Activation system architecture

US 9,881,348 B2
Filed: 12/06/2013
Issued: 01/30/2018
Est. Priority Date: 06/25/2007
Status: Active Grant

First Claim

Patent Images

1. A computing device comprising:

a trusted microchip having a private key;

at least one processing device; and

at least one hardware computer-readable storage media comprising executable instructions that, when executed by the at least one processing device, cause the at least one processing device to;

obtain an entitlement certificate from an entitlement service server, the entitlement certificate including one or more entitlements describing license characteristics of a license for software, the entitlement certificate having a digital signature generated by the entitlement service server with an entitlement service private key;

verify the digital signature of the entitlement certificate using an entitlement service public key corresponding to the entitlement service private key;

after the digital signature of the entitlement certificate has been verified, send the entitlement certificate with the digital signature to a license service server other than the entitlement service server, the license service server generating the license based at least on the entitlement certificate, the license being signed using a license service private key other than the entitlement service private key;

receive the license from the license service server;

attempt verification of the license using a license service public key corresponding to the license service private key;

obtain encrypted binding data associated with the license and unencrypted binding data associated with the license;

provide the encrypted binding data to the trusted microchip and, in response, receive decrypted binding data from the trusted microchip;

perform a comparison of the decrypted binding data obtained from the trusted microchip to the unencrypted binding data associated with the license; and

prevent the software from executing on the computing device unless the verification of the license is successful and the comparison indicates that the decrypted binding data obtained from the trusted microchip matches the unencrypted binding data associated with the license,the trusted microchip being configured to;

use the private key to decrypt the encrypted binding data to derive the decrypted binding data; and

provide the decrypted binding data to the at least one processing device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are described for generating a license for software installed on a device. An entitlement certificate is generated including one or more entitlements describing license characteristics of the software. The one or more entitlements are determined in accordance with first information about the software. The first information includes at least one of a purchase token and package information. A binding certificate in accordance with a binding type for the software is generated. A license in accordance with said binding certificate and said entitlement certificate is generated. The binding certificate identifies an entity to which the license is bound.

59 Citations

View as Search Results

22 Claims

1. A computing device comprising:
- a trusted microchip having a private key;
  
  at least one processing device; and
  
  at least one hardware computer-readable storage media comprising executable instructions that, when executed by the at least one processing device, cause the at least one processing device to;
  
  obtain an entitlement certificate from an entitlement service server, the entitlement certificate including one or more entitlements describing license characteristics of a license for software, the entitlement certificate having a digital signature generated by the entitlement service server with an entitlement service private key;
  
  verify the digital signature of the entitlement certificate using an entitlement service public key corresponding to the entitlement service private key;
  
  after the digital signature of the entitlement certificate has been verified, send the entitlement certificate with the digital signature to a license service server other than the entitlement service server, the license service server generating the license based at least on the entitlement certificate, the license being signed using a license service private key other than the entitlement service private key;
  
  receive the license from the license service server;
  
  attempt verification of the license using a license service public key corresponding to the license service private key;
  
  obtain encrypted binding data associated with the license and unencrypted binding data associated with the license;
  
  provide the encrypted binding data to the trusted microchip and, in response, receive decrypted binding data from the trusted microchip;
  
  perform a comparison of the decrypted binding data obtained from the trusted microchip to the unencrypted binding data associated with the license; and
  
  prevent the software from executing on the computing device unless the verification of the license is successful and the comparison indicates that the decrypted binding data obtained from the trusted microchip matches the unencrypted binding data associated with the license,the trusted microchip being configured to;
  
  use the private key to decrypt the encrypted binding data to derive the decrypted binding data; and
  
  provide the decrypted binding data to the at least one processing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computing device of claim 1, wherein the executable instructions, when executed by the at least one processing device, cause the at least one processing device to:
    - obtain at least one of a purchase token or package information relating to the software;
      
      send the at least one of the purchase token or the package information to the entitlement service server; and
      
      receive the entitlement certificate from the entitlement service server in response to the at least one of the purchase token or the package information.
  - 3. The computing device of claim 1, wherein the executable instructions, when executed by the at least one processing device, cause the at least one processing device to:
    - obtain a binding certificate from a binding service server, the binding service server being a different server than the entitlement service server and the license service server; and
      
      send the binding certificate to the license service server, the license service server generating the license based at least on the entitlement certificate and the binding certificate.
  - 4. The computing device of claim 3, wherein the license includes the binding certificate and the encrypted binding data and the unencrypted binding data are obtained from the binding certificate included in the license.
  - 5. The computing device of claim 1, wherein the executable instructions, when executed by the at least one processing device, cause the at least one processing device to:
    - verify the digital signature of the entitlement certificate by comparing a locally-generated value to another value generated by the entitlement service server.
  - 6. The computing device of claim 1, wherein the license is a digital certificate that includes the entitlement certificate.
  - 7. The computing device of claim 6, wherein the entitlement certificate includes criteria for executing the software on the computing device.
  - 8. The computing device of claim 7, wherein the executable instructions, when executed by the at least one processing device, cause the at least one processing device to:
    - prevent the software from executing on the computing device unless the criteria are met.
  - 9. The computing device of claim 1, wherein the trusted microchip is a trusted platform module.
  - 10. The computing device of claim 1, wherein the trusted microchip is configured to prevent exposure of the private key outside of the trusted microchip.

11. A method performed by a computing device, the method comprising:
- by a processing device of the computing device;
  
  obtaining an entitlement certificate from an entitlement service server, the entitlement certificate including one or more entitlements describing license characteristics of a license for software and having a digital signature generated by the entitlement service server using an entitlement service private key;
  
  verifying the digital signature of the entitlement certificate using an entitlement service public key corresponding to the entitlement service private key;
  
  after the digital signature of the entitlement certificate has been verified, sending the entitlement certificate with the digital signature to a license service server other than the entitlement service server;
  
  obtaining a license from the license service server, the license being signed using a license service private key other than the entitlement service private key;
  
  obtaining encrypted binding data associated with the license and unencrypted binding data associated with the license; and
  
  providing the encrypted binding data to a trusted microchip of the computing device;
  
  by the trusted microchip, decrypting the encrypted binding data with a private key and outputting decrypted binding data to the processing device; and
  
  by the processing device;
  
  performing a comparison of the decrypted binding data obtained from the trusted microchip to the unencrypted binding data associated with the license;
  
  attempting verification of the license using a license service public key corresponding to the license service private key; and
  
  preventing the software from executing on the computing device unless the verification of the license is successful and the comparison indicates the decrypted binding data obtained from the trusted microchip matches the unencrypted binding data associated with the license.
- View Dependent Claims (12, 13, 14)
- - 12. The method of claim 11, further comprising:
    - obtaining a public key certificate for the trusted microchip of the computing device;
      
      sending the public key certificate for the trusted microchip of the computing device to a binding service server other than the entitlement service server and the license service server;
      
      receiving an encrypted number from the binding service server;
      
      decrypting the encrypted number using the trusted microchip of the computing device to obtain a decrypted number;
      
      providing the decrypted number to the binding service server; and
      
      responsive to providing the decrypted number to the binding service server, receiving, from the binding service server, a binding certificate certifying an identity of the trusted microchip.
  - 13. The method of claim 12, further comprising:
    - sending the binding certificate certifying the identity of the trusted microchip to the license service server,wherein the license service server sends the license to the computing device responsive to receiving the binding certificate and the entitlement certificate.
  - 14. The method of claim 13, wherein the license includes the binding certificate and the entitlement certificate, the binding certificate includes the encrypted number as the encrypted binding data, and the binding certificate includes an unencrypted form of the encrypted number as the unencrypted binding data.

15. A computing device comprising:
- a processing device; and
  
  a trusted microchip having a private key,the processing device being configured to;
  
  obtain an entitlement certificate having a digital signature from an entitlement service server, the entitlement certificate indicating circumstances under which software may be executed on the computing device;
  
  verify the digital signature of the entitlement certificate using an entitlement service key;
  
  after verifying the digital signature of the entitlement certificate, send the entitlement certificate and the digital signature of the entitlement certificate to a license service server other than the entitlement service server;
  
  obtain a license from the license service server, the license service server generating the license based at least on the entitlement certificate, the license identifying the circumstances under which software may be executed on the computing device;
  
  obtain encrypted binding data associated with the license and unencrypted binding data associated with the license;
  
  provide the encrypted binding data to the trusted microchip and, in response, receive decrypted binding data from the trusted microchip;
  
  perform a comparison of the decrypted binding data obtained from the trusted microchip to the unencrypted binding data associated with the license; and
  
  enforce the license on the computing device by preventing the software from executing on the computing device unless the circumstances are met and the comparison indicates the decrypted binding data obtained from the trusted microchip matches the unencrypted binding data associated with the license,the trusted microchip being configured to use the private key to perform a decryption of the encrypted binding data and output the decrypted binding data to the processing device.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22)
- - 16. The computing device of claim 15, the circumstances indicated by the entitlement certificate comprising an expiration date of the license.
  - 17. The computing device of claim 15, wherein the processing device is further configured to:
    - obtain the encrypted binding data and the unencrypted binding data from the license.
  - 18. The computing device of claim 17, the unencrypted binding data comprising an unencrypted number and the encrypted binding data comprising an encrypted number obtained by encrypting the unencrypted number.
  - 19. The computing device of claim 18, wherein the license includes a binding certificate certifying an identity of the trusted microchip.
  - 20. The computing device of claim 19, wherein the binding certificate includes the unencrypted number and the encrypted number.
  - 21. The computing device of claim 20, wherein the processing device is configured to:
    - prior to obtaining the license, obtain the binding certificate by;
      
      receiving the encrypted number from a binding service server and providing the encrypted number to the trusted microchip, the trusted microchip decrypting the encrypted number with the private key to obtain the unencrypted number;
      
      sending the unencrypted number to the binding service server; and
      
      receiving the binding certificate from the binding service server in response to sending the unencrypted number; and
      
      send the binding certificate to the license service server, the license service server including the binding certificate in the license.
  - 22. The computing device of claim 15, wherein the processing device is further configured to:
    - verify a digital signature of the license using a public key of the license service server and prevent the software from executing on the computing device until the digital signature of the license is verified.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Hughes, Aidan T., Baxter, Alexander V., Kenworthy, Mark, Frank, Alexander, Szimmetat, Oliver
Primary Examiner(s)
Hayes, John
Assistant Examiner(s)
Fenstermacher, Jason

Application Number

US14/099,426
Publication Number

US 20140095394A1
Time in Patent Office

1,516 Days
Field of Search

None
US Class Current
CPC Class Codes

G06Q 2220/18   Licensing

G06Q 30/06   Buying, selling or leasing ...

G06Q 50/184   Intellectual property manag...

G06Q 99/00   Subject matter not provided...

Activation system architecture

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

59 Citations

22 Claims

Specification

Use Cases

Quick Links

Others

Activation system architecture

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

59 Citations

22 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others