CN111639310A - Software cloud timed use control method and device based on specific time encryption - Google Patents
- Publication number
- CN111639310A (CN202010473555.3A)
- Authority
- CN
- China
- Prior art keywords
- time
- server
- software
- pef
- user
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/51—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
Abstract
The invention discloses a software cloud timed use control method based on specific time encryption, which comprises the following steps: the software developer server S performs SM4 encryption on the OEF with the key MK, generates a PEF after adding a shell, and sends the PEF to the cloud server CS; S computes the user's public and private key pair and sends the private key to the user R; S generates a ciphertext C from params, MK, pk, TS-MPK and $[t_0,t_1]$ and sends C to the CS; the time server TS releases the time trapdoor $D_t=\{d_x=sH_1(x): x\in\rho_t\}$ and broadcasts it; the CS links $D_t$ to generate a new time trapdoor chain tikChain; R sends sk to the CS within $[t_0,t_1]$, together with a command to run the PEF; the CS runs the PEF, unshells it according to C, sk and tikChain, and then runs the OEF. The invention also discloses a software cloud timed use control device based on specific time encryption. The method and the device prevent illegal software users from breaking the time limit by means such as reverse analysis of the software, and offer higher security.
Description
Technical Field
The invention belongs to the technical field of software timing use control, and particularly relates to a software cloud timing use control method and device based on specific time encryption.
Background
With the rapid development of modern society, new application requirements keep emerging. One such application scenario: a company needs to use a large piece of expensive software periodically, such as at the end of each month. If the software is purchased outright, it is difficult to recoup the cost. In this case, paying for usage time saves the company money. A mechanism for controlling software use time is therefore needed to meet this requirement.
Software use time limits are implemented in two ways, local verification and server verification (https://blog.csdn.net/lizhaoen003/arrow/details/51475450). In local verification, two time values are stored in the registry or in a certain file or sector: one is the installation time of the software, the other is the latest running time of the software. Each time the software starts, the current time is compared with the latest running time, and once that check passes, the current time is compared with the installation time, which enforces the use time limit. Because local verification records the time values locally, an illegal software user can easily find and modify the recorded values to break the time limit.
In server verification, the server verifies the software use time and returns the verification result to the client, which then decides whether to continue running the subsequent code based on that result. Because the time check is placed on the server, this largely prevents an illegal software user from breaking the use time limit, but the threat remains that a software user can defeat the limit by reverse engineering the software or by modifying the time verification result exchanged with the server.
With the diversification of the software needs of enterprises and individual users, purchasing software according to need (such as time and frequency of use) is more readily accepted by software users: it effectively lowers the price threshold for purchasing software and reduces unnecessary expense. However, both the local verification method and the server verification method carry a high risk of being illegally cracked, so a new method of controlling and protecting software use time is needed to allow software to be used on a timed basis conveniently and securely.
Disclosure of Invention
The invention provides a software cloud timed use control method and device based on specific time encryption, aiming at the problem that local authentication and server authentication have high risk of being illegally cracked.
In order to achieve the purpose, the invention adopts the following technical scheme:
A software cloud timed use control method based on specific time encryption comprises the following steps:
Step 1: the software developer server S performs SM4 encryption on the code segment of the original executable file OEF with the encryption key MK, then performs a shell-adding operation on the OEF whose code segment has been encrypted to obtain the shelled executable file PEF, and sends the PEF to the cloud server CS;
Step 2: the software developer server S takes the public parameters as input, selects the user private key, computes the user public key $pk=(uP, usP)$, and sends sk to the user R; the public parameters comprise the system parameters params and the time server public key TS-MPK, where $params=\{k,q,G_1,G_2,e,P,H_1,H_2,n\}$ and TS-MPK $=(P,sP)$; k is a security parameter, $G_1$ is an additive group, $G_2$ is a multiplicative group, $G_1$ and $G_2$ have prime order q, the map $e: G_1\times G_1\to G_2$ is a bilinear mapping, the hash functions are $H_1:\{0,1\}^*\to G_1$ and $H_2: G_2\to\{0,1\}^n$, where n is the length of the plaintext, a generator randomly chosen for the time server TS, is the time server private key TS-MSK;
Step 3: the software developer server S generates a ciphertext C from the system parameters params, MK, pk, TS-MPK and the release time interval $[t_0,t_1]$, and sends C to the cloud server CS in advance;
Step 5: the cloud server CS links the time trapdoor $D_t$ to the tail of the time trapdoor chain to generate a new time trapdoor chain tikChain;
Step 6: the user R sends sk to the cloud server CS within $[t_0,t_1]$, together with a command to run the PEF;
Step 7: the cloud server CS runs the PEF and, after legitimate unshelling succeeds according to the ciphertext C, the user private key sk and the time trapdoor chain tikChain, runs the OEF.
Further, the step 3 comprises:
Step 3.1: verify that $e(uP, sP) = e(P, usP)$; when the equation holds, generate the minimal root set of subtrees covering all time nodes of $[t_0,t_1]$
Compute
$K = e(rusP, H_1(y)) = e(P, H_1(y))^{rus}$
Obtain a ciphertext set
Further, the step 7 includes:
Step 7.1: acquire the tail node data of tikChain, and generate the time t and the time trapdoor $D_t$;
Step 7.2: generate the minimal root set of subtrees covering all time nodes of $[t_0,t_1]$ and the set $\rho_t$ of nodes on the path of t in the binary tree, and compute the only element z in which $\rho_t$ and the minimal root set intersect;
Step 7.3: compute
$K' = e(U, d_z)^u$
Step 7.5: determine whether $K'$ is equal to K, whether or not it is equal to MK; if so, traverse the code sections of the PEF, perform SM4 decryption on them, and unshell to obtain the OEF.
A software cloud timed use control device based on specific time encryption comprises:
a shell adding module, used for the software developer server S to perform SM4 encryption on the code segment of the original executable file OEF with the encryption key MK, then perform a shell-adding operation on the OEF whose code segment has been encrypted to obtain the shelled executable file PEF, and send the PEF to the cloud server CS;
a user public and private key pair generation module, used for the software developer server S to take the public parameters as input, select the user private key, compute the user public key $pk=(uP, usP)$, and send sk to the user R; the public parameters comprise the system parameters params and the time server public key TS-MPK, where $params=\{k,q,G_1,G_2,e,P,H_1,H_2,n\}$ and TS-MPK $=(P,sP)$; k is a security parameter, $G_1$ is an additive group, $G_2$ is a multiplicative group, $G_1$ and $G_2$ have prime order q, the map $e: G_1\times G_1\to G_2$ is a bilinear mapping, the hash functions are $H_1:\{0,1\}^*\to G_1$ and $H_2: G_2\to\{0,1\}^n$, where n is the length of the plaintext, a generator randomly chosen for the time server TS, is the time server private key TS-MSK;
a ciphertext generation module, used for the software developer server S to generate a ciphertext C from the system parameters params, MK, pk, TS-MPK and the release time interval $[t_0,t_1]$, and send C to the cloud server CS in advance;
a time trapdoor release module, used for the time server TS to release the time trapdoor $D_t=\{d_x=sH_1(x): x\in\rho_t\}$ and broadcast $D_t$, where $t\in\{0,1\}^*$ and $\rho_t$ is the set of nodes on the path of t in the binary tree;
a time trapdoor chain updating module, used for the cloud server CS to link the time trapdoor $D_t$ to the tail of the time trapdoor chain to generate a new time trapdoor chain tikChain;
a command sending module, used for the user R to send sk to the cloud server CS within $[t_0,t_1]$, together with a command to run the PEF;
and a shelling operation module, used for the cloud server CS to run the PEF and, after legitimate unshelling succeeds according to the ciphertext C, the user private key sk and the time trapdoor chain tikChain, run the OEF.
Further, the ciphertext generating module comprises:
a first verification submodule, used for verifying that $e(uP, sP) = e(P, usP)$ and, when the equation holds, generating the minimal root set of subtrees covering all time nodes of $[t_0,t_1]$
a first calculation submodule, used for randomly selecting r for each and calculating rP and rusP;
a second calculation submodule, used for calculating
$K = e(rusP, H_1(y)) = e(P, H_1(y))^{rus}$
Obtain a ciphertext set
Further, the shelling operating module comprises:
a time trapdoor acquisition module, used for acquiring the tail node data of tikChain and generating the time t and the time trapdoor $D_t$;
a third calculation submodule, used for generating the minimal root set of subtrees covering all time nodes of $[t_0,t_1]$ and the set $\rho_t$ of nodes on the path of t in the binary tree, and computing the only element z in which $\rho_t$ and the minimal root set intersect;
a fourth calculation submodule, used for calculating
$K' = e(U, d_z)^u$
a shelling operation submodule, used for determining whether $K'$ is equal to K, whether or not it is equal to MK; if so, the code sections of the PEF are traversed, SM4 decryption is performed on them, and the OEF is unshelled.
Compared with the prior art, the invention has the following beneficial effects:
In terms of security, on the one hand, because the shelled software is started on the cloud server, the method prevents illegal software users from breaking the time limit by means such as reverse analysis of the software; on the other hand, because a time server is added and a time trapdoor chain is introduced, it prevents the time limit from being broken through collusion between an illegal software user and the cloud server. In terms of practical value, the invention gives software developers a way to reliably limit software use, regularly or irregularly, by use time, frequency and the like, which can effectively lower the price threshold for purchasing software and help developers increase sales. For customers who use the software regularly and for short periods, the cost of using the software can be greatly reduced. In addition, the shell-adding technology applied to the software executable file strengthens the protection of the software in the cloud and improves the universality of the invention. With the shell-adding technology, a software developer can skip developing an account management system solely to implement software use control, which greatly reduces the developer's development pressure and operation and maintenance costs.
Drawings
FIG. 1 is a schematic diagram of a software cloud timed-use system architecture based on specific time encryption;
FIG. 2 is a schematic diagram of a binary tree structure with depth 3;
fig. 3 is a basic flowchart of a software cloud timing use control method based on specific time encryption according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a software cloud timed-use control device based on specific-time encryption according to an embodiment of the present invention.
Detailed Description
The invention is further illustrated by the following examples in conjunction with the accompanying drawings:
Suppose that the software user R purchases from the software developer permission to use the software during the time interval $[t_0,t_1]$; then R, holding the private key, can open and use the software only within $[t_0,t_1]$. Such a system is called a software cloud timed-use system based on specific time encryption, as shown in fig. 1. Its formal definition is given below.
Definition 1 (TSE-STUC scheme ξ). The scheme includes four entities, the time server TS, the cloud server CS, the software developer S and the software user R, and the algorithm 8-tuple $\xi_{TSE\text{-}STUC}$ = (MK-Setup, SM4.Enc, PK.Setup, PK.KeyGen, PK.Enc, PK.TIK-Ext, TIK-Chain, SM4-PK.Dec).
The MK-Setup algorithm initializes the SM4 encryption key MK: each time, it randomly chooses a number and assigns it to the key, generating the SM4 encryption key MK.
The SM4.Enc algorithm: given the original executable file OEF and the encryption key MK, the software developer performs the following operations: using MK, first perform SM4 encryption on the code segment of the OEF, then perform the shell-adding operation (the entry address of the OEF is changed to the entry address of the shell program, and the shell program is a dll running program), generating the corresponding shelled executable file PEF = SM4.Enc(MK, OEF).
The PK.Setup algorithm initializes the parameters: given a security parameter k and a time length T, the algorithm outputs the system parameters $params=\{k,q,G_1,G_2,e,P,H_1,H_2,n\}$, the time server public and private key pair (TS-MPK, TS-MSK) and the depth d ($T=2^d$), as shown in fig. 2. Here $G_1$ is an additive group, $G_2$ is a multiplicative group, $G_1$ and $G_2$ have prime order q, and the map $e: G_1\times G_1\to G_2$ is a bilinear map satisfying definition 1; the hash functions are $H_1:\{0,1\}^*\to G_1$ and $H_2: G_2\to\{0,1\}^n$, where n is the plaintext length; the time server randomly selects a generator and a time server private key, with the corresponding public key TS-MPK $=(P, sP)$. params and TS-MPK are public parameters.
The PK.KeyGen algorithm takes the public parameters as input, selects the user private key, and computes the user public key $pk=(uP, usP)$.
The PK.Enc algorithm: given an SM4 key MK, a receiver's public key $pk=(uP, usP)$, the time server's public key TS-MPK $=(P, sP)$, and a release time interval $[t_0,t_1]$, the software developer performs the following operations:
(1) verify that $e(uP, sP) = e(P, usP)$; the following operations are performed only if the equation holds;
(5) compute
$K = e(rusP, H_1(y)) = e(P, H_1(y))^{rus}$
(6) Obtain a ciphertext set
The PK.TIK-Ext algorithm: for example, at time $t\in\{0,1\}^*$, generate the set $\rho_t$ of nodes on the path of t in the binary tree; the time server releases the time trapdoor $D_t=\{d_x=sH_1(x): x\in\rho_t\}$. Each user can verify its authenticity, i.e.
Sign(x): $d_x=sH_1(x)$, Ver($d_x$, x): $e(sP, H_1(x)) = e(P, sH_1(x))$
where Sign() is a signature function and Ver() is a verification function.
The TIK-Chain algorithm takes the time trapdoor chain tikChain and the time trapdoor $D_t$ published by the time server as input, generates a node, and links the node to the tail of tikChain to generate a new time trapdoor chain tikChain.
The SM4-PK.Dec algorithm: given a PEF, an encryption key ciphertext, the receiver private key sk and the time trapdoor chain tikChain, the cloud server proceeds as follows:
(1) acquire the tail node data of tikChain, and generate the time t and the time trapdoor $D_t$;
(2) generate the minimal root set of subtrees covering all time nodes of $[t_0,t_1]$ and the set $\rho_t$ of nodes on the path of t in the binary tree, and compute the only element z in which $\rho_t$ and the minimal root set intersect;
(3) compute
$K' = e(U, d_z)^u$
If C is a correct ciphertext, then $U=rP$, where $K=e(P, H_1(z))^{rus}$. The decryption correctness is verified as follows:
$K' = e(U, d_z)^u = e(rP, sH_1(z))^u = e(P, H_1(z))^{rus} = K$
(5) traverse the PEF code sections, compute SM4.Dec(MK, code), decrypt the code sections and unshell to obtain the OEF.
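Both the cover-set generation in encryption and step (2) of decryption rest on one property of the binary tree: the path of t meets the minimal root set covering $[t_0,t_1]$ in exactly one node z when t lies in the interval, and in no node otherwise. The Python code below is an added example, not code from the patent; labelling each node by the bit prefix that leads to it (root = empty string), treating times as integers in $[0, 2^d-1]$, and the function names are assumptions.

```python
from __future__ import annotations


def path_nodes(t: int, d: int) -> list[str]:
    """rho_t: labels of all nodes on the root-to-leaf path of time t.

    Assumed labelling: the root is "", and every other node is named by the
    bit prefix that leads to it, so leaf t is t written as d bits.
    """
    if not 0 <= t < 2 ** d:
        raise ValueError("t must be a leaf of the depth-d tree")
    bits = format(t, f"0{d}b")
    return [bits[:i] for i in range(d + 1)]


def cover_set(t0: int, t1: int, d: int) -> list[str]:
    """Minimal set of subtree roots whose leaves are exactly [t0, t1]."""
    if not 0 <= t0 <= t1 < 2 ** d:
        raise ValueError("need 0 <= t0 <= t1 < 2**d")
    roots: list[str] = []

    def visit(prefix: str, lo: int, hi: int) -> None:
        # [lo, hi] is the range of leaves below the node named `prefix`.
        if hi < t0 or lo > t1:
            return                      # subtree entirely outside the interval
        if t0 <= lo and hi <= t1:
            roots.append(prefix)        # subtree entirely inside: take its root
            return
        mid = (lo + hi) // 2            # partial overlap: descend into children
        visit(prefix + "0", lo, mid)
        visit(prefix + "1", mid + 1, hi)

    visit("", 0, 2 ** d - 1)
    return roots


def decryption_node(t: int, t0: int, t1: int, d: int) -> str | None:
    """Return z, the single node shared by rho_t and the cover set.

    Returns None when t is outside [t0, t1]: no trapdoor d_x published for
    time t then matches any ciphertext component, so K' cannot be formed.
    """
    common = set(path_nodes(t, d)) & set(cover_set(t0, t1, d))
    if not common:
        return None
    # Cover-set subtrees are disjoint, so a path can cross at most one root.
    (z,) = common
    return z


if __name__ == "__main__":
    d, t0, t1 = 3, 2, 6                 # constructed sample: depth-3 tree as in fig. 2
    print("cover set:", cover_set(t0, t1, d))
    for t in range(2 ** d):
        print(t, path_nodes(t, d), "->", decryption_node(t, t0, t1, d))
```

The ciphertext needs one component per cover-set node, at most about 2d of them, rather than one per time unit in the interval.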
On the basis of the TSE-STUC scheme ξ, as shown in fig. 3, the invention discloses a software cloud timed use control method based on specific time encryption, which comprises the following steps:
Step S101: the software developer server S performs SM4 encryption on the code segment of the OEF with the encryption key MK, then performs a shell-adding operation on the OEF whose code segment has been encrypted to obtain the shelled executable file PEF, and sends the PEF to the cloud server CS;
Step S102: the software developer server S takes the public parameters as input, selects the user private key, computes the user public key $pk=(uP, usP)$, and sends sk to the user R; the public parameters comprise the system parameters params and the time server public key TS-MPK, where $params=\{k,q,G_1,G_2,e,P,H_1,H_2,n\}$ and TS-MPK $=(P,sP)$; k is a security parameter, $G_1$ is an additive group, $G_2$ is a multiplicative group, $G_1$ and $G_2$ have prime order q, the map $e: G_1\times G_1\to G_2$ is a bilinear mapping, the hash functions are $H_1:\{0,1\}^*\to G_1$ and $H_2: G_2\to\{0,1\}^n$, where n is the length of the plaintext, the time server TS randomly selects a generator, is the time server private key TS-MSK;
Step S103: the software developer server S generates a ciphertext C from the system parameters params, MK, pk, TS-MPK and the release time interval $[t_0,t_1]$, and sends C to the cloud server CS in advance;
Step S104: the time server TS releases the time trapdoor $D_t=\{d_x=sH_1(x): x\in\rho_t\}$ and broadcasts $D_t$, where $t\in\{0,1\}^*$ and $\rho_t$ is the set of nodes on the path of t in the binary tree; note that $t\in\{0,1\}^*$ means that t is a binary string consisting of 0s and 1s which, converted to decimal, lies within $[t_0,t_1]$;
Step S105: the cloud server CS links the time trapdoor $D_t$ to the tail of the time trapdoor chain to generate a new time trapdoor chain tikChain;
Step S106: the user R sends sk to the cloud server CS within $[t_0,t_1]$, together with a command to run the PEF;
Step S107: the cloud server CS runs the PEF and, after legitimate unshelling succeeds according to the ciphertext C, the user private key sk and the time trapdoor chain tikChain, runs the OEF.
Further, the step S103 includes:
Step S103.1: verify that $e(uP, sP) = e(P, usP)$; when the equation holds, generate the minimal root set of subtrees covering all time nodes of $[t_0,t_1]$
Compute
$K = e(rusP, H_1(y)) = e(P, H_1(y))^{rus}$
Obtain a ciphertext set
Further, in step S104, each user can verify the authenticity of the time trapdoor issued by the time server, i.e.
Sign(x): $d_x=sH_1(x)$, Ver($d_x$, x): $e(sP, H_1(x)) = e(P, sH_1(x))$
where Sign() is a signature function and Ver() is a verification function.
Further, the step S107 includes:
Step S107.1: acquire the tail node data of tikChain, and generate the time t and the time trapdoor $D_t$;
Step S107.2: generate the minimal root set of subtrees covering all time nodes of $[t_0,t_1]$ and the set $\rho_t$ of nodes on the path of t in the binary tree, and compute the only element z in which $\rho_t$ and the minimal root set intersect;
Step S107.3: compute
$K' = e(U, d_z)^u$
Step S107.5: determine whether $K'$ is equal to K, if it is equal to MK, it is verified whether the following equation holds:
$K' = e(U, d_z)^u = e(rP, sH_1(z))^u = e(P, H_1(z))^{rus} = K$
If so, the code sections of the PEF are traversed, SM4 decryption is performed on them, and the OEF is unshelled.
On the basis of the above embodiment, as shown in fig. 4, the present invention further discloses a software cloud timing use control device based on specific time encryption, including:
a shell adding module 201, used for the software developer server S to perform SM4 encryption on the code segment of the OEF with the encryption key MK, then perform a shell-adding operation on the OEF whose code segment has been encrypted to obtain the shelled executable file PEF, and send the PEF to the cloud server CS;
a user public and private key pair generation module 202, used for the software developer server S to take the public parameters as input, select the user private key, compute the user public key $pk=(uP, usP)$, and send sk to the user R; the public parameters comprise the system parameters params and the time server public key TS-MPK, where $params=\{k,q,G_1,G_2,e,P,H_1,H_2,n\}$ and TS-MPK $=(P,sP)$; k is a security parameter, $G_1$ is an additive group, $G_2$ is a multiplicative group, $G_1$ and $G_2$ have prime order q, the map $e: G_1\times G_1\to G_2$ is a bilinear mapping, the hash functions are $H_1:\{0,1\}^*\to G_1$ and $H_2: G_2\to\{0,1\}^n$, where n is the length of the plaintext, a generator randomly chosen for the time server TS, is the time server private key TS-MSK;
a ciphertext generating module 203, used for the software developer server S to generate a ciphertext C from the system parameters params, MK, pk, TS-MPK and the release time interval $[t_0,t_1]$, and send C to the cloud server CS in advance;
a time trapdoor publishing module 204, used for the time server TS to release the time trapdoor $D_t=\{d_x=sH_1(x): x\in\rho_t\}$ and broadcast $D_t$, where $t\in\{0,1\}^*$ and $\rho_t$ is the set of nodes on the path of t in the binary tree;
a time trapdoor chain updating module 205, used for the cloud server CS to link the time trapdoor $D_t$ to the tail of the time trapdoor chain to generate a new time trapdoor chain tikChain;
a command sending module 206, used for the user R to send sk to the cloud server CS within $[t_0,t_1]$, together with a command to run the PEF;
and a shelling operation module 207, used for the cloud server CS to run the PEF and, after legitimate unshelling succeeds according to the ciphertext C, the user private key sk and the time trapdoor chain tikChain, run the OEF.
Further, the ciphertext generating module 203 includes:
a first verification submodule, used for verifying that $e(uP, sP) = e(P, usP)$ and, when the equation holds, generating the minimal root set of subtrees covering all time nodes of $[t_0,t_1]$
a first calculation submodule, used for randomly selecting r for each and calculating rP and rusP;
a second calculation submodule, used for calculating
$K = e(rusP, H_1(y)) = e(P, H_1(y))^{rus}$
Obtain a ciphertext set
Further, the shelling operation module 207 includes:
a time trapdoor acquisition module, used for acquiring the tail node data of tikChain and generating the time t and the time trapdoor $D_t$;
a third calculation submodule, used for generating the minimal root set of subtrees covering all time nodes of $[t_0,t_1]$ and the set $\rho_t$ of nodes on the path of t in the binary tree, and computing the only element z in which $\rho_t$ and the minimal root set intersect;
a fourth calculation submodule, used for calculating
$K' = e(U, d_z)^u$
a shelling operation submodule, used for determining whether $K'$ is equal to K, whether or not it is equal to MK; if so, the code sections of the PEF are traversed, SM4 decryption is performed on them, and the OEF is unshelled.
To verify the effect of the invention, the following security analysis was performed:
The cloud server, the time server and the legitimate software user are assumed to be honest but curious: all of them provide service as the rules require. They do not collude with each other, but each tries to obtain usage rights to the software from the information it already holds. Meanwhile, a malicious attacker may reverse engineer the software's executable code after the software is unshelled, or try to brute-force the personal private key of a legitimate software user, in order to obtain usage rights illegally. The following security analysis addresses these threats to prove that the invention is secure.
Theorem 1. The invention prevents the time server from obtaining usage rights to the software.
Proof: The time server is the producer of the time trapdoors and owns all the time trapdoors, which are generated and broadcast according to the rules. In this embodiment, the SM4 key is encrypted with the time server public key, the user public key and the decryptable time interval before being sent. Since the time server does not have the user's personal private key, the difficulty it faces in decrypting the SM4 key ciphertext, in order to unshell and run the original executable file on the cloud server, is equivalent to breaking a public key encryption mechanism, which is obviously very difficult. This completes the proof.
Theorem 2. The invention prevents the cloud server from obtaining usage rights to the software.
Proof: The cloud server is the container in which the software is unshelled and run. It holds all the time trapdoors broadcast by the time server, the shelled executable file sent by the software developer, and the ciphertext of the SM4 key sent by the software developer. In the invention, the SM4 key is encrypted with the time server public key, the user public key and the decryptable time interval before being sent. Since the cloud server does not have the user's personal private key, the difficulty it faces in decrypting the SM4 key ciphertext, in order to unshell and run the original executable file, is equivalent to breaking a public key encryption mechanism, which is obviously very difficult. In addition, if the cloud server wants to perform reverse analysis on the shelled executable file, the difficulty is equivalent to breaking the SM4 encryption mechanism, which is obviously very difficult. Although unshelling is performed on the cloud server to restore the code segments of the original executable file, this restoration takes place in memory while the program is running, so it is very difficult for the cloud server to reverse the contents of the original code segments. This completes the proof.
Theorem 3. The invention prevents legitimate users of the software from using the software before or after the specified usage time interval.
Proof: The legitimate software user has his or her own personal private key and all the time trapdoors broadcast by the time server. In the invention, the SM4 key is encrypted with the time server public key, the user public key and the decryptable time interval before being sent. Because the time trapdoor at the tail node of the time trapdoor chain on the cloud server is not, at that moment, a time trapdoor within the decryptable time interval, the difficulty the user faces in decrypting the SM4 key ciphertext, in order to unshell and run the original executable file on the cloud server, is equivalent to breaking a public key encryption mechanism, which is obviously very difficult. This completes the proof.
Proof: A malicious attacker may interact with the cloud server. In the scheme, the SM4 key is encrypted with the time server public key, the user public key and the decryptable time interval before being sent, and a malicious attacker does not have a legitimate user's personal private key, so the difficulty the attacker faces in decrypting the SM4 key ciphertext, in order to unshell and run the original executable file on the cloud server, is equivalent to breaking a public key encryption mechanism, which is obviously very difficult. In addition, if a malicious attacker wants to obtain the shelled executable file for reverse cracking, the attacker must first attack the cloud server to obtain the shelled executable file illegally and then attack the SM4 encryption mechanism, which is obviously harder still. This completes the proof.
In summary, the present invention provides an implementation based on dual encryption, packing (shell adding) and specific time encryption, with the purpose of implementing timed use control and further forms of software usage-time control. The formal definitions and embodiments above illustrate how the invention can be implemented to restrict a software user to a given period of time, and more varied control schemes can be derived from these variations. In terms of security, on one hand, because the packed executable file is launched on the cloud server, the method prevents an illegitimate software user from cracking the time limit through reverse analysis of the software or other means; on the other hand, because a time server is added and a time trapdoor chain is introduced, it prevents an illegitimate software user from cracking the time limit by colluding with the cloud server. In terms of practical value, the scheme gives a software developer a reliable way to restrict software use by regular or irregular usage time, frequency and the like, which can effectively lower the price threshold for purchasing software and help the developer increase sales. Customers who use the software regularly and for short periods can greatly reduce their software costs. In addition, the introduction of packing technology for the software executable file strengthens the protection of the software in the cloud and improves the generality of the scheme. Based on the software packing technology, a software developer can skip developing an account management system solely to implement software use control, which greatly reduces the developer's development pressure and operation and maintenance costs.
The above is only the preferred embodiment of the present invention. It should be noted that those skilled in the art can make various modifications and improvements without departing from the principle of the present invention, and these modifications and improvements shall also fall within the protection scope of the present invention.
Claims (6)
1. A software cloud timed use control method based on specific time encryption, characterized by comprising the following steps:
step 1, a software developer server S encrypts the code segment of the original executable file OEF with SM4 under the encryption key MK, then performs a packing (shell-adding) operation on the OEF whose code segment has been encrypted to obtain the packed executable file PEF, and sends the PEF to the cloud server CS;
step 2, the software developer server S takes the public parameters as input, selects the private key of the user, calculates the user public key $pk = (uP, usP)$, and sends sk to the user R; the public parameters comprise the system parameters params and the time server public key TS-MPK, where $params = \{k, q, G_1, G_2, e, P, H_1, H_2, n\}$ and TS-MPK $= (P, sP)$, in which $k$ is a security parameter, $G_1$ is an additive group, $G_2$ is a multiplicative group, $G_1$ and $G_2$ both have prime order $q$, $e: G_1 \times G_1 \to G_2$ is a bilinear map, and the hash functions are $H_1: \{0,1\}^* \to G_1$ and $H_2: G_2 \to \{0,1\}^n$, where $n$ is the length of the plaintext, a generator randomly chosen for the time server TS, is the time server private key TS-MSK;
step 3, the software developer server S generates a ciphertext C according to the system parameters params, MK, pk, TS-MPK and the release time interval $[t_0, t_1]$, and sends C to the cloud server CS in advance;
step 4, the time server TS releases the time trapdoor $D_t = \{d_x = sH_1(x) : x \in \rho_t\}$ and broadcasts $D_t$, where $t \in \{0,1\}^*$ and $\rho_t$ is the set of nodes on the path of $t$ in the binary tree;
step 5, the cloud server CS links the time trapdoor $D_t$ to the tail of the time trapdoor chain, generating a new time trapdoor chain tikChain;
step 6, within the time interval $[t_0, t_1]$, the user R sends sk to the cloud server CS together with a command to run the PEF;
step 7, the cloud server CS runs the PEF and, according to the ciphertext C, the user private key sk and the time trapdoor chain tikChain, runs the OEF after successful legitimate unpacking.
2. The method for controlling the timed usage of the software cloud based on specific time encryption of claim 1, wherein the step 3 comprises:
step 3.1: verifying that $e(uP, sP) = e(P, usP)$ and, when the equation holds, generating the minimal root set of subtrees covering all time nodes in $[t_0, t_1]$
computing
$K = e(rusP, H_1(y)) = e(P, H_1(y))^{rus}$
Obtain a ciphertext set
3. The method for controlling timed usage of software cloud based on specific time encryption according to claim 2, wherein said step 7 includes:
step 7.1: acquiring the tail-node data of tikChain, and generating the time $t$ and the time trapdoor $D_t$;
step 7.2: generating the minimal root set of subtrees covering all time nodes in $[t_0, t_1]$ and the set $\rho_t$ of nodes on the path of $t$ in the binary tree, and calculating the unique element $z$ in which $\rho_t$ and that root set intersect;
step 7.3: computing
$K' = e(U, d_z)^u$
4. A software cloud timed use control device based on specific time encryption is characterized by comprising:
a packing (shell-adding) module, used by the software developer server S to encrypt the code segment of the original executable file OEF with SM4 under the encryption key MK, then perform a packing operation on the OEF whose code segment has been encrypted to obtain the packed executable file PEF, and send the PEF to the cloud server CS;
a user public and private key pair generation module, used by the software developer server S to take the public parameters as input, select the user private key, calculate the user public key $pk = (uP, usP)$, and send sk to the user R; the public parameters comprise the system parameters params and the time server public key TS-MPK, where $params = \{k, q, G_1, G_2, e, P, H_1, H_2, n\}$ and TS-MPK $= (P, sP)$, in which $k$ is a security parameter, $G_1$ is an additive group, $G_2$ is a multiplicative group, $G_1$ and $G_2$ both have prime order $q$, $e: G_1 \times G_1 \to G_2$ is a bilinear map, and the hash functions are $H_1: \{0,1\}^* \to G_1$ and $H_2: G_2 \to \{0,1\}^n$, where $n$ is the length of the plaintext, a generator randomly chosen for the time server TS, is the time server private key TS-MSK;
a ciphertext generation module, used by the software developer server S to generate a ciphertext C according to the system parameters params, MK, pk, TS-MPK and the release time interval $[t_0, t_1]$, and send C to the cloud server CS in advance;
a time trapdoor release module, used by the time server TS to release the time trapdoor $D_t = \{d_x = sH_1(x) : x \in \rho_t\}$ and broadcast $D_t$, where $t \in \{0,1\}^*$ and $\rho_t$ is the set of nodes on the path of $t$ in the binary tree;
a time trapdoor chain updating module, used by the cloud server CS to link the time trapdoor $D_t$ to the tail of the time trapdoor chain, generating a new time trapdoor chain tikChain;
a command sending module, used by the user R to send sk to the cloud server CS within the time interval $[t_0, t_1]$ together with a command to run the PEF;
and an unpacking (de-shelling) operation module, used by the cloud server CS to run the PEF and, according to the ciphertext C, the user private key sk and the time trapdoor chain tikChain, run the OEF after successful legitimate unpacking.
5. The device for controlling timed usage of software cloud based on specific-time encryption according to claim 4, wherein the ciphertext generation module comprises:
a first verification submodule for verifying that $e(uP, sP) = e(P, usP)$ and, when the equation holds, generating the minimal root set of subtrees covering all time nodes in $[t_0, t_1]$
a first calculation submodule for randomly selecting $r$ for each element of that root set and calculating $rP$ and $rusP$;
a second calculation submodule for calculating
$K = e(rusP, H_1(y)) = e(P, H_1(y))^{rus}$
Obtain a ciphertext set
6. The device for controlling timed usage of software cloud based on specific time encryption according to claim 5, wherein the de-shelling operation module comprises:
a time trapdoor acquisition module for acquiring the tail-node data of tikChain and generating the time $t$ and the time trapdoor $D_t$;
a third calculation submodule for generating the minimal root set of subtrees covering all time nodes in $[t_0, t_1]$ and the set $\rho_t$ of nodes on the path of $t$ in the binary tree, and calculating the unique element $z$ in which $\rho_t$ and that root set intersect;
a fourth calculation submodule for calculating
$K' = e(U, d_z)^u$
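Steps 3, 4 and 7 of the claims, traced end to end as an added Python example (not code from the patent): it builds the minimal subtree-root cover of $[t_0, t_1]$, the path set $\rho_t$, and checks that $K' = K$ only when $t$ lies in the interval. The pairing is replaced by a constructed, insecure toy map over a 1019-element group so the script runs without a pairing library; the ciphertext form V = MK xor H2(K), the helper names, the 4-level tree, and reading u and s as the user and time-server private scalars are assumptions.

```python
import hashlib
import secrets

# Toy pairing, constructed for illustration and INSECURE: the G1 element aP is stored
# as the scalar a mod Q, and e(aP, bP) = G^(ab) in the order-Q subgroup of Z_PMOD^*.
Q, PMOD, G = 1019, 2039, 4

def h1(node):                      # H1: {0,1}* -> G1 (kept nonzero)
    return 1 + int.from_bytes(hashlib.sha256(node.encode()).digest(), "big") % (Q - 1)
def h2(k, n):                      # H2: G2 -> n-byte mask
    return hashlib.shake_256(str(k).encode()).digest(n)
def pair(a, b):                    # e(aP, bP)
    return pow(G, a * b % Q, PMOD)
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def path(t, depth):                # rho_t: every node from the root down to leaf t
    bits = format(t, "b").zfill(depth)
    return [bits[:i] for i in range(depth + 1)]

def cover(t0, t1, depth):          # minimal roots of subtrees covering leaves t0..t1
    roots, lo = [], t0
    while lo <= t1:
        size = 1                   # grow the aligned block at lo while it fits in [lo, t1]
        while lo % (2 * size) == 0 and lo + 2 * size - 1 <= t1:
            size *= 2
        level = depth - size.bit_length() + 1   # prefix length of that subtree root
        roots.append(format(lo >> (depth - level), "b").zfill(level) if level else "")
        lo += size
    return roots

def encrypt(mk, us_p, t0, t1, depth):       # step 3: one (U, V) pair per cover node y
    c = {}
    for y in cover(t0, t1, depth):
        r = 1 + secrets.randbelow(Q - 1)
        k = pair(r * us_p % Q, h1(y))        # K = e(rusP, H1(y))
        c[y] = (r, xor(mk, h2(k, len(mk))))  # U = rP; V = MK xor H2(K) is an assumed form
    return c

def trapdoor(s, t, depth):                  # step 4: D_t = {d_x = s*H1(x) : x in rho_t}
    return {x: s * h1(x) % Q for x in path(t, depth)}

def decrypt(c, u, d_t):                     # step 7: needs sk = u and an in-interval D_t
    z = [x for x in d_t if x in c]          # rho_t intersected with the cover
    if len(z) != 1:
        return None                         # t outside [t0, t1]: no usable node
    big_u, v = c[z[0]]
    k2 = pow(pair(big_u, d_t[z[0]]), u, PMOD)   # K' = e(U, d_z)^u
    return xor(v, h2(k2, len(v)))
```

A trapdoor for a time outside the interval shares no node with the cover, so the holder of sk has no $d_z$ to pair against, and a trapdoor inside the interval is useless without $u$.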
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010473555.3A CN111639310B (en) | 2020-05-29 | 2020-05-29 | Software cloud timing use control method and device based on specific time encryption |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111639310A (en) | 2020-09-08 |
CN111639310B (en) | 2023-05-16 |
Family
ID=72331194
Family Applications (1)
Application Number | Status | Priority Date | Filing Date | Title |
---|---|---|---|---|
CN202010473555.3A, CN111639310B (en) | Active | 2020-05-29 | 2020-05-29 | Software cloud timing use control method and device based on specific time encryption |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111639310B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN111639310B (en) | 2023-05-16 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |