Method and system for enforcing access to a computing resource using a licensing attribute certificate

US 7,356,692 B2
Filed: 03/15/2005
Issued: 04/08/2008
Est. Priority Date: 03/08/1999
Status: Expired due to Fees

First Claim

Patent Images

1. A method of enforcing access by a computer application to a computing resource controlled by a trusted computing base, comprising the steps of:

generating enforcement data regarding allowable usage of said computing resource;

embedding said enforcement data in a licensing attribute certificate;

cryptographically binding said licensing attribute certificate to said computing resource using a private key;

associating said licensing attribute certificate with said computer application; and

authenticating in said trusted computing base the use of said computing resource by said computer application using a public hey corresponding to said private key, wherein access to the computing resource is restricted to computer applications authenticated by said trusted computing base.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A licensing attribute certificate enables a trusted computing base to enforce access to a computing resource by a computer application. The licensing attribute certificate can contain enforcement data which limits the use of the computing resource. The licensing attribute certificate can also contain information allowing for the tracking of licensing data about the use of the computing resource. The use of a licensing attribute certificate to enforce access to a computing resource can allow products to be fielded which have their capability limited to a specific subset of functions. The enforcement data, the licensing data, and the data limiting the application to a specific subset of functions are cryptographically bound to the computing resource using a licensing attribute certificate according to the invention. Prior to allowing access to the computing resource by the computer application, a trusted computing base strongly authenticates that usage via the licensing attribute certificate.

57 Citations

View as Search Results

48 Claims

1. A method of enforcing access by a computer application to a computing resource controlled by a trusted computing base, comprising the steps of:
- generating enforcement data regarding allowable usage of said computing resource;
  
  embedding said enforcement data in a licensing attribute certificate;
  
  cryptographically binding said licensing attribute certificate to said computing resource using a private key;
  
  associating said licensing attribute certificate with said computer application; and
  
  authenticating in said trusted computing base the use of said computing resource by said computer application using a public hey corresponding to said private key, wherein access to the computing resource is restricted to computer applications authenticated by said trusted computing base.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 2. A method as in claim 1, wherein said generating step comprises generating enforcement data in response to a request message for a licensing attribute certificate received from a user.
  - 3. A method as in claim 2, wherein said generating step is performed by a vendor.
  - 4. A method as in claim 1, wherein said binding step comprises computing a digital signature on said enforcement data.
  - 5. A method as in claim 4, wherein said generating step comprises generating library attribute data.
  - 6. A method as in claim 5, wherein said generating step comprises generating token attribute data.
  - 7. A method as in claim 6, wherein said library attribute data comprises accessible tokens data and subfunctionality data.
  - 8. A method as in claim 7, wherein said generating step comprises generating enforcement data corresponding to a particular set of access rights, comprising the steps of:
    - determining appropriate content of token attribute data; and
      
      determining appropriate content of library attribute data.
  - 9. A method as in claim 8, wherein said binding step comprises:
    - computing a second digital signature on said token attribute data; and
      
      including said second digital signature in said licensing attribute data.
  - 10. A method as in claim 9, wherein the same private key is used to compute said second digital signature as that used to compute said first digital signature.
  - 11. A method as in claim 10, wherein said private key used to compute said first and second digital signatures is a private key of a vendor of a library.
  - 12. A method as in claim 9, wherein a different private key is used to compute said second digital signature from that used to compute said first digital signature.
  - 13. A method as in claim 12, wherein said private key used to compute said second digital signature is tho private key of a vendor of said computing resource.
  - 14. A method as in claim 1, wherein said binding step comprises encrypting said enforcement data with a private key.
  - 15. A method as in claim 1, wherein said associating step comprises compiling computer application source code with said licensing attribute certificate.
  - 16. A method as in claim 1, wherein said associating step comprises providing an entry identifying said licensing attribute certificate in a system registry of a computer operating system.
  - 17. A method as in claim 1, wherein said trusted computing base comprises a computer operating system.
  - 18. A method as in claim 1, wherein said trusted computing base comprises a cryptographic token.
  - 19. A method as in claim 1, wherein said licensing attribute certificate comprises an attribute certificate in X.509 attribute certificate format.
  - 20. A method as in claim 1, wherein said authenticating step comprises authenticating with a public key received in X.509 identity certificate format.
  - 21. A method as in claim 1, further comprising the steps of:
    - updating a usage database within said trusted computing base in accordance with the usage of said computing resource;
      
      validating said usage database against said enforcement data regarding alinwahie usage of said computing resource; and
      
      disallowing usage of said computing resource if said validating step fails.
  - 22. A method as in claim 21, wherein said usage data comprises a maximum number of accesses by said computer application to said computing resource.
  - 23. A method as in claim 21, wherein said usage data comprises a maximum number of cryptographic operations to be performed by said computing resource.
  - 24. A method as in claim 23, wherein said trusted computing base comprises a cryptographic token.
  - 25. A method as in claim 24, wherein cryptographic token comprises a PCMCIA card.
  - 26. A method as in claim 24, wherein cryptographic token comprises a smart card.
  - 27. A method as in claim 1, wherein said authenticating step further comprises authenticating in said trusted computing base the use of said computing resource by said computer application using supplemental enforcement data.
  - 28. A method as in claim 27, wherein the supplemental enforcement data comprises library supplemental enforcement data.

29. A system for enforcing access by a computer application to a computing resource controlled by a trusted computing base, comprising:
- means for generating enforcement data regarding allowable usage of said computing resource;
  
  means for embedding said enforcement data in a licensing attribute certificate;
  
  means for cryptographically binding said licensing attribute certificate to said computing resource using a private key;
  
  means for associating said licensing attribute certificate with said computer application; and
  
  the trusted computing base being operable to authenticate the use of said computing resource by said computer application using a public key corresponding to said private key, wherein the computing resource is arranged to be accessible only to computer applications authenticated by said trusted computing base.
- View Dependent Claims (30, 31, 32, 33, 34)
- - 30. A system as in claim 29, wherein said computing resource comprises a cryptographic operating on a cryptographic token.
  - 31. A system as in claim 30, wherein said cryptographic token comprises a PCMCIA card.
  - 32. A system as in claim 30, wherein said cryptographic token comprises a smart card.
  - 33. A system as in claim 29, wherein said trusted computing base comprises a PCMCIA card.
  - 34. A system as in claim 29, wherein said trusted computing base comprises a smart card.

35. A method of forming a licensing attribute certificate for enforcing access by a computer application to a computing resource, access to the computing resource being restricted to computer applications authenticated by a trusted computing base, the method comprising the steps of:
- generating enforcement data regarding allowable usage of said computing resource;
  
  embedding said enforcement data in said licensing attribute certificate;
  
  cryptographically binding said licensing attribute certificate to said computing resource using a private key; and
  
  associating said licensing attribute certificate with said computer application, wherein the licensing attribute certificate is authenticatable by the trusted computing base, using a public key corresponding to said private key, to enable access by the computer application to the computing resource.
- View Dependent Claims (36, 37, 38, 39, 40, 41)
- - 36. A method as in claim 35, wherein said generating step comprises generating enforcement data in response to a request message for a licensing attribute certificate received from a user.
  - 37. A method as in claim 36, wherein said generating step is performed by a vendor.
  - 38. A method as in claim 35, wherein said generating step comprises generating library attribute data.
  - 39. A method as in claim 38, wherein said generating step comprises generating token attribute data.
  - 40. A method as in claim 38, wherein said library attribute data comprises accessible tokens data and subfunctionality data.
  - 41. A method as in claim 40, wherein said generating step comprises generating enforcement data corresponding to a particular set of access rights, comprising the stops of:
    - determining appropriate content of token attribute data; and
      
      determining appropriate content of library attribute data.

42. A system for forming a licensing attribute certificate for enforcing access by a computer application to a computing resource, access to the computing resource being restricted to computer applications authenticated by a trusted computing base, comprising:
- means for generating enforcement data regarding allowable usage of said computing resource;
  
  means for embedding said enforcement data in said licensing attribute certificate;
  
  means for cryptographically binding said licensing attribute certificate to said computing resource using a private key; and
  
  means for associating said licensing attribute certificate with said computer application, wherein the licensing attribute certificate is authenticatable by the trusted computing base, using a public key corresponding to said private key, to enable access by the computer application to the computing resource.
- View Dependent Claims (43, 44, 45, 46, 47, 48)
- - 43. A system as in claim 42, wherein said means for generating said enforcement data comprises means operable to respond to a request message for a licensing attribute certificate received from a user.
  - 44. A system as in claim 43, wherein a vendor operates said means for generating said enforcement data.
  - 45. A system as in claim 42, wherein said means operable to generate said enforcement data comprises means operable to generate library attribute data.
  - 46. A system as in claim 45, wherein said means operable to generate said enforcement data comprises means operable to generate token attribute data.
  - 47. A system as in claim 46, wherein said means operable to generate library attribute data comprises means operable to generate accessible tokens data and sub-functionality data.
  - 48. A system as in claim 47, wherein said means operable to generate said enforcement data comprises means operable to generate enforcement data corresponding to a particular set of access rights, comprising:
    - means operable to determine appropriate content of token attribute data; and
      
      means operable to determine appropriate content of library attribute data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SPEX Technologies, Inc.
Original Assignee
Spyrus, Inc.
Inventors
Housley, Russell D., Bialick, William P., Moore, Charles R. J., Linsenbardt, Duane J.
Primary Examiner(s)
SMITHERS, MATTHEW

Application Number

US11/081,792
Publication Number

US 20050262553A1
Time in Patent Office

1,120 Days
Field of Search

726/10, 713/169
US Class Current

713/156
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/335   for accessing specific reso...

G06F 2211/007   Encryption, En-/decode, En-...

G06F 2221/2115   Third party

H04L 2209/56   Financial cryptography, e.g...

H04L 9/3234   involving additional secure...

H04L 9/3263   involving certificates, e.g...

Method and system for enforcing access to a computing resource using a licensing attribute certificate

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

57 Citations

48 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for enforcing access to a computing resource using a licensing attribute certificate

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

57 Citations

48 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links