Abstract: A system is provided for distribution of device key sets over a network in a protected software environment (PSE). In the system, a client device includes a connection interface for receiving a crypto hardware (CH) token belonging to a user, untrusted software, a quoting enclave, and a PSE for generating a provisioning request for a device key set. An attestation proxy server (APS) receives the provisioning message using a first network connection, and transmits the provisioning message to an online provisioning server (OPS) using a second network connection. The OPS constructs a provisioning response and an encrypted device key set, and delivers the provisioning response to the untrusted software using the first and second network connections. The PSE decrypts the encrypted device key set to obtain the device key set, re-encrypts the device key set with a local chip-specific key, and stores the re-encrypted device key set.

Abstract: Disclosed is a manufacturing process and feature licensing system for provisioning personalized (device-unique) licenses to devices, with the following characteristics. The system is secure in that it uses a secure key wrapping mechanism to deliver the LSK to LPS. Another feature is that various network communication links are secured using standard security protocol. Further, application messages, license templates, licenses are digitally signed. The system is also flexible because it is configured to allow multiple manufacturers and to allow various feature configurations via the use of License Template. The system is also scalable, as it is possible to use multiple LPS hosts to serve multiple programming stations. The system is available in that the delegation of license signing capability from CLS to LPS eliminates the dependency on unreliable Internet connections. Redundant LPS hosts provide high level of availability required for high volume license provisioning.

Abstract: A method is provided that permits user to submit a password to the private key that is to be used to decrypt files either at the time of user account setup or at the time of submitting the files. The password is stored securely in the system, permanently or temporarily, and is used later to decrypt the files right before the system is ready to process the files.

Abstract: A system for generating unique digital certificates is provided that generates computed hashes public keys and compares them. The system method computes a hash of a public key, compares the computed hash of the public key with hashes of public keys previously generated, generates the digital certificate having the public key and a device identifier only if the computed hash of the public key does not match any of the hashes of public keys previously generated, and provides the digital certificate.

Abstract: A method and apparatus is provided for managing the eligibility of data signing in an online code signing system. The method is used by a plurality of data publishers in an online code signing system. The method includes defining, by an administrator of the system, a hierarchy of a plurality of entities, and managing, by an administrator of the system, eligibility to designate at least one of a plurality of users to access the at least one configuration entity to sign the data via a plurality of accounts and eligibility to designate at least one of a plurality of managers via owner account to manage user access to sign data for at least one model entity.

Abstract: A method is provided for automatically renewing digital certificates in advance of their expiration in field deployed devices. The method includes generating a certificate renewal request comprising a request for at least one renewed digital certificate according to a renewal paradigm in which the at least one renewed digital certificate is generated before the at least one of the digital certificates expires, providing the certificate renewal request to the offline domain, obtaining, in the online domain from the offline domain, the at least one renewed digital certificate, and transmitting the least one renewed digital certificate to the client domain for storage in the HSM in place of the at least one of the subset of the plurality of digital certificates.

Abstract: A method and apparatus is provided for managing the eligibility of data signing in an online code signing system. The method is used by a plurality of data publishers in an online code signing system. The method includes defining, by an administrator of the system, a hierarchy of a plurality of entities, and managing, by an administrator of the system, eligibility to designate at least one of a plurality of users to access the at least one configuration entity to sign the data via a plurality of accounts and eligibility to designate at least one of a plurality of managers via owner account to manage user access to sign data for at least one model entity.

Abstract: Disclosed is a manufacturing process and feature licensing system for provisioning personalized (device-unique) licenses to devices, with the following characteristics. The system is secure in that it uses a secure key wrapping mechanism to deliver the LSK to LPS. Another feature is that various network communication links are secured using standard security protocol. Further, application messages, license templates, licenses are digitally signed. The system is also flexible because it is configured to allow multiple manufacturers and to allow various feature configurations via the use of License Template. The system is also scalable, as it is possible to use multiple LPS hosts to serve multiple programming stations. The system is available in that the delegation of license signing capability from CLS to LPS eliminates the dependency on unreliable Internet connections. Redundant LPS hosts provide high level of availability required for high volume license provisioning.

Abstract: Disclosed is a manufacturing process and feature licensing system for provisioning personalized (device-unique) licenses to devices. The secure system uses a secure key wrapping mechanism to deliver the LSK to LPS. Another feature is that various network communication links are secured using standard security protocol. Application messages, license templates, licenses are digitally signed. The system is flexible, configured to allow multiple manufacturers and to allow various feature configurations via the use of License Template; scalable, as it is possible to use multiple LPS hosts to serve multiple programming stations; and available in that the delegation of license signing capability from CLS to LPS eliminates the dependency on unreliable Internet connections. Redundant LPS hosts provide high level of availability required for high volume license provisioning.

Abstract: Disclosed is an arrangement to enable customers to provision devices with feature licenses that enable specified features in the devices. The arrangement includes a feature-licensing system for performing feature-licensing processes to provision the devices with feature licenses and a feature-licensing process configuration system.

Abstract: Methods and systems for group licensing of homogeneous and heterogeneous devices features are disclosed. Licensing servers manage the generation and distribution of licenses to devices, and enforce validation rules that prevent granting devices licenses that do not comply with group licensing limits.

Abstract: A system and method for issuing a license for a device through a license server is provided. A server receives identification information for a device that communicates to the server if a first license binding identity and/or a first display identity has changed. A previous license for the device is revoked and a previous license credit is returned to a user's credit pool if the first license binding identity and/or the first display identity has changed. A license request is received, which includes a second license binding identity identifying the device. If the second license binding identity is the same as the first license binding identity, the previous license for the device is issued. If the second license binding identity is not the same as the first license binding identity, a new license for the device is issued and a new license credit is deducted from the user's credit pool.

Abstract: Methods and systems are provided for managing feature licenses for pools or groups of devices. In an embodiment, a method of licensing features for a device in a license pool or group includes receiving, at the device, a license capacity request; determining, based on the reply to the license capacity request, if the device in the license pool or group is compliant with the feature license configuration; if the device is noncompliant with the feature license configuration: transmitting a generate license request message having a desired feature license configuration; receiving a feature license request from the device; and updating the noncompliant device with a compliant feature license.

Abstract: Methods and systems for group licensing of homogeneous and heterogeneous devices features is disclosed. Licensing servers manage the generation and distribution of licenses to devices, and enforce validation rules that prevent granting devices licenses that do not comply with group licensing limits.

Abstract: A method enables selected features of a software product residing on an end user electronic device with a license delivered from a licensing provider to a service provider of the end user electronic device. The method includes requesting at least one license to authorize a first service provider. An encrypted installation key uniquely associated with the first service provider is received as well as an authorization agent module for installation on one or more authorization agent devices associated with the first service provider. The encrypted installation key and the authorization agent module are installed on the authorization agent devices. A device-unique identifier (DUID) is generated for each authorization agent device based on hardware characteristics of the respective authorization agent devices. The DUID and the encrypted installation key are sent from the authorization agent device to a licensing provider to obtain the requested license.

Abstract: A system and method for issuing a license for a device through a license server is provided. A server receives identification information for a device that communicates to the server if a first license binding identity and/or a first display identity has changed. A previous license for the device is revoked and a previous license credit is returned to a user's credit pool if the first license binding identity and/or the first display identity has changed. A license request is received, which includes a second license binding identity identifying the device. If the second license binding identity is the same as the first license binding identity, the previous license for the device is issued. If the second license binding identity is not the same as the first license binding identity, a new license for the device is issued and a new license credit is deducted from the user's credit pool.

Abstract: Disclosed is an arrangement to enable customers to provision devices with feature licenses that enable specified features in the devices. The arrangement includes a feature-licensing system for performing feature-licensing processes to provision the devices with feature licenses and a feature-licensing process configuration system.

Abstract: A method and apparatus for provisioning devices. One method includes authenticating a first customer as an authenticated user and receiving from a first customer a first request to establish a credit record for a specified number of upgraded feature licenses. The upgraded feature licenses are obtainable from a third party supplier and are associated with components available from the third party supplier. The credit record includes feature credits to be made available to the first customer to obtain the upgraded feature licenses from the third party supplier. A second request is received from the first customer to release the feature credits to a credit pool associated with the first customer so that the feature credits are available to the first customer. The upgraded feature licenses are generated and the credit pool associated with the first customer is debited for the number of credits needed to obtain the upgraded feature licenses.

Abstract: A method for providing a secure automated feature license update is disclosed. This method may be performed at a central license server. A license template including features for enablement on a device is generated. The license template is sent to an authorized user. A license update request is received from an entity. An updated license is generated by the central license server. A response is sent to the entity. A method for providing a secure automated feature license update is disclosed. This method may be performed at a device, e.g. an end-user device. A first feature set of a current license of a device is compared with a second feature set of a license template received by the device. A license update request is generated when there is a difference between the first feature set and the second feature set. The license update request is sent to a license server.

Abstract: Disclosed is a manufacturing process and feature licensing system for provisioning personalized (device-unique) licenses to devices. The secure system uses a secure key wrapping mechanism to deliver the LSK to LPS. Another feature is that various network communication links are secured using standard security protocol. Application messages, license templates, licenses are digitally signed. The system is flexible, configured to allow multiple manufacturers and to allow various feature configurations via the use of License Template; scalable, as it is possible to use multiple LPS hosts to serve multiple programming stations; and available in that the delegation of license signing capability from CLS to LPS eliminates the dependency on unreliable Internet connections. Redundant LPS hosts provide high level of availability required for high volume license provisioning.