(19) (11) EP 1 674 963 B1 (12) EUROPEAN PATENT SPECIFICATION (4) Date of publication and mention of the grant of the patent: 13.08.08 Bulletin 08/33 (1) Int Cl.: G06F 21/00 (06.01) (21) Application number: 002486.6 (22) Date of filing: 14.11.0 (4) Secure license management Sicheres Management von Lizenzen Gestion de licences sécurisée (84) Designated Contracting States: AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU LV MC NL PL PT RO SE SI SK TR () Priority: 22.12.04 US 386 (43) Date of publication of application: 28.06.06 Bulletin 06/26 (73) Proprietor: SAP AG 69190 Walldorf (DE) (72) Inventors: Kilian-Kehr, Roger 64291 Darmstadt (DE) Kuemmerle, Jan 6817 Eppstein (DE) (74) Representative: Müller-Boré & Partner Patentanwälte Grafinger Strasse 2 81671 München (DE) (6) References cited: US-A- 933 498 US-A1-03 037 237 US-A1-04 039 924 US-A1-04 078 72 US-A1-04 093 0 US-A1-04 2 797 "Trusted Computing Platform Alliance (TCPA) Main Specification Version 1.1b" TCPA MAIN SPECIFICATION, 22 February 02 (02-02-22), page COMPLETE332, XP002294897 EP 1 674 963 B1 Note: Within nine months of the publication of the mention of the grant of the European patent in the European Patent Bulletin, any person may give notice to the European Patent Office of opposition to that patent, in accordance with the Implementing Regulations. Notice of opposition shall not be deemed to have been filed until the opposition fee has been paid. (Art. 99(1) European Patent Convention). Printed by Jouve, 7001 PARIS (FR)
1 EP 1 674 963 B1 2 Description BACKGROUND [0001] The present disclosure relates to data processing by digital computer, and more particularly to license management. [0002] Software vendors use license management programs, also referred to as license managers, to prevent unauthorized use of the software. The license manager is designed to enforce the conditions of the software license and to prevent access to the software when those conditions are not met. [0003] Unfortunately, the license manager, like any software program, is vulnerable to tampering. Conventional license managers, however, are unable to determine the trustworthiness of the computing environment in which they are running. [0004] US 04/0039924 discloses a system and method for securing a computing device using a master cryptographic key that is bound to the device. The master key is used to derive sensitive data that is transferred to storage that is only accessible in a restricted mode of operation. SUMMARY OF THE INVENTION 2 3 4 0 [000] Methods, systems, and computer program products, implementing techniques for license management. [0006] In one general aspect, a system implementing the techniques comprises a host computer running in a trusted state, and a license manager installed on the host computer. The license manager is configured to provide access to one or more software programs. The one or more software programs are accessible only through the license manager. The license manager is bound to the trusted state of the host computer, such that if the trusted state ceases to exist, then the license manager is not executable and the one or more software programs are not accessible. [0007] The host computer is a TCPA (Trusted Computing Platform Alliance) enabled computer. [0008] The trusted state is established by booting the host computer using a secure boot process. [0009] The host computer includes hardware components and software components. The software components include an operating system. The hardware components include a Core Root of Trust for Measurement (CRTM). The CRTM is a trusted component. [00] The secure boot process involves using the trusted component to verify the trustworthiness of the hardware components before handing system control over to the operating system, which then verifies the integrity of the software components. [0011] The hardware components further include a Trusted Platform Module (TPM). The trustworthiness of the hardware and software components are verified using system configuration data stored in the TPM. [0012] The license manager is partitioned into a dynamic data section and a static code section, the dynamic data section includes data that changes during execution of the license manager, the static code section including data that does not change during execution of the license manager. [0013] The static code section is partitioned into two subsections, a first subsection that stores code for the software programs and a second subsection that stores configuration data for the license manager. [0014] The dynamic data section is protected by a cryptographic key (data key), the static code section is protected by a different cryptographic key (code key). [00] Implementations can include one or more of the following features [0016] The data key and the code key may be protected by a different cryptographic key (external key). The external key may be bound to the trusted state of the host computer. [0017] In another general aspect, a computer program product implementing the techniques is operable to cause data processing apparatus to perform operations including verifying that the host computer is running in a trusted state, receiving a first cryptographic key from the host computer, the first cryptographic key being bound to the trusted state of the host computer, encrypting the license manager using the first cryptographic key, and transferring the encrypted license manager to the host computer. [0018] Implementations can include one or more of the following features. Verifying that the host computer is running in a trusted state may include performing a remote attestation process on the host computer. [0019] Performing a remote attestation process on the host computer may include: receiving system configuration data from the host computer and comparing the received system configuration data to a set of known system configurations. [00] The license manager may be partitioned into a dynamic data section and a static code section, the dynamic data section may include data that changes during execution of the license manager, the static code section including data that does not change during execution of the license manager. [0021] Encrypting the license manager using the first cryptographic key may include encrypting the dynamic data section using a second cryptographic key, encrypting the static code section using a third cryptographic key, and encrypting the first and second cryptographic keys using the first cryptographic key. [0022] The techniques can be implemented to realize one or more of the following advantages. The license manager is secure from tampering. A trusted state is established on the host computer before the license manager is installed on the host computer. As long as the trusted state exists, the license manager can be assured that the hosting environment does not contain any rouge 2
3 EP 1 674 963 B1 4 programs that attempt to prevent the license manager from working correctly. One implementation provides all of the above advantages. [0023] Details of one or more implementations are set forth in the accompanying drawings and in the description below. Further features, aspects, and advantages will become apparent from the description, the drawings, and the claims. BRIEF DESCRIPTION OF THE DRAWINGS [0024] FIG. 1 illustrates a system for secure license management. FIG. 2 illustrates a TCPA-enabled host computer. FIG. 3 illustrates a license manager. FIG. 4 illustrates a key container. FIG. illustrates a process for transferring the license manager and the key container to the host computer. [002] Like reference numbers and designations in the various drawings indicate like elements. DETAILED DESCRIPTION 2 3 4 0 [0026] As shown in FIG. 1, a system 0 includes a license manager 1 for managing the use of one or more software programs 1. The license manager 1 enforces certain conditions of use, as defined by one or more software licenses 1 associated with each software program 1. The software programs 1 are only accessible through the license manager 1. Thus, if the license manager 1 is not running, then the software programs 1 are not accessible. [0027] The license manager 1 and the software programs 1 are installed on a host computer 1. [0028] Prior to installing the license manager 1 on the host computer 1, a trusted state 0 is established on the host computer 1. [0029] The license manager 1 is then bound to this trusted state 0 so that the license manager 1 can only operate while the trusted state 0 exists. If the trusted state 0 ceases to exist, then the license manager 1 cannot operate and the one or more software programs 1 cannot be accessed. [00] The trusted state 0 is established by booting the host computer 1 using a secure boot process. In one implementation, the secure boot process requires that the host computer 1 be a TCPA-enabled computer. TCPA (Trusted Computing Platform Alliance) is an initiative led by various computing companies (e.g., Advanced Micro Devices, Hewlett-Packard, Intel, IBM, Microsoft, Sony, Sun) to implement technologies for trusted computing. This group of companies, also known as the Trusted Computing Group has published a TCPA specification (available at http://www.trustedcomputinggroup.org) that describes the technologies developed by this group. [0031] As shown in FIG. 2, a TCPA-enabled host computer 0 includes two TCPA components, a Core Root of Trust for Measurement (CRTM) 2 and a Trusted Platform Module (TPM) 2. [0032] In one implementation, the trusted platform module 2 is a computer chip (e.g., a smartcard) that is hard-wired to provide certain functions, for example, key generation and controlled access to the generated keys. The trusted platform module 2 includes a set of memory registers known as platform configuration registers (PCRs) 2. The platform configuration registers 2 store system configuration data 2. The system configuration data 2 can be metrics taken from various hardware and software components of the host computer 1. As will be described below, these metrics will be used during the secure boot process to verify the trustworthiness of the host computer 1. [0033] The CRTM 2 is the only portion of the host computer 1 that can be trusted initially, that is, before the trusted state 0 is established on the host computer 1. In one implementation, the CRTM 2 is the BIOS (Basic Input/Output System) of the host computer 1. Alternatively, the CRTM 2 makes up only a portion of the host computer s BIOS. [0034] The CRTM 2 begins executing when the host computer 0 is started. The CRTM 2 verifies the integrity of the hardware components before handing system control over to the operating system. The operating system then verifies the integrity of the software components. The verification of the hardware and software components is performed using the system configuration data 2 stored in the platform configuration registers 2 of the trusted platform module 2. The metrics are a reflection of how the system components are configured. If the system configuration is tampered with or otherwise modified, the metrics will reflect this change. If any changes to the hardware or software components are detected by either the CRTM 2 or the operating system, then the boot process is stopped. Once the boot process has been completed, a trusted state 0 has been established on the host computer 1. Once the trusted state 0 has been established, the license manager 1 can be installed on the host computer 1. [003] As shown in FIG. 3, in one implementation, the license manager 1 is partitioned into a dynamic data section 3 and a static code section 3. Optionally, the license manager 1 can contain a third partition, metadata section 3, for storing metadata about the license manager 1. For example, the metadata can include information identifying the software programs 1 managed by the license manager 1, and the authorized users of these programs 1. [0036] The dynamic data section 3 contains data that the license manager 1 needs to perform its functions. This data is dynamic, meaning that its value changes during execution of the license manager 1. For ex- 3
EP 1 674 963 B1 6 ample, this data can include a counter value that counts the number of times a software program 1 has been executed. [0037] The static code section 3 contains code that is required by the software programs 1 to run. The static code section 3 also contains configuration data that is required by the license manager 1. For example, the configuration data may indicate which network port and which host address (e.g., license.xxx.com) will be used by the license manager 1. The static code section 3 can be partitioned into two subsections, one subsection to store the software program code and the other subsection to store the license manager configuration data. [0038] In one implementation, the license manager 1 is protected by one or more cryptographic keys. These keys are stored in a key container 0, shown in FIG. 4. The key container 0 contains a data key 4 that is used to encrypt the dynamic data section 3 of the license manager 1 and a code key 4 that is used to encode the static code section 3 of the license manager 1. The data key 4 and the code key 4 are different cryptographic keys. [0039] The key container 0 also contains a certificate 4 obtained from a certifying agency. This certificate is used to authenticate the static code section 3. The dynamic data section 3 is not authenticated because the data stored in the dynamic data section 3 is expected to change. [00] The entire key container 0 is protected by a cryptographic key that will be referred to as the external key 4. The external key 4 is generated by the trusted platform module 2 and stored within the trusted platform module 2. If the host computer 1 is not running in a trusted state 0, the trusted platform module 2 will not release the external key 4. [0041] In one implementation, the external key 4 is an asymmetric key whereas the data key 4 and code key 4 are symmetric keys. Alternatively, the data key 4 and code key 4 can also by asymmetric keys. In this specification, the data key 4 and the code key 4 will be referred to collectively as the internal keys. [0042] FIG. illustrates a process 00 for transferring the license manager 1 to the host computer 1. This process is performed only after the trusted state 0 has been established on the host computer 1. [0043] Typically, this process is triggered by the user of the host computer 1 making contact with the manufacturer of the software program 1 to request that the license manager 1 for the software program 1 be transferred to the host computer 1. [0044] Before allowing this transfer to occur, the manufacturer verifies the trustworthiness of the host computer 1 using a remote attestation process. As part of the remote attestation process, the manufacturer s computer sends a challenge to the host computer 1 (step ). [004] In response to this challenge, the host computer 2 3 4 0 1 sends to the manufacturer s computer a signed version of the system configuration data 2. The purpose of signing the data is to attest to the authenticity of the data. As part of the response, the host computer 1 also sends the external key 4 to the manufacturer s computer (step ). More specifically what is sent is only the public part of the external key 4. The private part is retained within the trusted platform module 2. [0046] Upon receiving signed configuration data and the external key 4, the manufacturer verifies the trustworthiness of the host computer 1, for example, by comparing the host computer s system configuration to system configurations for computer systems known to be trusted. [0047] Once the trustworthiness of the host computer 1 has been verified, the manufacturer s computer generates the internal keys (data key 4 and code key 4) (step ) and encrypts the license manager 1 using the internal keys (step 0). The internal keys are generated specifically for each installation of the license manager 1 and are different for each installation. [0048] The manufacturer then stores the internal keys 4, 4 in the key container 0 and encrypts the key container using the external key 4 (step 60). The manufacturer then sends the encrypted key container 0 and the encrypted license manager 1 to the host computer 1 (step 70). [0049] The host computer 1 unlocks the key container 0 using the private part of the external key 4 and retrieves the internal keys from inside the key container 0. The host computer 1 then unlocks the license manager 1 using the internal keys and installs the license manager (step 80). [000] As previously mentioned, the external key 4 is bound to the trusted state 0. Thus, if the host computer 1 is no longer running in the trusted state 0, then the host computer 1 will be unable to unlock the key container 0 and gain access to the license manager 1. [001] The various implementations of the invention and all of the functional operations described in this specification can be implemented in digital electronic circuitry, or in computer software, firmware, or hardware, including the structural means disclosed in this specification and structural equivalents thereof, or in combinations of them. The invention can be implemented as one or more computer program products, i.e., one or more computer programs tangibly embodied in an information carrier, e.g., in a machine-readable storage device or in a propagated signal, for execution by, or to control the operation of, data processing apparatus, e.g., a programmable processor, a computer, or multiple computers. A computer program (also known as a program, software, software application, or code) can be written in any form of programming language, including compiled or interpreted languages, and it can be deployed in any form, including as a stand-alone program or as a module, component, subroutine, or other unit suitable for use in a computing 4
7 EP 1 674 963 B1 8 2 3 4 0 environment. A computer program does not necessarily correspond to a file. A program can be stored in a portion of a file that holds other programs or data, in a single file dedicated to the program in question, or in multiple coordinated files (e.g., files that store one or more modules, sub-programs, or portions of code). A computer program can be deployed to be executed on one computer or on multiple computers at one site or distributed across multiple sites and interconnected by a communication network. [002] The processes and logic flows described in this specification, including the method steps of the invention, can be performed by one or more programmable processors executing one or more computer programs to perform functions of the invention by operating on input data and generating output. The processes and logic flows can also be performed by, and apparatus of the invention can be implemented as, special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit). [003] Processors suitable for the execution of a computer program include, by way of example, both general and special purpose microprocessors, and any one or more processors of any kind of digital computer. Generally, a processor will receive instructions and data from a read-only memory or a random access memory or both. The essential elements of a computer are a processor for executing instructions and one or more memory devices for storing instructions and data. Generally, a computer will also include, or be operatively coupled to receive data from or transfer data to, or both, one or more mass storage devices for storing data, e.g., magnetic, magneto-optical disks, or optical disks. Information carriers suitable for embodying computer program instructions and data include all forms of non-volatile memory, including by way of example semiconductor memory devices, e.g., EPROM, EEPROM, and flash memory devices; magnetic disks, e.g., internal hard disks or removable disks; magneto-optical disks; and CD-ROM and DVD-ROM disks. The processor and the memory can be supplemented by, or incorporated in, special purpose logic circuitry. [004] To provide for interaction with a user, the invention can be implemented on a computer having a display device, e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor, for displaying information to the user and a keyboard and a pointing device, e.g., a mouse or a trackball, by which the user can provide input to the computer. Other kinds of devices can be used to provide for interaction with a user as well; for example, feedback provided to the user can be any form of sensory feedback, e.g., visual feedback, auditory feedback, or tactile feedback; and input from the user can be received in any form, including acoustic, speech, or tactile input. [00] The invention can be implemented in a computing system that includes a back-end component (e.g., a data server), a middleware component (e.g., an application server), or a front-end component (e.g., a client computer having a graphical user interface or a Web browser through which a user can interact with an implementation of the invention), or any combination of such back-end, middleware, and front-end components. The components of the system can be interconnected by any form or medium of digital data communication, e.g., a communication network. Examples of communication networks include a local area network ("LAN") and a wide area network ("WAN"), e.g., the Internet. [006] The computing system can include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. [007] The invention has been described in terms of particular implementations, but other implementations are within the scope of the following claims. For example, the operations can be performed in a different order and still achieve desirable results. In certain implementations, multitasking and parallel processing may be preferable. Claims 1. A system (0) comprising: a host computer running (1) in a trusted state (0), wherein the host computer is a TCPA (Trusted Computing Platform Alliance) enabled computer and wherein the trusted state is established by booting the host computer using a secure boot process; and wherein: the host computer includes hardware components and software components, the software components including an operating system, the hardware components including a Core Root of Trust for Measurement (CRTM), the CRTM being a trusted component; and the secure boot process involves using the trusted component to verify the trustworthiness of the hardware components before handing system control over to the operating system, which then verifies the integrity of the software components; and wherein: the hardware components further include a Trusted Platform Module (TPM); and the trustworthiness of the hardware and software components is verified using system configuration data stored in the TPM;
9 EP 1 674 963 B1 and a license manager (1) installed on the host computer, the license manager configured to provide access to one or more software programs, the one or more software programs being accessible only through the license manager, the license manager being bound to the trusted state of the host computer, such that if the trusted state ceases to exist, then the license manager is not executable and the one or more software programs are not accessible, wherein the license manager is partitioned into a dynamic data section (3) and a static code section (3), the dynamic data section including data that changes during execution of the license manager and containing data that the license manager (1) needs to perform its functions, the static code section including data that does not change during execution of the license manager and containing code that is required by at least one of the one or more software programs to run and configuration data that is required by the license manager (1), wherein the static code section (3) is partitioned into two subsections, a first subsection that stores code for the software programs and a second subsection that stores configuration data for the license manager (1); and the dynamic data section being protected by a cryptographic key (data key) (4), the static code section being protected by a different cryptographic key (code key) (4). 2. The system of claim 1, wherein the data key and the code key are protected by a different cryptographic key (external key) (4). 3. The system of claim 2, wherein the external key (4) is bound to the trusted state (0) of the host computer (1). 4. A computer program product, tangibly embodied in an information carrier, the computer program product being operable to cause data processing apparatus to perform operations comprising: verifying that a host computer (1) is running in a trusted state (0); receiving a first cryptographic key (4) from a host computer, the first cryptographic key being bound to a trusted state of the host computer; encrypting a license manager (1) using the first cryptographic key; and transferring the encrypted license manager to the host computer; wherein the license manager is partitioned into a dynamic data section (3) and a static code 2 3 4 0 section (3), the dynamic data section including data that changes during execution of the license manager and containing data that the license manager (1) needs to perform its functions, the static code section including data that does not change during execution of the license manager and containing code that is required by at least one of the one or more software programs to run and configuration data that is required by the license manager (1), wherein the static code section (3) is partitioned into two subsections, a first subsection that stores code for the software programs and a second subsection that stores configuration data for the license manager (1); and wherein encrypting the license manager using the first cryptographic key (4) includes encrypting the dynamic data section using a second cryptographic key (4), encrypting the static code section using a third cryptographic key (4), and encrypting the first and second cryptographic keys using the first cryptographic key.. The computer program product of claim 4, wherein verifying that the host computer is running in a trusted state includes performing a remote attestation process on the host computer. 6. The computer program product of claim, wherein performing a remote attestation process on the host computer includes: receiving system configuration data from the host computer; and comparing the received system configuration data to a set of known system configurations. 7. A method for transferring a license manager to a host computer, the method comprising: verifying that a host computer (1) is running in a trusted state (0); receiving a cryptographic key from a host computer, the cryptographic key being bound to a trusted state of the host computer; encrypting a license manager (1) using the cryptographic key; and transferring the encrypted license manager to the host computer; wherein the license manager is partitioned into a dynamic data section (3) and a static code section (3), the dynamic data section including data that changes during execution of the license manager and containing data that the license manager (1) needs to perform its functions, the static code section including data that does not change during execution of the license manager and containing code that is required 6
11 EP 1 674 963 B1 12 by at least one of the one or more software programs to run and configuration data that is required by the license manager (1), wherein the static code section (3) is partitioned into two subsections, a first subsection that stores code for the software programs and a second subsection that stores configuration data for the license manager (1); and wherein encrypting the license manager (1) using the first cryptographic key includes encrypting the dynamic data section (3) using a second cryptographic key (4), encrypting the static code section (3) using a third cryptographic key (4), and encrypting the first and second cryptographic keys using the first cryptographic key (4). 8. The method of claim 7, wherein verifying that the host computer is running in a trusted state includes performing a remote attestation process on the host computer. 9. The method of claim 8, wherein performing a remote attestation process on the host computer includes: receiving system configuration data from the host computer; and comparing the received system configuration data to a set of known system configurations. 2 wobei: der Hostcomputer Hardwarekomponenten und Softwarekomponenten beinhaltet, die Softwarekomponenten ein Betriebssystem beinhalten, die Hardwarekomponenten einen CRTM (Core Root of Trust for Measurement CRTM, Vertrauenskernpunkt zur Messung) beinhalten, der CRTM eine vertrauenswürdige Komponente ist; und der sichere Bootprozess mit einer Verwendung der vertrauenswürdigen Komponente zum Verifizieren der Vertrauenswürdigkeit der Hardwarekomponenten vor einem Weiterreichen der Systemsteuerung an das Betriebssystem, das sodann die Integrität der Softwarekomponenten verifiziert, einhergeht; und die Hardwarekomponenten des Weiteren einen TPM (Trusted Platform Module TPM, Modul für vertrauenswürdige Plattformen) beinhalten; und die Vertrauenswürdigkeit der Hardwareund Softwarekomponenten unter Verwendung von in dem TPM gespeicherten Systemkonfigurationsdaten verifiziert wird; und einen Lizenzverwalter (1), der auf dem Hostcomputer installiert ist, wobei der Lizenzverwalter dafür ausgelegt ist, einen Zugang zu einem oder mehreren Softwareprogrammen bereitzustellen, das eine oder die mehreren Softwareprogramme lediglich durch den Lizenzverwalter zugänglich sind, der Lizenzverwalter an den vertrauenswürdigen Zustand des Hostcomputers gebunden ist, sodass dann, wenn der vertrauenswürdige Zustand zu existieren aufhört, der Lizenzverwalter nicht ausführbar ist und das eine oder die mehreren Softwareprogramme nicht zugänglich sind, Patentansprüche 1. System (0), umfassend: einen Hostcomputer (1), der in einem vertrauenswürdigen Zustand (0) läuft, wobei der Hostcomputer ein TCPA-fähiger (Trusted Computing Platform Alliance TCPA, Allianz für vertrauenswürdige Rechnerplattformen) Computer ist und wobei der vertrauenswürdige Zustand durch Booten des Hostcomputers unter Verwendung eines sicheren Bootprozesses hergestellt wird; und wobei: 3 4 0 wobei der Lizenzverwalter in einen dynamischen Datenabschnitt (3) und einen statischen Codeabschnitt (3) partitioniert ist, der dynamische Datenabschnitt Daten, die sich während der Ausführung des Lizenzverwalters ändern, beinhaltet und Daten, die der Lizenzverwalter (1) zur Durchführung seiner Funktionen benötigt, enthält, der statische Codeabschnitt Daten, die sich während der Ausführung des Lizenzverwalters nicht ändern, beinhaltet und Code, der von wenigstens einem des einen oder der mehreren Softwareprogramme zum Laufen benötigt wird, und Konfigurationsdaten, die von dem Lizenzverwalter (1) benötigt werden, enthält, wobei der statische Codeabschnitt (3) in zwei Unterabschnitte partitioniert ist, nämlich einen ersten Unterabschnitt, der Code für die Softwareprogramme speichert, und einen zweiten Unterabschnitt, der Konfigurationsdaten für den Lizenzverwalter (1) speichert; und der dynamische Datenabschnitt durch einen kryptografischen Schlüssel (Datenschlüssel) (4) geschützt ist, der statische Codeabschnitt durch einen anderen kryptografischen Schlüssel (Codeschlüssel) (4) geschützt ist. 7
13 EP 1 674 963 B1 14 2. System nach Anspruch 1, wobei der Datenschlüssel und der Codeschlüssel durch einen anderen kryptografischen Schlüssel (externen Schlüssel) (4) geschützt sind. 3. System nach Anspruch 2, wobei der externe Schlüssel (4) an den vertrauenswürdigen Zustand (0) des Hostcomputers (1) gebunden ist. 4. Computerprogrammerzeugnis, das physisch in einem Informationsträger verkörpert ist, wobei das Computerprogrammerzeugnis betreibbar ist, um eine Datenverarbeitungsvorrichtung zu veranlassen, Operationen durchzuführen, die umfassen: Verifizieren, dass ein Hostcomputer (1) in einem vertrauenswürdigen Zustand (0) läuft; Empfangen eines ersten kryptografischen Schlüssels (4) von einem Hostcomputer, wobei der erste kryptografische Schlüssel an einen vertrauenswürdigen Zustand des Hostcomputers gebunden ist; Verschlüsseln eines Lizenzverwalters (1) unter Verwendung des ersten kryptografischen Schlüssels; und Übertragen des verschlüsselten Lizenzverwalters an den Hostcomputer; wobei der Lizenzverwalter in einen dynamischen Datenabschnitt (3) und einen statischen Codeabschnitt (3) partitioniert ist, der dynamische Datenabschnitt Daten, die sich während der Ausführung des Lizenzverwalters ändern, beinhaltet und Daten, die der Lizenzverwalter (1) zur Durchführung seiner Funktionen benötigt, enthält, der statische Codeabschnitt Daten, die sich während der Ausführung des Lizenzverwalters nicht ändern, beinhaltet und Code, der von wenigstens einem des einen oder der mehreren Softwareprogramme zum Laufen benötigt wird, und Konfigurationsdaten, die von dem Lizenzverwalter (1) benötigt werden, enthält, wobei der statische Codeabschnitt (3) in zwei Unterabschnitte partitioniert ist, nämlich einen ersten Unterabschnitt, der Code für die Softwareprogramme speichert, und einen zweiten Unterabschnitt, der Konfigurationsdaten für den Lizenzverwalter (1) speichert; und wobei das Verschlüsseln des Lizenzverwalters unter Verwendung des ersten kryptografischen Schlüssels (4) ein Verschlüsseln des dynamischen Datenabschnittes unter Verwendung eines zweiten kryptografischen Schlüssels (4), ein Verschlüsseln des statischen Codeabschnittes unter Verwendung eines dritten kryptografischen Schlüssels (4) und ein Verschlüsseln der ersten und zweiten kryptografischen Schlüssel unter Verwendung des ersten 2 3 4 0 kryptografischen Schlüssels beinhaltet.. Computerprogrammerzeugnis nach Anspruch 4, wobei das Verifizieren, dass der Hostcomputer in einem vertrauenswürdigen Zustand läuft, ein Durchführen eines Fernnachweisprozesses auf dem Hostcomputer beinhaltet. 6. Computerprogrammerzeugnis nach Anspruch, wobei das Durchführen eines Fernnachweisprozesses auf dem Hostcomputer beinhaltet: Empfangen von Systemkonfigurationsdaten von dem Hostcomputer; und Vergleichen der empfangenen Systemkonfigurationsdaten mit einer Menge von bekannten Systemkonfigurationen. 7. Verfahren zum Übertragen eines Lizenzverwalters auf einen Hostcomputer, wobei das Verfahren umfasst: Verifizieren, dass ein Hostcomputer (1) in einem vertrauenswürdigen Zustand (0) läuft; Empfangen eines kryptografischen Schlüssels von einem Hostcomputer, wobei der kryptografische Schlüssel an einen vertrauenswürdigen Zustand des Hostcomputers gebunden ist; Verschlüsseln eines Lizenzverwalters (1) unter Verwendung des kryptografischen Schlüssels; und Übertragen des verschlüsselten Lizenzverwalters an den Hostcomputer; wobei der Lizenzverwalter in einen dynamischen Datenabschnitt (3) und einen statischen Codeabschnitt (3) partitioniert ist, der dynamische Datenabschnitt Daten, die sich während der Ausführung des Lizenzverwalters ändern, beinhaltet und Daten, die der Lizenzverwalter (1) zur Durchführung seiner Funktionen benötigt, enthält, der statische Codeabschnitt Daten, die sich während der Ausführung des Lizenzverwalters nicht ändern, beinhaltet und Code, der von wenigstens einem des einen oder der mehreren Softwareprogramme zum Laufen benötigt wird, und Konfigurationsdaten, die von dem Lizenzverwalter (1) benötigt werden, enthält, wobei der statische Codeabschnitt (3) in zwei Unterabschnitte partitioniert ist, nämlich einen ersten Unterabschnitt, der Code für die Softwareprogramme speichert, und einen zweiten Unterabschnitt, der Konfigurationsdaten für den Lizenzverwalter (1) speichert; und wobei das Verschlüsseln des Lizenzverwalters (1) unter Verwendung des ersten kryptografischen Schlüssels ein Verschlüsseln des dynamischen Datenabschnittes (3) unter Verwen- 8
EP 1 674 963 B1 16 dung eines zweiten kryptografischen Schlüssels (4), ein Verschlüsseln des statischen Codeabschnittes (3) unter Verwendung eines dritten kryptografischen Schlüssels (4) und ein Verschlüsseln der ersten und zweiten kryptografischen Schlüssel unter Verwendung des ersten kryptografischen Schlüssels (4) beinhaltet. 8. Verfahren nach Anspruch 7, wobei das Verifizieren, dass der Hostcomputer in einem vertrauenswürdigen Zustand läuft, ein Durchführen eines Fernnachweisprozesses auf dem Hostcomputer beinhaltet. 9. Verfahren nach Anspruch 8, wobei das Durchführen eines Fernnachweisprozesses auf dem Hostcomputer beinhaltet: Empfangen von Systemkonfigurationsdaten von dem Hostcomputer; und Vergleichen der empfangenen Systemkonfigurationsdaten mit einer Menge von bekannten Systemkonfigurationen. Revendications 1. Système (0) comportant : un ordinateur hôte s exécutant (1) dans un état sécurisé (0), dans lequel l ordinateur hôte est un ordinateur capable de fonctionner en TCPA (Alliance de plateformes informatiques sécurisées) et dans lequel l état sécurisé est établi en démarrant l ordinateur hôte en utilisant un processus de démarrage sécurisé ; et dans lequel : l ordinateur hôte inclut des composants matériels et des composants logiciels, les composants logiciels incluant un système d exploitation, les composants matériels incluant une racine de noyau de mesure sécurisée (CRTM), la CRTM étant un composant sécurisé ; et le processus de démarrage sécurisé implique l utilisation du composant sécurisé pour vérifier la crédibilité des composants matériels avant de remettre la commande système au système d exploitation, qui vérifie ensuite l intégrité des composants logiciels ; et dans lequel : les composants matériels incluent de plus un module de plateforme sécurisée (TPM) ; et 2 3 4 0 la crédibilité des composants matériels et logiciels est vérifiée en utilisant des données de configuration système mémorisées dans le TPM ; et un gestionnaire de licences (1) installé sur l ordinateur hôte, le gestionnaire de licences étant configuré pour fournir accès à un ou plusieurs programmes logiciels, le ou les programmes logiciels étant accessibles seulement par l intermédiaire du gestionnaire de licences, le gestionnaire de licences étant restreint à l état sécurisé de l ordinateur hôte, de sorte que si l état sécurisé cesse d exister, alors le gestionnaire de licences n est pas exécutable et le ou les programmes logiciels ne sont pas accessibles, dans lequel le gestionnaire de licences est partitionné en une section de données dynamiques (3) et une section de code statique (3), la section de données dynamiques incluant des données qui changent durant l exécution du gestionnaire de licences et contenant des données dont le gestionnaire de licences (1) a besoin pour exécuter ses fonctions, la section de code statique incluant des données qui ne changent pas durant l exécution du gestionnaire de licences et contenant du code qui est requis par au moins l un du ou des programmes logiciels pour s exécuter et des données de configuration qui sont requises par le gestionnaire de licences (1), dans lequel la section de code statique (3) est partitionnée en deux soussections, une première sous-section qui mémorise du code pour les programmes logiciels et une seconde sous-section qui mémorise des données de configuration pour le gestionnaire de licences (1) ; et la section de données dynamiques étant protégée par une clé cryptographique (clé de données) (4), la section de code statique étant protégée par une clé cryptographique différente (clé de code) (4). 2. Système selon la revendication 1, dans lequel la clé de données et la clé de code sont protégées par une clé cryptographique différente (clé externe) (4). 3. Système selon la revendication 2, dans lequel la clé externe (4) est restreinte à l état sécurisé (0) de l ordinateur hôte (1). 4. Produit de programme informatique, mis en oeuvre de manière tangible dans un support d informations, le produit de programme informatique étant opérationnel pour amener un dispositif de traitement de données à exécuter des opérations comportant : 9
17 EP 1 674 963 B1 18 la vérification qu un ordinateur hôte (1) s exécute dans un état sécurisé (0) ; la réception d une première clé cryptographique (4) depuis un ordinateur hôte, la première clé cryptographique étant restreinte à un état sécurisé de l ordinateur hôte ; le cryptage d un gestionnaire de licences (1) en utilisant la première clé cryptographique ; et le transfert du gestionnaire de licences crypté à l ordinateur hôte ; dans lequel le gestionnaire de licences est partitionné en une section de données dynamiques (3) et une section de code statique (3), la section de données dynamiques incluant des données qui changent durant l exécution du gestionnaire de licences et contenant des données dont le gestionnaire de licences (1) a besoin pour exécuter ses fonctions, la section de code statique incluant des données qui ne changent pas durant l exécution du gestionnaire de licences et contenant du code qui est requis par au moins l un du ou des programmes logiciels pour s exécuter et des données de configuration qui sont requises par le gestionnaire de licences (1), dans lequel la section de code statique (3) est partitionnée en deux soussections, une première sous-section qui mémorise du code pour les programmes logiciels et une seconde sous-section qui mémorise des données de configuration pour le gestionnaire de licences (1) ; et dans lequel le cryptage du gestionnaire de licences en utilisant la première clé cryptographique (4) inclut le cryptage de la section de données dynamiques en utilisant une deuxième clé cryptographique (4), le cryptage de la section de code statique en utilisant une troisième clé cryptographique (4), et le cryptage des première et deuxième clés cryptographiques en utilisant la première clé cryptographique.. Produit de programme informatique selon la revendication 4, dans lequel la vérification que l ordinateur hôte s exécute dans un état sécurisé inclut l exécution d un processus d attestation à distance sur l ordinateur hôte. 6. Produit de programme informatique selon la revendication, dans lequel l exécution d un processus d attestation à distance sur l ordinateur hôte inclut : la réception de données de configuration système depuis l ordinateur hôte ; et la comparaison des données de configuration système reçues à un ensemble de configurations système connues. 7. Procédé pour transférer un gestionnaire de licences 2 3 4 0 vers un ordinateur hôte, le procédé comprenant : la vérification qu un ordinateur hôte (1) s exécute dans un état sécurisé (0) ; la réception d une clé cryptographique depuis une ordinateur hôte, la clé cryptographique étant restreinte à un état sécurisé de l ordinateur hôte ; le cryptage d un gestionnaire de licences (1) en utilisant la clé cryptographique ; et le transfert du gestionnaire de licences crypté vers l ordinateur hôte ; dans lequel le gestionnaire de licences est partitionné en une section de données dynamiques (3) et une section de code statique (3), la section de données dynamiques incluant des données qui changent durant l exécution du gestionnaire de licences et contenant des données dont le gestionnaire de licences (1) a besoin pour exécuter ses fonctions, la section de code statique incluant des données qui ne changent pas durant l exécution du gestionnaire de licences et contenant du code qui est requis par au moins l un du ou des programmes logiciels pour s exécuter et des données de configuration qui sont requises par le gestionnaire de licences (1), dans lequel la section de code statique (3) est partitionnée en deux soussections, une première sous-section qui mémorise du code pour les programmes logiciels et une seconde sous-section qui mémorise des données de configuration pour le gestionnaire de licences (1) ; et dans lequel le cryptage du gestionnaire de licences (1) en utilisant la première clé cryptographique inclut le cryptage de la section de données dynamiques (3) en utilisant une deuxième clé cryptographique (4), le cryptage de la section de code statique (3) en utilisant une troisième clé cryptographique (4), et le cryptage des première et deuxième clés cryptographiques en utilisant la première clé cryptographique (4). 8. Procédé selon la revendication 7, dans lequel la vérification que l ordinateur hôte s exécute dans un état sécurisé inclut l exécution d un processus d attestation à distance sur l ordinateur hôte. 9. Procédé selon la revendication 8, dans lequel l exécution d un processus d attestation à distance sur l ordinateur hôte inclut : la réception de données de configuration système depuis l ordinateur hôte ; et la comparaison des données de configuration système reçues à un ensemble de configurations système connues.
EP 1 674 963 B1 11
EP 1 674 963 B1 12
EP 1 674 963 B1 13
EP 1 674 963 B1 14
EP 1 674 963 B1 REFERENCES CITED IN THE DESCRIPTION This list of references cited by the applicant is for the reader s convenience only. It does not form part of the European patent document. Even though great care has been taken in compiling the references, errors or omissions cannot be excluded and the EPO disclaims all liability in this regard. Patent documents cited in the description US 0039924 A [0004]