CN113626787B - Equipment fingerprint generation method and related equipment - Google Patents

Publication number
CN113626787B
Authority
CN
China
Prior art keywords
fingerprint
equipment
information
terminal
terminal device
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110995607.8A
Other languages
Chinese (zh)
Other versions
CN113626787A (en)
Inventor
王莉
徐丽蓉
冯峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
BOE Technology Group Co Ltd
Original Assignee
BOE Technology Group Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y20/00 Information sensed or collected by the things
    • G16Y20/40 Information sensed or collected by the things relating to personal data, e.g. biometric data, records or preferences
    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y40/00 IoT characterised by the purpose of the information processing
    • G16Y40/50 Safety; Security of things, users, data or systems

Abstract

The disclosure provides a device fingerprint generation method and related devices. The method is applied to a terminal device and comprises the following steps: in response to the terminal device starting up, acquiring device information of the terminal device at a native layer of the terminal device; generating, at the native layer, a device fingerprint of the terminal device from the device information according to a preset fingerprint generation algorithm; and providing the device fingerprint for the application layer to call, based on an interface call mechanism between the native layer and the application layer of the terminal device.

Description

Equipment fingerprint generation method and related equipment
Technical Field
The disclosure relates to the technical field of internet of things, in particular to a device fingerprint generation method and related devices.
Background
In recent years, intelligent terminals of the internet of things are increasingly used. Some terminal products of the internet of things are widely applied to our lives, such as a screen drawing.
In order to provide better services, the intelligent terminal equipment also needs to rely on a server side to provide better support, such as business member services. The member service can bring more convenient and quick service to the user. Generally, the server side needs to record identity information of each device, so as to check whether to provide member service for the device.
A device fingerprint is a device characteristic or unique device identification that can be used to uniquely identify the device, and can be used for device identity verification. As technology has advanced, some users may tamper with device-specific information by technical means, so that after one device completes registration, a plurality of devices use it to receive the service.
Disclosure of Invention
The embodiment of the disclosure provides a device fingerprint generation method and related devices.
In a first aspect of an embodiment of the present disclosure, a device fingerprint generating method is provided, applied to a terminal device, and includes:
in response to the starting of the terminal equipment, acquiring equipment information of the terminal equipment at a native layer of the terminal equipment;
generating, at the native layer, a device fingerprint of the terminal device from the device information according to a preset fingerprint generation algorithm; and
providing the device fingerprint for the application layer to call, based on an interface calling mechanism between the native layer and the application layer of the terminal device.
In a second aspect of the embodiments of the present disclosure, there is provided a terminal device including one or more processors, a memory; and one or more programs, wherein the one or more programs are stored in the memory and executed by the one or more processors, the programs comprising instructions for performing the method of the first aspect.
In a third aspect of the embodiments of the present disclosure, there is provided an internet of things system, including:
the terminal device of the second aspect is configured to: receiving a service request sent by a user and sending the service request to a server; and responding to the received equipment information acquisition request of the server, and sending corresponding equipment information to the server according to the equipment information acquisition request; and
a server connected with the terminal device through a network and configured to:
receiving the service request sent by the terminal equipment;
determining whether fingerprint verification is required to be carried out on the terminal equipment according to the service request;
responding to the need of fingerprint verification on the terminal equipment, and sending an equipment information acquisition request to the terminal equipment;
receiving equipment information sent by the terminal equipment based on the equipment information acquisition request;
generating a first device fingerprint of the terminal device according to the device information according to a preset fingerprint generation algorithm;
determining whether the first device fingerprint is consistent with a second device fingerprint of the terminal device stored by the server; and
in response to the first device fingerprint being consistent with the second device fingerprint, outputting fingerprint verification passing information of the terminal device.
A fourth aspect of embodiments of the present disclosure provides a non-transitory computer-readable storage medium containing a computer program which, when executed by one or more processors, causes the processors to perform the method of the first aspect.
A fifth aspect of embodiments of the present disclosure provides a computer program product comprising computer program instructions which, when run on a computer, cause the computer to perform the method of the first aspect.
According to the device fingerprint generation method and the related device, the device fingerprint is generated through the preset fingerprint generation algorithm by reading the device information at the native layer of the terminal device, so that illegal tampering of the device fingerprint by a user can be prevented to a certain extent, and the safety is improved.
Drawings
In order to more clearly illustrate the technical solutions of the present disclosure or related art, the drawings required for the embodiments or related art description will be briefly described below, and it is apparent that the drawings in the following description are only embodiments of the present disclosure, and other drawings may be obtained according to these drawings without inventive effort to those of ordinary skill in the art.
Fig. 1 shows a schematic diagram of an internet of things system provided by an embodiment of the present disclosure.
Fig. 2 illustrates an exemplary architecture diagram of an android system in accordance with an embodiment of the present disclosure.
Fig. 3 shows a schematic diagram of a terminal device interacting with a server according to an embodiment of the present disclosure.
Fig. 4 shows an exemplary hardware architecture diagram of a more specific computer device provided by an embodiment of the present disclosure.
Fig. 5 shows a flow diagram of an exemplary method provided by an embodiment of the present disclosure.
Detailed Description
For the purposes of promoting an understanding of the principles and advantages of the disclosure, reference will now be made to the embodiments illustrated in the drawings and specific language will be used to describe the same.
It should be noted that unless otherwise defined, technical or scientific terms used in the embodiments of the present disclosure should be given the ordinary meaning as understood by one of ordinary skill in the art to which the present disclosure pertains. The terms "first," "second," and the like, as used in embodiments of the present disclosure, do not denote any order, quantity, or importance, but rather are used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that elements or items preceding the word are included in the element or item listed after the word and equivalents thereof, but does not exclude other elements or items. The terms "connected" or "connected," and the like, are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "upper", "lower", "left", "right", etc. are used merely to indicate relative positional relationships, which may also be changed when the absolute position of the object to be described is changed.
Most current device fingerprint technologies collect the inherent characteristic values of the terminal device at the application end (i.e., in an application program) and then generate the device fingerprint through calculation. However, this approach has at least the following drawbacks: 1. some inherent device information, such as the International Mobile Equipment Identity (IMEI) number and the Media Access Control (MAC) address, can be changed by certain technical means, so that a plurality of devices can share one device fingerprint; 2. the process of generating a device fingerprint depends strongly on the client application (i.e., the application is used to generate the device fingerprint), and which device feature values the client application uses can easily be obtained by decompilation.
In view of the above, the embodiments of the present disclosure provide a device fingerprint generating method and related devices, which can effectively improve the security and uniqueness of the device fingerprint, and protect the interests of enterprises.
Fig. 1 shows a schematic diagram of an internet of things system 100 provided by an embodiment of the present disclosure.
As shown in fig. 1, the internet of things system 100 may include a server 300 and a plurality of terminal devices 200a to 200n. The server 300 may be implemented using one or more servers, and may be a distributed architecture when implemented using multiple servers. The terminal devices 200a to 200n and the server 300 may be connected to each other via a network, which may be a wired network or a wireless network, and the terminal devices may exchange requests, instructions, or the like with the server 300. The terminal devices 200a to 200n may be any internet of things terminals, for example, mobile phones (terminal 200a), televisions (terminal 200b), air conditioners (terminal 200n), and the like. The user 400 may cause the terminal devices 200a to 200n to transmit requests or instructions to the server 300 by operating the terminal devices 200a to 200n.
In some embodiments, the Android system 500 may run on the terminal devices 200a to 200n.
Fig. 2 illustrates an exemplary architecture diagram of an android system 500 in accordance with an embodiment of the present disclosure.
As shown in fig. 2, the system architecture of the Android system 500 includes a five-layer architecture comprising, in order from the bottom layer to the application layer, a Linux kernel 502, a Hardware Abstraction Layer (HAL) 504, Native C/C++ Libraries 506 and an Android runtime environment (runtime) 508, a Java framework layer 510, and an application layer 512. Each layer may contain a large number of sub-modules or sub-systems.
The kernel space at the bottom of the Android system 500 is built on the Linux kernel 502, and the upper user space may be composed of the native layer (Native C/C++ Libraries) 506, the Android runtime environment (runtime) 508 and the Java framework layer 510; the kernel space and the user space of the system communicate through system calls (syscalls). User-space code may be written in C++ (running at the native layer 506) or Java (running at the application layer 512), and JNI (Java Native Interface, the interaction interface between Java and native code) may be employed to bridge the native layer 506 and the application layer 512 of the user space.
The application layer 512 may include all applications in the android system 500, and may be further divided into a core application that is self-contained in the system and an application that is self-developed by the user. For example, the core application may be an application such as a browser, contact, phone, calendar, camera, and the like. The Android application developed by the user may be, for example, a microblog, a WeChat, or the like.
The Android system 500 may include some native C/C++ libraries that may be used by the different components of the Android system 500 and may serve the developer through the Java framework layer 510. These native C/C++ libraries constitute the main part of the native layer 506. The developer may use the functions of the libraries in the native layer 506 by calling the interface provided by the Java framework layer 510 (e.g., by implementing the call through a JNI mechanism), or may call them directly with the Android NDK.
In view of the problem that the existing device fingerprint is easy to tamper, the terminal devices 200a to 200n in the embodiments of the present disclosure adopt a device fingerprint generation method that is not easy to tamper. The following will take the terminal device 200a as an example.
Before the terminal device 200a leaves the factory, code written in C/C++ may be written into the terminal device 200a to run at system initialization. In this way, after the terminal device 200a is started up, by running the code, the terminal device 200a collects device information of the terminal device 200a at the native layer 506 of the Android system 500 and generates, at the native layer 506, a device fingerprint of the terminal device 200a from the device information according to a preset fingerprint generation algorithm. After the device fingerprint is generated, it may be provided to the application layer 512 for invocation based on the interface invocation mechanism (e.g., the JNI invocation mechanism) between the native layer 506 and the application layer 512. In some embodiments, the terminal device 200a is started when the user 400 presses a power-on key and the power module of the terminal device 200a then powers a processor (e.g., CPU) of the terminal device 200a, thereby starting the processor; at this point the terminal device may be considered to have been started. After the processor is powered on and started, the system initialization process begins, and during this process the terminal device 200a may run the pre-written C/C++ code for device information collection and device fingerprint calculation, so that both are completed in the native layer 506 of the Android system 500.
In the embodiment of the disclosure, the code that collects the device information and calculates the device fingerprint is written in C/C++ for the native layer 506 of the Android system 500, and has to be compiled together with the Android source code and burned into the terminal device. C/C++ code is more difficult to decompile than Java code; in addition, because the collection and calculation code is burned into the terminal device in advance, generating the device fingerprint is a function of the system and does not need to be done by a client application program. Decompilation is therefore difficult, and it is hard for outsiders to obtain the device fingerprint, and in particular the device information from which it is calculated.
In some embodiments, the device information may be selected from the following: processor information (e.g., CPU information), memory information, media access control address (MAC address), chip vendor information, product serial number (SN code), and International Mobile Equipment Identity (IMEI) number. It will be appreciated that the foregoing hardware information is merely exemplary, and that the device information used to generate the device fingerprint may alternatively be other hardware information, without limitation. The hardware information of the device is static attribute information and is generally written to the system disk of the device at the factory, so it can be read directly from the device. Each item of device information is stored at a fixed location; e.g., the CPU information may be read from /proc/cpuinfo, the MAC address may be read from /sys/class/net/eth0/address, etc.
Since a variety of device information is available, in some embodiments the terminal device 200a may randomly select at least two items of device information from it to generate a device fingerprint. Because the device information used to generate the device fingerprint is randomly selected, the difficulty of cracking is increased and security is further improved. To ensure the security of the device fingerprint while keeping the computation efficient, in some embodiments three items of device information may be selected to generate the device fingerprint.
In some embodiments, the number of items of device information used to generate the device fingerprint may be at least two, e.g., three. The terminal device 200a may perform an exclusive-or operation on the at least two items of device information to obtain the first data. Since the items of device information may differ in length, and the length of the first data may differ accordingly, the terminal device 200a needs to further perform a hash operation (e.g., an MD5 operation) on the first data to obtain a device fingerprint having a preset data length (set according to actual needs). Taking C++ as an example, the exclusive-or operation may be implemented with the exclusive-or operator (^, also spelled xor); the specific operation rules are not described herein.
In order to ensure the security of the device fingerprint, a salt value (salt) may also be introduced when the device fingerprint is generated by using a hash operation. Thus, in some embodiments, the terminal device 200a may determine the salt value first, and then perform MD5 operation on the first data based on the salt value, to obtain a device fingerprint having a preset data length. The salt value (salt) can be an extra random number added in the hash operation process, so that the decoding difficulty can be improved. In some embodiments, the salt value may be a fixed value that is set in advance for ease of calculation. It will be appreciated that different ways of determining the salt value may be selected depending on the actual requirements.
In some embodiments, terminal device 200a may store the generated device fingerprint in its memory, providing a call interface to the application in application layer 512 through the daemon. Therefore, since the data calculation process is generally performed in the system process, the generated device fingerprint is also stored in the memory (i.e. the calculation result is not stored on the disk), so that the security is well ensured. Since the device fingerprint is generated only after the terminal device 200a is started up and stored in the memory, when the device fingerprint is generated again after the device is powered down, the address thereof in the memory may be changed, and thus it is difficult to obtain the device fingerprint from the outside by finding the device fingerprint from the stored address.
In some embodiments, an access interface may be provided for the application layer 512 through a JNI call, and the device fingerprint is then passed up to the Java framework layer 510; an upper-layer application can obtain the device fingerprint and related information only by calling, through a get method, a service defined by the Java framework layer 510.
Fig. 3 shows a schematic diagram of a terminal device 200a interacting with a server 300 according to an embodiment of the present disclosure.
The user 400 may transmit a registration request (e.g., a request to register a member account on the server 300) or a service request (e.g., a request to acquire a video service from the server 300) to the server 300 using the device 200a by means of a key, a touch screen, a remote controller, or the like.
In an initial state, the user 400 may first transmit a registration request 602 to the server 300 using the terminal device 200a to complete registration (e.g., registration of a member identity) on the server 300.
Upon sending the registration request 602, the terminal device 200a may invoke the device fingerprint 202 generated after power-on and, according to the registration request 602, obtain the name of the device information 204 used to generate the device fingerprint 202 and the identification information of the terminal device 200a. In some embodiments, the device fingerprint 202 generated by the native layer 506 may be invoked at the application layer 512 through the JNI mechanism. In some embodiments, the device information 204 used by the terminal device 200a to generate the device fingerprint 202 may be randomly selected to increase the difficulty of cracking and increase security. In some embodiments, the identification information may be information capable of characterizing the unique identity of the terminal device 200a; it may be assigned to the terminal device 200a according to a certain coding rule, or may be unique characteristic information inherent to the terminal device 200a, for example, the MAC address of the terminal device 200a.
When sending the registration request 602 to the server 300, the terminal device 200a may send the device fingerprint 202 and the name of the device information 204 used to generate the device fingerprint 202 together with it. In some embodiments, if a randomly generated salt value (salt) was incorporated when the device fingerprint 202 was generated, it may also be desirable to send the salt value 208 to the server 300 along with the registration request 602. In some embodiments, the terminal device 200a may call a registration interface of the server 300, with the interface parameters including the device fingerprint 202, the device information name 206, and the identification information (e.g., a MAC address).
After receiving the registration request 602, the device fingerprint 202, the device information name 206, and the identification information, the server 300 may first determine whether the terminal device 200a has completed registration at the server 300 based on the identification information. In some embodiments, as shown in fig. 3, the identification information of the terminal device that has completed registration may be stored in a database of the server 300, and the server 300 may determine whether the terminal device 200a has completed registration by looking up whether there is the stored identification information of the terminal device 200a in the database. If the identification information of the terminal equipment can be found, the registration is completed.
If the terminal device 200a does not complete registration at the server 300, the server 300 may store the device fingerprint 202 and the device information name 206 (e.g., store interface parameters sent by the terminal device) and return corresponding information 604, e.g., registration success information, to the terminal device 200a based on the registration request 602. In some embodiments, the server 300 may also return a corresponding token (token) to the terminal device 200a after registration is completed, which the terminal device 200a may subsequently carry when sending a service request to the server 300 to complete authentication. The token has a pre-set expiration date (e.g., 24 hours, one week, etc.), and the server 300 may not perform further identity verification on the terminal device 200a when the token is within the expiration date.
If the terminal device 200a has already completed registration at the server 300, the server 300 may return registration failure information, or information indicating that it cannot register again, to the terminal device 200a.
After the registration is completed, the user 400 can transmit a service request 606 (e.g., a request for obtaining a member service) to the server 300 at any time using the terminal device 200a.
After receiving the service request 606 transmitted by the terminal apparatus 200a, the server 300 may determine whether fingerprint verification of the terminal apparatus 200a is required according to the service request 606. For example, if the service request 606 of the terminal device 200a carries a token, and the token does not exceed the validity period of the token, fingerprint verification of the terminal device 200a is not required, otherwise fingerprint verification of the terminal device 200a is required.
If fingerprint verification is required for the terminal device 200a, the server 300 may send a device information acquisition request 608 to the terminal device 200a, where the request 608 may include information about the device information to be acquired. In some embodiments, the server 300 may determine, based on the service request 606, the name 206 of the device information 204 used to generate the device fingerprint 202 of the terminal device 200a, and then generate the device information acquisition request 608 based on the device information name 206, where the device information acquisition request 608 includes the name 206 of the device information 204 that the server 300 needs to acquire. For example, the name 206 may be determined based on the device information name 206 of the terminal device 200a that has been stored in the memory 302.
After receiving the device information acquisition request 608 of the server 300, the terminal device 200a may send the corresponding device information 204 to the server 300 according to the device information acquisition request 608. For example, suppose the device information 204 selected by the terminal device 200a to generate the device fingerprint 202 at the time of registration is the CPU information, the MAC information, and the SN code. The names of the CPU information, MAC information, and SN code (i.e., the names of the items rather than the information itself) must be transmitted to the server 300 at the time of registration. When fingerprint verification of the terminal device 200a is required, the server 300 uses the names it has stored to send the terminal device 200a a request for the device information corresponding to those names, and the terminal device 200a then transmits the device information corresponding to the names to the server 300. In some embodiments, the operation of collecting device information may be implemented by a Software Development Kit (SDK) encapsulated in the application program that transmits the service request, and the collected device information may be reported to the server 300 through the SDK.
After receiving the device information 204 acquired and transmitted by the terminal device 200a based on the device information acquisition request 608, the server 300 may generate the device fingerprint 304 of the terminal device 200a from the device information 204 according to a preset fingerprint generation algorithm. The preset fingerprint generation algorithm is the same as the preset fingerprint generation algorithm that generated the device fingerprint 202 at the time of registration of the terminal device 200a.
In some embodiments, if the number of items of device information 204 is at least two, the server 300 may perform an exclusive-or operation on the at least two items of device information to obtain first data, and then perform a hash operation on the first data to obtain the device fingerprint 304 with a preset data length. In some embodiments, if the device fingerprint 202 was generated in combination with a salt value, the server further needs to obtain the salt value 208 of the terminal device 200a stored in the server 300, and then perform an MD5 operation on the first data based on the salt value 208 to obtain the device fingerprint 304 with a preset data length. The salt value 208 may be a fixed value that is agreed in advance. In some embodiments, if the device fingerprint 202 of the terminal device 200a was generated with a randomly generated salt value, the terminal device 200a needs to send the salt value to the server 300 for storage at registration, so that the server 300 can retrieve the salt value 208 when calculating the device fingerprint 304 of the terminal device 200a.
After computing the device fingerprint 304, the server 300 may determine whether the device fingerprint 304 is consistent with the device fingerprint 202 of the terminal device 200a stored in the memory 302 of the server 300. If the device fingerprint 304 is consistent with the device fingerprint 202, the fingerprint verification of the terminal device 200a passes, and fingerprint verification passing information 610 of the terminal device 200a can be output; otherwise, the verification is not passed, and verification failure information may be returned to the terminal device 200a. In some embodiments, after verification is passed, the server 300 may also generate a new token and send it to the terminal device 200a, so that the terminal device 200a does not need to undergo fingerprint verification again when it requests service from the server 300 with the new token during the validity period of the new token. After the verification is completed, the server 300 may provide a corresponding service, for example, a member service, to the terminal device 200a based on the service request 606.
As can be seen from this, in the present embodiment, the server 300 does not directly acquire the device fingerprint from the terminal device 200a to perform verification when verifying the device fingerprint of the terminal device 200a, but acquires the device information for generating the device fingerprint thereof from the terminal device 200a based on the information provided by the terminal device 200a at the time of registration, generates the device fingerprint 304 by the server 300, then performs comparison with the locally stored device fingerprint 202, and passes the verification when the comparison is consistent. Therefore, specific equipment fingerprints are not transmitted in the verification process, the equipment fingerprints are prevented from being intercepted by the outside through the modes of capturing packets and the like when the equipment fingerprints are verified, and the safety is further improved.
According to the device fingerprint generation method and the related device, the device parameters are read at the system native layer of the terminal device, the device fingerprint is generated through the preset fingerprint generation algorithm, and then the device fingerprint is stored in the memory, so that illegal tampering of a user is prevented. When the server performs fingerprint verification, firstly, collecting device information corresponding to device names provided during registration from the terminal device, generating device fingerprints in the server according to a preset fingerprint generation algorithm, comparing the device fingerprints with the device fingerprints provided during registration of the terminal device, and verifying if the device fingerprints are consistent with the device fingerprints. The device fingerprint generation method and the related device effectively improve the safety and the uniqueness of the device fingerprint, and also provide a new thought for the implementation mode of the device fingerprint.
The present disclosure also provides a computer device for implementing the terminal devices 200a to 200n or the server 300. The device may include a memory, a processor, and a computer program stored in the memory and executable on the processor; when the processor executes the program, it implements the method implemented by the terminal devices 200a to 200n or the server 300 in the foregoing embodiments, and accordingly has the technical effects of the foregoing embodiments.
Fig. 4 shows an exemplary hardware architecture diagram of a more specific computer device 700 provided by embodiments of the present disclosure. The device 700 may include: a processor 702, a memory 704, an input/output interface 706, a communication interface 708, and a bus 710. The processor 702, the memory 704, the input/output interface 706 and the communication interface 708 are communicatively connected to one another within the device via the bus 710.
The processor 702 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits, etc., for executing relevant programs to implement the technical solutions provided in the embodiments of the present disclosure.
The memory 704 may be implemented in the form of ROM (Read Only Memory), RAM (Random Access Memory), a static storage device, a dynamic storage device, or the like. The memory 704 may store an operating system and other application programs, and when the embodiments of the present specification are implemented in software or firmware, the associated program code is stored in the memory 704 and executed by the processor 702.
The input/output interface 706 is used to connect with an input/output module to realize information input and output. The input/output module may be configured as a component in the device (not shown) or may be external to the device to provide corresponding functionality. The input devices may include a keyboard, mouse, touch screen, microphone, various types of sensors, etc., and the output devices may include a display, speaker, vibrator, indicator lights, etc.
The communication interface 708 is used to connect communication modules (not shown) to enable communication between the device and other devices. The communication module may communicate in a wired manner (such as USB, network cable, etc.) or in a wireless manner (such as mobile network, Wi-Fi, Bluetooth, etc.).
Bus 710 includes a path to transfer information between components of the device (e.g., processor 702, memory 704, input/output interface 706, and communication interface 708).
It should be noted that although the above-described device only shows the processor 702, the memory 704, the input/output interface 706, the communication interface 708, and the bus 710, in a specific implementation, the device may also include other components necessary to achieve proper operation. Furthermore, it will be understood by those skilled in the art that the above-described apparatus may include only the components necessary to implement the embodiments of the present description, and not all the components shown in the drawings.
The embodiments of the present disclosure also provide a device fingerprint generation method, which can improve the security of the device fingerprint.
Fig. 5 shows a flow diagram of an exemplary method 800 provided by an embodiment of the present disclosure. The method 800 may be applied to the aforementioned terminal devices 200a to 200n and implemented by the terminal devices 200a to 200n. As shown in Fig. 5, the method may include the following steps.
In step 802, in response to the terminal device (e.g., terminal device 200a of fig. 3) having been booted up, terminal device 200a may collect device information (e.g., device information 204 of fig. 3) for the terminal device at its native layer (e.g., native layer 506 of fig. 2).
In some embodiments, to further increase the difficulty of cracking, collecting the device information of the terminal device at the native layer of the terminal device may include: randomly collecting at least two pieces of device information of the terminal device.
In some embodiments, the device information is selected from the following: processor information, memory information, media access control address, chip vendor information, product serial number, and international mobile equipment identification code.
In step 804, the terminal device 200a may generate, at its native layer, a device fingerprint (e.g., the device fingerprint 202 of Fig. 3) of the terminal device from the device information according to the preset fingerprint generation algorithm.
In some embodiments, there are at least two pieces of device information, and generating the device fingerprint of the terminal device from the device information according to the preset fingerprint generation algorithm includes: performing an exclusive-OR operation on the at least two pieces of device information to obtain first data; and performing a hash operation on the first data to obtain the device fingerprint with a preset data length, thereby ensuring that device fingerprints have a consistent length.
In some embodiments, performing a hash operation on the first data to obtain the device fingerprint with a preset data length may further include: determining a salt value; and performing an MD5 operation on the first data based on the salt value to obtain the device fingerprint with the preset data length.
In step 806, the terminal device 200a may provide the device fingerprint to an application layer (e.g., application layer 512 of fig. 2) for invocation based on an interface invocation mechanism (e.g., JNI mechanism) of the native layer and the application layer.
In some embodiments, to improve security, the method 800 may further include: storing the device fingerprint in a memory of the terminal device.
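The following sketch is an added example, not code from the patent; it covers both the terminal-side generation in steps 802 to 806 and the server-side recomputation and comparison described for the verification flow. The zero-padding of unequal lengths, the prepended salt, and the names `xor_fold`, `device_fingerprint`, `Server` and `run_demo` are assumptions, since the text specifies only an exclusive-OR followed by a salted MD5.

```python
import hashlib
import hmac
import os


def xor_fold(values):
    """XOR the device-information byte strings into the 'first data'.

    Assumption: shorter values are zero-padded on the right to the longest
    length; the patent does not say how unequal lengths are aligned.
    """
    if len(values) < 2:
        raise ValueError("at least two pieces of device information are required")
    acc = bytearray(max(len(v) for v in values))
    for value in values:
        for i, byte in enumerate(value):
            acc[i] ^= byte
    return bytes(acc)


def device_fingerprint(info, names, salt):
    """Salted MD5 over the XOR of the named fields: always 32 hex characters."""
    missing = [n for n in names if n not in info]
    if missing:
        raise KeyError(f"device information missing: {missing}")
    first_data = xor_fold([info[n].encode("utf-8") for n in names])
    # Assumption: the salt is prepended to the first data before hashing.
    return hashlib.md5(salt + first_data).hexdigest()


class Server:
    """Hypothetical server-side store: device id -> (fingerprint, names, salt)."""

    def __init__(self):
        self.records = {}

    def register(self, device_id, fingerprint, names, salt):
        if device_id in self.records:      # already registered
            return False
        self.records[device_id] = (fingerprint, tuple(names), salt)
        return True

    def info_request(self, device_id):
        """Names of the device information the terminal must send back."""
        return self.records[device_id][1]

    def verify(self, device_id, submitted_info):
        """Recompute the fingerprint from submitted info; compare with stored."""
        stored, names, salt = self.records[device_id]
        try:
            recomputed = device_fingerprint(submitted_info, names, salt)
        except KeyError:
            return False
        # Constant-time comparison of the two hex digests.
        return hmac.compare_digest(recomputed, stored)


# Constructed sample values, not taken from any real device.
SAMPLE_INFO = {
    "mac": "02:00:00:aa:bb:cc",
    "serial": "SN-EXAMPLE-0001",
    "cpu": "example-cpu-rev1",
}


def run_demo():
    names = ["mac", "serial"]
    salt = os.urandom(16)                  # random-salt embodiment
    fp = device_fingerprint(SAMPLE_INFO, names, salt)
    server = Server()
    registered = server.register("dev-1", fp, names, salt)
    wanted = server.info_request("dev-1")
    genuine = {n: SAMPLE_INFO[n] for n in wanted}
    altered = dict(genuine, mac="02:00:00:aa:bb:cd")
    return {
        "registered": registered,
        "fingerprint_length": len(fp),
        "genuine_passes": server.verify("dev-1", genuine),
        "altered_passes": server.verify("dev-1", altered),
    }


if __name__ == "__main__":
    print(run_demo())
```

Because XOR is commutative and self-inverse, the first data does not depend on field order and two identical values cancel to zero, so the choice of device information affects how unique the resulting fingerprint is.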
It should be noted that the foregoing describes some embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments described above and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
Based on the same inventive concept, corresponding to any of the above-described embodiments of method 800, the present disclosure also provides a non-transitory computer-readable storage medium storing computer instructions for causing the computer to perform the method 800 as described in any of the above-described embodiments.
The computer-readable media of the present embodiments include permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device.
The storage medium of the foregoing embodiments stores computer instructions for causing the computer to perform the method 800 described in any of the foregoing embodiments, and has the advantages of the corresponding method embodiments, which are not described herein.
Based on the same inventive concept, and corresponding to any of the above-described embodiments of method 800, the present disclosure also provides a computer program product comprising a computer program. In some embodiments, the computer program is executable by one or more processors to cause the processors to perform the described method 800. For each step in the embodiments of the method 800, the processor that executes the step may belong to the execution body to which that step corresponds.
The computer program product of the above embodiment is configured to cause a processor to perform the method 800 of any of the above embodiments, and has the advantages of the corresponding method embodiments, which are not described herein.
Those of ordinary skill in the art will appreciate that the discussion of any of the embodiments above is merely exemplary and is not intended to suggest that the scope of the disclosure, including the claims, is limited to these examples; under the idea of the present disclosure, the technical features of the above embodiments or of different embodiments may also be combined, the steps may be implemented in any order, and there are many other variations of the different aspects of the embodiments of the present disclosure as described above, which are not provided in detail for the sake of brevity.
Additionally, well-known power/ground connections to Integrated Circuit (IC) chips and other components may or may not be shown within the provided figures, in order to simplify the illustration and discussion, and so as not to obscure the embodiments of the present disclosure. Furthermore, the devices may be shown in block diagram form in order to avoid obscuring the embodiments of the present disclosure, and this also accounts for the fact that specifics with respect to implementation of such block diagram devices are highly dependent upon the platform on which the embodiments of the present disclosure are to be implemented (i.e., such specifics should be well within purview of one skilled in the art). Where specific details (e.g., circuits) are set forth in order to describe example embodiments of the disclosure, it should be apparent to one skilled in the art that embodiments of the disclosure can be practiced without, or with variation of, these specific details. Accordingly, the description is to be regarded as illustrative in nature and not as restrictive.
While the present disclosure has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations of those embodiments will be apparent to those skilled in the art in light of the foregoing description. For example, other memory architectures (e.g., dynamic RAM (DRAM)) may use the embodiments discussed.
The disclosed embodiments are intended to embrace all such alternatives, modifications and variances which fall within the broad scope of the appended claims. Accordingly, any omissions, modifications, equivalents, improvements, and the like, which are within the spirit and principles of the embodiments of the disclosure, are intended to be included within the scope of the disclosure.

Claims (15)

1. A device fingerprint generation method, applied to a terminal device, comprising:
in response to the terminal device starting up, collecting device information of the terminal device at a native layer of an operating system of the terminal device;
generating, at the native layer, a device fingerprint of the terminal device from the device information according to a preset fingerprint generation algorithm, wherein the device fingerprint is generated and stored in a memory after the terminal device is started; and
providing the device fingerprint to the application layer for invocation based on an interface calling mechanism between the native layer and an application layer of the operating system of the terminal device.
2. The method of claim 1, wherein the number of pieces of device information is at least two;
generating the device fingerprint of the terminal device from the device information according to the preset fingerprint generation algorithm comprises:
performing an exclusive-OR operation on at least two pieces of device information to obtain first data; and
performing a hash operation on the first data to obtain the device fingerprint with a preset data length.
3. The method of claim 2, wherein performing a hash operation on the first data to obtain the device fingerprint with a preset data length comprises:
determining a salt value; and
performing an MD5 operation on the first data based on the salt value to obtain the device fingerprint with the preset data length.
4. The method of claim 2, wherein the device information is selected from the following: processor information, memory information, media access control address, chip vendor information, product serial number, and international mobile equipment identification code.
5. The method of claim 2, wherein collecting device information of the terminal device at a native layer of the terminal device comprises:
randomly collecting at least two pieces of device information of the terminal device.
6. The method of any one of claims 1 to 5, further comprising:
storing the device fingerprint in a memory of the terminal device.
7. A terminal device comprising one or more processors; a memory; and one or more programs, wherein the one or more programs are stored in the memory and executed by the one or more processors, the programs comprising instructions for performing the method of any of claims 1-6.
8. An Internet of Things system, comprising:
a terminal device configured to:
in response to the terminal device starting up, collect device information of the terminal device at a native layer of an operating system of the terminal device;
generate, at the native layer, a device fingerprint of the terminal device from the device information according to a preset fingerprint generation algorithm, wherein the device fingerprint is generated and stored in a memory after the terminal device is started;
provide the device fingerprint to the application layer for invocation based on an interface calling mechanism between the native layer and an application layer of the operating system of the terminal device;
receive a service request sent by a user and send the service request to a server; and
in response to receiving a device information acquisition request from the server, send the corresponding device information to the server according to the device information acquisition request; and
a server connected with the terminal device through a network and configured to:
receive the service request sent by the terminal device;
determine, according to the service request, whether fingerprint verification of the terminal device is required;
in response to fingerprint verification of the terminal device being required, send a device information acquisition request to the terminal device;
receive the device information sent by the terminal device based on the device information acquisition request;
generate a first device fingerprint of the terminal device from the device information according to a preset fingerprint generation algorithm;
determine whether the first device fingerprint is consistent with a second device fingerprint of the terminal device stored by the server; and
in response to the first device fingerprint being consistent with the second device fingerprint, output fingerprint verification passing information of the terminal device.
9. The Internet of Things system of claim 8, wherein the number of pieces of device information is at least two;
the server is configured to:
perform an exclusive-OR operation on at least two pieces of device information to obtain first data; and
perform a hash operation on the first data to obtain the first device fingerprint with a preset data length.
10. The Internet of Things system of claim 9, wherein the server is further configured to:
obtain the salt value of the terminal device stored by the server; and
perform an MD5 operation on the first data based on the salt value to obtain the first device fingerprint with the preset data length.
11. The Internet of Things system of claim 8, wherein the terminal device is configured to:
receive a registration request sent by a user;
according to the registration request, retrieve a second device fingerprint generated by the terminal device, a name of the device information used for generating the second device fingerprint, and identification information of the terminal device; and
transmit the registration request to a server along with the second device fingerprint and the name of the device information used to generate the second device fingerprint;
the server is configured to:
receive the registration request, the second device fingerprint, the name of the device information used for generating the second device fingerprint, and the identification information of the terminal device;
determine, according to the identification information, whether the terminal device is registered in the server; and
in response to the terminal device not being registered in the server, store the second device fingerprint and the name of the device information used for generating the second device fingerprint, and return registration success information to the terminal device based on the registration request.
12. The Internet of Things system of claim 11, wherein the server is configured to:
determine, according to the service request, a name of the device information used for generating the second device fingerprint of the terminal device; and
generate the device information acquisition request according to the name of the device information used for generating the second device fingerprint of the terminal device, wherein the device information acquisition request comprises the name of the device information that the server needs to acquire.
13. The Internet of Things system of claim 11, wherein the server is configured to:
in response to successful registration of the terminal device, return a corresponding token to the terminal device, wherein the token has a preset validity period; and
in response to receiving the service request sent by the terminal device, determine whether fingerprint verification of the terminal device is required according to whether the token of the terminal device has exceeded the preset validity period.
14. A non-transitory computer readable storage medium containing a computer program which, when executed by one or more processors, causes the processors to perform the method of any of claims 1 to 6.
15. A computer program product comprising computer program instructions which, when run on a computer, cause the computer to perform the method of any one of claims 1 to 6.
CN202110995607.8A 2021-08-27 2021-08-27 Equipment fingerprint generation method and related equipment Active CN113626787B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110995607.8A CN113626787B (en) 2021-08-27 2021-08-27 Equipment fingerprint generation method and related equipment

Publications (2)

Publication Number Publication Date
CN113626787A CN113626787A (en) 2021-11-09
CN113626787B CN113626787B (en) 2024-01-30

Family

ID=78388074

Country Status (1)

Country Link
CN (1) CN113626787B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant