the second unencrypted portion having access to a first secret value and a software identification associated with the copy of the software and wherein the first encrypted portion is encrypted with a first key value which is based on the first secret value and a second secret value associated with the software identification of the copy of the software;
  
  means for obtaining the second secret value;
  
  means for generating the first key value from the obtained second secret value and the first secret value;
  
  means for decrypting the first encrypted portion of the software utilizing the first key value;
  
  means for generating a second key value from the first key value and the first secret value;
  
  means for encrypting the decrypted first encrypted portion of the software with the second key value; and
  
  means for storing the first encrypted portion of the software encrypted with the second key value.

37. A system for controlling software installation by a data processing system, comprising:
- means for associating a software identification and first and second secret values with a copy of the software;
  
  means for receiving a request for installation of the software on a data processing system, wherein the request identifies the software identification of the copy of the software;
  
  means for determining the second secret value associated with the software identification;
  
  means for determining if the installation of the copy of the software to be installed is authorized; and
  
  means for sending the second secret value to the data processing system if the installation of the copy of the software to be installed is authorized;
  
  means for generating a first key value from the first and second secret values associated with the copy of the software; and
  
  means for associating the first key value with the software identification of the copy of the software as an updated second secret value.

38. A computer program product for controlling access to software comprising:
- a computer readable storage media having computer readable program code embodied therein, the computer readable program code comprising;
  
  computer readable program code which provides a copy of the software, the software being divided into a first encrypted portion and a second unencrypted portion, the second unencrypted portion having access to a first secret value and a software identification associated with the copy of the software and wherein the first encrypted portion is encrypted with a first key value which is based on the first secret value and a second secret value associated with the software identification of the copy of the software;
  
  computer readable program code which obtains the second secret value;
  
  computer readable program code which generates the first key value from the obtained second secret value and the first secret value;
  
  computer readable program code which decrypts the first encrypted portion of the software utilizing the first key value;
  
  computer readable program code which generates a second key value from the first key value and the first secret value;
  
  computer readable program code which encrypts the decrypted first encrypted portion of the software with the second key value; and
  
  computer readable program code which stores the first encrypted portion of the software encrypted with the second key value.

39. A computer program product for controlling software installations, comprising:
- a computer readable storage media having computer readable program code embodied therein, the computer readable program code comprising;
  
  computer readable program code which associates a software identification and first and second secret values with a copy of the software;
  
  computer readable program code which receives a request for installation of the software on a data processing system, wherein the request identifies the software identification of the copy of the software;
  
  computer readable program code which determines the second secret value associated with the software identification;
  
  computer readable program code which determines if the installation of the copy of the software to be installed is authorized; and
  
  computer readable program code which sends the second secret value to the data processing system if the installation of the copy of the software to be installed is authorized;
  
  computer readable program code which generates a first key value from the first and second secret values associated with the copy of the software; and
  
  computer readable program code which associates the first key value with the software identification of the copy of the software as an updated second secret value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Peyravian, Mohammad, Zunic, Nevenko, Roginsky, Allen Leonid, Matyas, Stephen Michael Jr.
Primary Examiner(s)
Vu, Kim
Assistant Examiner(s)
Dada, Beemnet W.

Application Number

US09/642,685
Time in Patent Office

2,101 Days
Field of Search

713/187, 713/200, 713/201, 713/190, 713/193, 380/201, 380/277, 380/286, 705/56, 705/57, 705/59, 705/51, 717/174, 717176-178
US Class Current

713/187
CPC Class Codes

G06F 21/10   Protecting distributed prog...

H04L 9/08   Key distribution or managem...

H04L 9/0838   Key agreement, i.e. key est...

H04L 9/0891   Revocation or update of sec...

Secure software distribution and installation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

111 Citations

39 Claims

Specification

Use Cases

Quick Links

Others

Secure software distribution and installation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

111 Citations

39 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others