CN108848064B - Authorization management method and system - Google Patents

Authorization management method and system Download PDF

Info

Publication number
CN108848064B
CN108848064B CN201810510212.2A CN201810510212A CN108848064B CN 108848064 B CN108848064 B CN 108848064B CN 201810510212 A CN201810510212 A CN 201810510212A CN 108848064 B CN108848064 B CN 108848064B
Authority
CN
China
Prior art keywords
authorization
hardware
client
platform
authorization code
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810510212.2A
Other languages
Chinese (zh)
Other versions
CN108848064A (en
Inventor
王帮德
王涛
高飞
周冰
张园
赵向东
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan Jiule Technology Co ltd
Original Assignee
Wuhan Jiule Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuhan Jiule Technology Co ltd filed Critical Wuhan Jiule Technology Co ltd
Priority to CN201810510212.2A priority Critical patent/CN108848064B/en
Publication of CN108848064A publication Critical patent/CN108848064A/en
Application granted granted Critical
Publication of CN108848064B publication Critical patent/CN108848064B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics

Abstract

The embodiment of the application provides an authorization management method and system, a hardware client is additionally arranged, the hardware client decrypts an encrypted platform hardware ID sent by the authorization client after receiving the platform hardware ID, an authorization code is obtained through calculation according to the decrypted platform hardware ID, the authorization code is encrypted to obtain a ciphertext, and the ciphertext is sent to the authorization client. And the authorization client decrypts the ciphertext to obtain an authorization code and sends the authorization code to the embedded platform, and the embedded platform stores the authorization code in the storage device. And after the embedded platform is restarted, generating a verification authorization code to verify the stored authorization code, wherein after the verification is passed, the static library file in the embedded platform can normally work. According to the authorization management scheme, the hardware client is additionally arranged to encrypt the interactive information, so that the risk of cracking the authorization information is reduced, and the defect of increased management cost caused by the need of externally connecting an IC in the prior art is overcome.

Description

Authorization management method and system
Technical Field
The invention relates to the technical field of embedded system development, in particular to an authorization management method and system.
Background
In the development of an embedded system, to realize a function, source code files (.c and.h files, the file language is a computer programming language and can be read) are required to control an embedded system and peripheral equipment thereof so as to realize the corresponding function. To protect the code written by the author, a statically linked library (. a or. lib) may be generated by tool compilation. Thus, only the h-index header file and the static library file need to be provided to support this function. The method can ensure that the developer and the mechanism where the developer is located can be used by other people or other mechanisms on the premise of not revealing source codes. However, the mere provision of the static link library cannot guarantee whether the other side has a legal right, so that the authorization management of the static library file is also necessary. In the prior art, an external IC is usually adopted or an encryption algorithm is adopted to verify authorization, but the mode of externally connecting the IC increases the management cost, and the encryption mode commonly used in the prior art has lower cracking difficulty and poorer safety.
Disclosure of Invention
In view of the above, the present application provides an authorization management method and system to improve the above problem.
The embodiment of the application provides an authorization management method, which is applied to an authorization management system, wherein the authorization management system comprises an authorization client, a hardware client and an embedded platform, and the hardware client and the embedded platform are in communication connection with the authorization client, and the method comprises the following steps:
after receiving an authorization instruction sent by the authorization client, the embedded platform returns a platform hardware ID of the embedded platform to the authorization client;
the authorization client encrypts the platform hardware ID and sends the encrypted platform hardware ID to the hardware client;
the hardware client decrypts the encrypted platform hardware ID, obtains an authorization code by calculation according to the decrypted platform hardware ID, encrypts the authorization code to obtain a ciphertext, and sends the ciphertext to the authorization client;
the authorization client decrypts the ciphertext to obtain an authorization code and sends the authorization code to the embedded platform;
the embedded platform stores the received authorization code in the storage device;
and after the embedded platform is restarted, verifying the authorization code in the storage device, if the authorization code passes the verification, the static library file in the embedded platform normally works, and if the authorization code does not pass the verification, the static library file does not work.
Optionally, after the step of decrypting, by the hardware client, the encrypted platform hardware ID, the method further includes:
and the hardware client updates the stored authorization times of the static library file in the embedded platform and stores the updated authorization times.
Optionally, after the step of decrypting, by the hardware client, the encrypted platform hardware ID, the method further includes:
and the hardware client detects whether the authorization frequency of the static library file in the embedded platform reaches a preset upper limit value, if so, the hardware client judges that the authorization does not pass and ends the authorization process.
Optionally, the step of calculating an authorization code according to the decrypted platform hardware ID includes:
the hardware client generates a random number, and the random number is used as an encryption factor;
and searching for a ciphertext array according to the encryption factor, and carrying out encryption calculation on the ciphertext array and the platform hardware ID to obtain an authorization code.
Optionally, the step of obtaining an authorization code by searching for a ciphertext array according to the encryption factor and performing encryption calculation on the ciphertext array and the platform hardware ID includes:
performing table look-up operation on a prestored encryption table according to the encryption factor to obtain a ciphertext array corresponding to the encryption factor;
calculating by using an encryption function according to the platform hardware ID and the ciphertext array to obtain an authorization array;
and recombining the authorization array, and adding the encryption factor into the specified bit of the recombined authorization array to obtain an authorization code.
Optionally, the step of verifying the authorization code in the storage device after the embedded platform is restarted includes:
after the embedded platform is restarted, obtaining an authorization code corresponding to a platform hardware ID from the storage equipment;
reading the specified position of the authorization code to obtain an encryption factor in the authorization code, and obtaining a verification authorization code according to the encryption factor and the platform hardware ID;
and detecting whether the verification authorization code is consistent with the authorization code, and if so, judging that the verification is passed.
Optionally, the step of obtaining a verification authorization code according to the encryption factor and the platform hardware ID includes:
inquiring a ciphertext table in a stored static library file by using the encryption factor as an index to obtain an encryption array corresponding to the encryption factor;
encrypting the platform hardware ID and the encrypted array by using an encryption algorithm to obtain an authorized array;
and recombining the authorization array, and adding the encryption factor into the specified bit of the recombined authorization array to obtain a verification authorization code.
The embodiment of the present application further provides an authorization management system, where the authorization management system includes an authorization client, and a hardware client and an embedded platform that are in communication connection with the authorization client:
the embedded platform is used for receiving an authorization instruction sent by the authorization client, acquiring a platform hardware ID according to the authorization instruction, and returning the platform hardware ID to the authorization client;
the authorization client is used for encrypting the platform hardware ID and sending the encrypted platform hardware ID to the hardware client;
the hardware client is used for decrypting the encrypted platform hardware ID, obtaining an authorization code by calculation according to the decrypted platform hardware ID, encrypting the authorization code to obtain a ciphertext and sending the ciphertext to the authorization client;
the authorization client is used for decrypting the ciphertext to obtain an authorization code and sending the authorization code to the embedded platform;
the embedded platform is used for storing the received authorization code in the storage device;
the embedded platform is used for verifying the authorization code in the storage device after being restarted, if the authorization code passes the verification, the static library file in the embedded platform normally works, and if the authorization code does not pass the verification, the static library file does not work.
Optionally, the hardware client is further configured to update the stored authorization times of the static library file in the embedded platform, and store the updated authorization times.
Optionally, the hardware client is further configured to detect whether the authorization frequency of the static library file in the embedded platform reaches a preset upper limit value, and if the authorization frequency reaches the preset upper limit value, determine that authorization does not pass, and end the authorization process.
According to the authorization management method and system provided by the embodiment of the application, the hardware client is additionally arranged, the hardware client decrypts the encrypted platform hardware ID sent by the authorization client after receiving the encrypted platform hardware ID, the authorization code is obtained through calculation according to the decrypted platform hardware ID, the authorization code is encrypted to obtain a ciphertext, and the ciphertext is sent to the authorization client. And the authorization client decrypts the ciphertext to obtain an authorization code and sends the authorization code to the embedded platform, and the embedded platform stores the authorization code in the storage device. And after the embedded platform is restarted, generating a verification authorization code to verify the stored authorization code, wherein the static library file in the embedded platform can normally work after the verification is passed. According to the authorization management scheme, the hardware client is additionally arranged to encrypt the interactive information, so that the risk of cracking the authorization information is reduced, and the defect of increased management cost caused by the need of externally connecting an IC in the prior art is overcome.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
Fig. 1 is a schematic view of an application scenario of an authorization management method according to an embodiment of the present application.
Fig. 2 is a flowchart of an authorization management method according to an embodiment of the present application.
Fig. 3 is a flowchart of sub-steps of step S130 in fig. 2.
Fig. 4 is a flowchart of sub-steps of step S150 in fig. 2.
Fig. 5 is a flowchart of the substeps of step S152 in fig. 4.
Fig. 6 is an interaction diagram of an authorization client, a hardware client, and an embedded platform according to an embodiment of the present application.
Icon: 100-an authorized client; 200-a hardware client; 300-embedded platform.
Detailed Description
The inventor has found that the authorization method commonly used in the embedded system in the prior art includes authorization verification by using the encryption IC. However, this method requires an external IC, which increases the cost for using library files. Meanwhile, the external IC generally utilizes random numbers for verification, but the generation of the random numbers needs to depend on platform generation, the static library files cannot be completely controlled, the platform can generate a fixed numerical value after redirecting the random number generation function, the encryption scheme can be broken, the above two points are integrated, and the scheme is not suitable for the authorization of the static library files.
In addition, in the prior art, an authorization client generates an authorization code Key1 by using a hardware ID of an embedded platform, and the embedded device receives the authorization code sent by the client to store the FLASH. In the actual use process, the Key2 is obtained through ID calculation, and whether the authorization is reasonable is judged by comparing the Key1 with the Key 2. However, because the static library runs depending on the platform, the authorization code is stored in the FLASH with the platform, and the ID and the Key are both plaintext for the platform, so the decryption difficulty is low.
Based on the research findings, the embodiment of the invention provides an authorization management scheme, which is characterized in that a hardware client is additionally arranged to encrypt transmitted information, and an authorization code is obtained by utilizing a platform hardware ID and ciphertext data to increase the cracking difficulty of an encryption algorithm, so that effective management of files in a management authorization library is realized.
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
Fig. 1 is a schematic view of an application scenario of an authorization management method according to an embodiment of the present invention. The scenario includes an authorization management system that includes an authorization client 100, a hardware client 200, and an embedded platform 300. The authorization client 100 is in communication connection with the hardware client 200 and the embedded platform 300 respectively to realize data transmission and interaction. In this embodiment, the authorization client 100 may include a plurality of authorization clients 100, and the plurality of authorization clients 100 are respectively connected to the hardware client 200 and the embedded platform 300 in a communication manner. In this embodiment, the authorization client 100 may include, but is not limited to, a computer, a notebook computer, a smart phone, and other terminal devices, and the hardware client 200 is a specific terminal device for generating an authorization code and counting the authorization times. The embedded platform 300 is a service platform storing static library files.
Please refer to fig. 2, which is a flowchart illustrating an authorization management method applied to the authorization management system according to an embodiment of the present invention. It should be noted that the method provided by the present invention is not limited by the specific sequence shown in fig. 2 and described below. The respective steps shown in fig. 2 will be described in detail below.
Step S110, after receiving the authorization instruction sent by the authorization client 100, the embedded platform 300 returns the platform hardware ID of the embedded platform 300 to the authorization client 100.
In this embodiment, the authorization management may be divided into two steps, namely, initialization and use management, and in the initialization process, the user of the authorization client 100 may send an authorization instruction to the embedded platform 300 through the authorization client 100. The embedded platform 300 is a complex of hardware and software, the embedded platform 300 stores static library files, and the static library files can be copied, so that authorization management needs to be performed on the embedded platform 300, and after authorization is passed, the static library files in the embedded platform 300 can normally work, so that the static library files are prevented from being used indefinitely. Each of the embedded platforms 300 has a unique platform hardware ID. After receiving the authorization instruction sent by the authorization client 100, the embedded platform 300 returns the platform hardware ID of the embedded platform 300 to the authorization client 100.
Step S120, the authorization client 100 encrypts the platform hardware ID, and sends the encrypted platform hardware ID to the hardware client 200.
In step S130, the hardware client 200 decrypts the encrypted platform hardware ID, calculates an authorization code according to the decrypted platform hardware ID, encrypts the authorization code to obtain a ciphertext, and sends the ciphertext to the authorization client 100.
After receiving the platform hardware ID returned by the embedded platform 300, the authorization client 100 encrypts the platform hardware ID, for example, by using a symmetric encryption algorithm, an asymmetric encryption algorithm, or a Hash encryption algorithm. The encrypted platform hardware ID is sent to the hardware client 200.
After receiving the encrypted platform hardware ID, the hardware client 200 may decrypt the platform hardware ID by using a decryption algorithm corresponding to the authorization client 100.
After obtaining the decrypted platform hardware ID, the hardware client 200 calculates an authorization code according to the decrypted platform hardware ID. It should be noted that, in this embodiment, after the hardware client 200 decrypts the platform hardware ID, the authorization times of the static library file in the embedded platform 300 may also be managed. Optionally, the hardware client 200 stores the authorization times of the static library file in the embedded platform 300, and continuously updates the authorization times. Therefore, after the hardware client 200 decrypts the received platform hardware ID, the authorization times of the static library file stored in the embedded platform 300 may be updated, and the updated authorization times may be stored.
In this embodiment, in order to effectively ensure that the static library file in the embedded platform 300 is used in an effective range, in this embodiment, the hardware client 200 may manage the authorization times of the static library file in the embedded platform 300. As can be seen from the above, the hardware client 200 stores the authorization times of the static library file in the embedded platform 300, so that after obtaining the platform hardware ID, the hardware client 200 can detect whether the authorization times of the static library file in the embedded platform 300 reach the preset upper limit value. If the preset upper limit value is reached, the authorization is judged to be failed so as to end the authorization process. If the authorization times of the static library file in the embedded platform 300 do not reach the authorization upper limit value, the subsequent process can be continued. Optionally, the hardware client 200 calculates an authorization code according to the decrypted platform hardware ID, encrypts the authorization code to obtain a ciphertext, and sends the ciphertext to the authorization client 100. Similarly, the encryption process may employ any one of symmetric encryption, asymmetric encryption, or a Hash encryption algorithm.
Referring to fig. 3, in this embodiment, the step of the hardware client 200 calculating the authorization code according to the decrypted platform hardware ID may be performed by the following sub-steps:
in step S131, the hardware client 200 generates a random number, and uses the random number as an encryption factor.
And S132, searching to obtain a ciphertext array according to the encryption factor, and performing encryption calculation on the ciphertext array and the platform hardware ID to obtain an authorization code.
In this embodiment, the hardware client 200 stores a ciphertext list including a plurality of constant arrays, and the hardware client 200 may generate a random number as the encryption factor n. The encryption factor N is used as an index to search the ciphertext list in the hardware client 200 to obtain the ciphertext array N [ N ] corresponding to the encryption factor N. And, the searched ciphertext array N [ N ] and platform hardware ID may be encrypted for computation to obtain the authorization code.
In this embodiment, the authorized array Key _ value may be calculated by using an encryption algorithm F (ID, N [ N ]) according to the platform hardware ID and the ciphertext array N [ N ]. The encryption algorithm may be an encryption algorithm in the prior art, which is not described in detail in this embodiment. After obtaining the authorization array Key _ value, the hardware client 200 may reassemble the authorization array Key _ value, and add the specified bit, e.g., the K-th bit, of the reassembled authorization array Key _ value to the encryption factor n to form the authorization code.
In step S140, the authorization client 100 decrypts the ciphertext to obtain an authorization code, and sends the authorization code to the embedded platform 300.
In step S150, the embedded platform 300 stores the received authorization code in the storage device.
Step S160, after the embedded platform 300 is restarted, the authorization code in the storage device is verified, if the authorization code passes the verification, the static library file in the embedded platform 300 normally works, and if the authorization code does not pass the verification, the static library file does not work.
In this embodiment, after receiving the encrypted authorization code sent by the hardware client 200, the authorization client 100 decrypts the authorization code by using a corresponding decryption algorithm to obtain the authorization code, and sends the authorization code to the embedded platform 300.
The embedded platform 300 stores the authorization code in a storage device upon receiving the authorization code. In this embodiment, in the authorized use management process, that is, when the embedded platform 300 calls the static library file after being restarted, the stored authorization code needs to be verified, and after the verification is passed, the static library file can normally work. Optionally, referring to fig. 4, in this embodiment, the embedded platform 300 may verify the authorization code by:
in step S151, the embedded platform 300 obtains the authorization code corresponding to the platform hardware ID from the storage device.
Step S152, reading the specified position of the authorization code to obtain the encryption factor in the authorization code, and obtaining the verification authorization code according to the encryption factor and the platform hardware ID.
Step S153, whether the verification authorization code is consistent with the authorization code is detected, and if so, the verification is determined to be passed.
In this embodiment, a verification program is stored in the static library file, and the authorization code in the embedded platform 300 can be verified by using the verification program. In the verification, the process of generating the authorization code by the hardware client 200 is referred to, that is, the encryption factor is obtained in a reverse manner, the locally generated verification authorization code is obtained by using an encryption algorithm, and whether the two are consistent or not is detected so as to determine whether the authorization code is valid or not.
As can be seen from the above description, the embedded platform 300 stores the authorization code sent by the authorization client 100 in the storage device after receiving the authorization code. When the authorization code needs to be verified, the embedded platform 300 may obtain the corresponding authorization code from the storage device according to the platform hardware ID. A designated bit of an authorization code is read to obtain an encryption factor in the authorization code. It should be noted that the designated bit is the designated bit of the hardware client 200 that adds the encryption factor to the reassembled authorization array. Therefore, the encryption factor obtained by the embedded platform 300 at this time is the encryption factor generated by the hardware client 200.
The embedded platform 300 obtains the verification authorization code according to the read encryption factor and the platform hardware ID, wherein the process can be executed by the following steps, please refer to fig. 5 in combination:
step S1521, query a ciphertext table in the stored static library file using the encryption factor as an index to obtain an encryption array corresponding to the encryption factor.
Step S1522, encrypting the platform hardware ID and the encrypted array by using an encryption algorithm to obtain an authorized array.
Step S1523, the authorization array is reassembled, and the encryption factor is added to the specified bit of the reassembled authorization array to obtain the verification authorization code.
The embedded platform 300 uses the read encryption factor as an index to search a ciphertext table in the stored static library file, wherein the ciphertext table is consistent with the encryption table in the hardware client 200 and also consists of a plurality of constant arrays. And searching the ciphertext table to obtain an encryption array corresponding to the encryption factor. And encrypting the platform hardware ID and the encrypted array using an encryption algorithm to obtain an authorized array. And recombining the authorization array, and adding the encryption factor into the specified bit of the recombined authorization array to obtain a verification authorization code. The encryption algorithm adopted by the embedded platform 300 is the same as that adopted by the hardware client 200, and the scrambling rule adopted by the embedded platform 300 when the authorization array is recombined is the same as that adopted by the hardware client 200. The specified bits are the bits for extracting the encryption factor from the authorization code.
It should be understood that if the authorization code is written into the embedded platform 300 after being encrypted by the authorization client 100 and the hardware client 200, the encryption factor obtained by the static library file according to the authorization code in the embedded platform 300 in the reverse direction is the encryption factor generated by the hardware client 200, and since the ciphertext table in the embedded platform 300 is consistent with the encryption table in the hardware client 200, the encryption array obtained from the ciphertext table by using the encryption factor as an index is consistent with the encryption array obtained from the hardware client 200.
Moreover, when the encryption algorithms used by the embedded platform 300 and the hardware client 200 are the same, the authorization arrays obtained based on the same encryption array and the platform hardware ID are also the same. Further, after the same scrambling rule is adopted to recombine the authorization arrays, the obtained authorization arrays are also consistent. After the encryption factor is inserted into the designated bits of the authorization array, the authentication authorization code finally obtained in the embedded platform 300 and the authorization code generated by the hardware platform should be consistent.
Therefore, in this embodiment, the authorization code is verified in the embedded platform 300 through the above steps, so as to verify the authorization code written in the initialization process. When detecting that the obtained authentication authorization code is consistent with the authorization code, the embedded platform 300 may determine that the authentication is passed, and the static library file in the embedded platform 300 may work normally. Otherwise, the static library file does not work.
