Secure software licensing and provisioning using hardware based security engine
First Claim
1. A method of provisioning a license and an application program from a first server to a computing platform over a network, the license being encrypted by the first server using a first public key and including a second key, the application program being encrypted by the first server using the second key, comprising:
- receiving a user password by a host application being executed by a processor of the computing system;
deriving, by the host application, a symmetric key at least in part from the user password;
sending the license, by the host application, to a license management firmware component of a hardware-implemented security engine within a chipset of the computer system, in a message signed by the symmetric key;
deriving, by the license management firmware component, the symmetric key at least in part from the user password stored in a secure storage of the hardware-implemented security engine, verifying the signature on the message using the symmetric key, verifying the first server'"'"'s signature on the license, and decrypting the license using a first private key of the license management firmware component corresponding to the first public key to obtain the second key;
sending, by the license management firmware component, the second key to the host application; and
decrypting the application program by the host application using the second key.
1 Assignment
0 Petitions
Accused Products
Abstract
Provisioning a license and an application program from a first server to a computing platform over a network. The host application derives a symmetric key at least in part from a user password, and sends the license to a license management firmware component of a security engine, in a message signed by the symmetric key. The license management firmware component derives the symmetric key at least in part from the user password stored in a secure storage of the security engine, verifies the signature on the message using the symmetric key, verifies the first server'"'"'s signature on the license, decrypts the license using a first private key of the license management firmware component corresponding to the first public key to obtain the second key, and sends the second key to the host application, which decrypts the application program using the second key.
10 Citations
30 Claims
-
1. A method of provisioning a license and an application program from a first server to a computing platform over a network, the license being encrypted by the first server using a first public key and including a second key, the application program being encrypted by the first server using the second key, comprising:
-
receiving a user password by a host application being executed by a processor of the computing system; deriving, by the host application, a symmetric key at least in part from the user password; sending the license, by the host application, to a license management firmware component of a hardware-implemented security engine within a chipset of the computer system, in a message signed by the symmetric key; deriving, by the license management firmware component, the symmetric key at least in part from the user password stored in a secure storage of the hardware-implemented security engine, verifying the signature on the message using the symmetric key, verifying the first server'"'"'s signature on the license, and decrypting the license using a first private key of the license management firmware component corresponding to the first public key to obtain the second key; sending, by the license management firmware component, the second key to the host application; and decrypting the application program by the host application using the second key. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A computing platform comprising:
-
a processor to execute a host application; a memory to store the host application; and a chipset coupled to the processor over an interface, the chipset comprising a hardware-implemented security engine, the security engine including secure storage and a license management firmware component; wherein the computing platform is configured to provision a license and an application program from a first server to the computing platform over a network, the license being encrypted by the first server using a first public key and including a second key, and the application program being encrypted by the first server using the second key; wherein the host application, when executed, receives a user password, derives a symmetric key at least in part from the user password, and sends the license to the license management firmware component in a message signed by the symmetric key; wherein the license management firmware component derives the symmetric key at least in part from the user password stored in the secure storage, verifies the signature on the message using the symmetric key, verifies the first server'"'"'s signature on the license, decrypts the license using a first private key of the license management firmware component corresponding to the first public key to obtain the second key, and sends the second key to the host application; and wherein the host application, when executed, decrypts the application program using the second key. - View Dependent Claims (9, 10, 11, 12, 13, 14)
-
-
15. A method of provisioning a license and an application program from a first server to a computing platform over a network comprising:
-
receiving, by a host application being executed by a processor on the computing platform, the license and the application program from the first server, the license being encrypted by the first server using a public key of a license management firmware component of a hardware-implemented security engine within a chipset of the computing platform, the application program being encrypted by the first server using a license encryption key generated by the first server, the encrypted license being signed by the first server'"'"'s private key, and storing the signed, encrypted license and the encrypted application program in a memory of the computing platform; obtaining a password from a user of the computing platform by the host application; deriving, by the host application, a symmetric key at least in part from the password, and signing a message including the signed, encrypted license with the symmetric key; sending the message from the host application to the license management firmware component of the hardware-implemented security engine; deriving, by the license management firmware component, the symmetric key at least in part from the password; verifying, by the license management firmware component, a signature on the message using the symmetric key;
if the message signature verifies correctly, verifying a signature of the encrypted license using the first server'"'"'s public key;
if the license signature verifies correctly, decrypting the encrypted license using the license management firmware component'"'"'s private key;extracting, by the license management firmware component, the license encryption key from the license, and sending the license encryption key to the host application; and decrypting, by the host application using the license encryption key, the encrypted application program, and allowing access to the application program on the computing platform. - View Dependent Claims (16, 17, 18, 19, 20, 21, 22)
-
-
23. A computing platform comprising:
-
a processor to execute a host application; a memory to store the host application; and a chipset coupled to the processor over an interface, the chipset comprising a hardware-implemented security engine, the security engine including secure storage and a license management firmware component; wherein the computing platform provisions a license and an application program from a first server over a network; wherein the host application receives the license and the application program from the first server, the license being encrypted by the first server using a public key of a license management firmware component of a hardware-implemented security engine within a chipset of the computing platform, the application program being encrypted by the first server using a license encryption key generated by the first server, the encrypted license being signed by the first server'"'"'s private key, stores the signed, encrypted license and the encrypted application program in the memory, obtains a password from a user, derives a symmetric key at least in part from the password, signs a message including the signed, encrypted license with the symmetric key, and sends the message to the license management firmware component; wherein the license management firmware component derives the symmetric key at least in part from the password, verifies a signature on the message using the symmetric key;
if the message signature verifies correctly, verifies a signature of the encrypted license using the first server'"'"'s public key;
if the license signature verifies correctly, decrypts the encrypted license using the license management firmware component'"'"'s private key, extracts the license encryption key from the license, and sends the license encryption key to the host application; andwherein the host application decrypts the encrypted application program using the license encryption key and allows access to the application program on the computing platform. - View Dependent Claims (24, 25, 26, 27, 28, 29, 30)
-
Specification