CN111639310A - Software cloud timed use control method and device based on specific time encryption - Google Patents


Publication number
CN111639310A
Authority
CN
China
Prior art keywords
time
server
software
pef
user
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010473555.3A
Other languages
Chinese (zh)
Other versions
CN111639310B (en)
Inventor
袁科
张宝磊
闫永航
李家保
张文超
朱孟祥
欧阳文蕾
韩旭
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Henan University
Original Assignee
Henan University
Application filed by Henan University
Priority to CN202010473555.3A
Publication of CN111639310A
Application granted
Publication of CN111639310B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/12 Protecting executable software
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Signal Processing (AREA)
  • Technology Law (AREA)
  • Multimedia (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a software cloud timed use control method based on specific time encryption, which comprises the following steps: the software developer server S performs SM4 encryption on the OEF with the key MK, adds a shell to generate the PEF, and sends the PEF to the cloud server CS; S calculates the public/private key pair of the user and sends the private key to the user R; S generates a ciphertext C according to params, MK, pk, TS-MPK and $[t_0, t_1]$ and sends C to the CS; the time server TS releases the time trapdoor $D_t = \{d_x = sH_1(x) : x \in \rho_t\}$ and broadcasts it; the CS links $D_t$ to generate a new time trapdoor chain tikChain; R, within $[t_0, t_1]$, sends sk to the CS together with a command to run the PEF; the CS runs the PEF, removes the shell according to C, sk and tikChain, and then runs the OEF. The invention also discloses a software cloud timed use control device based on specific time encryption. The method and the device prevent illegitimate software users from breaking the time limit by means such as reverse analysis of the software, and have higher security.

Description

Software cloud timed use control method and device based on specific time encryption
Technical Field
The invention belongs to the technical field of software timing use control, and particularly relates to a software cloud timing use control method and device based on specific time encryption.
Background
With the rapid development of modern society, new application requirements keep arising. One such application scenario: a company needs to use a large piece of expensive software periodically, for example at the end of each month. If the software is purchased outright, it is difficult to recoup the cost. In this case, paying by usage time can save the company money. A mechanism for controlling software usage time is therefore needed to meet this requirement.
Software usage time limits are currently implemented in two ways, local verification and server verification (https://blog.csdn.net/lizhaoen003/arrow/details/51475450). In local verification, two time values are stored in the registry or in some file or sector: the installation time of the software and its most recent running time. Each time the software starts, the current time is compared with the most recent running time and, if that check passes, with the installation time, which enforces the usage time limit. Because local verification records the time values locally, an illegitimate software user can easily find and modify the recorded values to break the time limit.
In server verification, the server checks the software usage time and returns the verification result to the client, and the client decides from that result whether to continue running the subsequent code. Because the time check is placed on the server, this method largely prevents an illegitimate software user from breaking the usage time limit, but the threat remains that the user cracks the limit by reverse engineering the software or by modifying the time verification result exchanged with the server.
With the diversification of the software requirements of enterprises and individual users, purchasing software on demand (for example by time or by frequency of use) is more readily accepted by software users, which effectively lowers the price threshold for purchasing software and reduces users' unnecessary expenses. However, both the local verification method and the server verification method carry a high risk of being illegally cracked, so a new method for controlling and protecting software usage time is needed so that software can be used on a timed basis conveniently and securely.
Disclosure of Invention
The invention provides a software cloud timed use control method and device based on specific time encryption, aiming at the problem that local authentication and server authentication have high risk of being illegally cracked.
In order to achieve the purpose, the invention adopts the following technical scheme:
a software cloud timed use control method based on specific time encryption comprises the following steps:
step 1, a software developer server S encrypts a code segment of an original executable file OEF by an SM4 through an encryption key MK, then carries out shell adding operation on the OEF after the code segment is encrypted to obtain a shell added executable file PEF, and sends the PEF to a cloud server CS;
step 2, the software developer server S takes the public parameters as input, selects the private key of the user
Figure BDA0002515119520000021
Calculating the user public key $pk = (uP, usP)$, and sending sk to the user R; the public parameters comprise the system parameters params and the time server public key TS-MPK, where $params = \{k, q, G_1, G_2, e, P, H_1, H_2, n\}$ and TS-MPK $= (P, sP)$, where k is a security parameter, $G_1$ is an additive group, $G_2$ is a multiplicative group, $G_1$ and $G_2$ both have prime order q, $e: G_1 \times G_1 \to G_2$ is a bilinear map, and the hash functions are $H_1: \{0,1\}^* \to G_1$ and $H_2: G_2 \to \{0,1\}^n$, where n is the length of the plaintext,
Figure BDA0002515119520000022
a generator randomly chosen for the time server TS,
Figure BDA0002515119520000023
is the time server private key TS-MSK;
step 3, the software developer server S generates a ciphertext C according to the system parameters params, MK, pk, TS-MPK and the release time interval $[t_0, t_1]$, and sends C to the cloud server CS in advance;
step 4, the time server TS releases the time trapdoor $D_t = \{d_x = sH_1(x) : x \in \rho_t\}$ and broadcasts $D_t$, where $t \in \{0,1\}^*$ and $\rho_t$ is the set of nodes on the path of t in the binary tree;
step 5, the cloud server CS links the time trapdoor $D_t$ to the tail of the time trapdoor chain to generate a new time trapdoor chain tikChain;
step 6, the user R, within the time $[t_0, t_1]$, sends sk to the cloud server CS together with a command to run the PEF;
step 7, the cloud server CS runs the PEF and, after successful legitimate shell removal according to the ciphertext C, the user private key sk and the time trapdoor chain tikChain, runs the OEF.
Further, the step 3 comprises:
step 3.1: verify that $e(uP, sP) = e(P, usP)$; when the equation holds, generate the minimal root set of subtrees covering all time nodes in $[t_0, t_1]$
Figure BDA0002515119520000031
Step 3.2: for each
Figure BDA0002515119520000032
Randomly selecting r to
Figure BDA0002515119520000033
Calculating rP and rusP;
computing
$K = e(rusP, H_1(y)) = e(P, H_1(y))^{rus}$
Obtain a ciphertext set
Figure BDA0002515119520000034
Generating a ciphertext
Figure BDA0002515119520000035
Further, the step 7 includes:
step 7.1: acquire the tail node data of tikChain and generate the time t and the time trapdoor $D_t$
Step 7.2: generate the minimal root set of subtrees covering all time nodes in $[t_0, t_1]$
Figure BDA0002515119520000036
and the set $\rho_t$ of nodes on the path of t in the binary tree; calculate the unique element z at which $\rho_t$ and
Figure BDA0002515119520000037
intersect;
step 7.3: computing
$K' = e(U, d_z)^u$
Step 7.4: computing
Figure BDA0002515119520000038
Step 7.5: it is determined whether K' is equal to K,
Figure BDA0002515119520000039
whether or not it is equal to MK; if so, the code sections of the PEF are traversed, and SM4 decryption is performed on the code sections of the PEF, and the OEF is un-shelled.
A software cloud timed use control device based on specific time encryption comprises:
the shell adding module is used for enabling the software developer server S to carry out SM4 encryption on the code segment of the original executable file OEF through the encryption key MK, then carrying out shell adding operation on the OEF after the code segment is encrypted to obtain a PEF (executable file) after the shell is added, and sending the PEF to the cloud server CS;
a user public and private key pair generation module used for selecting a user private key by the software developer server S by taking the public parameter as input
Figure BDA0002515119520000041
Calculating the user public key $pk = (uP, usP)$, and sending sk to the user R; the public parameters comprise the system parameters params and the time server public key TS-MPK, where $params = \{k, q, G_1, G_2, e, P, H_1, H_2, n\}$ and TS-MPK $= (P, sP)$, where k is a security parameter, $G_1$ is an additive group, $G_2$ is a multiplicative group, $G_1$ and $G_2$ both have prime order q, $e: G_1 \times G_1 \to G_2$ is a bilinear map, and the hash functions are $H_1: \{0,1\}^* \to G_1$ and $H_2: G_2 \to \{0,1\}^n$, where n is the length of the plaintext,
Figure BDA0002515119520000042
a generator randomly chosen for the time server TS,
Figure BDA0002515119520000043
is the time server private key TS-MSK;
a ciphertext generation module, used for the software developer server S to generate a ciphertext C according to the system parameters params, MK, pk, TS-MPK and the release time interval $[t_0, t_1]$, and to send C to the cloud server CS in advance;
a time trapdoor release module, used for the time server TS to release the time trapdoor $D_t = \{d_x = sH_1(x) : x \in \rho_t\}$ and broadcast $D_t$, where $t \in \{0,1\}^*$ and $\rho_t$ is the set of nodes on the path of t in the binary tree;
a time trapdoor chain updating module, used for the cloud server CS to link the time trapdoor $D_t$ to the tail of the time trapdoor chain to generate a new time trapdoor chain tikChain;
a command sending module, used for the user R, within the time $[t_0, t_1]$, to send sk to the cloud server CS together with a command to run the PEF;
and the shelling operation module is used for operating the PEF by the cloud server CS, and operating the OEF after successful legal shelling according to the ciphertext C, the user private key sk and the time trapdoor chain tikChain.
Further, the ciphertext generating module comprises:
a first verification submodule for verifying that $e(uP, sP) = e(P, usP)$ and, when the equation holds, generating the minimal root set of subtrees covering all time nodes in $[t_0, t_1]$
Figure BDA0002515119520000044
A first calculation submodule for calculating for each
Figure BDA0002515119520000045
Randomly selecting r to
Figure BDA0002515119520000046
Calculating rP and rusP;
a second calculation submodule for calculating
$K = e(rusP, H_1(y)) = e(P, H_1(y))^{rus}$
Obtain a ciphertext set
Figure BDA0002515119520000051
Generating a ciphertext
Figure BDA0002515119520000052
Further, the shelling operating module comprises:
a time trapdoor acquisition module for acquiring the tail node data of tikChain and generating the time t and the time trapdoor $D_t$
A third calculation submodule for generating the minimal root set of subtrees covering all time nodes in $[t_0, t_1]$
Figure BDA0002515119520000053
and the set $\rho_t$ of nodes on the path of t in the binary tree, and calculating the unique element z at which $\rho_t$ and
Figure BDA0002515119520000054
intersect;
a fourth calculation submodule for calculating
$K' = e(U, d_z)^u$
A fifth calculation submodule for calculating
Figure BDA0002515119520000055
A shelling operation submodule for judging whether K' is equal to K,
Figure BDA0002515119520000056
whether or not it is equal to MK; if so, the code sections of the PEF are traversed, and SM4 decryption is performed on the code sections of the PEF, and the OEF is un-shelled.
Compared with the prior art, the invention has the following beneficial effects:
in view of safety, on one hand, the method avoids the time limit cracking caused by means of reverse analysis and the like of software by illegal software users due to the fact that the shelled software is started on the cloud server, and on the other hand, the time limit cracking caused by the fact that the illegal software users are communicated with the cloud server is avoided due to the fact that the time server is added and a time trap door chain is introduced; in view of practical value, the invention provides a way for software developers to reliably limit the use of software according to the regularity or the non-regularity of the use time, the frequency and the like, can effectively reduce the price threshold of software purchase, and assists the developers to increase the sales volume. For the customers who use the software regularly and for a short time, the software use cost can be greatly saved. In addition, due to the introduction of a shell adding technology for the software executable file, the protection of the software on the cloud is enhanced, and the universality of the invention is improved. Based on the software shell adding technology, a software developer can directly save the step of developing an account management system only for realizing software use control, thereby greatly reducing the development pressure and the operation and maintenance cost of the software developer.
Drawings
FIG. 1 is a schematic diagram of a software cloud timed-use system architecture based on specific time encryption;
FIG. 2 is a schematic diagram of a binary tree structure with depth 3;
fig. 3 is a basic flowchart of a software cloud timing use control method based on specific time encryption according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a software cloud timed-use control device based on specific-time encryption according to an embodiment of the present invention.
Detailed Description
The invention is further illustrated by the following examples in conjunction with the accompanying drawings:
Suppose that software user R purchases from a software developer the permission to use the software during the time interval $[t_0, t_1]$; then R, holding the private key, can open and use the software only within the interval $[t_0, t_1]$. Such a system is called a software cloud timed-use system based on specific time encryption, as shown in fig. 1. Its formal definition is given below.
Definition 1 (TSE-STUC scheme ξ). The scheme includes four entities, the time server TS, the cloud server CS, the software developer S and the software user R, and the algorithm 8-tuple $\xi_{TSE-STUC}$ = (MK-Setup, SM4.Enc, PK.Setup, PK.KeyGen, PK.Enc, PK.TIK-Ext, TIK-Chain, SM4-PK.Dec).
The MK-Setup algorithm is used to initialize the SM4 encryption key MK; specifically, each time it randomly selects a number and assigns it to the key MK
Figure BDA0002515119520000061
generating the SM4 encryption key MK.
The SM4.Enc algorithm: given an original executable file OEF and the encryption key MK, the software developer performs the following operations: using MK, SM4 encryption is first performed on the code segment of the OEF, then the shell-adding operation is performed (the entry address of the OEF is changed to the entry address of the shell program, and the shell program is a dll running program), generating the corresponding shelled executable file PEF = SM4.Enc(MK, OEF).
The PK.Setup algorithm is used to initialize parameters: for a given security parameter k and time length T, the algorithm outputs the system parameters $params = \{k, q, G_1, G_2, e, P, H_1, H_2, n\}$, the time server public/private key pair (TS-MPK, TS-MSK) and the depth d ($T = 2^d$), as shown in fig. 2. Here $G_1$ is an additive group, $G_2$ is a multiplicative group, $G_1$ and $G_2$ both have prime order q, and $e: G_1 \times G_1 \to G_2$ is a bilinear map satisfying definition 1; the hash functions are $H_1: \{0,1\}^* \to G_1$ and $H_2: G_2 \to \{0,1\}^n$, where n is the plaintext length; the time server randomly selects the generator
Figure BDA0002515119520000071
Time server private key
Figure BDA0002515119520000072
Its corresponding public key is TS-MPK $= (P, sP)$. params and TS-MPK are public parameters.
The PK.KeyGen algorithm takes the public parameters as input and selects the user private key
Figure BDA0002515119520000073
The user public key $pk = (uP, usP)$ is calculated.
The PK.Enc algorithm: given an SM4 key MK, a receiver's public key $pk = (uP, usP)$, the time server's public key TS-MPK $= (P, sP)$ and a release time interval $[t_0, t_1]$, the software developer performs the following operations:
(1) verify that $e(uP, sP) = e(P, usP)$; the following operations are performed only if the equation holds;
(2) generate the minimal root set of subtrees covering all time nodes in $[t_0, t_1]$
Figure BDA0002515119520000074
(3) For each
Figure BDA0002515119520000075
Performing the following encryption operations;
(4) randomly selecting r to
Figure BDA0002515119520000076
Calculating rP and rusP;
(5) computing
$K = e(rusP, H_1(y)) = e(P, H_1(y))^{rus}$
(6) Obtain a ciphertext set
Figure BDA0002515119520000077
Generating a ciphertext
Figure BDA0002515119520000078
The PK.TIK-Ext algorithm: at time $t \in \{0,1\}^*$, the set $\rho_t$ of nodes on the path of t in the binary tree is generated, and the time server releases the time trapdoor $D_t = \{d_x = sH_1(x) : x \in \rho_t\}$. Each user can verify its authenticity, i.e.
$\mathrm{Sign}(x): d_x = sH_1(x)$, $\mathrm{Ver}(d_x, x): e(sP, H_1(x)) = e(P, sH_1(x))$
where Sign() is a signature function and Ver() is a verification function.
The TIK-Chain algorithm takes the time trapdoor chain tikChain and the time trapdoor $D_t$ released by the time server as input, generates a node, and links the node to the tail of the time trapdoor chain tikChain to generate a new time trapdoor chain tikChain.
The SM4-PK.Dec algorithm: given a PEF, an encryption key ciphertext
Figure BDA0002515119520000081
the receiver private key sk and the time trapdoor chain tikChain, the cloud server proceeds as follows:
(1) acquire the tail node data of tikChain and generate the time t and the time trapdoor $D_t$
(2) generate the minimal root set of subtrees covering all time nodes in $[t_0, t_1]$
Figure BDA0002515119520000082
and the set $\rho_t$ of nodes on the path of t in the binary tree; calculate the unique element z at which $\rho_t$ and
Figure BDA0002515119520000083
intersect;
(3) computing
$K' = e(U, d_z)^u$
(4) Computing
Figure BDA0002515119520000084
Recover SM4 key MK;
if C is a correct ciphertext, then $U = rP$,
Figure BDA0002515119520000085
where $K = e(P, H_1(z))^{rus}$
Figure BDA0002515119520000086
The decryption correctness is verified as follows:
$K' = e(U, d_z)^u = e(rP, sH_1(z))^u = e(P, H_1(z))^{rus} = K$
Figure BDA0002515119520000087
(5) the PEF code sections are traversed, SM4.Dec(MK, code) is computed, the code sections are decrypted, and the OEF is un-shelled.
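An added example, not part of the patent text: a Python toy model of PK.Enc, PK.TIK-Ext and the key-recovery part of SM4-PK.Dec on the depth-3 tree of fig. 2, showing that the SM4 key is recovered only when the released time t lies in $[t_0, t_1]$. The pairing is simulated in a tiny group, so it checks the algebra only and offers no security; the function names, the toy parameters and the form V = MK xor H2(K) are assumptions, the last because the page's expression for V did not survive extraction.

```python
import hashlib
import secrets

# Constructed toy parameters (assumptions, not from the patent). G1 is modelled
# as Z_q, the integer a standing for the point aP, so P is 1 and sP is just s.
# G2 is the order-q subgroup of Z_p^* and e(aP, bP) = g^(ab). Discrete logs are
# trivial in this model: it checks the algebra and gives no security at all.
Q, P_MOD, G = 1019, 2039, 4
DEPTH = 3                                  # depth-3 tree: leaf times 0..7


def pairing(a, b):
    return pow(G, (a * b) % Q, P_MOD)


def h1(label):
    """H1: {0,1}* -> G1, forced non-zero."""
    digest = hashlib.sha256(b"H1|" + label.encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)


def h2(k, n):
    """H2: G2 -> {0,1}^n, with n counted in bytes here."""
    return hashlib.shake_256(b"H2|" + str(k).encode()).digest(n)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def path(t):
    """rho_t: labels of the nodes from the root ('') down to leaf t."""
    bits = format(t, f"0{DEPTH}b")
    return [bits[:i] for i in range(DEPTH + 1)]


def cover_set(t0, t1, node="", lo=0, hi=2 ** DEPTH - 1):
    """Minimal set of subtree roots whose leaves are exactly [t0, t1]."""
    if t1 < lo or hi < t0:
        return []
    if t0 <= lo and hi <= t1:
        return [node]
    mid = (lo + hi) // 2
    return (cover_set(t0, t1, node + "0", lo, mid)
            + cover_set(t0, t1, node + "1", mid + 1, hi))


def keygen(s_pub):
    """PK.KeyGen: sk = u, pk = (uP, usP); s_pub is the time server's sP."""
    u = 1 + secrets.randbelow(Q - 1)
    return u, (u, (u * s_pub) % Q)


def encrypt(mk, pk, ts_pub, t0, t1):
    """PK.Enc: one (U, V) pair per node y of the cover set of [t0, t1]."""
    u_p, us_p = pk
    if pairing(u_p, ts_pub) != pairing(1, us_p):    # e(uP, sP) == e(P, usP)
        raise ValueError("malformed user public key")
    parts = {}
    for y in cover_set(t0, t1):
        r = 1 + secrets.randbelow(Q - 1)
        k = pairing((r * us_p) % Q, h1(y))          # K = e(rusP, H1(y))
        parts[y] = (r, xor(mk, h2(k, len(mk))))     # U = rP; V form is ASSUMED
    return parts


def release_trapdoor(s, t):
    """PK.TIK-Ext: D_t = {d_x = s*H1(x) : x in rho_t}."""
    return {x: (s * h1(x)) % Q for x in path(t)}


def verify_trapdoor(ts_pub, d_t):
    """Ver(d_x, x): e(sP, H1(x)) == e(P, d_x) for every released node."""
    return all(pairing(ts_pub, h1(x)) == pairing(1, d) for x, d in d_t.items())


def decrypt(parts, u, d_t):
    """Key recovery of SM4-PK.Dec: MK, or None when t is outside [t0, t1]."""
    hits = [z for z in d_t if z in parts]           # rho_t intersect cover set
    if not hits:
        return None
    big_u, v = parts[hits[0]]
    k = pow(pairing(big_u, d_t[hits[0]]), u, P_MOD)  # K' = e(U, d_z)^u
    return xor(v, h2(k, len(v)))


if __name__ == "__main__":
    s = 1 + secrets.randbelow(Q - 1)                # TS-MSK; TS-MPK = (P, sP)
    u, pk = keygen(s)
    mk = secrets.token_bytes(16)                    # 128-bit SM4 key
    c = encrypt(mk, pk, s, 2, 5)
    for t in range(2 ** DEPTH):
        print(t, decrypt(c, u, release_trapdoor(s, t)) == mk)
```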
On the basis of the TSE-STUC scheme ξ, as shown in fig. 3, the invention discloses a software cloud timed use control method based on specific time encryption, which comprises the following steps:
s101, a software developer server S encrypts a code segment of the OEF by an encryption key MK in SM4 mode, then conducts shell adding operation on the OEF after the code segment is encrypted to obtain a shell added executable file PEF, and sends the PEF to a cloud server CS;
step S102, the software developer server S takes the public parameter as input, selects the private key of the user
Figure BDA0002515119520000088
Calculating the user public key $pk = (uP, usP)$, and sending sk to the user R; the public parameters comprise the system parameters params and the time server public key TS-MPK, where $params = \{k, q, G_1, G_2, e, P, H_1, H_2, n\}$ and TS-MPK $= (P, sP)$, where k is a security parameter, $G_1$ is an additive group, $G_2$ is a multiplicative group, $G_1$ and $G_2$ both have prime order q, $e: G_1 \times G_1 \to G_2$ is a bilinear map, and the hash functions are $H_1: \{0,1\}^* \to G_1$ and $H_2: G_2 \to \{0,1\}^n$, where n is the length of the plaintext,
Figure BDA0002515119520000091
is a generator randomly selected by the time server TS,
Figure BDA0002515119520000092
is the time server private key TS-MSK;
step S103, the software developer server S generates a ciphertext C according to the system parameters params, MK, pk, TS-MPK and the release time interval $[t_0, t_1]$, and sends C to the cloud server CS in advance;
step S104, the time server TS releases the time trapdoor $D_t = \{d_x = sH_1(x) : x \in \rho_t\}$ and broadcasts $D_t$, where $t \in \{0,1\}^*$ and $\rho_t$ is the set of nodes on the path of t in the binary tree; it is worth noting that $t \in \{0,1\}^*$ means that t is a binary string consisting of 0s and 1s which, when converted to decimal, lies within $[t_0, t_1]$;
step S105, the cloud server CS links the time trapdoor $D_t$ to the tail of the time trapdoor chain to generate a new time trapdoor chain tikChain;
step S106, the user R, within the time $[t_0, t_1]$, sends sk to the cloud server CS together with a command to run the PEF;
step S107, the cloud server CS runs the PEF and, after successful legitimate shell removal according to the ciphertext C, the user private key sk and the time trapdoor chain tikChain, runs the OEF.
Further, the step S103 includes:
step S103.1: verify that $e(uP, sP) = e(P, usP)$; when the equation holds, generate the minimal root set of subtrees covering all time nodes in $[t_0, t_1]$
Figure BDA0002515119520000093
Step S103.2: for each
Figure BDA0002515119520000094
Randomly selecting r to
Figure BDA0002515119520000095
Calculating rP and rusP;
computing
$K = e(rusP, H_1(y)) = e(P, H_1(y))^{rus}$
Obtain a ciphertext set
Figure BDA0002515119520000096
Generating a ciphertext
Figure BDA0002515119520000097
It is to be noted that U and V are intermediate variables, $U = rP$,
Figure BDA0002515119520000101
Further, in the step S104, each user can verify the authenticity of the time trapdoor released by the time server, i.e.
$\mathrm{Sign}(x): d_x = sH_1(x)$, $\mathrm{Ver}(d_x, x): e(sP, H_1(x)) = e(P, sH_1(x))$
where Sign() is a signature function and Ver() is a verification function.
Further, the step S107 includes:
step S107.1: acquire the tail node data of tikChain and generate the time t and the time trapdoor $D_t$
Step S107.2: generate the minimal root set of subtrees covering all time nodes in $[t_0, t_1]$
Figure BDA0002515119520000102
and the set $\rho_t$ of nodes on the path of t in the binary tree; calculate the unique element z at which $\rho_t$ and
Figure BDA0002515119520000103
intersect;
step S107.3: computing
$K' = e(U, d_z)^u$
Step S107.4: computing
Figure BDA0002515119520000104
Step S107.5: it is determined whether K' is equal to K,
Figure BDA0002515119520000105
is equal to MK, that is, it is verified whether the following equations hold:
$K' = e(U, d_z)^u = e(rP, sH_1(z))^u = e(P, H_1(z))^{rus} = K$
Figure BDA0002515119520000106
if so, the code sections of the PEF are traversed, and SM4 decryption is performed on the code sections of the PEF, and the OEF is un-shelled.
On the basis of the above embodiment, as shown in fig. 4, the present invention further discloses a software cloud timing use control device based on specific time encryption, including:
the shell adding module 201 is used for the software developer server S to encrypt the code segment of the OEF by SM4 through the encryption key MK, then to add the shell of the OEF after the code segment is encrypted to obtain an executable file PEF after the shell is added, and to send the PEF to the cloud server CS;
a user public and private key pair generation module 202 for the software developer server S to select the user private key by using the public parameter as input
Figure BDA0002515119520000107
Calculating the user public key $pk = (uP, usP)$, and sending sk to the user R; the public parameters comprise the system parameters params and the time server public key TS-MPK, where $params = \{k, q, G_1, G_2, e, P, H_1, H_2, n\}$ and TS-MPK $= (P, sP)$, where k is a security parameter, $G_1$ is an additive group, $G_2$ is a multiplicative group, $G_1$ and $G_2$ both have prime order q, $e: G_1 \times G_1 \to G_2$ is a bilinear map, and the hash functions are $H_1: \{0,1\}^* \to G_1$ and $H_2: G_2 \to \{0,1\}^n$, where n is the length of the plaintext,
Figure BDA0002515119520000111
a generator randomly chosen for the time server TS,
Figure BDA0002515119520000112
is the time server private key TS-MSK;
the ciphertext generating module 203 is used for the software developer server S to generate a ciphertext C according to the system parameters params, MK, pk, TS-MPK and the release time interval $[t_0, t_1]$, and to send C to the cloud server CS in advance;
a time trapdoor release module 204, used for the time server TS to release the time trapdoor $D_t = \{d_x = sH_1(x) : x \in \rho_t\}$ and broadcast $D_t$, where $t \in \{0,1\}^*$ and $\rho_t$ is the set of nodes on the path of t in the binary tree;
a time trapdoor chain updating module 205, used for the cloud server CS to link the time trapdoor $D_t$ to the tail of the time trapdoor chain to generate a new time trapdoor chain tikChain;
a command sending module 206, used for the user R, within the time $[t_0, t_1]$, to send sk to the cloud server CS together with a command to run the PEF;
and the shelling operation module 207 is used for the cloud server CS to run the PEF and, after successful legitimate shell removal according to the ciphertext C, the user private key sk and the time trapdoor chain tikChain, to run the OEF.
Further, the ciphertext generating module 203 includes:
a first verification submodule for verifying that $e(uP, sP) = e(P, usP)$ and, when the equation holds, generating the minimal root set of subtrees covering all time nodes in $[t_0, t_1]$
Figure BDA0002515119520000113
A first calculation submodule for calculating for each
Figure BDA0002515119520000114
Randomly selecting r to
Figure BDA0002515119520000115
Calculating rP and rusP;
a second calculation submodule for calculating
$K = e(rusP, H_1(y)) = e(P, H_1(y))^{rus}$
Obtain a ciphertext set
Figure BDA0002515119520000121
Generating a ciphertext
Figure BDA0002515119520000122
Further, the shelling operation module 207 includes:
a time trapdoor acquisition module for acquiring the tail node data of tikChain and generating the time t and the time trapdoor $D_t$
A third calculation submodule for generating the minimal root set of subtrees covering all time nodes in $[t_0, t_1]$
Figure BDA0002515119520000123
and the set $\rho_t$ of nodes on the path of t in the binary tree, and calculating the unique element z at which $\rho_t$ and
Figure BDA0002515119520000124
intersect;
a fourth calculation submodule for calculating
$K' = e(U, d_z)^u$
A fifth calculation submodule for calculating
Figure BDA0002515119520000125
A shelling operation submodule for judging whether K' is equal to K,
Figure BDA0002515119520000126
whether or not it is equal to MK; if so, the code sections of the PEF are traversed, and SM4 decryption is performed on the code sections of the PEF, and the OEF is un-shelled.
To verify the effect of the invention, the following safety analyses were performed:
the cloud server, the time server and the software legal user are set to be honest and curious, and all the cloud server, the time server and the software legal user can be served according to the requirements of the rules. They do not collude with each other, but try to obtain the usage rights of the software from the information already obtained by themselves. Meanwhile, a malicious attacker may reversely crack the software executable code after the software is shelled or try to violently crack the personal private key of the legal user of the software, so that the use authority of the software is illegally obtained. The following security analysis is performed for threats to prove that the present invention is safe.
Theorem 1 the present invention prevents a time server from obtaining usage rights for software.
And (3) proving that: the time server is the producer of the time trapdoors, which owns all the time trapdoors that are generated and broadcast according to the rules. In this embodiment, the SM4 key is encrypted with the time server public key, the user public key, and the decryptable time interval before being sent. Since the time server does not have the user recipient's personal private key, the difficulty it wants to decrypt the SM4 key ciphertext to un-shell the running original executable on the cloud server is equivalent to breaking the cryptographic mechanism of a public key encryption, which is obviously very difficult. The theory is bound to obtain the syndrome.
Theorem 2. The present invention prevents the cloud server from obtaining usage rights for the software.
Proof: The cloud server is the container in which the software is un-shelled and run; it holds all the time trapdoors broadcast by the time server, the shelled executable file sent by the software developer, and the ciphertext of the SM4 key sent by the software developer. In the invention, the SM4 key is encrypted with the time server public key, the user public key and the decryptable time interval before being sent. Since the cloud server does not have the receiving user's personal private key, decrypting the SM4 key ciphertext in order to un-shell and run the original executable file is as hard as breaking the public-key encryption mechanism, which is obviously very difficult. In addition, if the cloud server wants to perform reverse analysis on the shelled executable file, the difficulty is equivalent to breaking the SM4 encryption mechanism, which is obviously very difficult. Although un-shelling is performed on the cloud server to restore the code segments of the original executable file, the restoration takes place in memory at run time, so it is very difficult for the cloud server to reverse-engineer the contents of those code segments. This completes the proof.
Theorem 3. The present invention prevents legitimate users of the software from using the software before and after the specified usage time interval.
Proof: The legitimate software user has their own personal private key and all the time trapdoors broadcast by the time server. In the invention, the SM4 key is encrypted with the time server public key, the user public key and the decryptable time interval before being sent. Because the time trapdoor at the tail node of the time trapdoor chain on the cloud server at that moment is not a time trapdoor within the decryptable time interval, decrypting the SM4 key ciphertext in order to un-shell and run the original executable file on the cloud server is as hard as breaking the public-key encryption mechanism, which is obviously very difficult. This completes the proof.
Theorem 4. The present invention prevents a malicious attacker from obtaining usage rights for the software.
Proof: A malicious attacker may interact with the cloud server. In the scheme, the SM4 key is encrypted with the time server public key, the user public key and the decryptable time interval before being sent, and a malicious attacker does not have a legitimate user's personal private key, so decrypting the SM4 key ciphertext in order to un-shell and run the original executable file on the cloud server is as hard as breaking the public-key encryption mechanism, which is obviously very difficult. In addition, if a malicious attacker wants to obtain the shelled executable file for reverse cracking, the attacker first needs to attack the cloud server to obtain the shelled executable file illegally and then attack the SM4 encryption mechanism. This is obviously even more difficult. This completes the proof.
In summary, the present invention provides an implementation scheme based on double encryption, shell adding and specific time encryption, with the purpose of implementing timed use control and further kinds of software use-time control. The above formal definitions and embodiments illustrate how the present invention can restrict a software user to a given period of time, and more varied control schemes can be derived from the above variations. In terms of security, on the one hand, because the shelled executable file is started on the cloud server, the scheme prevents an illegitimate software user from circumventing the time limit by reverse analysis of the software or similar means; on the other hand, by adding the time server and introducing the time trapdoor chain, it prevents the time limit from being circumvented through collusion between an illegitimate software user and the cloud server. In terms of practical value, the scheme gives software developers a reliable way to limit the use of software by regular or irregular usage time, frequency and the like, which can effectively lower the price threshold for purchasing software and help developers increase sales. Customers who use the software regularly and for short periods can save greatly on software costs. In addition, introducing the shell-adding technique for the software executable file strengthens protection of the software in the cloud and improves the generality of the scheme. With the software shell-adding technique, a software developer can skip developing an account management system solely to implement software use control, which greatly reduces the developer's development burden and operation and maintenance costs.
The above shows only the preferred embodiments of the present invention, and it should be noted that it is obvious to those skilled in the art that various modifications and improvements can be made without departing from the principle of the present invention, and these modifications and improvements should also be considered as the protection scope of the present invention.

Claims (6)

1. A software cloud timed use control method based on specific time encryption is characterized by comprising the following steps:
step 1, a software developer server S encrypts the code segment of an original executable file OEF with SM4 using an encryption key MK, then performs a shell-adding operation on the OEF whose code segment has been encrypted to obtain a shelled executable file PEF, and sends the PEF to a cloud server CS;
step 2, the software developer server S takes the public parameters as input, selects the private key of the user
Figure FDA0002515119510000011
calculates the user public key $pk = (uP, usP)$, and sends sk to the user R; the public parameters comprise the system parameters params and the time server public key TS-MPK, where $params = \{k, q, G_1, G_2, e, P, H_1, H_2, n\}$ and $TS\text{-}MPK = (P, sP)$; k is a security parameter, $G_1$ is an additive group, $G_2$ is a multiplicative group, $G_1$ and $G_2$ both have prime order q, $e: G_1 \times G_1 \to G_2$ is a bilinear map, and the hash functions are $H_1: \{0,1\}^* \to G_1$ and $H_2: G_2 \to \{0,1\}^n$, where n is the length of the plaintext,
Figure FDA0002515119510000012
a generator randomly chosen for the time server TS,
Figure FDA0002515119510000013
is the time server private key TS-MSK;
step 3, the software developer server S generates a ciphertext C according to the system parameters params, MK, pk, TS-MPK and the release time interval $[t_0, t_1]$, and sends C to the cloud server CS in advance;
step 4, the time server TS releases the time trapdoor $D_t = \{d_x = sH_1(x) : x \in \rho_t\}$ and broadcasts $D_t$, where $t \in \{0,1\}^*$ and $\rho_t$ is the set of nodes on the path of t in the binary tree;
step 5, the cloud server CS links the time trapdoor $D_t$ to the tail of the time trapdoor chain to generate a new time trapdoor chain tikChain;
step 6, the user R, within the time $[t_0, t_1]$, sends sk to the cloud server CS and sends a command to run the PEF;
step 7, the cloud server CS runs the PEF, and runs the OEF after successful legitimate un-shelling according to the ciphertext C, the user private key sk and the time trapdoor chain tikChain.
2. The method for controlling the timed usage of the software cloud based on specific time encryption of claim 1, wherein the step 3 comprises:
step 3.1: verify that $e(uP, sP) = e(P, usP)$; when the equation holds, generate the minimal root set of subtrees covering all time nodes in $[t_0, t_1]$
Figure FDA0002515119510000021
Step 3.2: for each
Figure FDA0002515119510000022
Randomly selecting r to
Figure FDA0002515119510000023
Calculating rP and rusP;
computing
$K = e(rusP, H_1(y)) = e(P, H_1(y))^{rus}$
Obtain a ciphertext set
Figure FDA0002515119510000024
Generating a ciphertext
Figure FDA0002515119510000025
3. The method for controlling timed usage of software cloud based on specific time encryption according to claim 2, wherein said step 7 includes:
step 7.1: acquire the tail node data of tikChain, and generate the time t and the time trapdoor $D_t$
Step 7.2: generate the minimal root set of subtrees covering all time nodes in $[t_0, t_1]$
Figure FDA0002515119510000026
and the set $\rho_t$ of nodes on the path of t in the binary tree, and calculate, for $\rho_t$ and
Figure FDA0002515119510000027
the unique element z in their intersection;
step 7.3: computing
$K' = e(U, d_z)^u$
Step 7.4: computing
Figure FDA0002515119510000028
Step 7.5: it is determined whether K' is equal to K,
Figure FDA0002515119510000029
whether or not it is equal to MK; if so, the code sections of the PEF are traversed, and SM4 decryption is performed on the code sections of the PEF, and the OEF is un-shelled.
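The tree bookkeeping in steps 3.1 and 7.2 can be checked without any pairing arithmetic. The following Python sketch is an added illustration, not part of the patent text: it assumes a complete binary tree of depth 4 whose leaves are the time instants 0..15 numbered left to right, labels each node by its bit-string prefix (root = empty string), and uses hypothetical function names. It shows that a trapdoor path for time t meets the minimal root set in exactly one node z when t lies in $[t_0, t_1]$ and in none otherwise.

```python
# Added illustration of the binary-tree cover used in steps 3.1 and 7.2.
# Assumptions (not from the patent): tree depth 4, node labels are bit-string
# prefixes with the root labelled "", and all function names are hypothetical.

DEPTH = 4  # 2**4 = 16 time instants, leaves "0000" .. "1111"


def path_nodes(leaf):
    """rho_t: labels of every node on the root-to-leaf path of `leaf`."""
    return {leaf[:i] for i in range(len(leaf) + 1)}


def min_root_set(t0, t1, depth=DEPTH):
    """Minimal set of subtree roots whose leaves are exactly t0..t1."""
    if not 0 <= t0 <= t1 < 2 ** depth:
        raise ValueError("need 0 <= t0 <= t1 < 2**depth")
    roots = []

    def walk(label, lo, hi):
        if hi < t0 or lo > t1:        # subtree entirely outside the interval
            return
        if t0 <= lo and hi <= t1:     # subtree entirely inside: take its root
            roots.append(label)
            return
        mid = (lo + hi) // 2          # partial overlap: descend into children
        walk(label + "0", lo, mid)
        walk(label + "1", mid + 1, hi)

    walk("", 0, 2 ** depth - 1)
    return roots


def unlocking_node(t, t0, t1, depth=DEPTH):
    """Unique z in rho_t ∩ root set, or None when t is outside [t0, t1]."""
    leaf = format(t, "0{}b".format(depth))
    hits = path_nodes(leaf) & set(min_root_set(t0, t1, depth))
    if len(hits) > 1:
        raise RuntimeError("root set is not a disjoint cover")
    return next(iter(hits), None)


if __name__ == "__main__":
    t0, t1 = 3, 12                    # constructed sample interval
    print("root set:", min_root_set(t0, t1))
    for t in range(2 ** DEPTH):
        print(t, format(t, "04b"), "->", unlocking_node(t, t0, t1))
```

Only the trapdoor component $d_z$ for that single node z is needed in step 7.3; a chain tail whose time lies outside the interval yields no z.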
4. A software cloud timed use control device based on specific time encryption is characterized by comprising:
a shell-adding module used for the software developer server S to encrypt the code segment of the original executable file OEF with SM4 using the encryption key MK, then perform a shell-adding operation on the OEF whose code segment has been encrypted to obtain a shelled executable file PEF, and send the PEF to the cloud server CS;
a user public and private key pair generation module used for selecting a user private key by the software developer server S by taking the public parameter as input
Figure FDA00025151195100000210
calculating the user public key $pk = (uP, usP)$, and sending sk to the user R; the public parameters comprise the system parameters params and the time server public key TS-MPK, where $params = \{k, q, G_1, G_2, e, P, H_1, H_2, n\}$ and $TS\text{-}MPK = (P, sP)$; k is a security parameter, $G_1$ is an additive group, $G_2$ is a multiplicative group, $G_1$ and $G_2$ both have prime order q, $e: G_1 \times G_1 \to G_2$ is a bilinear map, and the hash functions are $H_1: \{0,1\}^* \to G_1$ and $H_2: G_2 \to \{0,1\}^n$, where n is the length of the plaintext,
Figure FDA0002515119510000031
a generator randomly chosen for the time server TS,
Figure FDA0002515119510000032
is the time server private key TS-MSK;
a ciphertext generation module used for the software developer server S to generate a ciphertext C according to the system parameters params, MK, pk, TS-MPK and the release time interval $[t_0, t_1]$, and send C to the cloud server CS in advance;
a time trapdoor release module used for the time server TS to release the time trapdoor $D_t = \{d_x = sH_1(x) : x \in \rho_t\}$ and broadcast $D_t$, where $t \in \{0,1\}^*$ and $\rho_t$ is the set of nodes on the path of t in the binary tree;
a time trapdoor chain updating module used for the cloud server CS to link the time trapdoor $D_t$ to the tail of the time trapdoor chain to generate a new time trapdoor chain tikChain;
a command sending module used for the user R, within the time $[t_0, t_1]$, to send sk to the cloud server CS and send a command to run the PEF;
and a shelling operation module used for the cloud server CS to run the PEF, and to run the OEF after successful legitimate un-shelling according to the ciphertext C, the user private key sk and the time trapdoor chain tikChain.
5. The device for controlling timed usage of software cloud based on specific-time encryption according to claim 4, wherein the ciphertext generation module comprises:
a first verification submodule for verifying that $e(uP, sP) = e(P, usP)$ and, when the equation holds, generating the minimal root set of subtrees covering all time nodes in $[t_0, t_1]$
Figure FDA0002515119510000033
A first calculation submodule for calculating for each
Figure FDA0002515119510000034
Randomly selecting r to
Figure FDA0002515119510000035
Calculating rP and rusP;
a second calculation submodule for calculating
$K = e(rusP, H_1(y)) = e(P, H_1(y))^{rus}$
Obtain a ciphertext set
Figure FDA0002515119510000041
Generating a ciphertext
Figure FDA0002515119510000042
6. The device for controlling timed usage of software cloud based on specific time encryption according to claim 5, wherein the de-shelling operation module comprises:
a time trapdoor acquisition module used for acquiring the tail node data of tikChain and generating the time t and the time trapdoor $D_t$
A third calculation submodule for generating the minimal root set of subtrees covering all time nodes in $[t_0, t_1]$
Figure FDA0002515119510000043
and the set $\rho_t$ of nodes on the path of t in the binary tree, and calculating, for $\rho_t$ and
Figure FDA0002515119510000044
the unique element z in their intersection;
a fourth calculation submodule for calculating
$K' = e(U, d_z)^u$
A fifth calculation submodule for calculating
Figure FDA0002515119510000045
A shelling operation submodule for judging whether K' is equal to K,
Figure FDA0002515119510000046
whether or not it is equal to MK; if so, the code sections of the PEF are traversed, and SM4 decryption is performed on the code sections of the PEF, and the OEF is un-shelled.
CN202010473555.3A 2020-05-29 2020-05-29 Software cloud timing use control method and device based on specific time encryption Active CN111639310B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010473555.3A CN111639310B (en) 2020-05-29 2020-05-29 Software cloud timing use control method and device based on specific time encryption

Publications (2)

Publication Number Publication Date
CN111639310A true CN111639310A (en) 2020-09-08
CN111639310B CN111639310B (en) 2023-05-16

Family

ID=72331194



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant