Secure software licensing and provisioning using hardware based security engine

US 8,332,631 B2
Filed: 11/22/2010
Issued: 12/11/2012
Est. Priority Date: 11/22/2010
Status: Expired due to Fees

First Claim

Patent Images

1. A method of provisioning a license and an application program from a first server to a computing platform over a network, the license being encrypted by the first server using a first public key and including a second key, the application program being encrypted by the first server using the second key, comprising:

receiving a user password by a host application being executed by a processor of the computing system;

deriving, by the host application, a symmetric key at least in part from the user password;

sending the license, by the host application, to a license management firmware component of a hardware-implemented security engine within a chipset of the computer system, in a message signed by the symmetric key;

deriving, by the license management firmware component, the symmetric key at least in part from the user password stored in a secure storage of the hardware-implemented security engine, verifying the signature on the message using the symmetric key, verifying the first server'"'"'s signature on the license, and decrypting the license using a first private key of the license management firmware component corresponding to the first public key to obtain the second key;

sending, by the license management firmware component, the second key to the host application; and

decrypting the application program by the host application using the second key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provisioning a license and an application program from a first server to a computing platform over a network. The host application derives a symmetric key at least in part from a user password, and sends the license to a license management firmware component of a security engine, in a message signed by the symmetric key. The license management firmware component derives the symmetric key at least in part from the user password stored in a secure storage of the security engine, verifies the signature on the message using the symmetric key, verifies the first server'"'"'s signature on the license, decrypts the license using a first private key of the license management firmware component corresponding to the first public key to obtain the second key, and sends the second key to the host application, which decrypts the application program using the second key.

10 Citations

30 Claims

1. A method of provisioning a license and an application program from a first server to a computing platform over a network, the license being encrypted by the first server using a first public key and including a second key, the application program being encrypted by the first server using the second key, comprising:
- receiving a user password by a host application being executed by a processor of the computing system;
  
  deriving, by the host application, a symmetric key at least in part from the user password;
  
  sending the license, by the host application, to a license management firmware component of a hardware-implemented security engine within a chipset of the computer system, in a message signed by the symmetric key;
  
  deriving, by the license management firmware component, the symmetric key at least in part from the user password stored in a secure storage of the hardware-implemented security engine, verifying the signature on the message using the symmetric key, verifying the first server'"'"'s signature on the license, and decrypting the license using a first private key of the license management firmware component corresponding to the first public key to obtain the second key;
  
  sending, by the license management firmware component, the second key to the host application; and
  
  decrypting the application program by the host application using the second key.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising connecting to the first server by the computing platform and downloading the host application to the computing platform.
  - 3. The method of claim 2, further comprising activating an authorized communications channel between the first server and the license management firmware component by a capability licensing service component of the security engine prior to receiving the user password.
  - 4. The method of claim 1, further comprising synchronizing the time in the license management firmware component with the time on the first server.
  - 5. The method of claim 4, further comprising, after decrypting the license, verifying by the license management firmware component that a lease time limit for authorized use of the application program has not expired.
  - 6. The method of claim 1, wherein the license comprises a unique identifier of the application program, a lease time limit for authorized use of the application program by the user'"'"'s computing platform, and the second key.
  - 7. The method of claim 1, further comprising not sending the second key from the license management firmware component to the host application if a theft condition has been triggered on the computing platform.

8. A computing platform comprising:
- a processor to execute a host application;
  
  a memory to store the host application; and
  
  a chipset coupled to the processor over an interface, the chipset comprising a hardware-implemented security engine, the security engine including secure storage and a license management firmware component;
  
  wherein the computing platform is configured to provision a license and an application program from a first server to the computing platform over a network, the license being encrypted by the first server using a first public key and including a second key, and the application program being encrypted by the first server using the second key;
  
  wherein the host application, when executed, receives a user password, derives a symmetric key at least in part from the user password, and sends the license to the license management firmware component in a message signed by the symmetric key;
  
  wherein the license management firmware component derives the symmetric key at least in part from the user password stored in the secure storage, verifies the signature on the message using the symmetric key, verifies the first server'"'"'s signature on the license, decrypts the license using a first private key of the license management firmware component corresponding to the first public key to obtain the second key, and sends the second key to the host application; and
  
  wherein the host application, when executed, decrypts the application program using the second key.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computing platform of claim 8, wherein the computing platform connects to the first server and downloads the host application to store in the memory.
  - 10. The computing platform of claim 9, wherein the hardware-implemented security engine comprises a capability licensing service component to activate an authorized communications channel between the first server and the license management firmware component prior to receiving the user password.
  - 11. The computing platform of claim 8, wherein the license management firmware component synchronizes the time in the license management firmware component with the time on the first server.
  - 12. The computing platform of claim 11, wherein, after decrypting the license, the license management firmware component verifies that a lease time limit for authorized use of the application program has not expired.
  - 13. The computing platform of claim 8, wherein the license comprises a unique identifier of the application program, a lease time limit for authorized use of the application program by the user'"'"'s computing platform, and the second key.
  - 14. The computing platform of claim 8, wherein the license firmware component does not send the second key to the host application if a theft condition has been triggered on the computing platform.

15. A method of provisioning a license and an application program from a first server to a computing platform over a network comprising:
- receiving, by a host application being executed by a processor on the computing platform, the license and the application program from the first server, the license being encrypted by the first server using a public key of a license management firmware component of a hardware-implemented security engine within a chipset of the computing platform, the application program being encrypted by the first server using a license encryption key generated by the first server, the encrypted license being signed by the first server'"'"'s private key, and storing the signed, encrypted license and the encrypted application program in a memory of the computing platform;
  
  obtaining a password from a user of the computing platform by the host application;
  
  deriving, by the host application, a symmetric key at least in part from the password, and signing a message including the signed, encrypted license with the symmetric key;
  
  sending the message from the host application to the license management firmware component of the hardware-implemented security engine;
  
  deriving, by the license management firmware component, the symmetric key at least in part from the password;
  
  verifying, by the license management firmware component, a signature on the message using the symmetric key;
  
  if the message signature verifies correctly, verifying a signature of the encrypted license using the first server'"'"'s public key;
  
  if the license signature verifies correctly, decrypting the encrypted license using the license management firmware component'"'"'s private key;
  
  extracting, by the license management firmware component, the license encryption key from the license, and sending the license encryption key to the host application; and
  
  decrypting, by the host application using the license encryption key, the encrypted application program, and allowing access to the application program on the computing platform.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22)
- - 16. The method of claim 15, further comprising the following steps prior to deriving the symmetric key by the license management firmware component:
    - receiving a password from a user of the computing platform by the host application;
      
      encrypting, by the host application, the password with the public key of the license management firmware component;
      
      sending, by the host application, the encrypted password to a second server, the second server being coupled to the computing platform over the network;
      
      receiving, by the license management firmware component, the encrypted password being signed by the second server'"'"'s private key; and
      
      verifying, by the license management firmware component, a signature of the encrypted password;
      
      if the signature verifies correctly, decrypting the encrypted password using the license management firmware component'"'"'s private key, and storing the password in a secure storage within the security engine.
  - 17. The method of claim 15, further comprising connecting to the first server by the computing platform and downloading the host application to the computing platform.
  - 18. The method of claim 17, further comprising activating an authorized communications channel between the first server and the license management firmware component by a capability licensing service component of the security engine prior to receiving the user password.
  - 19. The method of claim 15, further comprising synchronizing the time in the license management firmware component with the time on the first server.
  - 20. The method of claim 19, further comprising, after decrypting the license, verifying by the license management firmware component that a lease time limit for authorized use of the application program has not expired.
  - 21. The method of claim 15, wherein the license comprises a unique identifier of the application program, a lease time limit for authorized use of the application program by the user'"'"'s computing platform, and the license encryption key.
  - 22. The method of claim 15, further comprising not sending the license encryption key from the license management firmware component to the host application if a theft condition has been triggered on the computing platform.

23. A computing platform comprising:
- a processor to execute a host application;
  
  a memory to store the host application; and
  
  a chipset coupled to the processor over an interface, the chipset comprising a hardware-implemented security engine, the security engine including secure storage and a license management firmware component;
  
  wherein the computing platform provisions a license and an application program from a first server over a network;
  
  wherein the host application receives the license and the application program from the first server, the license being encrypted by the first server using a public key of a license management firmware component of a hardware-implemented security engine within a chipset of the computing platform, the application program being encrypted by the first server using a license encryption key generated by the first server, the encrypted license being signed by the first server'"'"'s private key, stores the signed, encrypted license and the encrypted application program in the memory, obtains a password from a user, derives a symmetric key at least in part from the password, signs a message including the signed, encrypted license with the symmetric key, and sends the message to the license management firmware component;
  
  wherein the license management firmware component derives the symmetric key at least in part from the password, verifies a signature on the message using the symmetric key;
  
  if the message signature verifies correctly, verifies a signature of the encrypted license using the first server'"'"'s public key;
  
  if the license signature verifies correctly, decrypts the encrypted license using the license management firmware component'"'"'s private key, extracts the license encryption key from the license, and sends the license encryption key to the host application; and
  
  wherein the host application decrypts the encrypted application program using the license encryption key and allows access to the application program on the computing platform.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30)
- - 24. The computing platform of claim 23, wherein the license management firmware component receives a password from a user of the computing platform by the host application, and encrypts the password with the public key of the license management firmware component;
    - wherein the host application sends the encrypted password to a second server, the second server being coupled to the computing platform over the network; and
      
      wherein the license management firmware component receives the encrypted password signed by the second server'"'"'s private key, verifies a signature of the encrypted password, if the signature verifies correctly, decrypts the encrypted password using the license management firmware component'"'"'s private key, and stores the password in a secure storage within the security engine.
  - 25. The computing platform of claim 23, wherein the computing platform connects to the first server and downloads the host application to store in the memory.
  - 26. The computing platform of claim 25, wherein the hardware-implemented security engine comprises a capability licensing service component to activate an authorized communications channel between the first server and the license management firmware component prior to receiving the user password.
  - 27. The computing platform of claim 23, wherein the license management firmware component synchronizes the time in the license management firmware component with the time on the first server.
  - 28. The computing platform of claim 27, wherein, after decrypting the license, the license management firmware component verifies that a lease time limit for authorized use of the application program has not expired.
  - 29. The computing platform of claim 23, wherein the license comprises a unique identifier of the application program, a lease time limit for authorized use of the application program by the user'"'"'s computing platform, and the second key.
  - 30. The computing platform of claim 23, wherein the license firmware component does not send the second key to the host application if a theft condition has been triggered on the computing platform.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Dadu, Saurabh, Poornachandran, Rajesh, Prakash, Gyan, Aissi, Selim, Khosravi, Hormuzd M.
Primary Examiner(s)
Maung, Zarni

Application Number

US12/951,853
Publication Number

US 20120131345A1
Time in Patent Office

750 Days
Field of Search

713/156, 713/171, 709223-229
US Class Current

713/156
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/105   Arrangements for software l...

H04L 2209/60   Digital content management,...

H04L 2463/061   applying further key deriva...

H04L 2463/101   applying security measures ...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/123   received data contents, e.g...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/3228   One-time or temporary data,...

H04L 9/3247   involving digital signatures

Secure software licensing and provisioning using hardware based security engine

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

10 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Secure software licensing and provisioning using hardware based security engine

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links