2018-07-03
14/732,476
2015-06-05
US 10,015,143 B1
2018-07-03
Sarah Su
LeClairRyan PLLC
2035-12-18
Smart Summary: A method is designed to secure license grants by sending an encrypted request to a license server. This request includes a unique identifier and a second encryption key. After the server processes the request, it sends back a response that contains the license grants and a secure signature. The application management device checks the validity of the license grants by comparing the received signature with a locally generated one. If the signatures match, the licenses are confirmed as authentic; if not, the system rejects them as potentially tampered with.
Methods, non-transitory computer readable media and application management apparatuses, and application management systems that secure one or more entitlement grants include transmitting a registration license request encrypted with a first public key to a license server. The registration license request comprises a registration identifier and a second public key. A registration license response is received from the license server. The registration license response comprises one or more license entitlement grants, the second public key, and a first secure signature encrypted with a first private key. The one or more license entitlement grants are authenticated when the first decrypted secure signature matches the first check signature.
H04L63/0428 » CPC main
Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
H04L9/14 » CPC further
Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols: using a plurality of keys or algorithms
H04L9/3247 » CPC further
Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols: including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials; involving digital signatures
H04L2209/24 » CPC further
Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication: Key scheduling, i.e. generating round keys or sub-keys for block encryption
H04L2209/72 » CPC further
Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication: Signcrypting, i.e. digital signing and encrypting simultaneously
H04L9/32 IPC
Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols: including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
This application claims the benefit of U.S. Provisional Patent Application Ser. No. 62/008,406, filed Jun. 5, 2014, which is hereby incorporated by reference in its entirety.
This technology relates to methods, non-transitory computer readable media and devices that assist with securing one or more entitlement grants.
Typically, a multi-tier licensing system has a corporate-run entity management device along with a customer-premise entity device which ultimately issues licenses to client devices. Since these devices are at the customer site, there is an enhanced risk that a nefarious person might try to change entitlements in the license or licenses which have been purchased, e.g. by adding more licenses, changing the license content, or adding more client devices to licenses. Accordingly, there is a need for better security for license entitlement grants.
A method for securing one or more entitlement grants includes transmitting, by an application management computing device, a registration license request encrypted with a first public key to a license server. The registration license request comprises a registration identifier and a second public key. A registration license response is received, by the application management computing device, from the license server. The registration license response comprises one or more license entitlement grants, the second public key, and a first secure signature encrypted with a first private key. The first secure signature is based on at least the one or more license entitlement grants. A first check signature is generated, by the application management computing device, based on at least the one or more license entitlement grants. The first encrypted secure signature is decrypted, by the application management computing device, with the first public key to obtain the first decrypted secure signature. The one or more license entitlement grants are authenticated and integrity is proved, by the application management computing device, when the first decrypted secure signature matches the first check signature. If the signature does not match, the application management computing device rejects the license as tampered.
An application management computing device includes at least one of configurable hardware logic configured to be capable of implementing or a processor coupled to a memory and configured to execute programmed instructions stored in the memory includes transmitting a registration license request encrypted with a first public key to a license server. The registration license request comprises a registration identifier and a second public key. A registration license response is received from the license server. The registration license response comprises one or more license entitlement grants, the second public key, and a first secure signature encrypted with a first private key. The first secure signature is based on at least the one or more license entitlement grants. A first check signature is generated based on at least the one or more license entitlement grants. The first encrypted secure signature is decrypted with the first public key to obtain the first decrypted secure signature. The one or more license entitlement grants are authenticated and integrity is proved when the first decrypted secure signature matches the first check signature.
A non-transitory computer readable medium having stored thereon instructions for securing one or more entitlement grants comprising machine executable code which when executed by a processor, causes the processor to perform steps includes transmitting a registration license request encrypted with a first public key to a license server. The registration license request comprises a registration identifier and a second public key. A registration license response is received from the license server. The registration license response comprises one or more license entitlement grants, the second public key, and a first secure signature encrypted with a first private key. The first secure signature is based on at least the one or more license entitlement grants. A first check signature is generated based on at least the one or more license entitlement grants. The first encrypted secure signature is decrypted with the first public key to obtain the first decrypted secure signature. The one or more license entitlement grants are authenticated and integrity is proved when the first decrypted secure signature matches the first check signature.
A method for securing one or more entitlement grants includes receiving, by a client computing device, an updated license response comprising one or more license entitlement grants, a second public key, a first secure signature encrypted with a first private key, a dossier and a second secure signature encrypted with a second private key. A second check signature is generated based on at least the one or more license entitlement grants. The second encrypted secure signature is decrypted, by the client computing device, with the second public key to obtain the second decrypted secure signature. The decrypted second secure signature is authenticated, by the client computing device, when the second decrypted secure signature matches the second check signature.
A client computing device includes at least one of configurable hardware logic configured to be capable of implementing or a processor coupled to a memory and configured to execute programmed instructions stored in the memory includes receiving an updated license response comprising one or more license entitlement grants, a second public key, a first secure signature encrypted with a first private key, a dossier and a second secure signature encrypted with a second private key. A second check signature is generated based on at least the one or more license entitlement grants. The second encrypted secure signature is decrypted with the second public key to obtain the second decrypted secure signature. The decrypted second secure signature is authenticated when the second decrypted secure signature matches the second check signature.
A non-transitory computer readable medium having stored thereon instructions for securing one or more entitlement grants comprising machine executable code which when executed by a processor, causes the processor to perform steps includes receiving an updated license response comprising one or more license entitlement grants, a second public key, a first secure signature encrypted with a first private key, a dossier and a second secure signature encrypted with a second private key. A second check signature is generated based on at least the one or more license entitlement grants. The second encrypted secure signature is decrypted with the second public key to obtain the second decrypted secure signature. The decrypted second secure signature is authenticated when the second decrypted secure signature matches the second check signature.
This technology provides a number of advantages including providing methods, non-transitory computer readable media, and devices that more effectively secure one or more license entitlement grants. Additionally, this technology enables a customer-side product in an environment outside of the vendor's operational control that needs to serve as a second-tier licensing entity (such as, by way of example only, the application management computing device illustrated and described herein) to provide tamper-free product/instance licenses. This technology also adds another level of security using private and public keys in a manner that prevents the second public key from being replaced in order to alter the license entitlements in the customer premises, without requiring any additional communication with the license server beyond what is currently needed, e.g., one per license activation. Further, this technology is able to log and monitor information, e.g. any attempts to tamper with the license entitlements, use of invalid keys, or an invalid dossier, for the purpose of auditing for any potential breach, attempted breach, or actual breach of security.
FIG. 1 is a block diagram of an example of a network environment with an application management computing device, license server and a plurality of client computing devices;
FIG. 2(a) is a block diagram of an example of the application management computing device illustrated in FIG. 1;
FIG. 2(b) is a block diagram of an example of one of the plurality of client computing devices;
FIG. 3 is a flowchart of an example of a method for securing one or more entitlement grants with an application management computing device;
FIG. 4 is a flowchart of an example of a method for securing one or more entitlement grants with one of the client computing devices; and
FIG. 5 is a timing diagram of the method for securing one or more entitlement grants illustrated in FIGS. 4 and 5.
An example of a network environment 10 with an application management computing device 12, a license server 14, and a plurality of client computing devices 16(1)-16(n) is illustrated in FIGS. 1-2(b), although this environment can include other types and numbers of systems, devices, components, and/or elements in other configurations. This technology provides a number of advantages including providing more effective methods, non-transitory computer readable medium, and devices that more effectively and efficiently secure one or more license entitlement grants.
The application management computing device 12 may perform a number of different types of functions, including by way of example managing one or more aspects of securing one or more entitlement grants. The application management computing device 12 in this example includes a processor 20, a memory 22, a communication interface 24, and optional configurable hardware logic 26, which are coupled together by a bus 28 or other link, although other numbers and types of systems, devices, components, and elements in other configurations and locations can be used. The processor 20 in the application management computing device 12 may execute a program of stored instructions for one or more aspects of the present technology as described and illustrated by way of the examples herein, although other types and numbers of processing devices and logic could be used and the processor 20 could execute other numbers and types of programmed instructions.
The memory 22 in the application management computing device 12 may store these programmed instructions for one or more aspects of the present technology as described and illustrated herein, although some or all of the programmed instructions could be stored and/or executed elsewhere. A variety of different types of memory storage devices, such as a random access memory (RAM) and/or read only memory (ROM) in the application management computing device 12 or a floppy disk, hard disk, CD ROM, DVD ROM, or other computer readable medium which is read from and written to by a magnetic, optical, or other reading and writing system that is coupled to the processor 20 in the application management computing device 12, can be used for the memory 22.
The communication interface 24 of the application management computing device 12 operatively couples and facilitates communication with the license server 14 and/or one or more of the client computing devices 16(1)-16(n) via one or more of the communications networks, although other types and numbers of communication networks 18 or systems with other types and numbers of connections and configurations can be used. By way of example only, the one or more communication networks 18 may use TCP/IP over Ethernet and industry-standard protocols, including NFS, CIFS, SOAP, XML, LDAP, and/or SNMP, although other types and numbers of communication networks 18, such as a direct connection, a local area network, a wide area network, each having their own communications protocols, can be used.
The optional configurable hardware logic 26 of the application management computing device 12 may comprise specialized hardware configured to be capable of implementing one or more steps of this technology as illustrated and described with reference to the examples herein. By way of example only, the optional configurable logic 26 may comprise one or more of field programmable gate arrays (FPGAs), field programmable logic devices (FPLDs), application specific integrated circuits (ASICs) and/or programmable logic units (PLUs).
The license server 14 may perform a number of different types of functions, including by way of example securely managing registration identifiers and license entitlement grants. The license server 14 in this example includes a processor, a memory, and a communication interface which are coupled together by a bus or other link and may be configured to be capable of executing a program of stored instructions for one or more aspects of the present technology as described and illustrated by way of the examples herein, although other numbers and types of devices could also be used.
In this particular example, each of the plurality of client computing devices 16(1)-16(n) may include a processor 30, a memory 32, a communication interface 34, and optional configurable hardware logic 36 which are coupled together by a bus 38 or other link, although each of the plurality of client computing devices 16(1)-16(n) could include other numbers and types of systems, devices, components, and elements in other configurations. For ease of illustration only one client computing device 16(1) is illustrated in FIG. 2(b) since client computing devices 16(2)-16(n) are the same in structure and operation as client computing device 16(1) in this particular example, although each could have different structures and/or operations. The processor 30 in each of the plurality of client computing devices 16(1)-16(n) may execute a program of stored instructions for one or more aspects of the present technology as described and illustrated by way of the examples herein, although other types and numbers of processing devices and logic could be used and the processor 30 could execute other numbers and types of programmed instructions.
The memory 32 in each of the plurality of client computing devices 16(1)-16(n) may store these programmed instructions for one or more aspects of the present technology as described and illustrated herein, although some or all of the programmed instructions could be stored and/or executed elsewhere. A variety of different types of memory storage devices, such as a random access memory (RAM) and/or read only memory (ROM) in the application management computing device 12 or a floppy disk, hard disk, CD ROM, DVD ROM, or other computer readable medium which is read from and written to by a magnetic, optical, or other reading and writing system that is coupled to the processor 30 in each of the plurality of client computing devices 16(1)-16(n), can be used for the memory 32.
The communication interface 34 in each of the plurality of client computing devices 16(1)-16(n) operatively couples and facilitates communication with the application management computing device 12 and/or license server 14 via one or more of the communications networks, although other types and numbers of communication networks 18 or systems with other types and numbers of connections and configurations can be used. By way of example only, the one or more communication networks 18 may use TCP/IP over Ethernet and industry-standard protocols, including NFS, CIFS, SOAP, XML, LDAP, and/or SNMP, although other types and numbers of communication networks 18, such as a direct connection, a local area network, a wide area network, each having their own communications protocols, can be used.
The optional configurable hardware logic 36 in each of the plurality of client computing devices 16(1)-16(n) may comprise specialized hardware configured to be capable of implementing one or more steps of this technology as illustrated and described with reference to the examples herein. By way of example only, the optional configurable logic 36 may comprise one or more of field programmable gate arrays (FPGAs), field programmable logic devices (FPLDs), application specific integrated circuits (ASICs) and/or programmable logic units (PLUs).
Although examples of the application management computing device 12, the license server 14 and the client computing devices 16(1)-16(n) are described herein, it is to be understood that the devices and systems of the examples described herein are for exemplary purposes, as many variations of the specific hardware and software used to implement the examples are possible, as will be appreciated by those skilled in the relevant art(s). In addition, two or more computing systems or devices can be substituted for any one of the systems in any embodiment of the examples.
The examples may also be embodied as a non-transitory computer readable medium having instructions stored thereon for one or more aspects of the present technology as described and illustrated by way of the examples herein, as described herein, which when executed by a processor, cause the processor to carry out the steps necessary to implement the methods of the examples, as described and illustrated herein.
An example of a method for securing one or more entitlement grants with an application management computing device 12 will now be described with reference to FIGS. 1-3 and 5. Referring more specifically to FIGS. 3 and 5, in this example in step 100, the application management computing device 12 receives an initial license request with a registration identifier from one of the plurality client computing devices 16(1)-16(n), although the initial license request with the registration identifier that identifies what one or more licenses have been acquired could be received from other devices, such as from a management computing device that manages traffic, applications, and/or operations for the plurality of the client computing devices 16(1)-16(n) by way of example only.
In step 102, in response to the received initial license request with the registration identifier, the application management computing device 12 generates a registration license request for one or more license entitlement grants from the license server 14. In this example, the registration license request generated by the application management computing device 12 includes the registration identifier and a second public key, although the registration license request could include other types and/or amounts of other information, such as a second private key by way of example only.
In step 104, the application management computing device 12 encrypts the registration license request and the second public key with a first public key and then transmits the encrypted registration license request to the license server 14, although the registration license request can be secured in other manners and/or transmitted to other devices managing license entitlement grants. In this particular example, the license server 14 is in a secure location separate from the application management computing device 12, which may by way of example be deployed only at a customer site where the client computing devices 16(1)-16(n) are located, although other configurations could be used. Additionally, in these examples the private and public keys could be in other locations, such as in reverse locations.
In step 106, the license server 14 decrypts the registration license request received from the application management computing device with a first private key to obtain the registration identifier and the second public key, although the license server 14 could obtain any other necessary information and/or perform other operations. Next, the license server 14 retrieves one or more license entitlement grants associated with the obtained registration identifier, although the license server 14 could obtain other information and/or perform other types and/or numbers of other additional operations. Additionally, the license server 14 retrieves a dossier of the one or more authorized client computing devices 16(1)-16(n) for each of the retrieved license entitlement grant(s) and locks the retrieved dossier to the requesting application management computing device 12, although other types and/or amounts of other information could be obtained.
In step 108, the license server 14 generates a first secure signature using a hash sum of the one or more retrieved license entitlement grants, the retrieved dossier and the second public key, although the first secure signature can be generated in other manners and based on other types and/or amounts of information, such as other combinations of more or less of the one or more retrieved license entitlement grants, the retrieved dossier and/or the second public key could be used. The license server 14 encrypts the first secure signature with a first private key, although other approaches for securing the first signature could be used.
In step 110, the license server 14 generates a registration license response which includes the one or more retrieved license entitlement grants, the dossier, the second public key, and the first encrypted secure signature, although the registration license response can include other types and/or amounts of information. Once the registration license response is generated, the license server 14 transmits the registration license response to the application management computing device 12, although the response could be transmitted to other types of devices which are involved in securing the license entitlement grants.
In step 112, the application management computing device 12 receives the registration license response and locally generates the first check signature based on the retrieved license entitlement grants and the dossier which are in the received registration license response from the license server 14 and the second public key which the application management computing device 12 already has obtained from memory 22 or from another storage location, although other approaches could be used. In this particular example, the application management computing device 12 locally generates the first check signature using a hash sum of the retrieved license entitlement grants, the dossier and the second public key, although like the first secure signature, the first check signature also can be generated in other manners and based on other types and/or amounts of information.
In step 114, the application management computing device 12 decrypts the first encrypted secure signature with the first public key and determines if there is authentication based on a comparison of the decrypted first secure signature against the locally generated first check signature to see if they match. If the application management computing device 12 determines there is not a match, then the No branch is taken to step 116 and the one or more license entitlement grants are not provided and in this particular example the method ends. If in step 114 the application management computing device 12 determines there is a match, then the Yes branch is taken to step 118.
In step 118, the application management computing device 12 determines if the dossier in the received registration license response from the license server matches the dossier obtained from decrypting the first encrypted signature to determine if there is a match, although other approaches for verifying the dossier can be used. If in step 118 there is not a match, then the No branch is taken to step 118 where this particular example of the method ends. If in step 118 there is a match, then there is verification and the Yes branch is taken to step 120, although other approaches for obtaining verification can be used.
In step 120, the application management computing device 12 generates a second secure signature based on the license entitlement grants, the second public key, the first encrypted secure signature, and another dossier with a list of the specific one of the client computing devices 16(1)-16(n) for a particular license entitlement grant(s), although the second secure signature can be generated in other manners and based on other types and/or amounts of information. In this particular example, the application management computing device 12 uses a hash sum of the license entitlement grants, the second public key, the first encrypted secure signature, and the dossier to generate the second secure signature, although again the second secure signature can be generated in other manners and based on other types and/or amounts of information, such as optional additional entitlements. Once the second secure signature is generated, the application management computing device 12 encrypts the second secure signature with a second private key.
In step 122, the application management computing device 12 generates a supplemental license response comprising the one or more entitlement grants, the second public key, the first secure signature, the dossier from the license server 14, the dossier from step 120 above, and the second secure signature to be transmitted to the specific one of the client computing devices 16(1)-16(n), although the response could include other types and/or amounts of information and/or could be transmitted to other devices, such as a management computing device which manages the operation of the client computing devices 16(1)-16(n) by way of example only.
In step 124, the application management computing device 12 transmits the generated supplemental license response to the specific one of the client computing devices 16(1)-16(n), although the client computing devices could for example have received a license unsolicited by the application management computing device (a push operation).
An example of a method for securing one or more entitlement grants with one of the client computing devices 16(1)-16(n) will now be described with reference to FIGS. 1-2, 4 and 5. Referring more specifically to FIGS. 4 and 5, in step 200 an updated license response comprising the one or more entitlement grants, the second public key, the first secure signature, the dossier from the license server 14, the dossier from step 120, and the second secure signature is received and decrypted with the second public key by the specific one of the client computing devices 16(1)-16(n), although other types of devices could receive the response and process as described with the example herein, such as a management computing device that manages traffic, applications, and/or operations for the plurality of the client computing devices 16(1)-16(n) by way of example only.
In step 202, the specific one of the client computing devices 16(1)-16(n) locally generates a second check signature based on the license entitlement grants, the second public key, the first encrypted secure signature, and the dossier from step 120 received from the application management computing device 12 in the updated license response, although the second check signature can be generated in other manners and based on other types and/or amounts of information, such as with the dossier from the license server 14 by way of example only. In this particular example, the specific one of the client computing devices 16(1)-16(n) uses a hash sum of the license entitlement grants, the second public key, the first encrypted secure signature, and the dossier from step 120 to generate the second check signature, although again the second check signature can be generated in other manners and based on other types and/or amounts of information.
In step 204, the specific one of the client computing devices 16(1)-16(n) decrypts the second secure signature with a second public key and determines authentication based on a comparison of the decrypted second secure signature against the locally generated second check signature for a match. If the decrypted second signature and the locally generated second signature do not match, then there is no authentication and the No branch is taken to step 208 where this particular example of the method ends. If the decrypted second signature and the locally generated second signature do match, then there is authentication and the Yes branch is taken to step 206.
In step 206, the specific one of the client computing devices 16(1)-16(n) determines if there is integrity based on a comparison for a match of the dossier from step 120 obtained from the decrypted second secure signature against the dossier from step 120 received in the response by the specific one of the client computing devices 16(1)-16(n). If there is no match, then there is no integrity and the No branch is taken to step 208 where this particular example of the method ends. If there is a match, then there is authentication and the Yes branch is taken to step 210.
In step 210, the initially requesting one of the client computing devices 16(1)-16(n) locally generates the first check signature based on the retrieved license entitlement grants in the registration license response, the dossier received from the license server 14 and the second public key, although other approaches could be used. In this particular example, the initially requesting one of the client computing devices 16(1)-16(n) locally generates the first check signature using a hash sum of the retrieved license entitlement grants, the dossier received from the license server 14, and the second public key, although the first check signature can be generated in other manners and based on other types and/or amounts of information.
In step 212, the first encrypted secure signature is decrypted with the first public key by the initially requesting one of the client computing devices 16(1)-16(n). Next, the initially requesting one of the client computing devices 16(1)-16(n) compares the decrypted first secure signature against the locally generated first check signature from step 210.
In step 214, the initially requesting one of the client computing devices 16(1)-16(n) determines if there is authentication based on the comparison of the decrypted first secure signature and the locally generated first check signature to determine if there is a match. If the initially requesting one of the client computing devices 16(1)-16(n) determines that the decrypted first secure signature does not match the locally generated first check signature, then there is no authentication and no integrity (that is, the contents have been tampered with) and the No branch is taken to step 208 where the one or more license entitlement grants are not provided and this particular example of the method ends. If the initially requesting one of the client computing devices 16(1)-16(n) determines that the decrypted first secure signature does match the locally generated first check signature, then there is authentication and integrity (contents are not tampered with) and the Yes branch is taken to step 216. When the Yes branch is taken, it indirectly validates the integrity of the second secure public key used to validate the second check signature from the license server through the application management computing device.
In step 216, the initially requesting one of the client computing devices 16(1)-16(n) determines if the specific one of the client computing devices 16(1)-16(n) matches one on the list of authorized users in the dossier. If the specific one of the client computing devices 16(1)-16(n) is not on the list in the dossier, then the No branch is taken to step 208 and this particular method ends. If the specific one of the client computing devices 16(1)-16(n) is the same as one of the authorized client computing device(s) on the list in the dossier, then the Yes branch is taken and then in step 218 the license entitlement grant(s) are provided, i.e. verified, for the authorized one of the client computing device(s) 16(1)-16(n) and this particular example of the method can end.
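The two-tier chain of step 120 and steps 202-218, as an added Python example that is not part of the patent: toy textbook RSA over Mersenne-prime moduli stands in for the "encrypt the signature with the private key" operation, SHA-224 stands in for the hash sum, and the function names, response field names, sample grants and dossiers are all constructed here. It also runs the tampering cases the description calls out (edited grants, an unauthorized client, and a replaced second key re-signed by the attacker) to show which check catches each.

```python
import hashlib, json

E = 65537
# Toy RSA moduli from Mersenne primes (constructed for this example; real deployments generate keys)
SERVER_PQ, APPMGMT_PQ, ROGUE_PQ = (2**127 - 1, 2**107 - 1), (2**521 - 1, 2**61 - 1), (2**607 - 1, 2**89 - 1)

def keypair(p, q):  # ((e, n), (d, n)); every n exceeds 2**224 so a SHA-224 digest fits below it
    return (E, p * q), (pow(E, -1, (p - 1) * (q - 1)), p * q)

def hash_sum(*parts):  # hash sum over the fields; canonical JSON so all parties hash identical bytes
    return int.from_bytes(hashlib.sha224(json.dumps(parts, sort_keys=True).encode()).digest(), "big")

def sign(priv, digest):  # "encrypt the check signature with the private key"
    return pow(digest, priv[0], priv[1])
def verify(pub, sig, digest):  # "decrypt with the public key" and compare to the local check signature
    return pow(sig, pub[0], pub[1]) == digest

def license_server_issue(first_priv, grants, second_pub, server_dossier):
    # Registration license response: the first secure signature binds grants, dossier and second public key
    sig1 = sign(first_priv, hash_sum(grants, server_dossier, second_pub))
    return {"grants": grants, "second_pub": second_pub, "server_dossier": server_dossier, "sig1": sig1}

def appmgmt_supplement(resp, second_priv, authorized_clients):
    # Step 120: add the dossier of authorized clients, then the second secure signature over everything
    out = dict(resp, dossier=authorized_clients)
    out["sig2"] = sign(second_priv, hash_sum(out["grants"], out["second_pub"], out["sig1"], out["dossier"]))
    return out

def client_verify(r, first_pub, client_id):
    """Steps 202-218 on the client; returns (ok, grants or failure reason)."""
    # Steps 202-206: second check signature vs. decrypted second secure signature (covers the dossier too)
    if not verify(r["second_pub"], r["sig2"], hash_sum(r["grants"], r["second_pub"], r["sig1"], r["dossier"])):
        return False, "second signature mismatch"
    # Steps 210-214: first check signature vs. decrypted first secure signature; ties second_pub to the server
    if not verify(first_pub, r["sig1"], hash_sum(r["grants"], r["server_dossier"], r["second_pub"])):
        return False, "first signature mismatch"
    if client_id not in r["dossier"]:  # Step 216: requester must be on the authorized list
        return False, "client not authorized"
    return True, r["grants"]

def demo():  # honest chain, edited grants, unauthorized client, swapped second key re-signed by the attacker
    first_pub, first_priv = keypair(*SERVER_PQ)
    second_pub, second_priv = keypair(*APPMGMT_PQ)
    resp = appmgmt_supplement(license_server_issue(first_priv, {"seats": 5}, second_pub, ["site-A"]),
                              second_priv, ["client-1", "client-2"])
    rogue_pub, rogue_priv = keypair(*ROGUE_PQ)
    swapped = appmgmt_supplement(dict(resp, second_pub=rogue_pub), rogue_priv, ["client-9"])
    return (client_verify(resp, first_pub, "client-1"),
            client_verify(dict(resp, grants={"seats": 500}), first_pub, "client-1"),
            client_verify(resp, first_pub, "client-9"),
            client_verify(swapped, first_pub, "client-9"))
```

The swapped-key case passes the second signature check (the attacker signed it) and is caught only by the first check, which is the indirect validation of the second public key that step 214 describes.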
As illustrated and described by way of the examples herein, this technology provides methods, non-transitory computer readable media, and devices that more effectively secure one or more license entitlement grants. Additionally, this technology enables a customer side product that needs to serve as a second tier licensing entity to provide tamper-free product/instance licenses. This technology also adds another level of security using private and public keys in manners that prevent the key from being replaced in order to alter the license entitlements in the customer premises, without requiring any additional communication with the license server beyond what is currently needed, e.g., one per license activation. Further, this technology is able to log and monitor information, e.g. any attempts to tamper with the license entitlements, use of invalid keys, or an invalid dossier, for the purpose of auditing for any potential breach, attempted breach, or actual breach of security.
Having thus described the basic concept of the invention, it will be rather apparent to those skilled in the art that the foregoing detailed disclosure is intended to be presented by way of example only, and is not limiting. Various alterations, improvements, and modifications will occur and are intended to those skilled in the art, though not expressly stated herein. These alterations, improvements, and modifications are intended to be suggested hereby, and are within the spirit and scope of the invention. Additionally, the recited order of processing elements or sequences, or the use of numbers, letters, or other designations therefore, is not intended to limit the claimed processes to any order except as may be specified in the claims. Accordingly, the invention is limited only by the following claims and equivalents thereto.
1. A method for securing one or more entitlement grants, the method comprising:
transmitting, by an application management computing device, a registration license request encrypted with a first public key to a license server, the registration license request comprising a registration identifier and a second public key;
receiving, by the application management computing device, a registration license response from the license server, the registration license response comprising one or more license entitlement grants, the second public key, and a first secure signature encrypted with a first private key, the first secure signature is based on at least the one or more license entitlement grants;
generating, by the application management computing device, a first check signature based on at least the one or more license entitlement grants and the second public key;
decrypting, by the application management computing device, the first encrypted secure signature with the first public key to obtain the first decrypted secure signature; and
authenticating and proving integrity, by the application management computing device, of the one or more license entitlement grants when the first decrypted secure signature matches the first check signature.
2. The method of claim 1 wherein the first secure signature and the first check signature are each further based on the second public key and are each a hash sum of at least the one or more license entitlement grants and the second public key.
3. The method of claim 1 further comprising adding, by the application management computing device, a dossier of one or more authorized client devices to a supplemented license response.
4. The method of claim 3 further comprising:
generating, by the application management computing device, a second signature based on at least the one or more license entitlement grants and the dossier;
encrypting, by the application management computing device, the second signature with a second private key; and
adding, by the application management computing device, the second signature to the supplemental license response.
5. The method of claim 4 wherein the generating the second signature is further based on the second public key and the first check signature.
6. The method of claim 4 further comprising transmitting, by the application management computing device, the supplemental license response in response to an initial license request with the registration identifier.
7. An application management computing apparatus, comprising programmed instructions stored thereon and one or more processors configured to be capable of executing the stored programmed instructions to:
transmit a registration license request encrypted with a first public key to a license server, the registration license request comprising a registration identifier and a second public key;
receive a registration license response from the license server, the registration license response comprising one or more license entitlement grants, the second public key, and a first secure signature encrypted with a first private key, the first secure signature is based on at least the one or more license entitlement grants;
generate a first check signature based on at least the one or more license entitlement grants and the second public key;
decrypt the first encrypted secure signature with the first public key to obtain the first decrypted secure signature; and
authenticate and provide integrity, by the application management computing device, of the one or more license entitlement grants when the first decrypted secure signature matches the first check signature.
8. The apparatus of claim 7 wherein the first secure signature and the first check signature are each further based on the second public key and are each a hash sum of at least the one or more license entitlement grants and the second public key.
9. The apparatus of claim 7 wherein the one or more processors are further configured to be capable of executing the stored programmed instructions to add a dossier of one or more authorized client devices to a supplemented license response.
10. The apparatus of claim 9 wherein the one or more processors are further configured to be capable of executing the stored programmed instructions to:
generate a second signature based on at least the one or more license entitlement grants and the dossier;
encrypt the second signature with a second private key; and
add the second signature to the supplemental license response.
11. The apparatus of claim 10 wherein the generating the second signature is further based on the second public key and the first check signature.
12. The apparatus of claim 10 wherein the one or more processors are further configured to be capable of executing the stored programmed instructions to transmit the supplemental license response in response to an initial license request with the registration identifier.
13. A non-transitory computer readable medium having stored thereon instructions for securing one or more entitlement grants comprising machine executable code which when executed by one or more processors, causes the one or more processors to:
transmit a registration license request encrypted with a first public key to a license server, the registration license request comprising a registration identifier and a second public key;
receive a registration license response from the license server, the registration license response comprising one or more license entitlement grants, the second public key, and a first secure signature encrypted with a first private key, the first secure signature is based on at least the one or more license entitlement grants;
generate a first check signature based on at least the one or more license entitlement grants and the second public key;
decrypt the first encrypted secure signature with the first public key to obtain the first decrypted secure signature; and
authenticate and provide integrity of the one or more license entitlement grants when the first decrypted secure signature matches the first check signature.
14. The medium of claim 13 wherein the first secure signature and the first check signature are each further based on the second public key and are each a hash sum of at least the one or more license entitlement grants and the second public key.
15. The medium of claim 13 wherein the executable code when executed by the one or more processors further causes the one or more processors to:
add a dossier of one or more authorized client devices to a supplemented license response.
16. The medium of claim 15 wherein the executable code when executed by the one or more processors further causes the one or more processors to:
generate a second signature based on at least the one or more license entitlement grants and the dossier;
encrypt the second signature with a second private key; and
add the second signature to the supplemental license response.
17. The medium of claim 16 wherein the generating the second signature is further based on the second public key and the first check signature.
18. The medium of claim 16 wherein the executable code when executed by the one or more processors further causes the one or more processors to:
transmit the supplemental license response in response to an initial license request with the registration identifier.
19. An application management system, comprising one or more application management apparatuses, client devices, or server devices, the application management system comprising memory comprising programmed instructions stored thereon and one or more processors configured to be capable of executing the stored programmed instructions to:
transmit a registration license request encrypted with a first public key to a license server, the registration license request comprising a registration identifier and a second public key;
receive a registration license response from the license server, the registration license response comprising one or more license entitlement grants, the second public key, and a first secure signature encrypted with a first private key, the first secure signature is based on at least the one or more license entitlement grants;
generate a first check signature based on at least the one or more license entitlement grants and the second public key;
decrypt the first encrypted secure signature with the first public key to obtain the first decrypted secure signature; and
authenticate and prove integrity, by the application management computing device, of the one or more license entitlement grants when the first decrypted secure signature matches the first check signature.
20. The system of claim 19 wherein the first secure signature and the first check signature are each further based on the second public key and are each a hash sum of at least the one or more license entitlement grants and the second public key.
21. The system of claim 19 wherein the one or more processors are further configured to be capable of executing the stored programmed instructions to add a dossier of one or more authorized client devices to a supplemented license response.
22. The system of claim 21 wherein the one or more processors are further configured to be capable of executing the stored programmed instructions to:
generate a second signature based on at least the one or more license entitlement grants and the dossier;
encrypt the second signature with a second private key; and
add the second signature to the supplemental license response.
23. The system of claim 22 wherein the generating the second signature is further based on the second public key and the first check signature.
24. The system of claim 22 wherein the one or more processors are further configured to be capable of executing the stored programmed instructions to transmit the supplemental license response in response to an initial license request with the registration identifier.