CN114785514A - Method and system for authorizing application permission of industrial Internet of things terminal - Google Patents

Info

Publication number: CN114785514A
Application number: CN202210291358.9A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN114785514B (en)
Legal status: Granted, Active
Inventors: 李玉凌, 李二霞, 杨红磊, 刘海涛, 吕广宪, 亢超群, 朱克琪, 王利, 许保平, 樊勇华, 韩子龙, 孙智涛, 刘芸杉, 吴殿亮, 杜金陵
Current Assignee: China Online Shanghai Energy Internet Research Institute Co ltd
Original Assignee: China Online Shanghai Energy Internet Research Institute Co ltd
Prior art keywords: public key; terminal; certificate; application app; app

Classifications

    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/108 Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H04W12/068 Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • H04W12/069 Authentication using certificates or pre-shared keys
    • H04W12/37 Managing security policies for mobile devices or for controlling mobile applications


Abstract

The invention discloses a method and a system for authorizing application permission of an industrial Internet of things terminal, wherein the method comprises the following steps: S11, configuring a security module for the terminal to be authorized, wherein the security module comprises a unique public key and a unique private key associated with the terminal; S12, collecting, by the APP management authority, the public key associated with the terminal to be authorized, and sending the public key to the digital certificate issuing authority; S13, issuing, by the digital certificate issuing authority, a public key digital certificate C_T for the terminal to be authorized based on the public key, the public key digital certificate C_T including the public key associated with the terminal, the characteristic information of the application APP and the validity period of the public key digital certificate C_T; S14, encrypting the CA certificate C_1 with the symmetric key K_1 to obtain an encrypted CA certificate C'_1, embedding the encrypted CA certificate C'_1 in the program code of the application APP, embedding the characteristic information of the application APP encrypted with the symmetric key K_1 in the program code of the application APP, and embedding the inverted symmetric key K'_1, obtained by bitwise negation of the symmetric key K_1, in the program code of the application APP.

Description

Method and system for application permission authorization of industrial Internet of things terminal
Technical Field
The invention relates to the technical field of industrial Internet of things terminals, and in particular to a method and a system for authorizing application permission of an industrial Internet of things terminal.
Background
With the development of Internet of things technology and the continuous expansion of industrial applications, industrial Internet of things terminals (including distribution terminal equipment such as transformer area intelligent integration terminals, intelligent station terminals and intelligent feeder terminals, as well as transformer substation measurement, control and protection devices, oil field telecontrol terminal equipment and the like) are gradually acquiring technical characteristics such as hardware platformization, software containerization and applications delivered as APPs, in order to meet the application requirements of edge computing and the Internet of everything. Such terminal equipment is designed according to the "software defined terminal" idea, decouples software from hardware through a standard platform architecture, and supports the installation and operation of third-party FDV application software (namely APPs). In traditional terminal equipment, software and hardware architectures differ greatly, so copying an application program is difficult; in an Internet of things terminal, standardized data interaction interfaces are used between APPs and between APPs and operating system components, so an APP in one terminal can be illegally copied to other terminals and run there.
At present, APPs in industrial Internet of things terminals are installed mainly in two ways, remote installation and on-site installation, and the APP software package carries signature information of the APP management center, which the terminal uses to verify the legitimacy of the APP. However, the signature does not prevent the APP from being illegally copied. APPs in existing terminals mainly prevent illegal copying by binding to a unique identifier of the terminal (such as a device ID or MAC address); because information such as the device ID and MAC address is easy to forge and tamper with, a new approach is needed to implement APP license authorization management.
Therefore, a technique is needed to enable authorization of industrial Internet of things terminal application licenses.
Disclosure of Invention
The technical scheme of the invention provides a method and a system for authorizing application permission of an industrial Internet of things terminal, which aim to solve the problem of how to authorize application permission for an industrial Internet of things terminal.
In order to solve the above problem, the present invention provides a method for authorizing an application permission of an industrial Internet of things terminal, the method comprising:
S11, configuring a security module for a terminal to be authorized, wherein the security module comprises a unique public key and a unique private key associated with the terminal;
S12, collecting, by an application APP management authority, the public key associated with the terminal to be authorized, and sending the public key to a digital certificate issuing authority;
S13, issuing, by the digital certificate issuing authority, a public key digital certificate C_T for the terminal to be authorized based on the public key, the public key digital certificate C_T including the public key associated with the terminal, the characteristic information of the application APP and the validity period of the public key digital certificate C_T;
S14, encrypting the CA certificate C_1 with the symmetric key K_1 to obtain an encrypted CA certificate C'_1, embedding the encrypted CA certificate C'_1 in the program code of the application APP, embedding the characteristic information of the application APP encrypted with the symmetric key K_1 in the program code of the application APP, and embedding the inverted symmetric key K'_1, obtained by bitwise negation of the symmetric key K_1, in the program code of the application APP.
Preferably, the method further comprises the following steps:
S21, starting the application APP and searching for the public key digital certificate C_T of the terminal;
S22, when the public key digital certificate C_T of the terminal is found, reading the inverted symmetric key K'_1 in the program code of the application APP, obtaining the symmetric key K_1 by bitwise negation of the inverted symmetric key K'_1, and decrypting, with the symmetric key K_1, the encrypted characteristic information of the application APP in the program code of the application APP to obtain the characteristic information of the application APP;
S23, parsing, by the application APP, the characteristic information of the application APP in the public key digital certificate C_T and the validity period of the public key digital certificate C_T;
S24, comparing the characteristic information of the application APP obtained in steps S22 and S23, and, when the comparison result is consistent, judging whether the public key digital certificate C_T is within its validity period;
S25, reading the encrypted CA certificate C'_1 in the program code of the application APP, and decrypting the encrypted CA certificate C'_1 with the symmetric key K_1 to obtain the CA certificate C_1;
S26, verifying the signature of the public key digital certificate C_T based on the CA certificate C_1 to obtain a signature verification result;
S27, when the signature verification result is successful, generating a random number R by the application APP, sending the random number R to the security module, and obtaining the signed random number S_R through the signature of the security module;
S28, verifying the signed random number S_R based on the public key digital certificate C_T to obtain a random number verification result;
S29, when the verification result is a pass, the application APP runs normally.
Preferably, the public key of the terminal includes: an SM2 public key, an RSA public key, and an ECC public key.
Preferably, the APP management authority collects the public key associated with the terminal to be authorized in one of the following ways:
obtaining it from a terminal certificate request file; or
obtaining it from an already issued digital certificate of the terminal that is used for identity authentication between the terminal and the master station.
Preferably, the public key digital certificate C_T issued for the terminal includes: an SM2 (Chinese national cryptographic algorithm), RSA, or ECC public key certificate.
Preferably, the characteristic information of the application APP includes: the application APP name, the application APP manufacturer, the version number and a unique identifier.
Preferably, the validity period of the public key digital certificate C_T is the period for which the application APP license authorizes the terminal to use the APP.
According to another aspect of the present invention, the present invention provides a system for authorizing application permission of an industrial Internet of things terminal, the system comprising:
an initial unit, configured to configure a security module for a terminal to be authorized, the security module including a unique public key and a unique private key associated with the terminal;
an acquisition unit, configured to collect the public key associated with the terminal to be authorized through an application APP management authority and send the public key to a digital certificate issuing authority;
an issuing unit, configured to issue, through the digital certificate issuing authority, a public key digital certificate C_T for the terminal to be authorized based on the public key, the public key digital certificate C_T including the public key associated with the terminal, the characteristic information of the application APP and the validity period of the public key digital certificate C_T;
a processing unit, configured to encrypt the CA certificate C_1 with the symmetric key K_1 to obtain an encrypted CA certificate C'_1, embed the encrypted CA certificate C'_1 in the program code of the application APP, embed the characteristic information of the application APP encrypted with the symmetric key K_1 in the program code of the application APP, and embed the inverted symmetric key K'_1, obtained by bitwise negation of the symmetric key K_1, in the program code of the application APP.
Preferably, the method further comprises the following steps:
a search unit, configured to start the application APP and search for the public key digital certificate C_T of the terminal;
a first obtaining unit, configured to, when the public key digital certificate C_T of the terminal is found, read the inverted symmetric key K'_1 in the program code of the application APP, obtain the symmetric key K_1 by bitwise negation of the inverted symmetric key K'_1, and decrypt, with the symmetric key K_1, the encrypted characteristic information of the application APP in the program code of the application APP to obtain the characteristic information of the application APP;
an analysis unit, configured to parse, through the application APP, the characteristic information of the application APP in the public key digital certificate C_T and the validity period of the public key digital certificate C_T;
a comparison unit, configured to compare the characteristic information of the application APP obtained by the first obtaining unit and the analysis unit, and, when the comparison result is consistent, judge whether the public key digital certificate C_T is within its validity period;
a decryption unit, configured to read the encrypted CA certificate C'_1 in the program code of the application APP and decrypt the encrypted CA certificate C'_1 with the symmetric key K_1 to obtain the CA certificate C_1;
a first verification unit, configured to verify the signature of the public key digital certificate C_T based on the CA certificate C_1 to obtain a signature verification result;
a second obtaining unit, configured to, when the signature verification result is successful, generate a random number R through the application APP, send the random number R to the security module, and obtain the signed random number S_R through the signature of the security module;
a second verification unit, configured to verify the signed random number S_R based on the public key digital certificate C_T to obtain a random number verification result;
and a result unit, configured to run the application APP normally when the verification result is a pass.
Preferably, the public key of the terminal includes: an SM2 public key, an RSA public key, and an ECC public key.
Preferably, the APP management authority collects the public key associated with the terminal to be authorized in one of the following ways:
obtaining it from a terminal certificate request file; or
obtaining it from an already issued digital certificate of the terminal that is used for identity authentication between the terminal and the master station.
Preferably, the public key digital certificate C_T issued for the terminal includes: an SM2 (Chinese national cryptographic algorithm), RSA, or ECC public key certificate.
Preferably, the characteristic information of the application APP includes: the application APP name, the application APP manufacturer, the version number and a unique identifier.
Preferably, the validity period of the public key digital certificate C_T is the period for which the application APP license authorizes the terminal to use the APP.
The technical scheme of the invention provides a method and a system for authorizing application permission of an industrial Internet of things terminal, wherein the method comprises the following steps: S11, configuring a security module for the terminal to be authorized, wherein the security module comprises a unique public key and a unique private key associated with the terminal; S12, collecting, by the APP management authority, the public key associated with the terminal to be authorized, and sending the public key to the digital certificate issuing authority; S13, issuing, by the digital certificate issuing authority, a public key digital certificate C_T for the terminal to be authorized based on the public key, the public key digital certificate C_T including the public key associated with the terminal, the characteristic information of the application APP and the validity period of the public key digital certificate C_T; S14, encrypting the CA certificate C_1 with the symmetric key K_1 to obtain an encrypted CA certificate C'_1, embedding the encrypted CA certificate C'_1 in the program code of the application APP, embedding the characteristic information of the application APP encrypted with the symmetric key K_1 in the program code of the application APP, and embedding the inverted symmetric key K'_1, obtained by bitwise negation of the symmetric key K_1, in the program code of the application APP. The technical scheme of the invention solves the problem that existing industrial Internet of things terminal APPs cannot be effectively protected against illegal copying and use, and similar problems.
Drawings
A more complete understanding of exemplary embodiments of the present invention may be had by reference to the following drawings in which:
FIG. 1 is a flow chart of a method for authorization of industrial IoT terminal application in accordance with a preferred embodiment of the present invention; and
FIG. 2 is a block diagram of a system for authorization of industrial IoT terminal application according to a preferred embodiment of the present invention.
Detailed Description
Example embodiments of the present invention will now be described with reference to the accompanying drawings. The invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein, which are provided so that this disclosure is thorough and complete and fully conveys the scope of the invention to those skilled in the art. The terms used in the exemplary embodiments shown in the drawings are not intended to limit the present invention. In the drawings, the same units/elements are denoted by the same reference numerals.
Unless otherwise defined, terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Further, it will be understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense.
FIG. 1 is a flowchart of a method for authorization of application of an industrial IoT terminal according to a preferred embodiment of the invention. To address the problem that existing industrial Internet of things terminal APPs cannot be effectively protected against illegal copying and use, the invention uses a cryptographic algorithm and a security-module-based identity authentication technique to bind the APP to the hardware information of the terminal equipment, so that the APP can identify the terminal, the identity information of the terminal is protected against malicious tampering and forgery, and the level of APP license authorization management for the terminal is effectively improved. The invention provides a security-module-based method for authorizing application permission of an industrial Internet of things terminal, which comprises a method for binding the APP to the terminal security module and a method by which the APP identifies the terminal.
As shown in fig. 1, the present invention provides a method for authorization of application of an industrial internet of things terminal, the method comprising:
S11, configuring a security module for the terminal to be authorized, wherein the security module comprises a unique public key and a unique private key associated with the terminal; preferably, the public key of the terminal comprises: an SM2 public key, an RSA public key, and an ECC public key.
The invention provides a method for binding the APP to the terminal security module.
S12, collecting, by the APP management authority, the public key associated with the terminal to be authorized, and sending the public key to the digital certificate issuing authority;
Preferably, the APP management authority collects the public key associated with the terminal to be authorized in one of the following ways:
obtaining it from a terminal certificate request file; or
obtaining it from an already issued digital certificate of the terminal that is used for identity authentication between the terminal and the master station.
The APP management authority collects the public key information of the security module of the terminal to be authorized.
S13, issuing, by the digital certificate issuing authority, a public key digital certificate C_T for the terminal to be authorized based on the public key, the public key digital certificate C_T including the public key associated with the terminal, the characteristic information of the application APP and the validity period of the public key digital certificate C_T; preferably, the public key digital certificate C_T issued for the terminal includes: an SM2 (Chinese national cryptographic algorithm), RSA, or ECC public key certificate. Preferably, the characteristic information of the application APP includes: the application APP name, the application APP manufacturer, the version number and a unique identifier. Preferably, the validity period of the public key digital certificate C_T is the period for which the application APP license authorizes the terminal to use the APP.
The certificate issuing authority (CA system) issues a public key digital certificate C_T for the terminal to be authorized, wherein the public key in the digital certificate C_T is the public key of the terminal security module; the subject (or an extension) of the digital certificate C_T is bound to the feature information of the APP, which includes, but is not limited to, the APP name, APP manufacturer, version number and unique identifier, and when the APP name or APP manufacturer differs, the unique identifier should differ; the validity period of the digital certificate C_T is the period for which the APP license authorizes the terminal to use the APP.
S14, encrypting the CA certificate C_1 with the symmetric key K_1 to obtain an encrypted CA certificate C'_1, embedding the encrypted CA certificate C'_1 in the program code of the application APP, embedding the characteristic information of the application APP encrypted with the symmetric key K_1 in the program code of the application APP, and embedding the inverted symmetric key K'_1, obtained by bitwise negation of the symmetric key K_1, in the program code of the application APP.
During APP development, the symmetric key K_1 is used to encrypt the CA certificate C_1 to obtain C'_1, and C'_1 is embedded in the program code of the APP; information such as the APP name, APP manufacturer, version number and unique identifier is encrypted with the key K_1 and then embedded in the APP program code; the key K_1 is inverted bit by bit to obtain K'_1, and K'_1 is embedded in the program code of the APP.
The APP and the digital certificate C_T are packaged together and installed in the authorized terminal.
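The packaging in S14 and its reversal at start-up (S22 and S25), as an added Go example that is not code from the patent. AES-256-GCM, the `Embedded` struct and all function names are assumptions, since the page names no cipher or data layout, and the certificate and feature bytes are constructed samples.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Embedded holds the three values S14 fixes in the APP program code.
type Embedded struct {
	InvKey     []byte // K'_1: bitwise negation of K_1
	EncCA      []byte // C'_1: CA certificate C_1 encrypted under K_1
	EncFeature []byte // APP feature information encrypted under K_1
}

// invert is the bitwise negation that maps K_1 to K'_1 and K'_1 back to K_1.
func invert(b []byte) []byte {
	out := make([]byte, len(b))
	for i, v := range b {
		out[i] = ^v
	}
	return out
}

// aead builds AES-GCM under K_1 (assumed cipher; the page names none).
func aead(k1 []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(k1)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// seal encrypts pt and prepends the random nonce to the ciphertext.
func seal(g cipher.AEAD, pt []byte) ([]byte, error) {
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, pt, nil), nil
}

// open reverses seal and fails if the embedded bytes were modified.
func open(g cipher.AEAD, ct []byte) ([]byte, error) {
	if len(ct) < g.NonceSize() {
		return nil, errors.New("embedded ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// Embed is the build-time side (S14).
func Embed(k1, caCert, feature []byte) (Embedded, error) {
	g, err := aead(k1)
	if err != nil {
		return Embedded{}, err
	}
	encCA, err := seal(g, caCert)
	if err != nil {
		return Embedded{}, err
	}
	encFeature, err := seal(g, feature)
	if err != nil {
		return Embedded{}, err
	}
	return Embedded{InvKey: invert(k1), EncCA: encCA, EncFeature: encFeature}, nil
}

// Recover is the run-time side (S22 and S25): K_1 = NOT K'_1, then decrypt.
func Recover(e Embedded) (caCert, feature []byte, err error) {
	g, err := aead(invert(e.InvKey))
	if err != nil {
		return nil, nil, err
	}
	if feature, err = open(g, e.EncFeature); err != nil {
		return nil, nil, err
	}
	if caCert, err = open(g, e.EncCA); err != nil {
		return nil, nil, err
	}
	return caCert, feature, nil
}

func main() {
	k1 := make([]byte, 32) // constructed key K_1
	if _, err := rand.Read(k1); err != nil {
		panic(err)
	}
	// Constructed sample inputs, not real certificate or licence data.
	e, err := Embed(k1, []byte("constructed CA certificate bytes"), []byte("MeterApp|ExampleVendor|1.0.0|app-0001"))
	if err != nil {
		panic(err)
	}
	ca, feat, err := Recover(e)
	fmt.Printf("%s / %s / %v\n", ca, feat, err)
}
```

Bitwise negation only keeps K_1 from appearing verbatim in the binary; K_1 remains derivable from the APP code alone, so the binding to one terminal rests on the security module's private key checked in S27 and S28, not on K_1.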
Preferably, the method further comprises the following steps:
S21, starting the application APP and searching for the public key digital certificate CT of the terminal;
After the APP is started, it first searches for the digital certificate CT; if CT is found under the specified directory, step S22 is performed, otherwise the APP exits.
S22, when the public key digital certificate CT of the terminal is found, reading the inverted symmetric key K'1 from the program code of the application APP, obtaining the symmetric key K1 by bitwise inversion of K'1, and decrypting, with the symmetric key K1, the encrypted characteristic information of the application APP in the program code of the application APP to obtain the characteristic information of the application APP;
The APP reads K'1 from its code and inverts it bit by bit to obtain the key K1; it then reads the ciphertext of the APP name, APP manufacturer, version number and unique identifier from the code and decrypts it with the key K1 to obtain the plaintext.
S23, parsing, by the application APP, the characteristic information of the application APP and the validity period contained in the public key digital certificate CT;
S24, comparing the characteristic information of the application APP obtained in steps S22 and S23 and, when the comparison result is consistent, judging whether the public key digital certificate CT is within its validity period;
The APP parses the digital certificate CT and compares information such as the APP name, APP manufacturer, version number and unique identifier in CT with the decrypted information read from the code; if the comparison result is consistent, S24 is performed, otherwise the APP exits;
The APP acquires the system time; if the current time is within the validity period of the digital certificate CT, step S25 is performed, otherwise the APP exits;
S25, reading the encrypted CA certificate C'1 from the program code of the application APP and decrypting C'1 with the symmetric key K1 to obtain the CA certificate C1;
S26, verifying the signature of the public key digital certificate CT based on the CA certificate C1 to obtain a signature verification result;
The APP reads C'1 from its code, decrypts it with the key K1 to obtain the CA certificate plaintext C1, and uses C1 to verify the signature of the digital certificate CT; if the verification succeeds, step S27 is performed, otherwise the APP exits.
S27, when the signature verification result is successful, generating a random number R by the application APP, sending the random number R to the security module, and obtaining the signed random number SR from the security module;
The APP generates a random number R and sends it to the security module for signing to obtain SR.
S28, verifying the signed random number SR based on the public key digital certificate CT to obtain a random number verification result;
S29, when the verification result is a pass, the application APP runs normally.
The APP uses the digital certificate CT to verify the security module's signature SR on R; if the verification passes, the APP runs normally, otherwise the APP exits.
According to the invention, a security module is configured in the industrial Internet of things terminal and combined with cryptographic algorithms to strengthen the APP's ability to authenticate the identity of the terminal, so that the APP can be effectively prevented from being illegally copied and used, and the legitimate intellectual property of the APP supplier is protected.
The invention binds the APP information to the terminal hardware information, can effectively control the number of installations of the APP, and is convenient for APP authorization management.
The invention can effectively prevent the information of the APP and the terminal from being tampered with, and can promote the development of industrial Internet of things terminals toward intelligent, APP-based operation.
The invention provides an industrial Internet of things terminal application permission authorization method based on a security module, which comprises a binding method of an APP and a terminal security module and an identification method of the APP on terminal identity.
Examples of specific applications of the invention are as follows:
(1) binding method of APP and terminal security module
1) The terminal to be authorized should be configured with a security module, and the security module has a unique public key and a unique private key.
2) The APP management mechanism collects the public key information of the security module of the terminal to be authorized; the security module public key may be an SM2 public key, an RSA public key, an ECC public key, or the like. The acquisition modes include but are not limited to: obtaining it from a terminal certificate request file (P10 format); or obtaining it from an issued terminal digital certificate used for identity authentication between the terminal and the master station.
3) The certificate issuing authority (CA system) issues a public key digital certificate CT for the terminal to be authorized; CT adopts the X.509 v3 digital certificate format and can be an SM2, RSA or ECC public key certificate, etc. The public key in the digital certificate CT is the public key of the terminal security module. The subject of the digital certificate CT is as follows:
CN=power distribution terminal
SERIALNUMBER=0114234801001C09
APPNAME=IEC104
APPVENDOR=ABC Co.,Ltd
APPVERSION=1.23.07.69
APPID=61309F2359B803721A2C8D042383EAD1
OU=CEPRI
O=SGCC
C=CN
Here, SERIALNUMBER is the serial number of the security module; APPNAME is the APP name, APPVENDOR is the APP manufacturer, and APPVERSION is the APP version number; APPID is the unique APP identifier, and the unique identifiers should be different when the APP names or APP manufacturers are different.
The validity period of the digital certificate CT is from 12:00:00 on December 20, 2021 to 12:00:00 on December 20, 2031, i.e. the period for which the terminal is authorized to use the APP is 10 years.
4) In the APP development process, the symmetric key K1 is used to encrypt the CA certificate C1, giving C'1, and C'1 is embedded in the program code of the APP; information such as the APP name, APP manufacturer, version number and unique identifier is encrypted with the key K1 and embedded in the APP program code; the key K1 is inverted bit by bit to give K'1, and K'1 is embedded in the program code of the APP. The key K1 can be a 16-byte SM4, SM7, AES or 3DES key, etc.
5) The APP executable file, the configuration file and the digital certificate CT are compressed together into a tar package and installed in the authorized terminal.
(2) Method for identifying terminal identity by APP
1) After the APP is started, it first searches for the digital certificate CT in a specified directory (such as /data/APP/IEC 104/cer); if CT is found under the specified directory, step 2) is performed, otherwise the APP exits;
2) The APP reads K'1 from its code and inverts it bit by bit to obtain the key K1; it then reads the ciphertext of the APP name, APP manufacturer, APP version number and unique identifier from the code and decrypts it with the key K1 to obtain the plaintext;
3) The APP parses the digital certificate CT and compares the values of the APPNAME, APPVENDOR, APPVERSION and APPID fields in the subject of CT (namely the APP name, APP manufacturer, version number and unique identifier) with the decrypted information read from the code; if the comparison results are consistent, step 4) is performed, otherwise the APP exits;
4) The APP obtains the system time; if the current time (such as 15:00:00 on December 20, 2021) is within the validity period of the digital certificate CT, step 5) is performed, otherwise the APP exits;
5) The APP reads C'1 from its code, decrypts it with the key K1 to obtain the CA certificate plaintext C1, and uses C1 to verify the signature of the digital certificate CT; if the verification succeeds, step 6) is performed, otherwise the APP exits;
6) The APP generates a random number R and sends it to the security module for signing to obtain SR; the length of the random number R can be 8 bytes, 16 bytes, etc. (the length should not be less than 8 bytes);
7) The APP uses the digital certificate CT to verify the security module's signature SR on R; if the verification passes (namely the terminal is legitimately authorized to use the APP), the APP runs normally, otherwise the APP exits.
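The identification procedure in steps 1) to 7), as an added example that is not code from the patent. Assumptions: the certificate is a simplified dictionary model rather than real X.509, `xor_stream` stands in for SM4/AES, `ToyKey` (textbook RSA on Mersenne primes) stands in for the CA key and the security module's SM2/RSA/ECC key, and all function names and sample keys are constructed for illustration.

```python
import hashlib
import secrets
from datetime import datetime

E = 65537
FEATURE_KEYS = ("APPNAME", "APPVENDOR", "APPVERSION", "APPID")

def xor_stream(key, label, data):
    """Stand-in for SM4/AES (assumption): XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + label + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def invert(key):
    """K1 <-> K'1: bitwise NOT of every byte."""
    return bytes(b ^ 0xFF for b in key)

def digest_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

class ToyKey:
    """Stand-in key pair (assumption): textbook RSA on Mersenne primes, demo only."""
    def __init__(self, p_exp, q_exp):
        p, q = 2**p_exp - 1, 2**q_exp - 1
        self.n = p * q                              # public modulus
        self._d = pow(E, -1, (p - 1) * (q - 1))     # private exponent
    def sign(self, msg):
        return pow(digest_int(msg), self._d, self.n)

def verify(n, msg, sig):
    return pow(sig, E, n) == digest_int(msg)

def tbs(cert):
    """Bytes covered by the CA signature in this simplified certificate model."""
    subject = ";".join(f"{k}={v}" for k, v in sorted(cert["subject"].items()))
    return "|".join([subject, cert["not_before"].isoformat(),
                     cert["not_after"].isoformat(), str(cert["pubkey"])]).encode()

def issue_cert(ca, subject, not_before, not_after, pubkey):
    cert = {"subject": dict(subject), "not_before": not_before,
            "not_after": not_after, "pubkey": pubkey}
    cert["sig"] = ca.sign(tbs(cert))
    return cert

def build_app(k1, ca_pub, features):
    """Values embedded in the APP code at development time (binding step 4)."""
    blob = "\n".join(f"{k}={features[k]}" for k in FEATURE_KEYS).encode()
    return {"k1_inv": invert(k1),                                   # K'1
            "features_enc": xor_stream(k1, b"feat", blob),
            "ca_enc": xor_stream(k1, b"ca", str(ca_pub).encode())}  # C'1

def check_license(app, cert, module_sign, now):
    """Run identification steps 1) to 7); return "OK" or the rejecting step."""
    if cert is None:
        return "step 1: CT not found"
    k1 = invert(app["k1_inv"])                      # step 2: recover K1 from K'1
    plain = xor_stream(k1, b"feat", app["features_enc"]).decode()
    embedded = dict(line.split("=", 1) for line in plain.split("\n"))
    if any(cert["subject"].get(k) != embedded[k] for k in FEATURE_KEYS):
        return "step 3: feature mismatch"
    if not cert["not_before"] <= now <= cert["not_after"]:
        return "step 4: outside validity period"
    ca_pub = int(xor_stream(k1, b"ca", app["ca_enc"]).decode())
    if not verify(ca_pub, tbs(cert), cert["sig"]):
        return "step 5: CA signature invalid"
    r = secrets.token_bytes(16)                     # step 6: fresh 16-byte R
    s_r = module_sign(r)                            # signed inside the security module
    if not verify(cert["pubkey"], r, s_r):
        return "step 7: security module signature invalid"
    return "OK"

# Constructed sample data; subject values are the ones listed in the description.
SUBJECT = {"CN": "power distribution terminal", "SERIALNUMBER": "0114234801001C09",
           "APPNAME": "IEC104", "APPVENDOR": "ABC Co.,Ltd",
           "APPVERSION": "1.23.07.69", "APPID": "61309F2359B803721A2C8D042383EAD1",
           "OU": "CEPRI", "O": "SGCC", "C": "CN"}
CA = ToyKey(521, 607)
MODULE_A = ToyKey(127, 521)    # security module of the authorized terminal
MODULE_B = ToyKey(89, 607)     # security module of some other terminal
K1 = bytes(range(16))
CT = issue_cert(CA, SUBJECT, datetime(2021, 12, 20, 12),
                datetime(2031, 12, 20, 12), MODULE_A.n)
APP = build_app(K1, CA.n, SUBJECT)
NOW = datetime(2021, 12, 20, 15)

def demo():
    forged = dict(CT, not_after=datetime(2041, 12, 20, 12))  # validity edited after issuance
    return {
        "authorized": check_license(APP, CT, MODULE_A.sign, NOW),
        "copied": check_license(APP, CT, MODULE_B.sign, NOW),
        "expired": check_license(APP, CT, MODULE_A.sign, datetime(2032, 1, 1)),
        "forged": check_license(APP, forged, MODULE_A.sign, datetime(2035, 1, 1)),
    }

if __name__ == "__main__":
    print(demo())
```

The copied and forged cases are rejected by the two signature checks, not by the embedded values: K'1 is only the bitwise complement of K1, so what K1 encrypts inside the APP code is obfuscated rather than secret, and the binding rests on the CA signature over CT and on the private key held in the security module.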
Fig. 2 is a block diagram of a system for industrial Internet of things terminal application license authorization according to a preferred embodiment of the present invention.
As shown in fig. 2, the present invention provides a system for authorizing the application license of an industrial Internet of things terminal, the system comprising:
an initial unit 201, configured to configure a security module for a terminal to be authorized, the security module including a unique public key and a unique private key associated with the terminal; preferably, the public key of the terminal comprises: SM2 public key, RSA public key, and ECC public key.
an acquisition unit 202, configured to acquire, by an APP management mechanism, a public key associated with the terminal to be authorized and send the public key to a digital certificate issuing mechanism;
preferably, the APP management mechanism acquires the public key associated with the terminal to be authorized in one of the following ways:
obtaining it from a terminal certificate request file; or
obtaining it from an issued terminal digital certificate used for identity authentication between the terminal and the master station.
Preferably, the public key digital certificate CT issued for the terminal comprises: an SM2, RSA or ECC public key certificate.
an issuing unit 203, configured to issue, by the digital certificate issuing mechanism and based on the public key, a public key digital certificate CT for the terminal to be authorized, the public key digital certificate CT including the public key associated with the terminal, the characteristic information of the application APP and the validity period of the public key digital certificate CT;
a processing unit 204, configured to encrypt the CA certificate C1 with the symmetric key K1 to obtain an encrypted CA certificate C'1, embed the encrypted CA certificate C'1 in the program code of the application APP, embed the characteristic information of the application APP encrypted with the symmetric key K1 in the program code of the application APP, and embed the inverted symmetric key K'1, obtained by bitwise inversion of the symmetric key K1, in the program code of the application APP.
Preferably, the characteristic information of the application APP includes: the application APP name, the application APP manufacturer, the version number and the unique identifier.
Preferably, the system further comprises:
a search unit, configured to start the application APP and search for the public key digital certificate CT of the terminal;
a first obtaining unit, configured to, when the public key digital certificate CT of the terminal is found, read the inverted symmetric key K'1 from the program code of the application APP, obtain the symmetric key K1 by bitwise inversion of K'1, and decrypt, with the symmetric key K1, the encrypted characteristic information of the application APP in the program code of the application APP to obtain the characteristic information of the application APP;
a parsing unit, configured to parse, by the application APP, the characteristic information of the application APP and the validity period contained in the public key digital certificate CT;
a comparison unit, configured to compare the characteristic information of the application APP acquired in the acquisition unit and the analysis unit and, when the comparison result is consistent, judge whether the public key digital certificate CT is within its validity period;
a decryption unit, configured to read the encrypted CA certificate C'1 from the program code of the application APP and decrypt C'1 with the symmetric key K1 to obtain the CA certificate C1;
a first verification unit, configured to verify the signature of the public key digital certificate CT based on the CA certificate C1 to obtain a signature verification result;
a second obtaining unit, configured to, when the signature verification result is successful, generate a random number R by the application APP, send the random number R to the security module, and obtain the signed random number SR from the security module;
a second verification unit, configured to verify the signed random number SR based on the public key digital certificate CT to obtain a random number verification result;
and a result unit, configured to let the application APP run normally when the verification result is a pass.
Preferably, the validity period of the public key digital certificate CT is the period for which the terminal is authorized to use the application APP.
The system 200 for authorizing the application of the industrial internet of things terminal in the preferred embodiment of the present invention corresponds to the method 100 for authorizing the application of the industrial internet of things terminal in the preferred embodiment of the present invention, and will not be described herein again.
The invention has been described with reference to a few embodiments. However, other embodiments of the invention than the one disclosed above are equally possible within the scope of the invention, as would be apparent to a person skilled in the art from the appended patent claims.
Generally, all terms used in the claims are to be interpreted according to their ordinary meaning in the technical field, unless explicitly defined otherwise herein. All references to "a/the [device, component, etc.]" are to be interpreted openly as at least one instance of a device, component, etc., unless explicitly stated otherwise. The steps of any method disclosed herein do not have to be performed in the exact order disclosed, unless explicitly stated.

Claims (14)

1. A method for industrial Internet of things terminal application license authorization, the method comprising:
S11, configuring a security module for a terminal to be authorized, wherein the security module comprises a unique public key and a unique private key associated with the terminal;
S12, acquiring, by an APP management mechanism, a public key associated with the terminal to be authorized, and sending the public key to a digital certificate issuing mechanism;
S13, issuing, by the digital certificate issuing mechanism and based on the public key, a public key digital certificate CT for the terminal to be authorized, the public key digital certificate CT including the public key associated with the terminal, the characteristic information of the application APP and the validity period of the public key digital certificate CT;
S14, encrypting the CA certificate C1 with the symmetric key K1 to obtain an encrypted CA certificate C'1, embedding the encrypted CA certificate C'1 in the program code of the application APP, embedding the characteristic information of the application APP encrypted with the symmetric key K1 in the program code of the application APP, and embedding the inverted symmetric key K'1, obtained by bitwise inversion of the symmetric key K1, in the program code of the application APP.
2. The method of claim 1, further comprising:
S21, starting the application APP, and searching for the public key digital certificate CT of the terminal;
S22, when the public key digital certificate CT of the terminal is found, reading the inverted symmetric key K'1 from the program code of the application APP, obtaining the symmetric key K1 by bitwise inversion of the inverted symmetric key K'1, and decrypting, with the symmetric key K1, the encrypted characteristic information of the application APP in the program code of the application APP to obtain the characteristic information of the application APP;
S23, parsing, by the application APP, the characteristic information of the application APP and the validity period contained in the public key digital certificate CT;
S24, comparing the characteristic information of the application APP obtained in steps S22 and S23 and, when the comparison result is consistent, judging whether the public key digital certificate CT is within its validity period;
S25, reading the encrypted CA certificate C'1 from the program code of the application APP, and decrypting the encrypted CA certificate C'1 with the symmetric key K1 to obtain the CA certificate C1;
S26, verifying the signature of the public key digital certificate CT based on the CA certificate C1 to obtain a signature verification result;
S27, when the signature verification result is successful, generating a random number R by the application APP, sending the random number R to the security module, and obtaining the signed random number SR from the security module;
S28, verifying the signed random number SR based on the public key digital certificate CT to obtain a random number verification result;
S29, when the verification result is a pass, the application APP runs normally.
3. The method of claim 1, the public key of the terminal comprising: SM2 public key, RSA public key, and ECC public key.
4. The method of claim 1, wherein the acquiring, by the APP management mechanism, of the public key associated with the terminal to be authorized comprises:
obtaining it from a terminal certificate request file; or
obtaining it from an issued terminal digital certificate used for identity authentication between the terminal and the master station.
5. The method of claim 1, wherein the public key digital certificate CT issued for the terminal comprises: an SM2, RSA or ECC public key certificate.
6. The method of claim 1, wherein the characteristic information of the application APP comprises: the application APP name, the application APP manufacturer, the version number and the unique identifier.
7. The method of claim 1, wherein the validity period of the public key digital certificate CT is the period for which the terminal is authorized to use the application APP.
8. A system for industrial Internet of things terminal application license authorization, the system comprising:
an initial unit configured to configure a security module for a terminal to be authorized, the security module comprising a unique public key and private key associated with the terminal;
an acquisition unit, configured to acquire, by an application APP management mechanism, a public key associated with the terminal to be authorized and send the public key to a digital certificate issuing mechanism;
an issuing unit, configured to issue, by the digital certificate issuing mechanism and based on the public key, a public key digital certificate CT for the terminal to be authorized, the public key digital certificate CT including the public key associated with the terminal, the characteristic information of the application APP and the validity period of the public key digital certificate CT;
a processing unit, configured to encrypt the CA certificate C1 with the symmetric key K1 to obtain an encrypted CA certificate C'1, embed the encrypted CA certificate C'1 in the program code of the application APP, embed the characteristic information of the application APP encrypted with the symmetric key K1 in the program code of the application APP, and embed the inverted symmetric key K'1, obtained by bitwise inversion of the symmetric key K1, in the program code of the application APP.
9. The system of claim 8, further comprising:
a search unit, configured to start the application APP and search for the public key digital certificate CT of the terminal;
a first obtaining unit, configured to, when the public key digital certificate CT of the terminal is found, read the inverted symmetric key K'1 from the program code of the application APP, obtain the symmetric key K1 by bitwise inversion of the inverted symmetric key K'1, and decrypt, with the symmetric key K1, the encrypted characteristic information of the application APP in the program code of the application APP to obtain the characteristic information of the application APP;
an analysis unit, configured to parse, by the application APP, the characteristic information of the application APP and the validity period contained in the public key digital certificate CT;
a comparison unit, configured to compare the characteristic information of the application APP acquired in the acquisition unit and the analysis unit and, when the comparison result is consistent, judge whether the public key digital certificate CT is within its validity period;
a decryption unit, configured to read the encrypted CA certificate C'1 from the program code of the application APP and decrypt the encrypted CA certificate C'1 with the symmetric key K1 to obtain the CA certificate C1;
a first verification unit, configured to verify the signature of the public key digital certificate CT based on the CA certificate C1 to obtain a signature verification result;
a second obtaining unit, configured to, when the signature verification result is successful, generate a random number R by the application APP, send the random number R to the security module, and obtain the signed random number SR from the security module;
a second verification unit, configured to verify the signed random number SR based on the public key digital certificate CT to obtain a random number verification result;
and a result unit, configured to let the application APP run normally when the verification result is a pass.
10. The system of claim 9, the public key of the terminal comprising: SM2 public key, RSA public key, and ECC public key.
11. The system of claim 9, wherein the acquiring, by the APP management mechanism, of the public key associated with the terminal to be authorized comprises:
obtaining it from a terminal certificate request file; or
obtaining it from an issued terminal digital certificate used for identity authentication between the terminal and the master station.
12. The system of claim 9, wherein the public key digital certificate CT issued for the terminal comprises: an SM2, RSA or ECC public key certificate.
13. The system of claim 9, wherein the characteristic information of the application APP comprises: the application APP name, the application APP manufacturer, the version number and the unique identifier.
14. The system of claim 9, wherein the validity period of the public key digital certificate CT is the period for which the terminal is authorized to use the application APP.
CN202210291358.9A 2022-03-23 2022-03-23 Method and system for application license authorization of industrial Internet of things terminal Active CN114785514B (en)


Publications (2)

Publication Number    Publication Date
CN114785514A (en)    2022-07-22
CN114785514B (en)    2023-11-14

Family ID: 82425134

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant