WO2012149717A1 - License dynamic management method, device and system based on tcm or tpm - Google Patents

License dynamic management method, device and system based on tcm or tpm Download PDF

Info

Publication number
WO2012149717A1
WO2012149717A1 PCT/CN2011/079141 CN2011079141W WO2012149717A1 WO 2012149717 A1 WO2012149717 A1 WO 2012149717A1 CN 2011079141 W CN2011079141 W CN 2011079141W WO 2012149717 A1 WO2012149717 A1 WO 2012149717A1
Authority
WO
WIPO (PCT)
Prior art keywords
license
data packet
function
public key
changed
Prior art date
Application number
PCT/CN2011/079141
Other languages
French (fr)
Chinese (zh)
Inventor
石峰
张羽
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Priority to PCT/CN2011/079141 priority Critical patent/WO2012149717A1/en
Priority to CN201180004976.0A priority patent/CN102986162B/en
Publication of WO2012149717A1 publication Critical patent/WO2012149717A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/60Digital content management, e.g. content distribution
    • H04L2209/603Digital right managament [DRM]

Definitions

  • the present invention relates to the field of information technology, and in particular, to a TCM or TPM-based license dynamic management method, device and system.
  • License is the permission identifier of the customer to use the product. Different customers have different functional requirements for the product. Therefore, the product manufacturer will provide different licenses for customers to choose to purchase to meet the customer's needs, but the manufacturer prevents it in order to protect its own interests. The license is cracked or stolen, and the license needs to be securely managed.
  • the prior art provides a method for managing a license.
  • the specific operation of the method may be: the client requests the utility function A, the server generates a temporary enable message and sends the message to the client, and the client temporarily starts the function according to the temporary enable message.
  • the client sends a message to the server to purchase the feature A.
  • the server issues a start message, and the client permanently enables the feature A according to the start message.
  • the technical solution provided by the prior art does not consider the security of the intermediate transaction when the activation of the functional component A (including temporary or purchase), so the security of the prior art technical solution is low.
  • the dynamic management method of the license is designed to solve the problem of low security of the prior art.
  • the invention also provides a dynamic management support method for a license based on TCM or TPM.
  • the invention also provides a dynamic management device based on a TCM or TPM license.
  • the present invention also provides a support device for dynamic management of a license based on TCM or TPM.
  • the invention also provides a license management system.
  • the present invention provides a method for dynamically managing a license based on a TCM or a TPM, the method comprising:
  • the function list includes: a software and hardware function in the local device;
  • the key pair includes: a private key K S2 and a public key K P2 ;
  • the first data packet includes: a public key K P2 and a function to be changed ;
  • the second data packet encrypted by using the public key K P2 specifically includes: a license calculated for the local unique identifier and the function to be changed;
  • the encrypted second data packet is decrypted by using the private key K S2 to obtain a license, and the configuration of the function to be changed is completed according to the license.
  • the present invention provides a TCM based or TPM based A dynamic management support method for a license, characterized in that the method includes:
  • the first data packet includes: a public key K P2 and a function to be changed;
  • the present invention also provides a TCM based or TPM based Dynamic management device for the license, the device comprising:
  • a configuration unit configured to configure a public key K P1 in the local device
  • a receiving unit configured to receive a function to be changed selected by the customer according to the function list, where the function list includes: a software and hardware function in the local device;
  • a key generating unit configured to generate a key pair according to the local identification information, where the key pair includes: a private key K S2 and a public key K P2 ;
  • An encryption unit configured to generate a first data packet according to the public key K P2 and the function to be changed, and encrypt the first data packet by using the public key K P1 , where the first data packet includes: a public key K P2 And the function to be changed;
  • a sending unit configured to send the encrypted first data packet and the local unique identifier to the server, so that the server can obtain the private key K S1 according to the local unique identifier; and decrypt the first key according to the private key K S1 a public key K P2 obtained by a data packet and a function to be changed;
  • the receiving unit is further configured to receive a second data packet that is encrypted by using the public key K P2 , where the second data packet includes: a license that is calculated by a local unique identifier and a function to be changed;
  • the decryption configuration unit is configured to decrypt the encrypted second data packet by using the private key K S2 to obtain a license, and complete the configuration of the function to be changed according to the license; the private key K S1 and the public key K P1 are a key pair.
  • the invention further provides a TCM based or TPM A dynamic management support device for the license, the device comprising:
  • a configuration unit configured to configure a correspondence between the private key K S1 and the private key K S1 and the unique identifier of the client in the server;
  • a receiving unit configured to receive a unique identifier sent by the client and a first data packet encrypted by using a public key K P1 , where the first data packet includes: a public key K P2 and a function to be changed;
  • a decryption unit configured to decrypt, by using the private key K S1 , the encrypted first data packet to obtain a public key K P2 in the first data packet and a function to be changed;
  • Querying unit configured to query the corresponding relationship between the private key K S1 and uniquely identifies the client to the private key K S1 according to a unique identifier
  • the calculation sending unit is configured to calculate a license according to the unique identifier and the function to be changed, encrypt the license with the public key K P2 to obtain a second data packet, and send the second data packet to the client.
  • the present invention provides a license management system, the system comprising: a client and a server; wherein the client stores a public key K P1 ; the server stores a private key K S1 and a private key K S1 Corresponding relationship with the unique identifier of the client; the private key K S1 and the public key K P1 are a key pair;
  • the client is configured to receive a function to be changed selected by the client according to the function list, and generate a key pair according to the local identification information, where the key pair includes: a private key K S2 and a public key K P2 ; according to the public key K P2 and the function to be changed generate a first data packet, and encrypt the first data packet with the public key K P1 , the first data packet includes: a public key K P2 and a function to be changed; the function
  • the list includes: hardware and software functions within the local device;
  • the client is further configured to send the encrypted first data packet and the local unique identifier to the server;
  • the server is configured to query the private key K S1 from the correspondence between the private key K S1 and the unique identifier of the client according to the unique identifier, and use the private key K S1 to decrypt the encrypted first data packet to obtain the first data packet.
  • the public key K P2 and the function to be changed calculate the license according to the unique identifier and the function to be changed, encrypt the license with the public key K P2 to obtain the second data packet, and send the second data packet to the client;
  • the client is further configured to decrypt the second data packet by using the private key K S2 to obtain a license, and complete the configuration of the function to be changed according to the license.
  • the present invention has the beneficial effects that the present invention applies the key pair to encrypt the message in the transaction process of the functional component, so the method provided by the present invention has the advantage of high security.
  • FIG. 1 is a flowchart of a method for dynamically managing a license based on a TCM or a TPM according to the present invention
  • FIG. 2 is a flowchart of a method for dynamically managing a license based on a TCM or a TPM according to the present invention
  • FIG. 3 is a flowchart of a method for dynamically managing a license based on a TCM or a TPM according to an embodiment of the present invention
  • FIG. 4 is a flowchart of a method for dynamically managing a license based on a TCM or a TPM according to another embodiment of the present invention
  • FIG. 5 is a structural diagram of a dynamic management apparatus for a license based on a TCM or a TPM according to the present invention
  • FIG. 6 is a structural diagram of a device for dynamically managing a license based on a TCM or a TPM according to the present invention.
  • the present invention provides a dynamic management method for a license based on TCM or TPM.
  • TCM Trusted Cryptography Module
  • TPM Trusted Platform Module
  • the method is shown in Figure 1. The method is completed by the client. Before performing the following method, the manufacturer needs to configure the public key K P1 in the local device. The method includes the following steps:
  • the local identification information includes: information that can identify the local device;
  • the foregoing first data packet may include: a public key K P2 and a function to be changed.
  • S14 Send the encrypted first data packet and the local unique identifier to the server, so that the server can obtain the private key K S1 according to the local unique identifier; and decrypt the first data packet according to the private key K S1 The obtained public key K P2 and the function to be changed;
  • the second data packet that is sent by the receiving server and encrypted by using the public key K P2 , where the second data packet includes: a license that is calculated for the local unique identifier and the function to be changed;
  • the license may be specifically: the server uses the K S1 decryption to obtain the to-be-changed function of the encrypted first data packet in the S14, and calculates the function and the unique identifier to be changed to obtain a license; in addition, the private key K S1 can uniquely identify from the query based on the corresponding relationship that uniquely identifies a private key K S1 and pre-configured to the private key K S1.
  • private key K S2 and the public key K P2 are key pairs; the private key K S1 and the public key K P1 are another key pair.
  • the private key K S1 and the private key K S2 belong to completely different private keys
  • the public key K P1 and the public key K P2 belong to completely different public keys
  • the first data packet and the second data packet It also belongs to completely different data.
  • the method provided by the present invention performs license management
  • all data interaction between the local (ie, the client) and the server is encrypted and decrypted by using a key pair, and all the data between them is not easy to be leaked and changed by others, all of which
  • the method has the advantages of improving the security of the license management.
  • since the number of functions to be changed of the method provided by the present invention can be flexibly set, it can improve the flexibility of license management.
  • the foregoing first data packet may further include: a pre-stored ciphertext, when the first data packet includes a pre-stored ciphertext, the server determines the hash value of the ciphertext and obtains according to the unique identifier. When the hash value is consistent, the second data packet with the license hash value of the private key K S1 signature encrypted by the public key K P2 is transmitted.
  • the encrypted second data packet in the foregoing S15 may further include: a license hash value obtained by using the private key K S2 and obtained by the private key K S2 , when the encrypted second data packet includes a license hash value,
  • the method specifically includes the following in S16:
  • the private data K S2 is used to decrypt the encrypted second data packet to obtain the license hash value of the license and the private key K S1 signature, and the license hash value signed by the private key K S1 is decrypted by the public key K P1 to obtain the license hash value, and the decryption value is decrypted.
  • the license hash value is the same as the license hash value calculated by hashing the license, the configuration of the function to be changed is completed according to the license, and the operation is ended.
  • the above method provided by the present invention uses the public key K P1 and the private key K S1 to determine whether the encrypted second data packet in S15 is sent by the server, because the public key K P1 and the private key K S1 are a key pair, such as encryption. After the second data packet is not sent by the server, the public key K P1 cannot decrypt the signed hash value of the signature at all, and the comparison and the confirmation cannot be performed. Therefore, the method further improves the security of the license management.
  • the present invention also provides a dynamic management support method for a license based on TCM or TPM, which is completed by a server.
  • the server is configured with a correspondence between the private key K S1 and the private key K S1 and the unique identifier of the client. Relationship; the method is shown in Figure 2 and includes:
  • the foregoing first data packet may further include: a pre-stored ciphertext.
  • the foregoing method may further include: configuring a ciphertext and a ciphertext hash value in the server before the S21
  • the steps in the foregoing method may further include:
  • the ciphertext hash value is queried from the correspondence between the ciphertext hash value and the client unique identifier, and the hash value of the received ciphertext is calculated to the calculated hash value; the hash value and calculation of the query are compared. If the hash value is consistent, execute S22-S26, otherwise the operation ends.
  • the foregoing S25 may further include: a license hash value obtained by performing a hash value calculation on the license, and the license hash value is encrypted by using a private key K S1 to obtain a license hash value of the private key K S1 signature, and the public key K is used.
  • P2 encrypts the license hash value and license of the private key K S1 to obtain the encrypted second data packet.
  • the license management support method provided by the present invention supports the implementation of the license management method.
  • the embodiment of the present invention provides an embodiment.
  • the method for managing a license is implemented between a client and a server.
  • the method is described by taking the function to be activated as an example.
  • the scenario is that the factory settings are made when the client leaves the factory.
  • the specific settings can be: through TCM/TPM, generate a key pair (such as private key K S1 , public key K P1 ), and the public key is stored in the client's TCM/TPM.
  • the private key is saved by the manufacturer himself.
  • the pair of keys is used for the signature of the manufacturer.
  • the key pair is only at the factory.
  • each factory client will save K P1 ;
  • the client is bound with a unique identifier (such as the client's MAC address, etc.), the identifier can be based on the client The identification of each hardware on the machine (in order to guarantee privacy, it can be its encrypted performance), or it can be a unique code defined by the manufacturer to the client.
  • the unique identifier only serves as a cable.
  • the function is convenient for the manufacturer to query the client for related information in its own database; the client is randomly bound with a ciphertext (the ciphertext can be a randomly generated ciphertext), which is stored in the client's TCM/TPM.
  • the hash value of the ciphertext is stored in the manufacturer server, and the ciphertext is another "identity card" of the client.
  • the manufacturer can determine that the relevant information is from the client.
  • the machine sends the relevant characteristics of the hash algorithm.
  • the hash value is saved, and the identity information can be verified.
  • the manufacturer can add a record containing the following fields to the database managed by the manufacturer through the above settings. Includes: unique identifier, ciphertext ("ID”) hash value, software feature status list, hardware status list, and e-wallet amount.
  • ID unique identifier
  • the method provided in this embodiment may specifically include:
  • the foregoing function list may specifically include, but not limited to, all software and hardware functions, and may also be a function activated or not activated by the client.
  • the display method of the activated or inactive function may be multiple. The method, for example, the activation function adopts a bright display, the inactive function is displayed in a dark color, and of course, the activation function is displayed in green, the inactive function is displayed in red, and the like; in addition, the function list may further include: function list.
  • the client determines a function (which may be software and/or hardware) selected by the user to be activated and how the function is applied (for example, permanent or temporary).
  • a function which may be software and/or hardware
  • the embodiment does not limit the number of functions, and the amount of data can be freely selected by the client, for example, 1, 2, 3 or 4, and the like.
  • the client generates another key pair (private key K S2 , public key K P2 ) according to the identification information on the client (for example, the unique identifier of the hardware).
  • identifier information may be the same as the unique identifier or unique code of the client, and may of course be different.
  • the client generates a first data packet according to the ciphertext, K P2, and the function to be activated, and encrypts the first data packet with K P1 ;
  • the foregoing first data packet may include: ciphertext, K P2, and a function to be activated.
  • the specific manifestation of the function to be activated may be: a list of software functions that the customer needs to use at the time, and a list of hardware that the customer needs to use at the time.
  • the client sends the encrypted first data packet and the unique identifier of the client to the server.
  • the server searches for the K S1 and the hash value corresponding to the unique identifier according to the unique identifier, and decrypts the encrypted first data packet by using the K S1 to obtain the ciphertext, the K P2, and the function to be activated in the first data packet. ;
  • the server performs a hash operation on the ciphertext in the first data packet to obtain a hash value of the ciphertext, and compares the calculated hash value with the hash value queried according to the unique identifier, and if the same, performs the following operations, otherwise Stop the operation.
  • the server calculates a license according to the unique identifier and the function to be activated, performs a hash operation on the license to obtain a hash value of the license, and signs the hash value of the license with K S1 , and signs the signature with K P2 .
  • the hash value of the license and the license are encrypted and sent to the client;
  • the client decrypts with K S2 to obtain the hash value and license of the signed license, and decrypts the hash value of the signed license with K P1 to obtain the license hash value, and compares the decrypted license hash value and the license.
  • the obtained license hash value is the same, and the loading and configuration of the to-be activated function is performed according to the license.
  • the method for loading and configuring the to-be-activated function according to the license may be: storing the license in the TCM/TPM of the client; after the client restarts, from the trusted metric root (Core) Root of Trust Measurement , CTRM) began to build a trusted platform, and finally in the trusted platform to configure the software and hardware functions (to be activated) according to the license.
  • CTRM trusted metric root
  • each message needs to be encrypted and decrypted by a key pair during function configuration and loading, so that it has the advantage of improving the security of the license management.
  • the client when performing encryption, The client is re-authenticated by using the hash value of the random ciphertext, which further improves the security, so that it has the advantage of higher security.
  • the method provided by the embodiment can flexibly configure the to-be activated according to the needs of the client. The function is more in line with the customer's needs, so it has the advantage that the customer can flexibly choose the client configuration.
  • the embodiment of the present invention further provides another embodiment.
  • the present embodiment provides a license management method, which is described by taking the unsubscribe function as an example.
  • the method is the same as the technical scenario of an embodiment, and the specific operation of the method is The process is shown in Figure 4 and includes:
  • the client When the client triggers unsubscription on the client, the client displays a function list.
  • the client determines a function (which may be software and/or hardware) selected by the user to be unsubscribed.
  • the embodiment does not limit the number of functions, and the amount of data can be freely selected by the client, for example, 1, 2, 3 or 4, etc., in addition, in principle, permanent functions and basic functions (ie, no such Features that the feature client cannot run) cannot be unsubscribed.
  • the client generates another key pair (private key K S3 , public key K P3 ) according to the identification information on the client (for example, the unique identifier of the hardware).
  • identifier information may be the same as the unique identifier or unique code of the client, and may of course be different.
  • the client generates a first data packet according to the ciphertext, K P3, and the function to be unsubscribed, and encrypts the first data packet by using the public key K P1 .
  • the foregoing first data packet may include: a ciphertext, a private key K P3, and a function to be unsubscribed.
  • the specific manifestation of the function to be unsubscribed may be: a list of software functions that the customer needs to unsubscribe at the moment, and a list of hardware that the customer needs to unsubscribe at the moment.
  • the client sends the encrypted data and the unique identifier of the client to the server.
  • the server searches for the private key K S1 and the hash value corresponding to the unique identifier according to the unique identifier, and decrypts the encrypted first data packet with the private key K S1 to obtain the ciphertext and the private key K in the first data packet.
  • S46 The server performs a hash operation on the ciphertext in the first data packet to obtain a hash value of the ciphertext, and compares the calculated hash value with the hash value queried according to the unique identifier, and if the same, performs the following operations, otherwise Stop the operation.
  • the server calculates a license according to the unique identifier and the function to be unsubscribed, performs a hash operation on the license to obtain a hash value of the license, and uses the private key K S1 to sign the hash value of the license, and then signs the signature with the public key K P3 .
  • the hash value of the subsequent license is encrypted and sent to the client;
  • the client decrypts with K S3 to obtain the hash value and license of the signed license, and decrypts the hash value of the signed license with K P1 to obtain the license hash value, and compares the decrypted license hash value and the license. If the obtained license hash value is the same, the unsubscribe function is unsubscribed according to the license, and after the unsubscribe is successful, an unsubscribe success message is generated to the server;
  • the server calculates a residual value of the unsubscribe function, and returns the remaining value to the client.
  • the method for unsubscribing the function to be unsubscribed according to the license may be: storing the license in the TCM/TPM of the client; after the client restarts, establishing a trusted platform from the CTRM, and finally The configuration of the software and hardware functions (to be unsubscribed) according to the license in the trusted platform.
  • the method provided in this embodiment provides a function unsubscribe mechanism, which expands the function of the license.
  • the method needs to perform strict encryption and decryption operations when performing function unsubscription, so it also has high security. advantage.
  • a specific embodiment of the present invention also provides a TCM based or TPM
  • the dynamic management device of the license includes:
  • the configuration unit 56 is configured to configure the public key K P1 in the local device
  • the receiving unit 51 is configured to receive a function to be changed selected by the customer according to the function list, where the function list includes: all software and hardware functions in the local device;
  • the key generating unit 52 is configured to generate a key pair according to the local identification information, where the key pair includes: a private key K S2 and a public key K P2 , wherein the identification information is: information that can identify the local device;
  • the encryption unit 53 is configured to generate a first data packet according to the public key K P2 and the function to be changed, and encrypt the first data packet with the public key K P1 ; the first data packet includes: a public key K P2 and the function to be changed;
  • the sending unit 54 is configured to send the encrypted first data packet and the local unique identifier to the server, so that the server can obtain the private key K S1 according to the local unique identifier, and decrypt the public key K S1 according to the private key K S1
  • the public key K P2 obtained by the first data packet and the function to be changed;
  • the receiving unit 51 is further configured to receive the second data packet encrypted by using the public key K P2 , where the second data packet specifically includes: a license obtained by decrypting and calculating the encrypted data by using the private key K S1 ;
  • the decryption configuration unit 55 is configured to decrypt the encrypted second data packet by using the private key K S2 to obtain a license, and complete the configuration of the function to be changed according to the license;
  • the private key K S1 and the public key K P1 are a key pair.
  • the functions to be changed include:
  • the encrypted second data packet may further comprise: a public key K P2 license signature hash value, when the license includes a public key hash value K P2 signature, decryption unit 55 is further arranged for using a private key K S2 decrypts the encrypted second data packet to obtain the license hash value of the license and the private key K S1 signature, and uses the public key K P1 to decrypt the license hash value signed by the private key K S1 to obtain the license hash value, and compares the decrypted license hash.
  • the value is the same as the license hash value calculated for the license, and the configuration of the function to be changed is completed according to the license.
  • the device provided by the present invention performs license management, all data interaction between the local (ie, the license management device, specifically the client) and the server is encrypted and decrypted by using a key pair, and the data between them is not easy. Leaked and changed by others, all of the devices have the advantage of improving license management security.
  • Embodiments of the present invention also provide a TCM based or TPM
  • the dynamic management support device of the license as shown in FIG. 6, includes:
  • the configuration unit 66 is configured to configure a correspondence between the private key K S1 and the private key K S1 and the unique identifier of the client in the server;
  • the receiving unit 61 is configured to receive the unique identifier sent by the client and the first data packet encrypted by using the public key K P1 , where the first data packet includes: a public key K P2 and a function to be changed;
  • the query unit 62 is configured to query the private key K S1 from the pre-configured private key K S1 and the uniquely identified correspondence according to the unique identifier;
  • the decrypting unit 63 is configured to decrypt the data sent by the client by using the private key K S1 to obtain the public key K P2 and the function to be changed;
  • the calculation sending unit 64 is configured to calculate a license according to the unique identifier and the function to be changed, encrypt the license with the public key K P2 to obtain a second data packet, and send the second data packet to the client.
  • the foregoing first data packet further includes: a ciphertext
  • the configuration unit 66 is further configured to configure a correspondence between the ciphertext and the ciphertext hash value and the unique identifier of the client
  • the apparatus further includes:
  • the hash value verification unit 65 is configured to query the key hash value from the correspondence between the ciphertext hash value and the client unique identifier according to the unique identifier, and compare the queryed hash value with the received ciphertext hash value, such as
  • the trigger inquiry unit 62, the decryption unit 63, and the calculation transmission unit 64 perform operations.
  • the calculating sending unit 64 specifically includes:
  • the calculation module 641 is configured to calculate a license according to the unique identifier and the function to be changed, and perform a hash value of the license value calculated by the hash value of the license;
  • the signature module 642 is configured to encrypt the license hash value by using a private key K S1 to obtain a license hash value of the private key K S1 signature.
  • Transmitting encryption module 643, license for using encrypted hash value and the license of the private key of the public key K P2 K S1 signature is encrypted second data packet, sends the packet to the second client.
  • the support device for license management provided by the present invention supports the implementation of the management method of the above license.
  • a specific embodiment of the present invention further provides a management system for a license, the system comprising: a client and a server; wherein the client stores a public key K P1 ; the server stores a private key K S1 and a private key K a correspondence between S1 and a unique identifier of the client; the private key K S1 and the public key K P1 are a key pair;
  • a client configured to receive a function to be changed selected by the client according to the function list, and generate a key pair according to the local identification information, the key pair includes: a private key K S2 and a public key K P2 ; according to the public key K P2 and The function to be changed generates a first data packet, and encrypts the first data packet with a public key K P1 ; the first data packet includes: a public key K P2 and a function to be changed; the function list includes: local Software and hardware functions within the device;
  • the client is further configured to send the encrypted first data packet and the local unique identifier to the server;
  • a server configured to query the private key K S1 from the correspondence between the private key K S1 and the client unique identifier according to the unique identifier, and use the private key K S1 to decrypt the encrypted first data packet to obtain the public information in the first data packet.
  • Key K P2 and the function to be changed ; calculate the license according to the unique identifier and the function to be changed, encrypt the license with the public key K P2 to obtain the second data packet, and send the second data packet to the client;
  • the client is further configured to decrypt the second data packet by using the private key K S2 to obtain a license, and complete the configuration of the function to be changed according to the license.
  • the client and the server in the system provided by the present invention use the encryption and decryption method to exchange information when interacting, so it has the advantage of improving the security of the intermediate data.
  • the technical solution provided by the invention has the advantage of high safety.
  • each module or unit included is only divided according to functional logic, but is not limited to the above division, as long as the corresponding function can be implemented; in addition, the specific name of each functional module is also They are only used to facilitate mutual differentiation and are not intended to limit the scope of the present invention.

Abstract

The present invention belongs to the field of information technology, and particularly provided are a license dynamic management method, device and system based on a TCM or TPM. The method includes: receiving a function to be changed selected by a client according to a function list; generating a pair of keys according to local identification information, wherein the pair of keys includes a private key KS2 and a public key KP2; generating a first data packet and encrypting the same using a public key KP1, wherein the first data packet includes the public key KP2 and the function to be changed; sending to a server the encrypted data and the local unique identification; receiving a second data packet encrypted using the public key KP2 and sent from the server, wherein the second data packet in particular includes a license obtained by decrypting and calculating the encrypted data using a private key KS1; and obtaining the license by decrypting the second encrypted data packet using the private key KS2, and completing the configuration of the function to be changed according to the license. The technical solution provided by the present invention has the advantage of high security.

Description

基于TCM 或TPM 的license动态管理方法、装置及系统  License dynamic management method, device and system based on TCM or TPM 技术领域Technical field
本发明涉及信息技术领域,尤其涉及一种基于TCM 或TPM 的license动态管理方法、装置及系统。 The present invention relates to the field of information technology, and in particular, to a TCM or TPM-based license dynamic management method, device and system.
背景技术Background technique
license是客户使用产品的权限标识,不同的客户对产品的功能需求是不一致的,因此产品厂商会提供不同权限的license供客户选择购买,以满足客户的需求,但是厂商为了维护自己的利益,防止license被破解或盗用,也需要对license进行安全管理。License is the permission identifier of the customer to use the product. Different customers have different functional requirements for the product. Therefore, the product manufacturer will provide different licenses for customers to choose to purchase to meet the customer's needs, but the manufacturer prevents it in order to protect its own interests. The license is cracked or stolen, and the license needs to be securely managed.
现有技术提供了一种license的管理方法,该方法具体操作可以为:客户机请求实用功能部件A,服务器生成临时启用消息并下发给客户机,客户机根据该临时启用消息临时启动功能部件A,在确定购买功能部件A时,客户机向服务器发送购买功能部件A的消息,服务器确定付费后,下发启动消息,客户机根据该启动消息永久启用功能部件A。The prior art provides a method for managing a license. The specific operation of the method may be: the client requests the utility function A, the server generates a temporary enable message and sends the message to the client, and the client temporarily starts the function according to the temporary enable message. A. When determining to purchase the feature A, the client sends a message to the server to purchase the feature A. After determining that the payment is made, the server issues a start message, and the client permanently enables the feature A according to the start message.
按照现有技术所提供的技术方案,发现现有技术中存在如下技术问题:According to the technical solutions provided by the prior art, the following technical problems are found in the prior art:
现有技术提供的技术方案在功能部件A的启用(包括临时或购买)时,并没有考虑中间交易的安全性,所以现有技术的技术方案的安全性低。The technical solution provided by the prior art does not consider the security of the intermediate transaction when the activation of the functional component A (including temporary or purchase), so the security of the prior art technical solution is low.
技术问题technical problem
本发明的一个目的是提供一种基于TCM 或TPM 的license的动态管理方法,旨在解决现有技术安全性低的问题。 It is an object of the present invention to provide a TCM based or TPM based The dynamic management method of the license is designed to solve the problem of low security of the prior art.
本发明还提供一种基于TCM 或TPM 的license的动态管理支持方法。The invention also provides a dynamic management support method for a license based on TCM or TPM.
本发明还提供一种基于TCM 或TPM 的license的动态管理装置。The invention also provides a dynamic management device based on a TCM or TPM license.
本发明还提供一种基于TCM 或TPM 的license的动态管理的支持装置。The present invention also provides a support device for dynamic management of a license based on TCM or TPM.
本发明还提供一种license的管理系统。The invention also provides a license management system.
技术解决方案Technical solution
一方面,本发明提供一种基于TCM 或TPM 的license的动态管理方法,所述方法包括:In one aspect, the present invention provides a method for dynamically managing a license based on a TCM or a TPM, the method comprising:
在本地设备内配置公钥KP1Configure the public key K P1 in the local device;
接收客户根据功能列表选择的待改变的功能,所述功能列表包括:本地设备内的软硬件功能;Receiving a function to be changed selected by the customer according to the function list, where the function list includes: a software and hardware function in the local device;
根据本地的标识信息生成一密钥对,该密钥对包括:私钥KS2和公钥KP2Generating a key pair according to the local identification information, the key pair includes: a private key K S2 and a public key K P2 ;
根据公钥KP2和待改变的功能生成一第一数据包,并将该第一数据包用所述公钥KP1加密,所述第一数据包包括:公钥KP2和待改变的功能;Generating a first data packet according to the public key K P2 and the function to be changed, and encrypting the first data packet with the public key K P1 , the first data packet includes: a public key K P2 and a function to be changed ;
将加密后的第一数据包以及本地的唯一标识发送给服务器;以使所述服务器能根据该本地的唯一标识获取私钥KS1;并根据该私钥KS1解密该第一数据包得到的公钥KP2和待改变的功能;Sending the encrypted first data packet and the local unique identifier to the server; so that the server can obtain the private key K S1 according to the local unique identifier; and decrypting the first data packet according to the private key K S1 Public key K P2 and function to be changed;
接收服务器发送的采用公钥KP2加密的第二数据包,该第二数据包具体包括:对本地的唯一标识和待改变的功能计算得到的license;Receiving, by the receiving server, the second data packet encrypted by using the public key K P2 , the second data packet specifically includes: a license calculated for the local unique identifier and the function to be changed;
采用私钥KS2对加密的第二数据包解密得到license,根据该license完成待改变功能的配置。The encrypted second data packet is decrypted by using the private key K S2 to obtain a license, and the configuration of the function to be changed is completed according to the license.
另一方面,本发明提供一种基于TCM 或TPM 的license的动态管理支持方法,其特征在于,述方法包括:In another aspect, the present invention provides a TCM based or TPM based A dynamic management support method for a license, characterized in that the method includes:
在服务器内配置私钥KS1以及私钥KS1和客户机唯一标识的对应关系;Configuring a correspondence between the private key K S1 and the private key K S1 and the unique identifier of the client in the server;
接收客户机发送的唯一标识和采用公钥KP1加密后的第一数据包;所述第一数据包包括:公钥KP2和待改变的功能;Receiving the unique identifier sent by the client and the first data packet encrypted by using the public key K P1 ; the first data packet includes: a public key K P2 and a function to be changed;
根据唯一标识从私钥KS1和客户机唯一标识的对应关系中查询到私钥KS1Querying the private key K S1 from the correspondence between the private key K S1 and the unique identifier of the client according to the unique identifier;
采用私钥KS1对该加密后的第一数据包解密得到第一数据包内的公钥KP2和待改变的功能;Decrypting the encrypted first data packet by using the private key K S1 to obtain the public key K P2 in the first data packet and the function to be changed;
根据该唯一标识和该待改变的功能进行计算得到license,采用公钥KP2对license加密得到第二数据包,将该第二数据包发送给客户机。Calculating the license according to the unique identifier and the function to be changed, encrypting the license with the public key K P2 to obtain the second data packet, and transmitting the second data packet to the client.
又一方面,本发明还提供一种基于TCM 或TPM 的license的动态管理装置,所述装置包括:In still another aspect, the present invention also provides a TCM based or TPM based Dynamic management device for the license, the device comprising:
配置单元,用于在本地设备内配置公钥KP1a configuration unit, configured to configure a public key K P1 in the local device;
接收单元,用于接收客户根据功能列表选择的待改变的功能,所述功能列表包括:本地设备内的软硬件功能;a receiving unit, configured to receive a function to be changed selected by the customer according to the function list, where the function list includes: a software and hardware function in the local device;
密钥生成单元,用于根据本地的标识信息生成一密钥对,该密钥对包括:私钥KS2和公钥KP2a key generating unit, configured to generate a key pair according to the local identification information, where the key pair includes: a private key K S2 and a public key K P2 ;
加密单元,用于根据公钥KP2和待改变的功能生成一第一数据包,并将该第一数据包用所述公钥KP1加密,所述第一数据包包括:公钥KP2和待改变的功能;An encryption unit, configured to generate a first data packet according to the public key K P2 and the function to be changed, and encrypt the first data packet by using the public key K P1 , where the first data packet includes: a public key K P2 And the function to be changed;
发送单元,用于将加密后的第一数据包以及本地的唯一标识发送给服务器;以使所述服务器能根据该本地的唯一标识获取私钥KS1;并根据该私钥KS1解密该第一数据包得到的公钥KP2和待改变的功能;a sending unit, configured to send the encrypted first data packet and the local unique identifier to the server, so that the server can obtain the private key K S1 according to the local unique identifier; and decrypt the first key according to the private key K S1 a public key K P2 obtained by a data packet and a function to be changed;
所述接收单元,还用于接收采用公钥KP2加密的第二数据包,该第二数据包具体包括:对本地的唯一标识和待改变的功能计算得到的license;The receiving unit is further configured to receive a second data packet that is encrypted by using the public key K P2 , where the second data packet includes: a license that is calculated by a local unique identifier and a function to be changed;
解密配置单元,用于采用私钥KS2对加密的第二数据包解密得到license,根据该license完成待改变功能的配置;所述私钥KS1和公钥KP1为一密钥对。The decryption configuration unit is configured to decrypt the encrypted second data packet by using the private key K S2 to obtain a license, and complete the configuration of the function to be changed according to the license; the private key K S1 and the public key K P1 are a key pair.
再一方面,本发明又提供一种基于TCM 或TPM 的license的动态管理的支持装置,所述装置包括:In a further aspect, the invention further provides a TCM based or TPM A dynamic management support device for the license, the device comprising:
配置单元,用于在服务器内配置私钥KS1以及私钥KS1和客户机唯一标识的对应关系;a configuration unit, configured to configure a correspondence between the private key K S1 and the private key K S1 and the unique identifier of the client in the server;
接收单元,用于接收客户机发送的唯一标识和采用公钥KP1加密后的第一数据包,所述第一数据包包括:公钥KP2和待改变的功能;a receiving unit, configured to receive a unique identifier sent by the client and a first data packet encrypted by using a public key K P1 , where the first data packet includes: a public key K P2 and a function to be changed;
解密单元,用于采用私钥KS1该加密后的第一数据包解密得到第一数据包内的公钥KP2和待改变的功能;a decryption unit, configured to decrypt, by using the private key K S1 , the encrypted first data packet to obtain a public key K P2 in the first data packet and a function to be changed;
查询单元,用于根据唯一标识从私钥KS1和客户机唯一标识的对应关系中查询到私钥KS1Querying unit configured to query the corresponding relationship between the private key K S1 and uniquely identifies the client to the private key K S1 according to a unique identifier;
计算发送单元,用于根据该唯一标识和该待改变的功能进行计算得到license,采用公钥KP2对license加密得到第二数据包,将该第二数据包发送给客户机。The calculation sending unit is configured to calculate a license according to the unique identifier and the function to be changed, encrypt the license with the public key K P2 to obtain a second data packet, and send the second data packet to the client.
最后,本发明提供一种license的管理系统,所述系统包括:客户机和服务器;其中所述客户机内存储有公钥KP1;所述服务器内存储有私钥KS1以及私钥KS1和客户机唯一标识的对应关系;所述私钥KS1和公钥KP1为一密钥对;Finally, the present invention provides a license management system, the system comprising: a client and a server; wherein the client stores a public key K P1 ; the server stores a private key K S1 and a private key K S1 Corresponding relationship with the unique identifier of the client; the private key K S1 and the public key K P1 are a key pair;
所述客户机,用于接收客户根据功能列表选择的待改变的功能,根据本地的标识信息生成一密钥对,该密钥对包括:私钥KS2和公钥KP2;根据公钥KP2和待改变的功能生成一第一数据包,并将该第一数据包用所述公钥KP1加密,所述第一数据包包括:公钥KP2和待改变的功能;所述功能列表包括:本地设备内的软硬件功能;The client is configured to receive a function to be changed selected by the client according to the function list, and generate a key pair according to the local identification information, where the key pair includes: a private key K S2 and a public key K P2 ; according to the public key K P2 and the function to be changed generate a first data packet, and encrypt the first data packet with the public key K P1 , the first data packet includes: a public key K P2 and a function to be changed; the function The list includes: hardware and software functions within the local device;
所述客户机,还用于将加密后的第一数据包以及本地的唯一标识发送给服务器;The client is further configured to send the encrypted first data packet and the local unique identifier to the server;
所述服务器,用于根据唯一标识从私钥KS1和客户机唯一标识的对应关系中查询到私钥KS1,采用私钥KS1该加密后的第一数据包解密得到第一数据包内的公钥KP2和待改变的功能;根据唯一标识和待改变的功能计算出license,采用公钥KP2对license加密得到第二数据包,将该第二数据包发送给客户机;The server is configured to query the private key K S1 from the correspondence between the private key K S1 and the unique identifier of the client according to the unique identifier, and use the private key K S1 to decrypt the encrypted first data packet to obtain the first data packet. The public key K P2 and the function to be changed; calculate the license according to the unique identifier and the function to be changed, encrypt the license with the public key K P2 to obtain the second data packet, and send the second data packet to the client;
所述客户机,还用于采用私钥KS2对该第二数据包解密得到license,根据license完成待改变功能的配置。The client is further configured to decrypt the second data packet by using the private key K S2 to obtain a license, and complete the configuration of the function to be changed according to the license.
有益效果Beneficial effect
本发明与现有技术相比,有益效果在于:本发明在功能部件的交易过程中均实用了密钥对对消息进行加密,所以本发明提供的方法具有安全性高的优点。 Compared with the prior art, the present invention has the beneficial effects that the present invention applies the key pair to encrypt the message in the transaction process of the functional component, so the method provided by the present invention has the advantage of high security.
附图说明DRAWINGS
图1为本发明提供的一种基于TCM 或TPM 的license的动态管理方法的流程图;1 is a flowchart of a method for dynamically managing a license based on a TCM or a TPM according to the present invention;
图2为本发明提供的一种基于TCM 或TPM 的license的动态管理支持方法的流程图;2 is a flowchart of a method for dynamically managing a license based on a TCM or a TPM according to the present invention;
图3为本发明一实施例提供的一种基于TCM 或TPM 的license的动态管理方法的流程图;FIG. 3 is a flowchart of a method for dynamically managing a license based on a TCM or a TPM according to an embodiment of the present invention;
图4为本发明另一实施例提供的一种基于TCM 或TPM 的license的动态管理方法的流程图;FIG. 4 is a flowchart of a method for dynamically managing a license based on a TCM or a TPM according to another embodiment of the present invention;
图5为本发明提供的一种基于TCM 或TPM 的license的动态管理装置的结构图;FIG. 5 is a structural diagram of a dynamic management apparatus for a license based on a TCM or a TPM according to the present invention; FIG.
图6为本发明提供的一种基于TCM 或TPM 的license的动态管理的支持装置的结构图。FIG. 6 is a structural diagram of a device for dynamically managing a license based on a TCM or a TPM according to the present invention.
本发明的实施方式Embodiments of the invention
本发明提供一种基于TCM 或TPM 的license的动态管理方法,需要说明的是,上述license管理方法一般基于可信密码模块(Trusted Cryptography Module ,TCM)或可信赖平台模块(Trusted Platform Module ,TPM),在国内一般基于TCM,该方法如图1所示,该方法由客户机完成,在执行下述方法之前,厂家需在本地设备内配置公钥KP1;该方法包括如下步骤:The present invention provides a dynamic management method for a license based on TCM or TPM. It should be noted that the above license management method is generally based on a Trusted Cryptography Module (TCM) or a Trusted Platform Module (TPM). In the country, it is generally based on TCM. The method is shown in Figure 1. The method is completed by the client. Before performing the following method, the manufacturer needs to configure the public key K P1 in the local device. The method includes the following steps:
S11、接收客户根据功能列表选择的待改变的功能,该功能列表包括:本地设备的所有的软硬件功能;S11. Receive a function to be changed selected by the customer according to the function list, where the function list includes: all software and hardware functions of the local device;
S12、根据本地的标识信息生成一密钥对,该密钥对包括:私钥KS2和公钥KP2;该本地的标识信息包括:能标识本地设备的信息;S12. Generate a key pair according to the local identification information, where the key pair includes: a private key K S2 and a public key K P2 ; the local identification information includes: information that can identify the local device;
S13、根据该公钥KP2和待改变的功能生成一第一数据包,并将该第一数据包用该公钥KP1加密得到加密后的第一数据包;S13. Generate a first data packet according to the public key K P2 and the function to be changed, and encrypt the first data packet with the public key K P1 to obtain the encrypted first data packet.
需要说明的是,上述第一数据包可以包括:公钥KP2和待改变的功能。It should be noted that the foregoing first data packet may include: a public key K P2 and a function to be changed.
S14、将加密后的第一数据包以及本地的唯一标识发送给服务器;以使所述服务器能根据该本地的唯一标识获取私钥KS1;并根据该私钥KS1解密该第一数据包得到的公钥KP2和待改变的功能;S14: Send the encrypted first data packet and the local unique identifier to the server, so that the server can obtain the private key K S1 according to the local unique identifier; and decrypt the first data packet according to the private key K S1 The obtained public key K P2 and the function to be changed;
S15、接收服务器发送的采用公钥KP2加密的第二数据包,该第二数据包具体包括:对本地的唯一标识和待改变的功能计算得到的license; S15. The second data packet that is sent by the receiving server and encrypted by using the public key K P2 , where the second data packet includes: a license that is calculated for the local unique identifier and the function to be changed;
其中,上述license具体可以为:服务器对S14中的加密后的第一数据包采用KS1解密得到待改变的功能,对该待改变的功能和唯一标识进行计算得到license;另外,私钥KS1可以依据唯一标识从预先配置的私钥KS1和唯一标识的对应关系中查询到私钥KS1The license may be specifically: the server uses the K S1 decryption to obtain the to-be-changed function of the encrypted first data packet in the S14, and calculates the function and the unique identifier to be changed to obtain a license; in addition, the private key K S1 can uniquely identify from the query based on the corresponding relationship that uniquely identifies a private key K S1 and pre-configured to the private key K S1.
S16、采用私钥KS2对加密的第二数据包解密得到license,根据该license完成待改变功能的配置。S16: decrypting the encrypted second data packet by using the private key K S2 to obtain a license, and completing the configuration of the function to be changed according to the license.
需要说明的是,上述私钥KS2和公钥KP2为密钥对;私钥KS1和公钥KP1为另一密钥对。It should be noted that the private key K S2 and the public key K P2 are key pairs; the private key K S1 and the public key K P1 are another key pair.
需要额外说明的是,上述私钥KS1与私钥KS2属于完全不同的私钥,上述公钥KP1与公钥KP2属于完全不同的公钥;上述第一数据包和第二数据包也属于完全不同的数据。It should be additionally noted that the private key K S1 and the private key K S2 belong to completely different private keys, and the public key K P1 and the public key K P2 belong to completely different public keys; the first data packet and the second data packet It also belongs to completely different data.
需要说明的是,上述计算得到license的具体算法可以为:信息摘要算法5(Message Digest algorithm version 5,MD5),当然在实际情况中,还可以用其他的方法,例如:软件的每个功能都有一个标识(Identificatio,ID)号,这个ID号可以使从0开始,顺序增加,然后license采用位域的方法进行比较,比如有一个功能的ID号是5,那么可以采用if (license & (1 <<ID)==1)的方法判断,也就是判断license的第5位是否为1。It should be noted that the specific algorithm for calculating the license may be: Message Digest 5 (Message Digest) Algorithm version 5, MD5), of course, in the actual situation, you can also use other methods, for example: each function of the software has an identification (Identificatio, ID) number, this ID number can be started from 0, the order is increased, then the license Use bit field method to compare, for example, if there is a function ID number is 5, then you can use if The method of (license & (1 <<ID)==1) determines whether the fifth digit of the license is 1.
本发明提供的方法在进行license管理时,本地(即客户机)与服务器之间的所有数据交互均采用密钥对进行加解密,所有其之间的数据不容易泄密和被他人更改,所有该方法具有提高license管理安全性的优点,另外,由于本发明提供的方法的待改变的功能的数量是可以灵活设置的,所以其能够提高license管理的灵活性。When the method provided by the present invention performs license management, all data interaction between the local (ie, the client) and the server is encrypted and decrypted by using a key pair, and all the data between them is not easy to be leaked and changed by others, all of which The method has the advantages of improving the security of the license management. In addition, since the number of functions to be changed of the method provided by the present invention can be flexibly set, it can improve the flexibility of license management.
需要说明的是,上述待改变的功能具体可以包括:功能的退订或待激活的功能。It should be noted that the foregoing functions to be changed may specifically include: unsubscribe of functions or functions to be activated.
需要说明的是,上述退订或激活的功能的数量可以灵活的设置,例如单个功能进行激活,也可以多个功能进行激活,本发明并不限制具体的实现方式。It should be noted that the number of the above unsubscribed or activated functions may be flexibly set, for example, a single function is activated, or multiple functions may be activated, and the present invention does not limit the specific implementation manner.
需要说明的是,上述第一数据包还可以包括:预先存储的密文,当该第一数据包包括预先存储的密文时, 服务器在确定该密文的杂凑值与根据该唯一标识获取的杂凑值一致时,发送采用公钥KP2加密的具有私钥KS1签名的license杂凑值的第二数据包。It should be noted that, the foregoing first data packet may further include: a pre-stored ciphertext, when the first data packet includes a pre-stored ciphertext, the server determines the hash value of the ciphertext and obtains according to the unique identifier. When the hash value is consistent, the second data packet with the license hash value of the private key K S1 signature encrypted by the public key K P2 is transmitted.
需要说明的是,上述S15中的加密第二数据包还可以包括:采用私钥KS2加密的得到私钥KS2签名的license杂凑值,当该加密第二数据包包括license杂凑值时,上述方法在S16具体可以包括:It should be noted that the encrypted second data packet in the foregoing S15 may further include: a license hash value obtained by using the private key K S2 and obtained by the private key K S2 , when the encrypted second data packet includes a license hash value, The method specifically includes the following in S16:
采用私钥KS2对加密的第二数据包解密得到license和私钥KS1签名的license杂凑值,采用公钥KP1对私钥KS1签名的license杂凑值解密得到license杂凑值,比对解密后的license杂凑值与对license进行杂凑值计算得到的license杂凑值,如相同,根据该license完成待改变功能的配置,如不同,结束操作。The private data K S2 is used to decrypt the encrypted second data packet to obtain the license hash value of the license and the private key K S1 signature, and the license hash value signed by the private key K S1 is decrypted by the public key K P1 to obtain the license hash value, and the decryption value is decrypted. After the license hash value is the same as the license hash value calculated by hashing the license, the configuration of the function to be changed is completed according to the license, and the operation is ended.
本发明提供的上述方法采用公钥KP1和私钥KS1来确定S15中的加密第二数据包是否为服务器发送的,因为公钥KP1和私钥KS1为一密钥对,如加密后的第二数据包不是服务器发送的,则公钥KP1根本无法对具有签名的license杂凑值解密,更无法进行比对和确认,所以该方式进一步提高了license管理的安全性。The above method provided by the present invention uses the public key K P1 and the private key K S1 to determine whether the encrypted second data packet in S15 is sent by the server, because the public key K P1 and the private key K S1 are a key pair, such as encryption. After the second data packet is not sent by the server, the public key K P1 cannot decrypt the signed hash value of the signature at all, and the comparison and the confirmation cannot be performed. Therefore, the method further improves the security of the license management.
本发明还提供一种基于TCM 或TPM 的license的动态管理支持方法,该方法由服务器完成,在实现该方法之前,先对服务器配置私钥KS1以及私钥KS1和客户机唯一标识的对应关系;该方法如图2所示,包括:The present invention also provides a dynamic management support method for a license based on TCM or TPM, which is completed by a server. Before implementing the method, the server is configured with a correspondence between the private key K S1 and the private key K S1 and the unique identifier of the client. Relationship; the method is shown in Figure 2 and includes:
S21、接收客户机发送的唯一标识和采用公钥KP1加密后的第一数据包;S21. The unique identifier sent by the receiving client and the first data packet encrypted by using the public key K P1 ;
该第一数据包的具体包括的形式可以参见上述实施例中的表述,这里不再赘述。For the specific form of the first data packet, refer to the description in the foregoing embodiment, and details are not described herein again.
S22、根据唯一标识从私钥KS1和客户机唯一标识的对应关系中查询到私钥KS1S22. Query the private key K S1 from the correspondence between the private key K S1 and the unique identifier of the client according to the unique identifier;
S23、采用私钥KS1该加密后的第一数据包解密得到第一数据包内的公钥KP2和待改变的功能;S23, using the private key K S1 to decrypt the encrypted first data packet to obtain the public key K P2 in the first data packet and the function to be changed;
S24、根据该唯一标识和该待改变的功能进行计算得到license,S24. Calculate a license according to the unique identifier and the function to be changed.
S25、采用公钥KP2对license加密得到加密第二数据包;S25. Encrypt the license with the public key K P2 to obtain the encrypted second data packet.
S26、对客户机发送该加密第二数据包。S26. Send the encrypted second data packet to the client.
需要说明的是,上述待改变的功能具体可以包括:功能的退订或待激活的功能。It should be noted that the foregoing functions to be changed may specifically include: unsubscribe of functions or functions to be activated.
需要说明的是,上述第一数据包还可以包括:预先存储的密文,当该第一数据包包括密文时,上述方法在S21之前还可以包括:在服务器配置密文以及密文杂凑值与客户机唯一标识的对应关系,另外上述方法中的步骤在S22的同时还可以包括:It should be noted that the foregoing first data packet may further include: a pre-stored ciphertext. When the first data packet includes a ciphertext, the foregoing method may further include: configuring a ciphertext and a ciphertext hash value in the server before the S21 In addition to the unique identifier of the client, the steps in the foregoing method may further include:
根据唯一标识从密文杂凑值与客户机唯一标识的对应关系中查询到密文杂凑值,对接收到的密文进行杂凑值运算的到计算出的杂凑值;对比查询到的杂凑值与计算出的杂凑值,如一致,执行S22—S26,否则结束操作。According to the unique identifier, the ciphertext hash value is queried from the correspondence between the ciphertext hash value and the client unique identifier, and the hash value of the received ciphertext is calculated to the calculated hash value; the hash value and calculation of the query are compared. If the hash value is consistent, execute S22-S26, otherwise the operation ends.
需要说明的是,上述S25还可以包括:对该license进行杂凑值计算得到的license杂凑值,对该license杂凑值采用私钥KS1加密得到私钥KS1签名的license杂凑值,采用公钥KP2对该私钥KS1签名的license杂凑值和license加密得到加密第二数据包。It should be noted that the foregoing S25 may further include: a license hash value obtained by performing a hash value calculation on the license, and the license hash value is encrypted by using a private key K S1 to obtain a license hash value of the private key K S1 signature, and the public key K is used. P2 encrypts the license hash value and license of the private key K S1 to obtain the encrypted second data packet.
本发明提供的license管理的支持方法支持了license的管理方法的实现。The license management support method provided by the present invention supports the implementation of the license management method.
本发明具体实施方式提供一实施例,本实施例提供一种license管理方法,该方法在客户机与厂家服务器之间完成,该方法以待激活的功能为例进行说明,本实施例实现的技术场景为,在客户机出厂时,进行出厂设置,具体设置可以为:通过TCM/TPM,产生密钥对(例如私钥KS1,公钥KP1),公钥保存在客户机的TCM/TPM中,私钥由厂商自己进行保存,这对密钥是用于厂商的签名,通过使用公钥和私钥加解密,可以确信相关信息是由厂商发送过来的,该密钥对只在出厂时产生一次,且每对密钥对均不相同,每台出厂的客户机都会对KP1进行保存;给客户机绑定一个唯一标识(例如客户机的MAC地址等),该标识可以是根据客户机上的各个硬件的标识产生(为了保证隐私,可以是它的加密表现),也可以是厂商给客户机定义的一个唯一编码,唯一标识只是起到了一个索引的作用,方便厂商在自己的数据库中对客户机进行相关信息的查询;给客户机随机绑定一段密文(该密文可以为随机生成的密文),存放在客户机的TCM/TPM里面,同时将该段密文的杂凑值存放在厂商服务器中,该密文是客户机的另一“身份证”,通过对该密文的杂凑值进行检查,厂商可以确定相关信息是由该客户机发送过来的,出于杂凑算法得相关特性,这里选择杂凑值保存,更加可以验证身份信息是否被修改;厂商通过上述设置,向自己管理的数据库中添加一条包含以下字段的记录,该记录可以包括:唯一标识,密文(“身份证”)杂凑值,软件功能状态列表,硬件状态列表和电子钱包金额。本实施例提供的方法如图3所示,具体可以包括:The embodiment of the present invention provides an embodiment. The method for managing a license is implemented between a client and a server. The method is described by taking the function to be activated as an example. The scenario is that the factory settings are made when the client leaves the factory. The specific settings can be: through TCM/TPM, generate a key pair (such as private key K S1 , public key K P1 ), and the public key is stored in the client's TCM/TPM. In the middle, the private key is saved by the manufacturer himself. The pair of keys is used for the signature of the manufacturer. By using the public key and the private key for encryption and decryption, it can be ensured that the relevant information is sent by the manufacturer. The key pair is only at the factory. Generated once, and each pair of key pairs is different, each factory client will save K P1 ; the client is bound with a unique identifier (such as the client's MAC address, etc.), the identifier can be based on the client The identification of each hardware on the machine (in order to guarantee privacy, it can be its encrypted performance), or it can be a unique code defined by the manufacturer to the client. The unique identifier only serves as a cable. The function is convenient for the manufacturer to query the client for related information in its own database; the client is randomly bound with a ciphertext (the ciphertext can be a randomly generated ciphertext), which is stored in the client's TCM/TPM. At the same time, the hash value of the ciphertext is stored in the manufacturer server, and the ciphertext is another "identity card" of the client. By checking the hash value of the ciphertext, the manufacturer can determine that the relevant information is from the client. The machine sends the relevant characteristics of the hash algorithm. Here, the hash value is saved, and the identity information can be verified. The manufacturer can add a record containing the following fields to the database managed by the manufacturer through the above settings. Includes: unique identifier, ciphertext ("ID") hash value, software feature status list, hardware status list, and e-wallet amount. As shown in FIG. 3, the method provided in this embodiment may specifically include:
S31、当客户在客户机上触发功能升级时,客户机显示功能列表;S31. When the client triggers a function upgrade on the client, the client displays a function list.
需要说明的是,上述功能列表具体可以包括但不限于:所有的软硬件功能,当然还可以为本客户机激活或未激活的功能,另外,上述激活或未激活功能的显示方法可以采用多种方式,例如,激活功能采用明亮显示,未激活功能采用暗色显示,当然还可以采用,激活功能采用绿色显示,未激活功能采用红色显示等等;另外,上述功能列表具体还可以包括:能退订功能列表。It should be noted that the foregoing function list may specifically include, but not limited to, all software and hardware functions, and may also be a function activated or not activated by the client. In addition, the display method of the activated or inactive function may be multiple. The method, for example, the activation function adopts a bright display, the inactive function is displayed in a dark color, and of course, the activation function is displayed in green, the inactive function is displayed in red, and the like; in addition, the function list may further include: function list.
S32、客户机确定用户选择的待激活的功能(可以为软件和/或硬件)以及该功能的应用方式(例如永久或临时),S32. The client determines a function (which may be software and/or hardware) selected by the user to be activated and how the function is applied (for example, permanent or temporary).
需要说明的是,本实施例并不限制该功能的数量,该数据量可以由客户自由选择,例如1、2、3或4等。It should be noted that the embodiment does not limit the number of functions, and the amount of data can be freely selected by the client, for example, 1, 2, 3 or 4, and the like.
S33、客户机根据客户机上的标识信息(例如硬件的唯一标识)生成另一密钥对(私钥KS2,公钥KP2);S33. The client generates another key pair (private key K S2 , public key K P2 ) according to the identification information on the client (for example, the unique identifier of the hardware).
需要说明的是,上述标识信息可以与上述客户机的唯一标识或唯一编码相同,当然也可以不同。It should be noted that the identifier information may be the same as the unique identifier or unique code of the client, and may of course be different.
S34、客户机根据密文、KP2 和待激活的功能生成一第一数据包,将该第一数据包用KP1加密;S34. The client generates a first data packet according to the ciphertext, K P2, and the function to be activated, and encrypts the first data packet with K P1 ;
需要说明的是,上述第一数据包可以包括:密文、KP2 和待激活的功能。另外,待激活的功能的具体表现形式可以为:客户当次需使用的软件功能列表,客户当次需使用的硬件列表。It should be noted that the foregoing first data packet may include: ciphertext, K P2, and a function to be activated. In addition, the specific manifestation of the function to be activated may be: a list of software functions that the customer needs to use at the time, and a list of hardware that the customer needs to use at the time.
S35、客户机将加密后的第一数据包和客户机的唯一标识发送给服务器;S35. The client sends the encrypted first data packet and the unique identifier of the client to the server.
S36、服务器根据该唯一标识查找出该唯一标识对应的KS1和杂凑值,用KS1对加密后的第一数据包解密得到上述第一数据包内的密文、KP2 和待激活的功能;S36. The server searches for the K S1 and the hash value corresponding to the unique identifier according to the unique identifier, and decrypts the encrypted first data packet by using the K S1 to obtain the ciphertext, the K P2, and the function to be activated in the first data packet. ;
S37、服务器对该第一数据包内的密文进行杂凑运算得到该密文的杂凑值,将计算得到的杂凑值与根据唯一标识查询到的杂凑值比较,如相同,进行下述操作,否则停止操作。S37. The server performs a hash operation on the ciphertext in the first data packet to obtain a hash value of the ciphertext, and compares the calculated hash value with the hash value queried according to the unique identifier, and if the same, performs the following operations, otherwise Stop the operation.
S38、服务器确定付费后,服务器根据该唯一标识和待激活功能计算出一个license,对license进行杂凑运算得到该license的杂凑值,用KS1对该license的杂凑值签名后,用KP2对签名后的license的杂凑值和license加密并发送给客户机;S38: After determining the payment, the server calculates a license according to the unique identifier and the function to be activated, performs a hash operation on the license to obtain a hash value of the license, and signs the hash value of the license with K S1 , and signs the signature with K P2 . The hash value of the license and the license are encrypted and sent to the client;
S39、客户机用KS2进行解密得到签名后的license的杂凑值和license,对签名后的license的杂凑值用KP1解密得到license杂凑值,比对解密后的license杂凑值与对license进行计算得到的license杂凑值,如相同,根据该license进行待激活功能的加载和配置。S39. The client decrypts with K S2 to obtain the hash value and license of the signed license, and decrypts the hash value of the signed license with K P1 to obtain the license hash value, and compares the decrypted license hash value and the license. The obtained license hash value is the same, and the loading and configuration of the to-be activated function is performed according to the license.
需要说明的是,上述根据该license进行待激活功能的加载和配置的方法具体可以为:将license存储在客户机的TCM/TPM中;客户机重启后,从可信度量根核(Core Root of Trust Measurement ,CTRM)开始建立可信任平台,最终在可信任平台中根据license进行软硬件功能(待激活功能)的配置。It should be noted that the method for loading and configuring the to-be-activated function according to the license may be: storing the license in the TCM/TPM of the client; after the client restarts, from the trusted metric root (Core) Root of Trust Measurement , CTRM) began to build a trusted platform, and finally in the trusted platform to configure the software and hardware functions (to be activated) according to the license.
本实施例提供的方法在进行功能配置和加载时,每个消息均需通过密钥对进行加解密,所以其具有提高license管理的安全性的优点,另外,本实施例在进行加密时,还采用随机的密文的杂凑值对客户机再次进行验证,进一步提高了安全性,所以其具有更高的安全性的优点,另外本实施例提供的方法客户可以根据自身的需要灵活配置待激活的功能,更能符合客户的需要,所以其具有客户可以灵活选择客户机配置的优点。In the method provided by the embodiment, each message needs to be encrypted and decrypted by a key pair during function configuration and loading, so that it has the advantage of improving the security of the license management. In addition, in the embodiment, when performing encryption, The client is re-authenticated by using the hash value of the random ciphertext, which further improves the security, so that it has the advantage of higher security. In addition, the method provided by the embodiment can flexibly configure the to-be activated according to the needs of the client. The function is more in line with the customer's needs, so it has the advantage that the customer can flexibly choose the client configuration.
本发明具体实施方式还提供另一实施例,本实施例提供了一种license管理方法,该方法以退订功能为例进行说明,该方法与一实施例的技术场景相同,该方法具体的操作流程如图4所示,包括:The embodiment of the present invention further provides another embodiment. The present embodiment provides a license management method, which is described by taking the unsubscribe function as an example. The method is the same as the technical scenario of an embodiment, and the specific operation of the method is The process is shown in Figure 4 and includes:
S40、当客户在客户机上触发退订时,客户机显示功能列表;S40. When the client triggers unsubscription on the client, the client displays a function list.
S41、客户机确定用户选择的待退订的功能(可以为软件和/或硬件),S41. The client determines a function (which may be software and/or hardware) selected by the user to be unsubscribed.
需要说明的是,本实施例并不限制该功能的数量,该数据量可以由客户自由选择,例如1、2、3或4等,另外,原则上永久性的功能以及基本功能(即没有该功能客户机无法运行的功能)无法退订。It should be noted that the embodiment does not limit the number of functions, and the amount of data can be freely selected by the client, for example, 1, 2, 3 or 4, etc., in addition, in principle, permanent functions and basic functions (ie, no such Features that the feature client cannot run) cannot be unsubscribed.
S42、客户机根据客户机上的标识信息(例如硬件的唯一标识)生成另外一密钥对(私钥KS3,公钥KP3);S42. The client generates another key pair (private key K S3 , public key K P3 ) according to the identification information on the client (for example, the unique identifier of the hardware).
需要说明的是,上述标识信息可以与上述客户机的唯一标识或唯一编码相同,当然也可以不同。It should be noted that the identifier information may be the same as the unique identifier or unique code of the client, and may of course be different.
S43、客户机根据密文、KP3和待退订的功能生成一第一数据包,将该第一数据包用公钥KP1加密;S43. The client generates a first data packet according to the ciphertext, K P3, and the function to be unsubscribed, and encrypts the first data packet by using the public key K P1 .
需要说明的是,上述第一数据包可以包括:密文、私钥KP3和待退订的功能。另外,待退订的功能的具体表现形式可以为:客户当次需退订的软件功能列表,客户当次需退订的硬件列表。It should be noted that the foregoing first data packet may include: a ciphertext, a private key K P3, and a function to be unsubscribed. In addition, the specific manifestation of the function to be unsubscribed may be: a list of software functions that the customer needs to unsubscribe at the moment, and a list of hardware that the customer needs to unsubscribe at the moment.
S44、客户机将加密后的数据和客户机的唯一标识发送给服务器;S44. The client sends the encrypted data and the unique identifier of the client to the server.
S45、服务器根据该唯一标识查找出该唯一标识对应的私钥KS1和杂凑值,用私钥KS1对加密后的第一数据包解密得到上述第一数据包内的密文、私钥KP3和待退订的功能;S45. The server searches for the private key K S1 and the hash value corresponding to the unique identifier according to the unique identifier, and decrypts the encrypted first data packet with the private key K S1 to obtain the ciphertext and the private key K in the first data packet. P3 and the function to be unsubscribed;
S46、服务器对该第一数据包内的密文进行杂凑运算得到该密文的杂凑值,将计算得到的杂凑值与根据唯一标识查询到的杂凑值比较,如相同,进行下述操作,否则停止操作。S46: The server performs a hash operation on the ciphertext in the first data packet to obtain a hash value of the ciphertext, and compares the calculated hash value with the hash value queried according to the unique identifier, and if the same, performs the following operations, otherwise Stop the operation.
S47、服务器根据该唯一标识和待退订功能计算出一个license,对license进行杂凑运算得到该license的杂凑值,用私钥KS1对该license的杂凑值签名后,用公钥KP3对签名后的license的杂凑值加密并发送给客户机;S47. The server calculates a license according to the unique identifier and the function to be unsubscribed, performs a hash operation on the license to obtain a hash value of the license, and uses the private key K S1 to sign the hash value of the license, and then signs the signature with the public key K P3 . The hash value of the subsequent license is encrypted and sent to the client;
S48、客户机用KS3进行解密得到签名后的license的杂凑值和license,对签名后的license的杂凑值用KP1解密得到license杂凑值,比对解密后的license杂凑值与对license进行计算得到的license杂凑值,如相同,根据该license进行待退订功能的退订,退订成功后,生成退订成功消息给服务器;S48. The client decrypts with K S3 to obtain the hash value and license of the signed license, and decrypts the hash value of the signed license with K P1 to obtain the license hash value, and compares the decrypted license hash value and the license. If the obtained license hash value is the same, the unsubscribe function is unsubscribed according to the license, and after the unsubscribe is successful, an unsubscribe success message is generated to the server;
S49、服务器计算该退订功能的剩余价值,并将该剩余价值退还给客户机。S49. The server calculates a residual value of the unsubscribe function, and returns the remaining value to the client.
退还给客户机的方式可以有多种,例如直接退还金额给电子钱包,当然也可以直接退还电子优惠卷给客户机等。There are various ways to return to the client, such as directly refunding the amount to the e-wallet, and of course, directly returning the e-coupon to the client.
需要说明的是,上述根据该license进行待退订功能的退订的方法具体可以为:将license存储在客户机的TCM/TPM中;客户机重启后,从CTRM开始建立可信任平台,最终在可信任平台中根据license进行软硬件功能(待退订功能)的配置。The method for unsubscribing the function to be unsubscribed according to the license may be: storing the license in the TCM/TPM of the client; after the client restarts, establishing a trusted platform from the CTRM, and finally The configuration of the software and hardware functions (to be unsubscribed) according to the license in the trusted platform.
本实施例提供的方法提供一种功能的退订机制,扩大了license的功能,另外,该方法在进行功能退订时,均需要进过严格的加解密操作,所以其也具有安全性高的优点。The method provided in this embodiment provides a function unsubscribe mechanism, which expands the function of the license. In addition, the method needs to perform strict encryption and decryption operations when performing function unsubscription, so it also has high security. advantage.
本发明具体实施例还提供一种基于TCM 或TPM 的license的动态管理装置,该装置如图5所示,包括:A specific embodiment of the present invention also provides a TCM based or TPM The dynamic management device of the license, as shown in Figure 5, includes:
配置单元56,用于在本地设备内配置公钥KP1The configuration unit 56 is configured to configure the public key K P1 in the local device;
接收单元51,用于接收客户根据功能列表选择的待改变的功能,所述功能列表包括:本地设备内所有的软硬件功能;The receiving unit 51 is configured to receive a function to be changed selected by the customer according to the function list, where the function list includes: all software and hardware functions in the local device;
密钥生成单元52,用于根据本地的标识信息生成一密钥对,该密钥对包括:私钥KS2和公钥KP2,所述标识信息为:能标识本地设备的信息;The key generating unit 52 is configured to generate a key pair according to the local identification information, where the key pair includes: a private key K S2 and a public key K P2 , wherein the identification information is: information that can identify the local device;
加密单元53,用于根据公钥KP2和待改变的功能生成一第一数据包,并将该第一数据包用所述公钥KP1加密;所述第一数据包包括:公钥KP2和待改变的功能;The encryption unit 53 is configured to generate a first data packet according to the public key K P2 and the function to be changed, and encrypt the first data packet with the public key K P1 ; the first data packet includes: a public key K P2 and the function to be changed;
发送单元54,用于将加密后的第一数据包以及本地的唯一标识发送给服务器;以使所述服务器能根据该本地的唯一标识获取私钥KS1;并根据该私钥KS1解密该第一数据包得到的公钥KP2和待改变的功能;The sending unit 54 is configured to send the encrypted first data packet and the local unique identifier to the server, so that the server can obtain the private key K S1 according to the local unique identifier, and decrypt the public key K S1 according to the private key K S1 The public key K P2 obtained by the first data packet and the function to be changed;
接收单元51,还用于接收采用公钥KP2加密的第二数据包,该第二数据包具体包括:对该加密后数据采用私钥KS1解密并计算得到的license;The receiving unit 51 is further configured to receive the second data packet encrypted by using the public key K P2 , where the second data packet specifically includes: a license obtained by decrypting and calculating the encrypted data by using the private key K S1 ;
解密配置单元55,用于采用私钥KS2对加密的第二数据包解密得到license,根据该license完成待改变功能的配置;The decryption configuration unit 55 is configured to decrypt the encrypted second data packet by using the private key K S2 to obtain a license, and complete the configuration of the function to be changed according to the license;
上述私钥KS1和公钥KP1为一密钥对。The private key K S1 and the public key K P1 are a key pair.
可选的,待改变的功能包括: Optionally, the functions to be changed include:
功能的退订或待激活的功能。 Unsubscribe or feature to be activated.
可选的,上述加密的第二数据包还可以包括:公钥KP2签名的license杂凑值,在包含有公钥KP2签名的license杂凑值时,解密配置单元55进一步用于采用私钥KS2对加密的第二数据包解密得到license和私钥KS1签名的license杂凑值,采用公钥KP1对私钥KS1签名的license杂凑值解密得到license杂凑值,比对解密后的license杂凑值与对license进行计算得到的license杂凑值,如相同,根据该license完成待改变功能的配置。Optionally, the encrypted second data packet may further comprise: a public key K P2 license signature hash value, when the license includes a public key hash value K P2 signature, decryption unit 55 is further arranged for using a private key K S2 decrypts the encrypted second data packet to obtain the license hash value of the license and the private key K S1 signature, and uses the public key K P1 to decrypt the license hash value signed by the private key K S1 to obtain the license hash value, and compares the decrypted license hash. The value is the same as the license hash value calculated for the license, and the configuration of the function to be changed is completed according to the license.
本发明提供的装置在进行license管理时,本地(即license的管理装置,具体可以为客户机)与服务器之间的所有数据交互均采用密钥对进行加解密,所有其之间的数据不容易泄密和被他人更改,所有该装置具有提高license管理安全性的优点。When the device provided by the present invention performs license management, all data interaction between the local (ie, the license management device, specifically the client) and the server is encrypted and decrypted by using a key pair, and the data between them is not easy. Leaked and changed by others, all of the devices have the advantage of improving license management security.
本发明具体实施方式还提供一种基于TCM 或TPM 的license的动态管理的支持装置,该装置如图6所示,包括:Embodiments of the present invention also provide a TCM based or TPM The dynamic management support device of the license, as shown in FIG. 6, includes:
配置单元66,用于在服务器内配置私钥KS1以及私钥KS1和客户机唯一标识的对应关系;The configuration unit 66 is configured to configure a correspondence between the private key K S1 and the private key K S1 and the unique identifier of the client in the server;
接收单元61,用于接收客户机发送的唯一标识和采用公钥KP1加密后的第一数据包,所述第一数据包包括:公钥KP2和待改变的功能;The receiving unit 61 is configured to receive the unique identifier sent by the client and the first data packet encrypted by using the public key K P1 , where the first data packet includes: a public key K P2 and a function to be changed;
查询单元62,用于根据唯一标识从预先配置的私钥KS1和唯一标识的对应关系中查询到私钥KS1The query unit 62 is configured to query the private key K S1 from the pre-configured private key K S1 and the uniquely identified correspondence according to the unique identifier;
解密单元63,用于对客户机发送的数据采用私钥KS1解密得到公钥KP2和待改变的功能;The decrypting unit 63 is configured to decrypt the data sent by the client by using the private key K S1 to obtain the public key K P2 and the function to be changed;
计算发送单元64,用于根据该唯一标识和该待改变的功能进行计算得到license,采用公钥KP2对license加密得到第二数据包,将该第二数据包发送给客户机。The calculation sending unit 64 is configured to calculate a license according to the unique identifier and the function to be changed, encrypt the license with the public key K P2 to obtain a second data packet, and send the second data packet to the client.
可选的,上述待改变的功能包括: Optionally, the foregoing functions to be changed include:
功能的退订或待激活的功能。 Unsubscribe or feature to be activated.
可选的,上述第一数据包还包括:密文,配置单元66还用于配置密文以及密文杂凑值与客户机唯一标识的对应关系,上述装置还包括:Optionally, the foregoing first data packet further includes: a ciphertext, where the configuration unit 66 is further configured to configure a correspondence between the ciphertext and the ciphertext hash value and the unique identifier of the client, where the apparatus further includes:
杂凑值验证单元65,用于根据唯一标识从密文杂凑值与客户机唯一标识的对应关系中查询到密钥杂凑值,对比查询到的杂凑值与接收到的密文杂凑值,如一致,触发查询单元62、解密单元63和计算发送单元64执行操作。The hash value verification unit 65 is configured to query the key hash value from the correspondence between the ciphertext hash value and the client unique identifier according to the unique identifier, and compare the queryed hash value with the received ciphertext hash value, such as The trigger inquiry unit 62, the decryption unit 63, and the calculation transmission unit 64 perform operations.
可选的,计算发送单元64具体包括:Optionally, the calculating sending unit 64 specifically includes:
计算模块641,用于根据该唯一标识和该待改变的功能进行计算得到license,对该license进行杂凑值计算得到的license杂凑值;The calculation module 641 is configured to calculate a license according to the unique identifier and the function to be changed, and perform a hash value of the license value calculated by the hash value of the license;
签名模块642,用于对该license杂凑值采用私钥KS1加密得到私钥KS1签名的license杂凑值,The signature module 642 is configured to encrypt the license hash value by using a private key K S1 to obtain a license hash value of the private key K S1 signature.
加密发送模块643,用于采用公钥KP2对该私钥KS1签名的license杂凑值和license加密得到加密第二数据包,将该第二数据包发送给客户机。Transmitting encryption module 643, license for using encrypted hash value and the license of the private key of the public key K P2 K S1 signature is encrypted second data packet, sends the packet to the second client.
本发明提供的license管理的支持装置支持了上述license的管理方法的实现。The support device for license management provided by the present invention supports the implementation of the management method of the above license.
本发明具体实施方式还提供一种license的管理系统,该系统包括:客户机和服务器;其中所述客户机内存储有公钥KP1;所述服务器内存储有私钥KS1以及私钥KS1和客户机唯一标识的对应关系;所述私钥KS1和公钥KP1为一密钥对;A specific embodiment of the present invention further provides a management system for a license, the system comprising: a client and a server; wherein the client stores a public key K P1 ; the server stores a private key K S1 and a private key K a correspondence between S1 and a unique identifier of the client; the private key K S1 and the public key K P1 are a key pair;
客户机,用于接收客户根据功能列表选择的待改变的功能,根据本地的标识信息生成一密钥对,该密钥对包括:私钥KS2和公钥KP2;根据公钥KP2和待改变的功能生成一第一数据包,并将该第一数据包用公钥KP1加密;所述第一数据包包括:公钥KP2和待改变的功能;所述功能列表包括:本地设备内的软硬件功能;a client, configured to receive a function to be changed selected by the client according to the function list, and generate a key pair according to the local identification information, the key pair includes: a private key K S2 and a public key K P2 ; according to the public key K P2 and The function to be changed generates a first data packet, and encrypts the first data packet with a public key K P1 ; the first data packet includes: a public key K P2 and a function to be changed; the function list includes: local Software and hardware functions within the device;
客户机,还用于将加密后的第一数据包以及本地的唯一标识发送给服务器;The client is further configured to send the encrypted first data packet and the local unique identifier to the server;
服务器,用于根据唯一标识从私钥KS1和客户机唯一标识的对应关系中查询到私钥KS1,采用私钥KS1该加密后的第一数据包解密得到第一数据包内的公钥KP2和待改变的功能;根据唯一标识和待改变的功能计算出license,采用公钥KP2对license加密得到第二数据包,将该第二数据包发送给客户机;a server, configured to query the private key K S1 from the correspondence between the private key K S1 and the client unique identifier according to the unique identifier, and use the private key K S1 to decrypt the encrypted first data packet to obtain the public information in the first data packet. Key K P2 and the function to be changed; calculate the license according to the unique identifier and the function to be changed, encrypt the license with the public key K P2 to obtain the second data packet, and send the second data packet to the client;
客户机,还用于采用私钥KS2对该第二数据包解密得到license,根据license完成待改变功能的配置。The client is further configured to decrypt the second data packet by using the private key K S2 to obtain a license, and complete the configuration of the function to be changed according to the license.
本发明提供的系统中的客户机和服务器在交互时,均采用加解密方式交互信息,所以其具有提高中间数据安全性的优点。 The client and the server in the system provided by the present invention use the encryption and decryption method to exchange information when interacting, so it has the advantage of improving the security of the intermediate data.
本发明提供的技术方案具有安全性高的优点。The technical solution provided by the invention has the advantage of high safety.
上述单元和系统实施例中,所包括的各个模块或单元只是按照功能逻辑进行划分的,但并不局限于上述的划分,只要能够实现相应的功能即可;另外,各功能模块的具体名称也只是为了便于相互区分,并不用于限制本发明的保护范围。In the above unit and system embodiment, each module or unit included is only divided according to functional logic, but is not limited to the above division, as long as the corresponding function can be implemented; in addition, the specific name of each functional module is also They are only used to facilitate mutual differentiation and are not intended to limit the scope of the present invention.
本领域技术人员可以理解,本发明实施例提供的非线性容限的补偿方法中,其全部或部分步骤是可以通过程序指令相关的硬件来完成。比如可以通过计算机运行程来完成。该程序可以存储在可读取存储介质,例如,随机存储器、磁盘、光盘等。It can be understood by those skilled in the art that all or part of the steps of the nonlinear tolerance compensation method provided by the embodiments of the present invention can be completed by hardware related to program instructions. For example, it can be done by computer running. The program can be stored in a readable storage medium such as a random access memory, a magnetic disk, an optical disk, or the like.

Claims (17)

  1. 一种基于TCM 或TPM 的license的动态管理方法,其特征在于,所述方法包括:A method for dynamically managing a license based on a TCM or a TPM, the method comprising:
    在本地设备内配置公钥KP1Configure the public key K P1 in the local device;
    接收客户根据功能列表选择的待改变的功能,所述功能列表包括:本地设备内的软硬件功能;Receiving a function to be changed selected by the customer according to the function list, where the function list includes: a software and hardware function in the local device;
    根据本地的标识信息生成一密钥对,该密钥对包括:私钥KS2和公钥KP2Generating a key pair according to the local identification information, the key pair includes: a private key K S2 and a public key K P2 ;
    根据公钥KP2和待改变的功能生成一第一数据包,并将该第一数据包用所述公钥KP1加密,所述第一数据包包括:公钥KP2和待改变的功能;Generating a first data packet according to the public key K P2 and the function to be changed, and encrypting the first data packet with the public key K P1 , the first data packet includes: a public key K P2 and a function to be changed ;
    将加密后的第一数据包以及本地的唯一标识发送给服务器;以使所述服务器能根据该本地的唯一标识获取私钥KS1;并根据该私钥KS1解密该第一数据包得到的公钥KP2和待改变的功能;Sending the encrypted first data packet and the local unique identifier to the server; so that the server can obtain the private key K S1 according to the local unique identifier; and decrypting the first data packet according to the private key K S1 Public key K P2 and function to be changed;
    接收服务器发送的采用公钥KP2加密的第二数据包,该第二数据包具体包括:对本地的唯一标识和待改变的功能计算得到的license;Receiving, by the receiving server, the second data packet encrypted by using the public key K P2 , the second data packet specifically includes: a license calculated for the local unique identifier and the function to be changed;
    采用私钥KS2对加密的第二数据包解密得到license,根据该license完成待改变功能的配置。The encrypted second data packet is decrypted by using the private key K S2 to obtain a license, and the configuration of the function to be changed is completed according to the license.
  2. 根据权利要求1所述的方法,其特征在于,所述待改变的功能包括:功能的退订或待激活的功能。The method according to claim 1, wherein the function to be changed comprises a function of unsubscribing or a function to be activated.
  3. 根据权利要求1所述的方法,其特征在于,所述方法在本地设备配置公钥KP1时,还在本地设备配置一密文;在配置有密文后,所述根据公钥KP2和待改变的功能生成一第一数据包,并将该第一数据包用所述公钥KP1加密具体包括:The method according to claim 1, wherein the method further configures a ciphertext on the local device when the local device configures the public key K P1 ; and after the ciphertext is configured, the public key K P2 and The function to be changed generates a first data packet, and encrypting the first data packet with the public key K P1 specifically includes:
    根据公钥KP2、待改变的功能和所述密文生成一第一数据包,将该第一数据包用所述公钥KP1加密,所述第一数据包公钥KP2、待改变的功能和所述密文。Generating a first data packet according to the public key K P2 , the function to be changed, and the ciphertext, and encrypting the first data packet with the public key K P1 , the first data packet public key K P2 , to be changed The function and the ciphertext.
  4. 根据权利要求1所述的方法,其特征在于,所述加密的第二数据包还包括:公钥KP2签名的license杂凑值,且第二数据包包括上述签名的公钥KP2签名的license杂凑值时,所述采用私钥KS2对加密的第二数据包解密得到license,根据该license完成待改变功能的配置具体包括:The method according to claim 1, wherein the encrypted second data packet further comprises: license hash value signed public key K P2, and the second data packet includes the public key of the signature of the license signature K P2 When the hash value is used, the private key K S2 decrypts the encrypted second data packet to obtain a license, and the configuration of the function to be changed according to the license includes:
    采用私钥KS2对加密的第二数据包解密得到license和私钥KS1签名的license杂凑值,采用公钥KP1对私钥KS1签名的license杂凑值解密得到license杂凑值,比对解密后的license杂凑值与对license进行计算得到的license杂凑值,如相同,根据该license完成待改变功能的配置。The private data K S2 is used to decrypt the encrypted second data packet to obtain the license hash value of the license and the private key K S1 signature, and the license hash value signed by the private key K S1 is decrypted by the public key K P1 to obtain the license hash value, and the decryption value is decrypted. After the license hash value is the same as the license hash value calculated for the license, the configuration of the function to be changed is completed according to the license.
  5. 一种基于TCM 或TPM 的license的动态管理支持方法,其特征在于,所述方法包括:A dynamic management support method for a license based on a TCM or a TPM, the method comprising:
    在服务器内配置私钥KS1以及私钥KS1和客户机唯一标识的对应关系;Configuring a correspondence between the private key K S1 and the private key K S1 and the unique identifier of the client in the server;
    接收客户机发送的唯一标识和采用公钥KP1加密后的第一数据包;所述第一数据包包括:公钥KP2和待改变的功能;Receiving the unique identifier sent by the client and the first data packet encrypted by using the public key K P1 ; the first data packet includes: a public key K P2 and a function to be changed;
    根据唯一标识从私钥KS1和客户机唯一标识的对应关系中查询到私钥KS1Querying the private key K S1 from the correspondence between the private key K S1 and the unique identifier of the client according to the unique identifier;
    采用私钥KS1对该加密后的第一数据包解密得到第一数据包内的公钥KP2和待改变的功能;Decrypting the encrypted first data packet by using the private key K S1 to obtain the public key K P2 in the first data packet and the function to be changed;
    根据该唯一标识和该待改变的功能进行计算得到license,采用公钥KP2对license加密得到第二数据包,将该第二数据包发送给客户机。Calculating the license according to the unique identifier and the function to be changed, encrypting the license with the public key K P2 to obtain the second data packet, and transmitting the second data packet to the client.
  6. 根据权利要求5所述的方法,其特征在于,所述待改变的功能包括:功能的退订或待激活的功能。The method according to claim 5, wherein the function to be changed comprises a function of unsubscribing or a function to be activated.
  7. 根据权利要求5所述的方法,其特征在于,所述第一数据包还包括:密文,当该第一数据包包括密文时,所述方法还包括:在服务器内配置密文杂凑值与客户机唯一标识的对应关系;The method according to claim 5, wherein the first data packet further comprises: a ciphertext, when the first data packet includes a ciphertext, the method further comprises: configuring a ciphertext hash value in the server Correspondence with the unique identifier of the client;
    所述方法根据唯一标识从私钥KS1和客户机唯一标识的对应关系中查询到私钥KS1的同时还包括:The method further includes: querying the private key K S1 from the correspondence between the private key K S1 and the unique identifier of the client according to the unique identifier:
    根据唯一标识从密文杂凑值与客户机唯一标识的对应关系中查询到该唯一标识对应的密文杂凑值,对比查询到的杂凑值与接收到的密文的杂凑值,如一致,执行根据唯一标识从预先配置的私钥KS1和唯一标识的对应关系中查询到私钥KS1的后续操作。Query the ciphertext hash value corresponding to the unique identifier from the correspondence between the ciphertext hash value and the client unique identifier according to the unique identifier, and compare the hash value of the query with the hash value of the received ciphertext, such as The subsequent operation of querying the private key K S1 from the pre-configured private key K S1 and the uniquely identified correspondence relationship is uniquely identified.
  8. 根据权利要求5所述的方法,其特征在于,所述采用公钥KP2对license加密得到第二数据包具体包括:对该license进行杂凑值计算得到的license杂凑值,对该license杂凑值采用私钥KS1加密得到私钥KS1签名的license杂凑值,采用公钥KP2对该私钥KS1签名的license杂凑值和license加密得到加密第二数据包。The method according to claim 5, wherein the encrypting the license to obtain the second data packet by using the public key K P2 comprises: a license hash value obtained by calculating a hash value of the license, and adopting the license hash value of the license K S1 private secret key encrypted license K S1 signed hash value using a hash of license and license encrypted public key to the private key K S1 K P2 signature is encrypted second data packet.
  9. 一种基于TCM 或TPM 的license的动态管理装置,其特征在于,所述装置包括:A dynamic management device for a license based on a TCM or TPM, characterized in that the device comprises:
    配置单元,用于在本地设备内配置公钥KP1a configuration unit, configured to configure a public key K P1 in the local device;
    接收单元,用于接收客户根据功能列表选择的待改变的功能,所述功能列表包括:本地设备内的软硬件功能;a receiving unit, configured to receive a function to be changed selected by the customer according to the function list, where the function list includes: a software and hardware function in the local device;
    密钥生成单元,用于根据本地的标识信息生成一密钥对,该密钥对包括:私钥KS2和公钥KP2a key generating unit, configured to generate a key pair according to the local identification information, where the key pair includes: a private key K S2 and a public key K P2 ;
    加密单元,用于根据公钥KP2和待改变的功能生成一第一数据包,并将该第一数据包用所述公钥KP1加密,所述第一数据包包括:公钥KP2和待改变的功能;An encryption unit, configured to generate a first data packet according to the public key K P2 and the function to be changed, and encrypt the first data packet by using the public key K P1 , where the first data packet includes: a public key K P2 And the function to be changed;
    发送单元,用于将加密后的第一数据包以及本地的唯一标识发送给服务器;以使所述服务器能根据该本地的唯一标识获取私钥KS1;并根据该私钥KS1解密该第一数据包得到的公钥KP2和待改变的功能;a sending unit, configured to send the encrypted first data packet and the local unique identifier to the server, so that the server can obtain the private key K S1 according to the local unique identifier; and decrypt the first key according to the private key K S1 a public key K P2 obtained by a data packet and a function to be changed;
    所述接收单元,还用于接收采用公钥KP2加密的第二数据包,该第二数据包具体包括:对本地的唯一标识和待改变的功能计算得到的license;The receiving unit is further configured to receive a second data packet that is encrypted by using the public key K P2 , where the second data packet includes: a license that is calculated by a local unique identifier and a function to be changed;
    解密配置单元,用于采用私钥KS2对加密的第二数据包解密得到license,根据该license完成待改变功能的配置;所述私钥KS1和公钥KP1为一密钥对。The decryption configuration unit is configured to decrypt the encrypted second data packet by using the private key K S2 to obtain a license, and complete the configuration of the function to be changed according to the license; the private key K S1 and the public key K P1 are a key pair.
  10. 根据权利要求9所述的装置,其特征在于,所述待改变的功能包括:功能的退订或待激活的功能。The device according to claim 9, wherein the function to be changed comprises a function of unsubscribing or a function to be activated.
  11. 根据权利要求9所述的装置,其特征在于,所述加密的第二数据包还包括:公钥KP2签名的license杂凑值,所述解密配置单元进一步用于采用私钥KS2对加密的第二数据包解密得到license和私钥KS1签名的license杂凑值,采用公钥KP1对私钥KS1签名的license杂凑值解密得到license杂凑值,比对解密后的license杂凑值与对license进行计算得到的license杂凑值,如相同,根据该license完成待改变功能的配置。The apparatus according to claim 9, wherein the encrypted second data packet further comprises: a license hash value signed by the public key K P2 , the decryption configuration unit further configured to encrypt the encrypted key K S2 The second data packet is decrypted to obtain the license hash value of the license and the private key K S1 signature, and the license hash value of the private key K S1 signature is decrypted by the public key K P1 to obtain the license hash value, and the decrypted license hash value and the license are compared. The license hash value obtained by the calculation is the same, and the configuration of the function to be changed is completed according to the license.
  12. 一种基于TCM 或TPM 的license的动态管理的支持装置,其特征在于,所述装置包括:A device for dynamically managing a license based on a TCM or TPM, characterized in that the device comprises:
    配置单元,用于在服务器内配置私钥KS1以及私钥KS1和客户机唯一标识的对应关系;a configuration unit, configured to configure a correspondence between the private key K S1 and the private key K S1 and the unique identifier of the client in the server;
    接收单元,用于接收客户机发送的唯一标识和采用公钥KP1加密后的第一数据包,所述第一数据包包括:公钥KP2和待改变的功能;a receiving unit, configured to receive a unique identifier sent by the client and a first data packet encrypted by using a public key K P1 , where the first data packet includes: a public key K P2 and a function to be changed;
    解密单元,用于采用私钥KS1该加密后的第一数据包解密得到第一数据包内的公钥KP2和待改变的功能;a decryption unit, configured to decrypt, by using the private key K S1 , the encrypted first data packet to obtain a public key K P2 in the first data packet and a function to be changed;
    查询单元,用于根据唯一标识从私钥KS1和客户机唯一标识的对应关系中查询到私钥KS1Querying unit configured to query the corresponding relationship between the private key K S1 and uniquely identifies the client to the private key K S1 according to a unique identifier;
    计算发送单元,用于根据该唯一标识和该待改变的功能进行计算得到license,采用公钥KP2对license加密得到第二数据包,将该第二数据包发送给客户机。The calculation sending unit is configured to calculate a license according to the unique identifier and the function to be changed, encrypt the license with the public key K P2 to obtain a second data packet, and send the second data packet to the client.
  13. 根据权利要求12所述的装置,其特征在于,所述待改变的功能包括:功能的退订或待激活的功能。The device according to claim 12, wherein the function to be changed comprises a function of unsubscribing or a function to be activated.
  14. 根据权利要求12所述的装置,其特征在于,所述第一数据包还包括:密文,所述配置单元还用于在服务器内配置密文杂凑值与客户机唯一标识的对应关系;The apparatus according to claim 12, wherein the first data packet further comprises: a ciphertext, wherein the configuration unit is further configured to configure a correspondence between the ciphertext hash value and the client unique identifier in the server;
    所述装置还包括:杂凑值验证单元,用于根据唯一标识从密文杂凑值和客户机唯一标识的对应关系中查询到该唯一标识对应的密钥杂凑值,对比查询到的杂凑值与接收到的密文杂凑值,如一致,触发所述查询单元、所述解密单元和所述计算发送单元执行操作。The device further includes: a hash value verification unit, configured to query, according to the unique identifier, a key hash value corresponding to the unique identifier from a correspondence between the ciphertext hash value and the client unique identifier, and compare the queried value and the received query The received ciphertext hash value, if consistent, triggers the query unit, the decryption unit, and the computing sending unit to perform operations.
  15. 根据权利要求12所述的装置,其特征在于,所述计算发送单元具体包括:The device according to claim 12, wherein the calculating and transmitting unit specifically comprises:
    计算模块,用于根据该唯一标识和该待改变的功能进行计算得到license,对该license进行杂凑值计算得到的license杂凑值;a calculation module, configured to calculate a license according to the unique identifier and the function to be changed, and perform a hash value of the license value calculated by the hash value of the license;
    签名模块,用于对该license杂凑值采用私钥KS1加密得到私钥KS1签名的license杂凑值,a signature module, configured to encrypt the license hash value by using a private key K S1 to obtain a license hash value of the private key K S1 signature,
    加密发送模块,用于采用公钥KP2对该私钥KS1签名的license杂凑值和license加密得到加密第二数据包,将该第二数据包发送给客户机。Transmitting encryption module configured to use license and license encrypted hash value of the public key K P2 signature private key K S1 is encrypted second data packet, the second data packet to the client.
  16. 一种license的管理系统,其特征在于,所述系统包括:客户机和服务器;其中所述客户机内存储有公钥KP1;所述服务器内存储有私钥KS1以及私钥KS1和客户机唯一标识的对应关系;所述私钥KS1和公钥KP1为一密钥对;A license management system, characterized in that the system comprises: a client and a server; wherein the client stores a public key K P1 ; the server stores a private key K S1 and a private key K S1 and a correspondence uniquely identified by the client; the private key K S1 and the public key K P1 are a key pair;
    所述客户机,用于接收客户根据功能列表选择的待改变的功能,根据本地的标识信息生成一密钥对,该密钥对包括:私钥KS2和公钥KP2;根据公钥KP2和待改变的功能生成一第一数据包,并将该第一数据包用所述公钥KP1加密,所述第一数据包包括:公钥KP2和待改变的功能;所述功能列表包括:本地设备内的软硬件功能;The client is configured to receive a function to be changed selected by the client according to the function list, and generate a key pair according to the local identification information, where the key pair includes: a private key K S2 and a public key K P2 ; according to the public key K P2 and the function to be changed generate a first data packet, and encrypt the first data packet with the public key K P1 , the first data packet includes: a public key K P2 and a function to be changed; the function The list includes: hardware and software functions within the local device;
    所述客户机,还用于将加密后的第一数据包以及本地的唯一标识发送给服务器;The client is further configured to send the encrypted first data packet and the local unique identifier to the server;
    所述服务器,用于根据唯一标识从私钥KS1和客户机唯一标识的对应关系中查询到私钥KS1,采用私钥KS1该加密后的第一数据包解密得到第一数据包内的公钥KP2和待改变的功能;根据唯一标识和待改变的功能计算出license,采用公钥KP2对license加密得到第二数据包,将该第二数据包发送给客户机;The server is configured to query the private key K S1 from the correspondence between the private key K S1 and the unique identifier of the client according to the unique identifier, and use the private key K S1 to decrypt the encrypted first data packet to obtain the first data packet. The public key K P2 and the function to be changed; calculate the license according to the unique identifier and the function to be changed, encrypt the license with the public key K P2 to obtain the second data packet, and send the second data packet to the client;
    所述客户机,还用于采用私钥KS2对该第二数据包解密得到license,根据license完成待改变功能的配置。The client is further configured to decrypt the second data packet by using the private key K S2 to obtain a license, and complete the configuration of the function to be changed according to the license.
  17. 根据权利要求16所述的系统,其特征在于,所述待改变的功能包括:功能的退订或待激活的功能。The system according to claim 16, wherein the function to be changed comprises a function of unsubscribing or a function to be activated.
PCT/CN2011/079141 2011-08-31 2011-08-31 License dynamic management method, device and system based on tcm or tpm WO2012149717A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2011/079141 WO2012149717A1 (en) 2011-08-31 2011-08-31 License dynamic management method, device and system based on tcm or tpm
CN201180004976.0A CN102986162B (en) 2011-08-31 2011-08-31 Based on license dynamic management approach, the Apparatus and system of TCM or TPM

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2011/079141 WO2012149717A1 (en) 2011-08-31 2011-08-31 License dynamic management method, device and system based on tcm or tpm

Publications (1)

Publication Number Publication Date
WO2012149717A1 true WO2012149717A1 (en) 2012-11-08

Family

ID=47107752

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2011/079141 WO2012149717A1 (en) 2011-08-31 2011-08-31 License dynamic management method, device and system based on tcm or tpm

Country Status (2)

Country Link
CN (1) CN102986162B (en)
WO (1) WO2012149717A1 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112235107A (en) * 2020-10-27 2021-01-15 南方电网科学研究院有限责任公司 Data transmission method, device, equipment and storage medium
CN112597551A (en) * 2020-12-22 2021-04-02 南京道熵信息技术有限公司 Disk encryption method and system capable of updating in real time by using License
CN114499891A (en) * 2022-03-21 2022-05-13 宁夏凯信特信息科技有限公司 Signature server system and signature verification method
WO2022174748A1 (en) * 2021-02-20 2022-08-25 普源精电科技股份有限公司 Electronic test device and optional function configuring method
CN116155633A (en) * 2023-04-23 2023-05-23 农数源(成都)科技有限公司 Sensor external data security protection and bidirectional authentication method, system and device

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103916390B (en) * 2014-03-20 2017-10-31 汉柏科技有限公司 License control method and device in cloud computing system
CN112398818B (en) * 2020-11-02 2023-03-07 深圳数联天下智能科技有限公司 Software activation method and related device thereof
CN113422683B (en) * 2021-03-04 2023-05-26 上海数道信息科技有限公司 Edge cloud cooperative data transmission method, system, storage medium and terminal

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1372055A2 (en) * 2002-06-12 2003-12-17 Microsoft Corporation Publishing content in connection with digital rights management (DRM) architecture
CN1539107A (en) * 2001-06-07 2004-10-20 ��̹�е¿عɹɷ����޹�˾ Method and system for subscription digital rights management
CN101610148A (en) * 2009-07-08 2009-12-23 李伟 A kind of reciprocity internet digital literary property protection method
CN102077213A (en) * 2008-06-26 2011-05-25 微软公司 Techniques for ensuring authentication and integrity of communications

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101631305B (en) * 2009-07-28 2011-12-07 交通银行股份有限公司 Encryption method and system

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1539107A (en) * 2001-06-07 2004-10-20 ��̹�е¿عɹɷ����޹�˾ Method and system for subscription digital rights management
EP1372055A2 (en) * 2002-06-12 2003-12-17 Microsoft Corporation Publishing content in connection with digital rights management (DRM) architecture
CN102077213A (en) * 2008-06-26 2011-05-25 微软公司 Techniques for ensuring authentication and integrity of communications
CN101610148A (en) * 2009-07-08 2009-12-23 李伟 A kind of reciprocity internet digital literary property protection method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
CHEN, JUAN ET AL.: "Research on CPK Authentication of Information Security Based on TPM", MODERN ELECTRONIC TECHNIQUE, vol. 323, no. 12, June 2010 (2010-06-01), pages 137 - 140 AND 146 *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112235107A (en) * 2020-10-27 2021-01-15 南方电网科学研究院有限责任公司 Data transmission method, device, equipment and storage medium
CN112235107B (en) * 2020-10-27 2023-03-03 南方电网科学研究院有限责任公司 Data transmission method, device, equipment and storage medium
CN112597551A (en) * 2020-12-22 2021-04-02 南京道熵信息技术有限公司 Disk encryption method and system capable of updating in real time by using License
CN112597551B (en) * 2020-12-22 2023-08-18 南京道熵信息技术有限公司 Disk encryption method and system capable of being updated in real time by License
WO2022174748A1 (en) * 2021-02-20 2022-08-25 普源精电科技股份有限公司 Electronic test device and optional function configuring method
CN114499891A (en) * 2022-03-21 2022-05-13 宁夏凯信特信息科技有限公司 Signature server system and signature verification method
CN116155633A (en) * 2023-04-23 2023-05-23 农数源(成都)科技有限公司 Sensor external data security protection and bidirectional authentication method, system and device
CN116155633B (en) * 2023-04-23 2023-06-27 农数源(成都)科技有限公司 Sensor external data security protection and bidirectional authentication method, system and device

Also Published As

Publication number Publication date
CN102986162A (en) 2013-03-20
CN102986162B (en) 2015-08-05

Similar Documents

Publication Publication Date Title
WO2012149717A1 (en) License dynamic management method, device and system based on tcm or tpm
WO2014069783A1 (en) Password-based authentication method, and apparatus for performing same
WO2020147383A1 (en) Process examination and approval method, device and system employing blockchain system, and non-volatile storage medium
WO2014175538A1 (en) Apparatus for providing puf-based hardware otp and method for authenticating 2-factor using same
WO2019132272A1 (en) Id as blockchain based service
WO2013086758A1 (en) Ethernet encryption and authentication system and method
WO2016206530A1 (en) Highly secure mobile payment method, apparatus, and system
CA2713787C (en) Protocol for protecting content protection data
WO2016169410A1 (en) Login method and device, server and login system
WO2019074326A1 (en) Method and apparatus for secure offline payment
WO2020050424A1 (en) BLOCK CHAIN-BASED SYSTEM AND METHOD FOR MULTIPLE SECURITY AUTHENTICATION BETWEEN MOBILE TERMINAL AND IoT DEVICE
WO2016123926A1 (en) Remote control based subscriber identity module card terminal management method and system
WO2018072261A1 (en) Information encryption method and device, information decryption method and device, and terminal
WO2020186775A1 (en) Service data providing method, apparatus and device, and computer-readable storage medium
WO2012093900A2 (en) Method and device for authenticating personal network entity
WO2018098886A1 (en) Method for opening vehicle door, mobile terminal, vehicle-mounted terminal, and system
WO2012099330A2 (en) System and method for issuing an authentication key for authenticating a user in a cpns environment
WO2020022700A1 (en) Secure element for processing and authenticating digital key and operation method therefor
WO2018090481A1 (en) Method and system for verifying digital certificate of mobile terminal application
WO2020253120A1 (en) Webpage registration method, system and device, and computer storage medium
WO2020034527A1 (en) User personal information encryption and authorisation method, apparatus, and device, and readable storage medium
JP2024051151A (en) Cryptographic communication system, secure element, device, and cryptographic communication method
WO2017166884A1 (en) File processing method and apparatus employing external device
WO2018053904A1 (en) Information processing method and terminal
WO2017016272A1 (en) Method, apparatus and system for processing virtual resource data

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 201180004976.0

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11864687

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11864687

Country of ref document: EP

Kind code of ref document: A1