Disclosure of Invention
In the existing Java card collaborative development model, a downloadable file (CAP file) of an application developer may need to be provided to a platform developer for distribution. During the distribution process, there are cases where the CAP file is used at will and exceeds the contractually agreed number of uses. In the transmission process, the loss or stealing of the CAP file may occur, so that the applied CAP file cannot be effectively protected.
The invention uses technical means to prevent the phenomenon from happening, so as to ensure the safety of the application program (CAP file) application range provided by an application developer and the controllability of the use times, and ensure that others unrelated to the project can not use the application program at will after acquiring the application program.
The invention provides an application program authentication module, comprising:
the first true random number generation module is used for generating a first true random number;
the first authentication key generation module is used for generating a first authentication key according to the first true random number and a second true random number acquired from the authentication terminal;
the authentication submodule is used for comparing whether the first authentication key is consistent with a second authentication key acquired from the authentication terminal, and if so, the function of the application program is allowed to be called by the external equipment; otherwise, the call is not allowed.
The first authentication key generation module includes:
the first process key generation submodule is used for generating a first process key according to the fixed key stored in the application program authentication module and the second true random number acquired from the authentication terminal;
and the first authentication key generation submodule is used for generating a first authentication key according to the first true random number and the first process key.
The application authentication module further comprises: a storage module for storing the fixed key.
The present invention provides an authentication terminal, including:
the second true random number generation module is used for generating a second true random number;
the authentication number identification module is used for acquiring the first true random number from the application program authentication module, comparing the used number of the application program with a preset number upper limit, and if the used number does not exceed the preset number upper limit after adding 1, generating a second authentication key through the second authentication key generation module; otherwise, returning the first true random number to the application program authentication module;
and the second authentication key generation module is used for generating a second authentication key according to the first true random number and the second true random number.
The second authentication key generation module includes:
the second process key generation submodule is used for generating a second process key according to the fixed key and the second true random number stored in the authentication terminal;
and the second authentication key generation submodule is used for generating a second authentication key according to the first true random number and the second process key.
The authentication terminal further includes:
and the storage module is used for storing the used times and the preset upper limit of times of the application program and the fixed key.
The invention provides an application program authentication system, comprising: the application program authentication module and the authentication terminal are described above.
The invention provides an application program authentication method, which comprises the following steps:
the application program authentication module sends the generated first true random number to an authentication terminal;
the authentication terminal compares the used times of the application program with a preset time upper limit, and if the used times do not exceed the preset time upper limit after adding 1, the authentication terminal generates a second authentication key according to the first true random number and a second true random number generated by the authentication terminal and sends the second authentication key to the application program authentication module; otherwise, returning the first real random number to the application program authentication module;
the application program authentication module generates a first authentication key according to the first true random number and a second true random number in a second authentication key acquired from an authentication terminal, compares whether the first authentication key and the second authentication key are consistent, and if so, allows the function of the application program to be called by external equipment; otherwise, the call is not allowed.
The authentication terminal generating a second authentication key according to the first true random number and a second true random number generated by the authentication terminal comprises:
the authentication terminal generates a second true random number;
the authentication terminal encrypts a fixed key and a second true random number stored in the authentication terminal to generate a second process key;
and the authentication terminal encrypts the first true random number and the second process key to generate a second authentication key.
The application authentication module generating a first authentication key according to the first true random number and a second true random number in a second authentication key acquired from the authentication terminal includes:
the application program authentication module encrypts a second true random number in a fixed key stored in the application program authentication module and a second authentication key acquired from an authentication terminal to generate a first process key;
the application authentication module encrypts the first true random number and the first process key to generate a first authentication key.
The encryption algorithm that generates the first process key is the same as the encryption algorithm that generates the second process key; the encryption algorithm for generating the first authentication key is the same as the encryption algorithm for generating the second authentication key.
The invention provides an application program authentication module, comprising:
the first true random number generation module is used for generating a first true random number;
the first authentication key verification module is used for verifying the consistency of a first true random number and a second true random number generated by decryption in a second authentication key acquired from the authentication terminal with the first true random number generated by the first true random number generation module and the second true random number acquired from the authentication terminal, and if the first true random number and the second true random number are consistent, the function of the application program is allowed to be called by external equipment; otherwise, the call is not allowed.
The first authentication key verification module includes:
the first authentication key verification submodule is used for decrypting a second authentication key acquired from the authentication terminal to generate a second process key and a first true random number and verifying the consistency of the first true random number and the first random number generated by the first true random number generation module;
the first process key verification submodule is used for decrypting a second process key generated by decrypting the second authentication key to generate a second random number and verifying the consistency of the second true random number and the second true random number acquired from the authentication terminal;
the execution submodule is used for allowing the function of the application program to be called by the external equipment if the verification consistency of the first authentication key verification submodule and the first process key verification submodule passes; otherwise, the call is not allowed.
The present invention provides an authentication system, including: one of the application program authentication modules and an authentication terminal.