In order to make the authorization management scheme provided by the present invention more clearly understood by those skilled in the art, in this embodiment, the interaction process among the authorization client 100, the hardware client 200, and the embedded platform 300 is described, please refer to fig. 6 in combination.
The authorization client 100 sends an authorization instruction to the embedded platform 300, and the embedded platform 300 returns a platform hardware ID to the authorization client 100. The authorization client 100 encrypts the platform hardware ID and sends the encrypted platform hardware ID to the hardware client 200. The hardware client 200 decrypts the platform hardware ID, and detects whether the authorization frequency of the static library file in the embedded platform 300 reaches a preset upper limit value. And if the preset upper limit value is reached, ending the authorization process. If the authorization code does not reach the preset upper limit value, the authorization code is obtained according to the decrypted platform hardware ID, and the authorization code is encrypted and then sent to the authorization client 100. The authorization client 100 decrypts the authorization code after receiving the authorization code in the form of the ciphertext, and sends the decrypted authorization code to the embedded platform 300.
The embedded platform 300 is stored in the storage device upon receiving the authorization code. The stored authorization code needs to be verified after the embedded platform 300 is rebooted. The static library file comprises a verification program, can store and reversely process the authorization code, and encrypts the authorization code again by using the obtained encryption factor to obtain the verification authorization code. And detecting whether the verification authorization code is consistent with the stored authorization code, if so, judging that the authorization is passed, and the static library file can normally work. If the verification fails, the static library file does not work.
Another preferred embodiment of the present application further provides an authorization management system, which includes an authorization client 100, and a hardware client 200 and an embedded platform 300 communicatively connected to the authorization client 100.
The embedded platform 300 is configured to receive an authorization instruction sent by the authorization client 100, obtain a platform hardware ID according to the authorization instruction, and return the platform hardware ID to the authorization client 100.
The authorization client 100 is configured to encrypt the platform hardware ID, and send the encrypted platform hardware ID to the hardware client 200.
The hardware client 200 is configured to decrypt the encrypted platform hardware ID, calculate an authorization code according to the decrypted platform hardware ID, encrypt the authorization code to obtain a ciphertext, and send the ciphertext to the authorization client 100.
The authorization client 100 is configured to decrypt the ciphertext to obtain an authorization code, and send the authorization code to the embedded platform 300.
The embedded platform 300 is configured to store the received authorization code in a storage device.
The embedded platform 300 is configured to verify the authorization code in the storage device after being restarted, and if the authorization code passes the verification, the static library file in the embedded platform 300 normally works, and if the authorization code does not pass the verification, the static library file does not work.
Further, the hardware client 200 is further configured to update the stored authorization times of the static library file in the embedded platform 300, and store the updated authorization times.
In this embodiment, the hardware client 200 is further configured to detect whether the authorization frequency of the static library file in the embedded platform 300 reaches a preset upper limit, and if the authorization frequency reaches the preset upper limit, determine that the authorization does not pass, and end the authorization process.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process of the system described above may refer to the corresponding process in the foregoing method, and will not be described in too much detail herein.
To sum up, in the authorization management method and system provided in the embodiment of the present application, by adding the hardware client 200, after receiving the encrypted platform hardware ID sent by the authorization client 100, the hardware client 200 decrypts the platform hardware ID, calculates an authorization code according to the decrypted platform hardware ID, encrypts the authorization code to obtain a ciphertext, and sends the ciphertext to the authorization client 100. The authorization client 100 decrypts the ciphertext to obtain an authorization code and sends the authorization code to the embedded platform 300, and the embedded platform 300 stores the authorization code in the storage device. After the embedded platform 300 is restarted, a verification authorization code is generated to verify the storage authorization code, and after the verification is passed, the static library file in the embedded platform 300 can work normally. According to the authorization management scheme, the hardware client 200 is additionally arranged to encrypt the interactive information, so that the risk of cracking the authorization information is reduced, and the defect of increased management cost caused by the need of externally connecting an IC in the prior art is overcome.
Furthermore, in the authorization management scheme, the platform hardware ID and the encryption factor are used for obtaining the authorization code, the authorization code is recombined, and the encryption factor is inserted into the designated bit, so that the security of the authorization code is improved. Moreover, the ciphertext is adopted between the hardware client 200 and the authorization client 100 for information transmission, so that the risk that the hardware client 200 is copied is prevented.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The apparatus embodiments described above are merely illustrative and, for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (8)

1. An authorization management method is applied to an authorization management system, wherein the authorization management system comprises an authorization client, a hardware client and an embedded platform, and the hardware client is in communication connection with the authorization client, and the method comprises the following steps:
after receiving an authorization instruction sent by the authorization client, the embedded platform returns a platform hardware ID of the embedded platform to the authorization client;
the authorization client encrypts the platform hardware ID and sends the encrypted platform hardware ID to the hardware client;
the hardware client decrypts the encrypted platform hardware ID, obtains an authorization code by calculation according to the decrypted platform hardware ID, encrypts the authorization code to obtain a ciphertext, and sends the ciphertext to the authorization client;
the hardware client generates a random number, and the random number is used as an encryption factor;
searching for a ciphertext array according to the encryption factor, and carrying out encryption calculation on the ciphertext array and the platform hardware ID to obtain an authorization code;
the step of carrying out encryption calculation on the ciphertext array and the platform hardware ID to obtain an authorization code comprises the following steps:
performing table look-up operation on a prestored encryption table according to the encryption factor to obtain a ciphertext array corresponding to the encryption factor;
calculating by using an encryption function according to the platform hardware ID and the ciphertext array to obtain an authorization array;
recombining the authorization array, and adding the encryption factor into the specified bit of the recombined authorization array to obtain an authorization code;
the authorization client decrypts the ciphertext to obtain an authorization code and sends the authorization code to the embedded platform;
the embedded platform stores the received authorization code in the storage device;
and after the embedded platform is restarted, verifying the authorization code in the storage device, if the authorization code passes the verification, the static library file in the embedded platform normally works, and if the authorization code does not pass the verification, the static library file does not work.
2. The authorization management method according to claim 1, wherein after the step of the hardware client decrypting the encrypted platform hardware ID, the method further comprises:
and the hardware client updates the stored authorization times of the static library file in the embedded platform and stores the updated authorization times.
3. The authorization management method according to claim 1, wherein after the step of the hardware client decrypting the encrypted platform hardware ID, the method further comprises:
and the hardware client detects whether the authorization frequency of the static library file in the embedded platform reaches a preset upper limit value, if so, the hardware client judges that the authorization does not pass and ends the authorization process.
4. The authorization management method according to claim 1, wherein the step of verifying the authorization code in the storage device after the embedded platform is restarted comprises:
after the embedded platform is restarted, obtaining an authorization code corresponding to a platform hardware ID from the storage equipment;
reading the specified position of the authorization code to obtain an encryption factor in the authorization code, and obtaining a verification authorization code according to the encryption factor and the platform hardware ID;
and detecting whether the verification authorization code is consistent with the authorization code, and if so, judging that the verification is passed.
5. The method according to claim 4, wherein the step of obtaining a verification authorization code according to the encryption factor and the platform hardware ID comprises:
inquiring a ciphertext table in a stored static library file by using the encryption factor as an index to obtain an encryption array corresponding to the encryption factor;
encrypting the platform hardware ID and the encrypted array by using an encryption algorithm to obtain an authorized array;
and recombining the authorization array, and adding the encryption factor into the specified bit of the recombined authorization array to obtain a verification authorization code.
6. An authorization management system, comprising an authorization client, and a hardware client and an embedded platform communicatively connected to the authorization client:
the embedded platform is used for receiving an authorization instruction sent by the authorization client, acquiring a platform hardware ID according to the authorization instruction, and returning the platform hardware ID to the authorization client;
the authorization client is used for encrypting the platform hardware ID and sending the encrypted platform hardware ID to the hardware client;
the hardware client is used for decrypting the encrypted platform hardware ID, obtaining an authorization code by calculation according to the decrypted platform hardware ID, encrypting the authorization code to obtain a ciphertext and sending the ciphertext to the authorization client;
the hardware client generates a random number, and the random number is used as an encryption factor;
searching for a ciphertext array according to the encryption factor, and carrying out encryption calculation on the ciphertext array and the platform hardware ID to obtain an authorization code;
the method for carrying out encryption calculation on the ciphertext array and the platform hardware ID to obtain the authorization code comprises the following steps:
performing table look-up operation on a prestored encryption table according to the encryption factor to obtain a ciphertext array corresponding to the encryption factor;
calculating by using an encryption function according to the platform hardware ID and the ciphertext array to obtain an authorization array;
recombining the authorization array, and adding the encryption factor into the specified bit of the recombined authorization array to obtain an authorization code;
the authorization client is used for decrypting the ciphertext to obtain an authorization code and sending the authorization code to the embedded platform;
the embedded platform is used for storing the received authorization code in the storage device;
the embedded platform is used for verifying the authorization code in the storage device after being restarted, if the authorization code passes the verification, the static library file in the embedded platform normally works, and if the authorization code does not pass the verification, the static library file does not work.
7. The authorization management system according to claim 6, wherein the hardware client is further configured to update the stored authorization times of the static library file in the embedded platform, and store the updated authorization times.
8. The authorization management system according to claim 6, wherein the hardware client is further configured to detect whether the authorization frequency of the static library file in the embedded platform reaches a preset upper limit value, and if the authorization frequency reaches the preset upper limit value, determine that authorization does not pass, and end the authorization process.
CN201810510212.2A 2018-05-24 2018-05-24 Authorization management method and system Active CN108848064B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810510212.2A CN108848064B (en) 2018-05-24 2018-05-24 Authorization management method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810510212.2A CN108848064B (en) 2018-05-24 2018-05-24 Authorization management method and system

Publications (2)

Publication Number Publication Date
CN108848064A CN108848064A (en) 2018-11-20
CN108848064B true CN108848064B (en) 2020-12-29

Family

ID=64213467

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810510212.2A Active CN108848064B (en) 2018-05-24 2018-05-24 Authorization management method and system

Country Status (1)

Country Link
CN (1) CN108848064B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110809270B (en) * 2019-09-23 2020-12-18 珠海格力电器股份有限公司 Application control method, system and readable medium
CN110730177A (en) * 2019-10-18 2020-01-24 四川九州电子科技股份有限公司 Remote authorization system and method
CN111104363B (en) * 2019-12-27 2022-04-22 浪潮(北京)电子信息产业有限公司 FPGA cloud platform using method, device, equipment and medium
CN111222104A (en) * 2019-12-31 2020-06-02 苏州思必驰信息科技有限公司 Method, device and system for authorizing embedded device by using hardware dongle
CN113515728B (en) * 2021-05-18 2023-08-04 北京飞利信电子技术有限公司 Internet of things platform software authorization control system and method based on multistage deployment
CN113329025B (en) * 2021-06-07 2022-06-28 中国电子科技集团公司第二十九研究所 Recording data protection method and system based on software authorization embedded symmetric encryption
CN114546506B (en) * 2022-02-24 2022-12-02 科东(广州)软件科技有限公司 Authorization method, device, equipment and medium for embedded operating system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101577906A (en) * 2009-06-12 2009-11-11 大唐微电子技术有限公司 Smart card and terminal capable of realizing machine card security authentication
CN101583124A (en) * 2009-06-10 2009-11-18 大唐微电子技术有限公司 Authentication method and system of subscriber identity module and terminal
CN101931623A (en) * 2010-07-06 2010-12-29 华南理工大学 Safety communication method suitable for remote control with limited capability at controlled end
CN103955652A (en) * 2014-04-30 2014-07-30 武汉库百网络技术有限公司 File encryption method and device based on Andriod equipment authentication
US8817984B2 (en) * 2011-02-03 2014-08-26 mSignia, Inc. Cryptographic security functions based on anticipated changes in dynamic minutiae
CN104200143A (en) * 2014-09-04 2014-12-10 广东欧珀移动通信有限公司 Method and system for inputting password into intelligent mobile terminal rapidly through wearable device

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101583124A (en) * 2009-06-10 2009-11-18 大唐微电子技术有限公司 Authentication method and system of subscriber identity module and terminal
CN101577906A (en) * 2009-06-12 2009-11-11 大唐微电子技术有限公司 Smart card and terminal capable of realizing machine card security authentication
CN101931623A (en) * 2010-07-06 2010-12-29 华南理工大学 Safety communication method suitable for remote control with limited capability at controlled end
US8817984B2 (en) * 2011-02-03 2014-08-26 mSignia, Inc. Cryptographic security functions based on anticipated changes in dynamic minutiae
CN103955652A (en) * 2014-04-30 2014-07-30 武汉库百网络技术有限公司 File encryption method and device based on Andriod equipment authentication
CN104200143A (en) * 2014-09-04 2014-12-10 广东欧珀移动通信有限公司 Method and system for inputting password into intelligent mobile terminal rapidly through wearable device

Also Published As

Publication number Publication date
CN108848064A (en) 2018-11-20

Similar Documents

Publication Publication Date Title
CN108848064B (en) Authorization management method and system
CN109313690B (en) Self-contained encrypted boot policy verification
US20040268339A1 (en) Firmware validation
CN103946858A (en) Decryption and encryption of application data
CN105577379A (en) Information processing method and apparatus thereof
CN110311787B (en) Authorization management method, system, device and computer readable storage medium
WO2006053304A9 (en) Volatile device keys and applications thereof
US10985914B2 (en) Key generation device and key generation method
CN111666564B (en) Application program safe starting method and device, computer equipment and storage medium
US11556630B2 (en) Private password constraint validation
KR102244290B1 (en) Encryption communication apparatus that supports secure communication between a data transmitting apparatus and a data receiving apparatus, and the operating method thereof
US20160013933A1 (en) Order-preserving encryption system, device, method, and program
US20120096280A1 (en) Secured storage device with two-stage symmetric-key algorithm
EP3206329A1 (en) Security check method, device, terminal and server
CN111522809A (en) Data processing method, system and equipment
CN112118245B (en) Key management method, system and equipment
US11128455B2 (en) Data encryption method and system using device authentication key
CN105812313A (en) Method and server for restoring session, and method and server for generating session credential
CN103403729A (en) Secure management and personalization of unique code signing keys
US8862893B2 (en) Techniques for performing symmetric cryptography
CN110914826A (en) System and method for distributed data mapping
CN109784072B (en) Security file management method and system
CN116132041A (en) Key processing method and device, storage medium and electronic equipment
US20220216999A1 (en) Blockchain system for supporting change of plain text data included in transaction
CN113282945B (en) Intelligent lock authority management method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant