Title of invention: Secure software service systems and methods
Abstract: In one embodiment, the present invention includes a method of performing a secure transaction in a software system, such as a software service system. Embodiments of the invention include encoding symmetric keys for securing transactions between a service consumer and service provider. Asymmetric keys are also used for providing additional security during transactions. In one embodiment, license tokens and capability tokens are encoded and passed between a service consumer and service provider for allowing a consumer secure access to authorized services.
Publication number: US8843415(B2) Publication date: 2014.09.23
Application number: US200812245559 Filing date: 2008.10.03
Applicant: SAP AG Inventors: Karabulut Yuecel; Nassi Isaac
Classification: G06Q99/00; G06F21/10; G06F21/33; H04L29/06; G06Q20/38 Main classification: G06Q99/00
Agency: Fountainhead Law Group PC Agent: Fountainhead Law Group PC
Principal claim: 1. A method of performing a secure software service transaction comprising:
performing a first transaction between a software service consumer and a license token service, the first transaction comprising:
  receiving, on at least one computer system executing the license token service, a license token request from the software service consumer, and
  sending, by the at least one computer system executing the license token service, a license token to the software service consumer in response to the license token request, wherein the license token is encrypted by a key shared between the license token service and a security token service;
performing a second transaction between the software service consumer and the security token service, the second transaction comprising:
  receiving, on at least one computer system executing the security token service, a capability token request from the software service consumer, the capability token request including the encrypted license token and identifying one or more particular software services to be accessed on a backend system,
  decrypting, by the at least one computer system executing the security token service, the encrypted license token with the key shared between the license token service and a security token service, and
  sending, by the at least one computer system executing the security token service, a capability token to the software service consumer in response to the capability token request, wherein the capability token is encrypted by a key shared between the security token service and the backend system, the capability token including information identifying the one or more particular software services to be accessed on the backend system;
performing a third transaction between the software service consumer and the backend system, the third transaction comprising:
  receiving, on at least one computer system executing the backend system, a service request from the software service consumer, the service request including the encrypted capability token,
  decrypting, by the at least one computer system executing the backend system, the capability token with the key shared between the security token service and the backend system,
  generating, by the at least one computer system executing the backend system, a new capability token including information identifying the one or more particular software services to be accessed on the backend system,
  sending, by the at least one computer system executing the backend system, the new capability token to the software service consumer,
  receiving, on the at least one computer system executing the backend system, a service request from the software service consumer comprising the new capability token and an identification of the one or more particular software services to be accessed on the backend system, and
  executing, by the at least one computer system executing the backend system, the service request on the one or more particular software services to be accessed on the backend system.
Address: Walldorf DE