The invention provides an authentication method, which comprises the following steps:
the application program authentication module sends the generated first true random number to an authentication terminal;
the authentication terminal compares the used times of the application program with a preset time upper limit, and if the used times do not exceed the preset time upper limit after adding 1, the authentication terminal generates a second authentication key according to the first true random number and a second true random number generated by the authentication terminal and sends the second authentication key to the application program authentication module; otherwise, returning the first real random number to the application program authentication module;
the application program authentication module decrypts the generated first true random number and second true random number according to a second authentication key acquired from the authentication terminal, and the first true random number and the second true random number generated by the first true random number generation module are consistent with the second true random number acquired from the authentication terminal, if the first true random number and the second true random number are consistent, the function of the application program is allowed to be called by external equipment; otherwise, the call is not allowed.
Compared with the closest prior art, the technical scheme provided by the invention has the following beneficial effects:
according to the technical scheme provided by the invention, the application program authentication terminal uses the authentication times identification submodule to identify the authentication times, so that the controllability of the use times of the application program is ensured, and the security of the use range of the application program is ensured by generating the authentication key through an encryption algorithm;
according to the technical scheme provided by the invention, the application program authentication module generates the authentication key through the encryption algorithm according to the true random number and the process key, so that the safety of the application program application range is ensured, and irrelevant personnel can not use the application program randomly after obtaining the application program;
according to the technical scheme provided by the invention, the application program authentication system identifies the authentication times through the authentication time identification submodule to ensure the controllability of the use times of the application program, generates the authentication key through an encryption algorithm and identifies the authentication key to ensure the safety of the use range of the application program;
according to the technical scheme provided by the invention, the authentication times are authenticated by the application program authentication method, so that the controllability of the use times of the application program is ensured, and the use times exceeding the contract agreement is avoided; the condition that the application program is stolen is avoided through the authentication of the authentication key, and the safety of the application program use range is ensured.
Detailed Description
The invention is described in further detail below with reference to the accompanying drawings:
in the existing smart chip collaborative development mode, downloadable applications of an application developer may need to be provided to a platform developer for distribution. During the distribution process, there are cases where the application is used at will and exceeds the number of uses agreed by the contract. During the transmission process, the loss or theft of the application program may occur, so that the application program cannot be effectively protected.
Example one
In order to solve the defect that the application program can be randomly used after being downloaded and installed in the prior art, the invention provides an application program authentication module, the structure of which is shown in fig. 1 and comprises:
the first true random number generation module is used for generating a first true random number which is used as an input parameter for generating the authentication key;
the first authentication key generation module is used for generating a first authentication key according to the first true random number and a second true random number acquired from the authentication terminal;
the authentication submodule is used for comparing whether the first authentication key is consistent with a second authentication key acquired from the authentication terminal, and if so, the function of the application program is allowed to be called by the external equipment; otherwise, the call is not allowed.
Optionally, the first authentication key generation module may further include:
the first process key generation submodule is used for generating a first process key according to the fixed key stored in the application program authentication module and the second true random number acquired from the authentication terminal, and the process key is used as a key generated by the authentication key;
and the first authentication key generation submodule is used for generating a first authentication key according to the first true random number and the first process key. The algorithm for generating the authentication key may be a symmetric algorithm or an asymmetric algorithm.
The invention also provides an authentication terminal, wherein the authentication terminal records the upper limit times of the application program (CAP file) which can be used, and when the authentication times of the CAP file exceeds the upper limit, the authentication can not be carried out. The authentication terminal may be a smart card, a module, a USB KEY, or the like according to different packaging forms, and the structure of the authentication terminal is shown in fig. 2 and includes:
the second true random number generation module is used for generating a second true random number;
the authentication number identification module is used for acquiring the first true random number from the application program authentication module, comparing the used number of the application program with a preset number upper limit, and if the used number does not exceed the preset number upper limit after adding 1, generating a second authentication key through the second authentication key generation module; otherwise, returning the first true random number to the application program authentication module;
and the second authentication key generation module is used for generating a second authentication key according to the first true random number and the second true random number.
The authentication terminal further includes:
and the storage module is used for storing the used times and the preset upper limit of times of the application program and the fixed key.
The second authentication key generation module includes:
the second process key generation submodule is used for generating a second process key according to the fixed key and the second true random number stored in the authentication terminal;
and the second authentication key generation submodule is used for generating a second authentication key according to the first true random number and the second process key. The algorithm for generating the authentication key may be a symmetric algorithm or an asymmetric algorithm.
As shown in fig. 3, the present invention also provides an authentication system, including: the authentication terminal generates the authentication key by using a symmetric algorithm, such as the application authentication module shown in fig. 1 and the authentication terminal shown in fig. 2.
As shown in fig. 4, the present invention provides an authentication method, including:
after the Java card platform passes the security authentication, downloading an application program applied by the Java card to the platform, and before the application program passes the security authentication, sending an authentication command to an application program authentication module;
the application program authentication module adds the generated first true random number into an authentication command and sends the authentication command to an authentication terminal;
the authentication terminal receives an authentication command and then compares the used times of the application program with a preset time upper limit, and if the used times do not exceed the preset time upper limit after adding 1, the authentication terminal generates a second authentication key according to the first true random number and a second true random number generated by the authentication terminal and sends the second authentication key to the application program authentication module; otherwise, returning the first real random number to the application program authentication module;
the application program authentication module generates a first authentication key according to the first true random number and a second true random number in a second authentication key acquired from an authentication terminal, compares whether the first authentication key and the second authentication key are consistent, and if so, the function of the application program can be called by external equipment; otherwise it cannot be called.
The authentication terminal generating a second authentication key according to the first true random number and a second true random number generated by the authentication terminal comprises:
the authentication terminal generates a second true random number;
the authentication terminal encrypts a fixed key and a second true random number stored in the authentication terminal to generate a second process key;
and the authentication terminal encrypts the first true random number and the second process key to generate a second authentication key.
The application authentication module generating a first authentication key according to the first true random number and a second true random number in a second authentication key acquired from the authentication terminal includes:
the application program authentication module encrypts a second true random number in a fixed key stored in the application program authentication module and a second authentication key acquired from an authentication terminal to generate a first process key;
the application authentication module encrypts the first true random number and the first process key to generate a first authentication key.
The encryption algorithm that generates the first process key is the same as the encryption algorithm that generates the second process key; the encryption algorithm for generating the first authentication key is the same as the encryption algorithm for generating the second authentication key.
The encryption algorithm adopts a symmetric encryption algorithm.
Example two
The invention provides an application program authentication module, comprising:
the first true random number generation module is used for generating a first true random number;
the first authentication key verification module is used for verifying the consistency of a first true random number and a second true random number generated by decryption in a second authentication key acquired from the authentication terminal with the first true random number generated by the first true random number generation module and the second true random number acquired from the authentication terminal, and if the first true random number and the second true random number are consistent, the function of the application program is allowed to be called by external equipment; otherwise, the call is not allowed.
The first authentication key generation module includes:
the first authentication key verification submodule is used for decrypting a second authentication key acquired from the authentication terminal to generate a second process key and a first true random number and verifying the consistency of the first true random number and the first random number generated by the first true random number generation module;
the first process key verification submodule is used for decrypting a second process key generated by decrypting the second authentication key to generate a second random number and verifying the consistency of the second true random number and the second true random number acquired from the authentication terminal;
the execution submodule is used for allowing the function of the application program to be called by the external equipment if the verification consistency of the first authentication key verification submodule and the first process key verification submodule passes; otherwise, the call is not allowed.
The present invention provides an authentication system, including: in the application authentication module in this embodiment and the authentication terminal in the first embodiment, an algorithm for generating the authentication key by the authentication terminal is an asymmetric algorithm.
The invention also provides an authentication method, which comprises the following steps:
the application program authentication module sends the generated first true random number to an authentication terminal;
the authentication terminal compares the used times of the application program with a preset time upper limit, and if the used times do not exceed the preset time upper limit after adding 1, the authentication terminal generates a second authentication key according to the first true random number and a second true random number generated by the authentication terminal and sends the second authentication key to the application program authentication module; otherwise, returning the first real random number to the application program authentication module;
the application program authentication module decrypts the generated first true random number and second true random number according to a second authentication key acquired from the authentication terminal, and the first true random number and the second true random number generated by the first true random number generation module are consistent with the second true random number acquired from the authentication terminal, if the first true random number and the second true random number are consistent, the function of the application program is allowed to be called by external equipment; otherwise, the call is not allowed.
The authentication terminal generating a second authentication key according to the first true random number and a second true random number generated by the authentication terminal comprises:
the authentication terminal generates a second true random number;
the authentication terminal encrypts a fixed key and a second true random number stored in the authentication terminal to generate a second process key;
and the authentication terminal encrypts the first true random number and the second process key to generate a second authentication key.
The application program authentication module decrypts the consistency of the generated first true random number, the generated second true random number and the first true random number generated by the first true random number generation module according to the second authentication key acquired from the authentication terminal, and the consistency of the generated second true random number and the second true random number acquired from the authentication terminal, and comprises the following steps:
the application program authentication module decrypts a second authentication key acquired from the authentication terminal to generate a second process key and a first true random number, and verifies the consistency of the first true random number and the first random number generated by the first true random number generation module;
the application program authentication module decrypts a second process key generated by decrypting the second authentication key to generate a second random number, and verifies the consistency of the second true random number and a second true random number acquired from the authentication terminal; if the first authentication key verification sub-module and the first process key verification sub-module pass the verification consistency, the function of the application program is allowed to be called by the external equipment; otherwise, the call is not allowed.
In the second embodiment, both encryption and decryption use asymmetric encryption algorithms.
The application program authentication module, the terminal, the system and the method provided by the invention can prevent the phenomenon from occurring, so that the safety of the application program application range and the controllability of the use times provided by an application developer are ensured, and other people irrelevant to the project can not use the application program at will after acquiring the application program.
The technical personnel in the field can easily construct an application program authentication module based on the asymmetric encryption algorithm, an authentication terminal and an authentication system consisting of the application program authentication module and the authentication terminal according to the inventive concept provided by the invention.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting the scope of protection thereof, and although the present application is described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that: numerous variations, modifications, and equivalents will occur to those skilled in the art upon reading the present application and are within the scope of the claims appended hereto.