CN100438430C - Method for realizing safety on-chip intelligent members (Google Patents)

Method for realizing safety on-chip intelligent members

Info

Publication number: CN100438430C
Authority: CN (China)
Prior art keywords: intelligent body, sheet, aocm, intelligent, equipment
Legal status: Expired - Fee Related
Application number: CNB2005100377687A
Other languages: Chinese (zh)
Other versions: CN1655523A
Inventors: 王汝传, 徐小龙
Current assignee: Nanjing Post & Telecommunication College
Original assignee: Nanjing Post & Telecommunication College

Abstract

The invention is a secure on-chip agent scheme for open network environments. It uses an integrated chip as the hardware basis of a secure and reliable execution environment for agent technology, so that agent-based application systems can be realized effectively in a network. The chip serves as the agent's underlying hardware execution environment: it is installed on every network node that needs to run agents, and it provides a secure, easily deployed on-chip execution environment for agents that run in an open and untrusted network. The secure on-chip agent scheme is divided into three parts: an AoC system construction scheme, an AoC system application scheme and an AoC system operation scheme.

Description

A secure on-chip agent method
Technical field
The invention is used in open network environments. It adopts an integrated chip as the hardware foundation of a secure and reliable execution environment for agent technology, so that application systems based on agents can be realized effectively in a network. The technique lies at the intersection of embedded software, artificial intelligence and information security.
Background technology
Modern network technology is developing towards distributed, mobile and intelligent systems, and agent technology is a new distributed computing model that has arisen to meet this demand. The birth and development of agent technology is the inevitable outcome of progress in distributed artificial intelligence and networking. An agent is in essence an intelligent software entity; compared with traditional computing models it has excellent properties such as autonomy, sociality, reactivity, reasoning and mobility.
Adopting agent technology in network application systems can effectively reduce network traffic, increase the asynchrony between client and server, ease load balancing and fault tolerance, and support mobile clients and the dynamic customization of services. Agent technology is therefore widely used in fields such as e-commerce, workflow, network management, distance education, dynamic routing, information retrieval and pervasive computing, and its research has become a focus of network-based distributed artificial intelligence.
Encouraged by these application prospects, many foreign companies, universities and research institutions have released their own agent systems, but pushing them into real commercial use will take time, and one of the main restraining factors is the security of agent technology. Agent security problems fall mainly into three areas: attacks on the agent while it is in transit; attacks on the agent by its execution environment and host; and attacks on the execution environment and host by the agent. Protecting the agent in transit can be solved with existing network security technology (such as the Secure Sockets Layer), and fairly mature solutions exist. Protecting the execution environment and host has been studied extensively, and effective and practical methods have been proposed for the authorization, authentication and access control of agents, such as sandboxing, signature and authentication techniques, and security code inspection.
Protecting the agent itself, however, is a very stubborn problem, because in a conventional agent system the agent's originator loses all control over the agent once it has migrated to the destination execution environment. Every line of the agent's code is interpreted and executed by the local execution environment; that is, the agent is fully exposed to the destination agent system, and the executing party can easily isolate and capture the agent and subject it to all kinds of attacks. New techniques and methods are therefore needed to protect agents from attack by malicious hosts.
Analysis of malicious host attacks:
An agent must run on the destination host, so its code and data are all visible to that host. If the destination host is malicious, or has been compromised or impersonated by an attacker, it may attack the agent program in the following ways:
1. A malicious host can simply destroy or stop the agent program, preventing the agent from carrying out its task;
2. A malicious host can steal useful information carried by the agent, such as intermediate data the agent program has collected while roaming;
3. A malicious host can modify the data carried by the agent. When an agent is responsible for collecting the best quotation for some commodity on behalf of a user, the host can tamper with the quotations the agent collected from previous servers, so that the user is deceived into taking the host's own quotation as the best price;
4. A more complex and more harmful attack is for the attacker to rewrite part of the agent program's code, so that it performs malicious operations after returning to the user's host or roaming on to other servers. Normally the user regards the agent it sent out as trustworthy and grants it fairly broad access to local resources, so this class of attack on agents is particularly harmful.
In general, complete protection of an agent (whether its program code or its data) is rather difficult, because the destination host must access the agent's code and state in order to run it, and because part of the agent's data and state normally changes as computation results or response results are stored. Common schemes all provide some mechanism by which the host that sent the agent can discover such modifications, determine whether the agent it sent has been attacked, and respond with a corresponding strategy.
Summary of the invention
Technical problem: the purpose of the invention is to provide a secure on-chip agent method (Agent-on-Chip, abbreviated AoC below). AoC adopts an integrated chip (Chip) as its underlying hardware execution environment. The chip is installed on every network node that needs to run agents, and provides a secure, easily deployed on-chip execution environment for agents that run in an open, untrusted network. The AoC technology has the advantages of platform independence, multi-functionality, easy functional upgrade, flexibility and good compatibility.
Technical scheme: the AoC technology and its security solution protect agents with trusted, tamper-resistant hardware. The core idea is to equip the host with a piece of hardware that is trusted, that has an agent execution environment packaged inside it, and that can receive mobile agents and execute their tasks. This hardware can provide a secure runtime environment for the agent, because the host can interact with it only through the interface the hardware itself provides and cannot intervene in the execution of tasks inside it. The host may even provide an agent execution environment of its own, but the communication interface between it and this special hardware must be standardized, or at least agreed upon. With such a hardware device the security of the agent can be guaranteed, because the agent migrates only between trusted environments and interacts with untrusted environments (such as the host and the services it provides) only by message.
The choice of hardware type is extremely important; candidate hardware platforms include integrated chips, PC (personal computer) cards and smart cards. Our view is that the larger the hardware, the harder it is to supply. In the invention we adopt an integrated chip as the hardware platform of the agent's secure runtime environment, that is, the whole agent system is realized on a single chip (Chip); this is the "agent on chip" technology.
The underlying hardware of the AoC system is a silicon die with a complete system architecture and functionality; its architecture includes a processor capable of control and computation functions, memory, interfaces and peripheral circuits. On top of the hardware is an embedded operating system, for which an embedded Linux system (a freely usable operating system belonging to free software) or similar can be adopted; like the operating system on a PC, it is responsible for low-level processing. The API class library provides developers with the class libraries needed to realize agent software systems for various requirements. The top layer of the AoC system is the agent service system and the agent programs that run in it. To guarantee that agent programs do not interfere with one another, a firewall is used to isolate each agent program.
The host is connected to the AoC chip hardware through a standard interface, and sends the agent programs it receives from other hosts into the AoC system to run.
In the agent protection scheme of the invention, the AoC manufacturer AoCM (AoC Manufacturer) is the equipment manufacturer that produces AoC devices. The agent receiver (Agent Receiver, abbreviated AR below) is the host the agent will visit. The agent owner AS (Agent Sender) is also the originator of the agent. A Proxy provides a directory service. An AR can register the following reference information with one or more Proxies: the machine name and physical network address of its host, the security policy it provides, and its AoCM certificate; AS uses this information to locate the AR. The AoCM certificate contains the following information: the manufacturer of the AoC, the type of the AoC, the security policy the AoC provides, and the public key of the AoC. AS holds an authentic copy of the AoCM public key, which it uses to verify the AoCM certificates that AoCM issues.
The AoC is provided with a cryptographic coprocessor, which generates the key pair and guarantees that the private key is unknown to the outside world; even the owner of the AoC device does not know it. The host can access the coprocessor only through well-defined interfaces.
Suppose AoCM has a good reputation and AS trusts it strongly. Then as long as the host on which an AR resides has an AoC device produced by AoCM, it can attract AS to send agents to it. If the host is used for e-commerce business, the more agents that come, the greater the profit it may obtain. Out of self-interest, an AR therefore needs to take appropriate measures to attract agents, so the owner of the AR buys an AoC device produced by an AoCM that AS trusts, and obtains the signing certificate provided by AoCM at the time of purchase. Afterwards, because of its trust in AoCM, AS will send agents to the AR's host to execute tasks. We can thus see that this scheme substitutes one trust relationship for another: AS trusts AoCM, so as long as the AR's host has an AoC device produced by AoCM it can attract agents; that is, AS's trust in AoCM has replaced AS's trust in AR.
The secure on-chip agent scheme adopts an integrated chip as the agent's underlying hardware execution environment. The chip is installed on every network node that needs to run agents, and provides a secure, easily deployed on-chip execution environment for agents that run in an open, untrusted network. The secure on-chip agent technical scheme is divided into three parts, namely the AoC system construction scheme, the AoC system application scheme and the AoC system operation scheme, which are as follows.
AoC system construction scheme:
1) First design the overall software and hardware architecture of the AoC system. Based on the idea of layering, the system is divided into 5 levels according to how closely each is tied to the hardware environment; from bottom to top they are: silicon hardware, including processor, memory and interfaces; embedded operating system; API class library; agent service system; agent application programs;
2) The underlying hardware of the AoC system is a silicon die with a complete system architecture and functionality; its architecture includes a processor capable of control and computation functions, memory, interfaces and peripheral circuits. In practice it is a complete, independent computing and storage platform realized on one silicon die with deep sub-micron semiconductor process technology;
3) On the hardware platform is an embedded operating system. Because this system runs on a chip, Tiny Operating System (micro OS) technology is adopted; in this scheme an embedded Linux system is used. Like the operating system of a PC, it handles interaction with the low-level hardware and provides services such as hardware management and system calls to upper-layer applications;
4) The API class library provides developers with the class libraries needed to realize agent software systems for various requirements. Classes in the library can be added, deleted and modified according to the concrete application. After the system is complete, the class library can be further upgraded as requirements change and grow; this work can only be done by the AoC supplier;
5) The top layer of the AoC system is the agent service system and the agent programs that run in it. An agent program is loaded by the agent receiver or operator, through the underlying standard interface, into the region prescribed by the agent service system, which decrypts, encrypts, verifies the signature on and executes it. The agent programs and the service system are both developed with embedded JAVA technology; the concrete development tool chosen is J2ME (Java 2 Micro Edition). To guarantee that agent programs cannot interfere with or attack one another, firewall technology is used to isolate each agent program.
AoC system application scheme:
1) First, the AoC manufacturer AoCM (AoC Manufacturer), as equipment manufacturer, sells AoC devices to users of agents. This rests on the premise that the agent owner trusts the AoC device manufacturer AoCM and believes it knows how to design and produce such devices correctly. The method therefore replaces one trust relationship with another: the agent owner's trust in a reputable AoCM replaces its trust in the destination host, the owner of the AoC device;
2) AoCM provides an AoCM signing certificate to the purchaser/user of the AoC device. The AoCM certificate contains the following information: the manufacturer of the AoC, the type of the AoC, the security policy the AoC provides, and the public key of the AoC. AS holds an authentic copy of the AoCM public key, which it uses to verify the AoCM certificates that AoCM issues;
3) The agent receiver (Agent Receiver, abbreviated AR below) is the host the agent will visit; the agent owner AS (Agent Sender) is also the originator of the agent; a Proxy provides a directory service. An AR can register the following reference information with one or more Proxies: the machine name and physical network address of its host, the security policy it provides, and its AoCM certificate; AS uses this information to locate the AR;
4) The AoC is provided with a cryptographic coprocessor, which generates the key pair and guarantees that the private key is unknown to the outside world; even the owner of the AoC device does not know it. The host can access the coprocessor only through well-defined interfaces;
5) The owner of the AR buys an AoC device produced by an AoCM that AS trusts, and obtains the signing certificate provided by AoCM at the time of purchase. Based on its trust in AoCM, AS can then send agents to the AR's host to execute tasks.
AoC system operation scheme:
1) AS submits the name of some AR to a Proxy and obtains the information associated with it, such as its AoCM certificate;
2) AS verifies the validity of the AoCM certificate with its own copy of the AoCM public key. If verification succeeds it proceeds to the next step; otherwise it abandons this AR;
3) AS examines whether the security policy this AR provides is sufficient to protect AS's own interests. If the policy is insufficient, AS abandons this AR; otherwise it encrypts the code segment of the agent with the public key of the destination AoC (taken from the AoCM certificate) and sends the agent to the destination host. To detect damage to the agent by the host, a message digest method such as MD5 is used;
4) AR accepts the arriving agent. Since it does not know the AoC's private key it cannot decode the encrypted code, and can do nothing with it except upload it into the AoC;
5) The AoC system first verifies the integrity of the agent; if it is damaged the agent is discarded and not executed, otherwise the AoC decrypts and runs it. After the run completes, the AoC obtains the AoCM certificate of the next AR the agent will visit by the method above, and encrypts the agent's code, data and run results with the public key given in that AoCM certificate;
6) The AoC passes the encrypted agent to AR; AR does not know the private key of the next hop's AoC and therefore cannot decrypt the agent;
7) The agent migrates to another AR or returns to AS.
Our scheme assumes that the agent owner AS trusts the AoC equipment manufacturer AoCM, believing that it knows how to design and produce such devices correctly, even though AS cannot constrain the manufacturer's behaviour. Our method therefore replaces one trust relationship with another: AS's trust in AoCM replaces its trust in the destination host, the owner of the AoC device. We consider this substitution meaningful for the following reasons. First, as a professional secure-device manufacturer, AoCM has more complete solutions to security and privacy problems; compared with the potentially millions of AoC device owners, the relatively small number of manufacturers (a few hundred) is much easier for a professional assessment body to control. Second, because such devices are difficult to produce, the manufacturers can only be fairly large companies, which will go to great lengths to build and keep a good reputation; for example, a manufacturer may invite relevant experts to monitor the company's operation, much as in the ISO9000 quality certification system. Finally, because the manufacturer and the AoC device owner are independent of each other, the manufacturer cannot directly benefit from improper behaviour by the AoC device owner. The manufacturer thus has the following features: it is professional, easy to control, of good character and without bad motives. We consider these sufficient for AS to trust it and buy the AoC devices it produces.
Beneficial effects: using the AoC technology has the following advantages:
1. Platform independence
The AoC technology confines the agent's runtime environment inside the chip, so the agent's runtime environment is independent of the hardware platform and operating system platform of the network node equipped with the AoC system. At the same time, an AoC system developed to the same AoC chip technology standard can run in chips developed by different developers, so the operation of agents is not restricted by the kind of underlying chip.
2. Multi-functionality
A single AoC chip can run several agent programs, each realizing a different function and completing a different task. To ensure that agents do not interfere with each other and create safety hazards, a firewall isolates the agents from one another.
3. Easy system upgrade
New application programs can still be installed after the AoC chip has been issued; the corresponding new agent program only needs to be loaded into the chip through the input interface. This lets the AoC chip publisher respond dynamically to constantly changing customer demand while also realizing system upgrades.
4. Flexibility
Agents and the AoC system are developed with embedded object-oriented methods and development tools (such as embedded JAVA). This object-oriented technology provides flexibility in on-chip programming.
5. Compatibility
The AoC technology is compatible with formal international SoC standards (such as IEEE P1500) and industry standards. This guaranteed compatibility allows the AoC system to be realized on the basic SoC platform and strengthens the interoperability of agents and AoC systems developed by different vendors, making the AoC system easier to deploy widely on every node of the network.
Description of drawings
Fig. 1 is the architecture diagram of the AoC technology.
The lowest layer in the figure is the underlying hardware of the AoC system: a silicon die with a complete system architecture and functionality, whose architecture includes a processor capable of control and computation functions, memory, interfaces and peripheral circuits.
On top of the hardware is an embedded operating system, such as an embedded Linux system; like the operating system of a personal computer, it is responsible for low-level processing.
The API class library provides developers with the class libraries needed to realize agent software systems for various requirements.
The top layer in the figure is the agent service system and the agent programs that run in it. To guarantee that agent programs do not interfere with one another, a firewall is used to isolate each agent program.
The host is connected to the AoC chip hardware through a standard interface, and sends the agent programs it receives from other hosts into the AoC system to run.
Fig. 2 is the model of the agent protection scheme based on the AoC technology.
In the figure, AoC refers to the on-chip agent system (Agent-on-Chip).
AoCM is the AoC manufacturer (AoC Manufacturer).
AR is the agent receiver (Agent Receiver), that is, host B (Host B), which the agent will visit.
AS is the agent owner (Agent Sender), that is, host A (Host A), which originates the agent.
The Proxy provides a directory service; an AR can register the following reference information with one or more Proxies: the machine name and physical network address of its host, the security policy it provides, and its AoCM certificate; AS uses this information to locate the AR.
The AoCM certificate contains the following information: the manufacturer of the AoC, the type of the AoC, the security policy the AoC provides, and the public key of the AoC.
Fig. 3 is the network architecture model of the example system.
The network of the example system consists of four hosts. One is the agent originator, that is, the client: it provides the user interface, accepts the user's transaction request, and customizes and sends an agent according to that request.
The other three are e-book servers. Each server runs two agent execution environments, a host agent execution environment and an AoC execution environment, where the host agent execution environment is only the agent's initial "foothold".
Fig. 4 is the block diagram of the secure on-chip agent technical scheme.
Embodiment
The intelligent agent technology scheme is divided into three parts on the sheet of safety: AoC system constructing scheme, AoC system applies scheme and AoC system operating scheme, and embodiment is as follows:
One, makes up the AoC system
1) at first designs whole soft, the hardware systems framework of AoC system, thought based on layering, system is divided into 5 levels according to the tightness degree of getting in touch with hardware environment, is followed successively by from bottom to up: silicon hardware (comprising processor, memory, interface etc.), embedded OS, DLL (dynamic link library) class, intelligent body service system, intelligent body application program.
2) bottom hardware in the AoC system selects to possess the silicon of holonomic system framework and function, its framework comprises processor, memory, interface and the peripheral circuit etc. that can carry out functions such as control/computing, actual be on a silicon, realized based on the deep-sub-micrometer semiconductor process technology complete, independently calculate and storage platform.
3) on the hardware platform be embedded OS, because this system operates on the chips, so must adopt Tiny Operation System (micro OS) technology, adopt embedded Linux system etc. in this programme, be to be responsible for and the mutual work of treatment of low-level hardware, and for upper layer application provides service, as hardware management, system call etc., as the operating system of PC.
4) the DLL (dynamic link library) class provides the required class libraries of intelligent body software systems of realizing various demands for the developer.Class in the class libraries can be carried out additions and deletions and modification according to concrete application.After system finished, along with the change and the increase of demand can be done changes such as further upgrading to class libraries, these work only can be finished by AoC supplier.
5) the superiors in the AoC system are exactly intelligent body service system and the intelligent body program that runs on wherein.Intelligence body program is loaded into by the bottom standard interface in the zone of intelligent body service system regulation by intelligent body recipient or operator, by intelligent body service system to its be decrypted, encryption, certifying signature and execution.Intelligence body program and service system thereof all adopt embedded JAVA technological development, and concrete developing instrument is selected J2ME (Java 2 Micro Edition, Java 2 miniature editions) for use.In order to guarantee to interfere with each other, attack between the intelligent body program, adopt firewall technology to intercept each intelligent body program.
Two. Using the AoC system
1) AoC devices are first sold by the AoC manufacturer (AoCM, AoC Manufacturer) to the users of agents. The premise is that the agent owner trusts the AoCM, believing that it knows how to design and produce such devices correctly. The method therefore replaces one trust relationship with another: the agent owner's trust in the target host, that is, in the owner of the AoC device, is replaced by trust in an AoCM with a good reputation.
2) The AoCM provides an AoCM signing certificate to the purchaser/user of the AoC device. The AoCM certificate contains the following information: the manufacturer of the AoC, the type of the AoC, the security policy the AoC provides, and the public key of the AoC. AS holds an authentic copy of the AoCM public key, which it uses to verify the AoCM certificates that the AoCM has issued.
3) The agent recipient (Agent Receiver, AR hereafter) is the host that the agent will visit. The agent owner AS (Agent Sender) is also the initiator of the agent. A Proxy provides a directory service. An AR can register the following reference information at one or more Proxies: the machine name and physical network address of its host, which security policy it provides, and its AoCM certificate; AS uses this information to locate the AR.
4) The AoC is provided with a cryptographic coprocessor, which generates the key pair so that the private key is unknown to the outside world; even the owner of the AoC device does not know it. The host can access the AoC only through a well-defined interface.
5) The owner of an AR buys an AoC device produced by an AoCM that AS trusts, and obtains the signing certificate that the AoCM provides at the time of purchase. Based on its trust in the AoCM, AS can send an agent to the AR's host to execute its task.
Three. Operating the AoC system
1) AS submits the name of some AR to the Proxy and obtains the information associated with it, such as the AoCM certificate.
2) AS verifies the validity of the AoCM certificate with the copy of the AoCM public key it holds. If verification succeeds, the next step is carried out; otherwise this AR is abandoned.
3) AS examines whether the security policy provided by this AR is sufficient to protect its own interests. If the policy is not sufficient, this AR is abandoned; otherwise AS encrypts the code segment of the agent with the public key of the target AoC (taken from the AoCM certificate) and sends the agent to the target host. To prevent the agent from being tampered with by the host, a message digest method such as MD5 can be used.
4) AR accepts the arriving agent. Because it does not know the private key of the AoC, it cannot decode the encrypted code and can do nothing with it except upload it to the AoC.
5) The AoC system first verifies the integrity of the agent; if it has been damaged, the agent is discarded and not executed, otherwise the agent is decrypted and run. After the run finishes, the AoC obtains, by the method above, the AoCM certificate of the next-stop AR that the agent will visit, and encrypts the agent's code, data and run results with the public key provided in that AoCM certificate.
6) The AoC passes the encrypted agent to the AR. The AR does not know the private key of the next-stop AoC and therefore cannot decrypt the agent.
7) The agent migrates to another AR or returns to AS.
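As an added example (editor's code, not the patent's), the following Python models the application and operation steps above: the AoCM certificate and its verification by AS, the policy check, encryption of the agent for the target AoC, relay through an AR that holds no private key, and the integrity check the chip performs before decrypting and running. Keys are toy RSA over Mersenne primes so the block runs offline; the certificate field layout, the names and the AS signing key are assumptions, and where the page calls only for a bare digest such as MD5, here the digest is signed by AS so a relaying host cannot substitute code and recompute it.

```python
import hashlib
import json
import os
# Added example, not the patent's own code: a runnable model of the AoC
# dispatch protocol. Keys are toy RSA over pairs of Mersenne primes so the
# block runs offline; the key sizes are illustrative, not secure.
def make_keys(a, b):
    p, q = 2**a - 1, 2**b - 1          # two distinct Mersenne primes per party
    n, e = p * q, 65537
    return (e, n), (pow(e, -1, (p - 1) * (q - 1)), n)   # (public, private)

def rsa_apply(key, x):
    return pow(x, key[0], key[1])

def digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    return rsa_apply(priv, digest_int(data, priv[1]))

def verify(pub, data, sig):
    return rsa_apply(pub, sig) == digest_int(data, pub[1])

def xor_stream(key, data):
    """Symmetric layer: SHA-256 counter keystream XORed over the agent bytes."""
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

AOCM_PUB, AOCM_PRIV = make_keys(127, 31)  # manufacturer's certificate-signing key
AOC_PUB, AOC_PRIV = make_keys(107, 19)    # generated inside the AoC coprocessor
AS_PUB, AS_PRIV = make_keys(89, 61)       # sender's signing key (editor's assumption)

def issue_cert(aoc_pub):
    """AoCM certificate: manufacturer, device type, policy and AoC public key."""
    body = json.dumps({"manufacturer": "AoCM-demo", "type": "AoC-1",
                       "policy": ["encrypted-code", "integrity-check"],
                       "pub": aoc_pub}, sort_keys=True).encode()
    return body, sign(AOCM_PRIV, body)

def as_dispatch(cert, sig, required, code):
    """Operation steps 1-3 on the sender AS: verify cert, check policy, encrypt."""
    if not verify(AOCM_PUB, cert, sig):
        return None                              # step 2: bad certificate, drop AR
    info = json.loads(cert)
    if not set(required) <= set(info["policy"]):
        return None                              # step 3: policy too weak, drop AR
    k = os.urandom(8)                            # session key; fits every toy modulus
    wrapped = rsa_apply(tuple(info["pub"]), int.from_bytes(k, "big"))
    body = xor_stream(k, code) + wrapped.to_bytes(32, "big")
    return body, sign(AS_PRIV, body)             # signed digest, not a bare MD5

def aoc_run(body, sig, priv, run):
    """Step 5 inside the chip: integrity first, only then decrypt and execute."""
    if not verify(AS_PUB, body, sig):
        return None                              # damaged: discard, do not run
    ct, wrapped = body[:-32], int.from_bytes(body[-32:], "big")
    k = rsa_apply(priv, wrapped).to_bytes(8, "big")
    return run(xor_stream(k, ct))

if __name__ == "__main__":
    cert, sig = issue_cert(AOC_PUB)
    pkg = as_dispatch(cert, sig, ["encrypted-code"], b"QUERY books WHERE title='AoC'")
    print(aoc_run(*pkg, AOC_PRIV, lambda code: b"RESULT for " + code))
```

The AR never appears as code because it holds nothing but the relayed package: without AOC_PRIV it can neither unwrap the session key nor alter the body without failing the signed digest check.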
Based on the agent security system model built on AoC technology, we have developed an agent security system prototype and applied this model to an e-book query and transaction system example, which is in fact a typical application in e-commerce systems. Fig. 3 shows the network architecture model of the example system.
The AoC/agent-based e-book transaction system we implemented has four hosts. One is the agent originating end, i.e. the client, which provides the user interface, accepts the user's transaction request, and customizes and sends an agent according to that request. The other three are e-book servers; each server runs two agent execution environments, one being the host agent execution environment AR and the other the AoC execution environment, with the host agent execution environment being the agent's primary "foothold". In addition, every server has a MySQL database storing e-book information.
After the agent sent by the client arrives at a server, it queries for book information that meets the conditions. If the user's requested service type is query, the transaction is complete, and the agent carries the query result and roams to the next server to continue querying. If the requested service type is purchase and books meeting the user's transaction conditions are found, the corresponding cost is deducted from the credit card number the agent carries, and the e-book is sent to the "email" mailbox the agent carries. After the transaction is complete, the transaction result is returned to the agent originating end. If there are no matching books, the agent roams to the next server according to the server list it carries and continues querying.
The components of the system are introduced below:
1. User interface: provides a friendly man-machine interface and is responsible for receiving the user's transaction request information, comprising:
(1) requested service type: query or purchase;
(2) book information: title, price, author, publisher, etc.;
(3) if the requested service type is purchase, credit card information and an email account must also be filled in; the email account is used to receive the purchased e-book.
2. Agent builder: builds the agent according to the service request. If the requested service type is query, it builds a single query agent. If the requested service type is purchase, the agent is divided into two sub-agents, a query sub-agent and a purchase sub-agent. The query sub-agent has a lower security level, is executed by the host, and has its flag bit set to 0; the purchase sub-agent involves the user's information such as the credit card number, has a higher security level, must be executed by the AoC, and has its flag bit set to 1. To guarantee the security of the agent we must encrypt it: the query sub-agent is encrypted with the host's public key, and the purchase sub-agent is encrypted with the AoC's public key.
3. Agent distributor: responsible for receiving agents and distributing them according to the agent's flag bit. A sub-agent with flag bit 0 is distributed to the host, which decrypts it with its own private key and executes it; a sub-agent with flag bit 1 is uploaded to the AoC, which decrypts it with its own private key and executes it.
4. Book information database: a database system installed on the host that stores book information. This database system is only responsible for receiving query requests and returning results, and it is accessed by the agent in the host. The agent in the AoC does not access this database directly but learns the query result through the query sub-agent.

Claims (1)

1. A method for realizing a secure on-chip agent, characterized in that an integrated chip is adopted as the bottom-layer hardware execution environment of the agent; this chip is installed on each network node that needs to run agents and provides a secure, easily deployed on-chip execution environment for agents that move in an open, unsafe network environment. The secure on-chip agent method is divided into three parts, namely: an on-chip agent device construction method, an on-chip agent device application method and an on-chip agent device operation method, specifically as follows:
On-chip agent device construction method:
1) first the overall software and hardware system architecture of the on-chip agent device is designed; based on the idea of layering, the overall software and hardware system architecture of the on-chip agent device is divided into 5 levels according to how closely each is tied to the hardware environment, which from bottom to top are: the silicon hardware, which comprises processor, memory and interfaces; the embedded operating system; the DLL (dynamic link library) class layer; the agent service system; and the agent;
2) the bottom-layer hardware in the overall software and hardware system architecture of the on-chip agent device is a piece of silicon possessing a complete system architecture and functions; the silicon architecture comprises a processor capable of control/calculation functions, memory, interfaces and peripheral circuits, and is in fact a complete, independent computing and storage platform realized on one piece of silicon with deep sub-micron semiconductor process technology;
3) above the hardware platform is the embedded operating system, which runs on the chip and specifically adopts an embedded Linux system; it is responsible for the interactive processing work with the low-level hardware and provides services for upper-layer applications;
4) the DLL (dynamic link library) class layer provides developers with the class libraries required to realize agent software systems for various demands; classes in the class library are added, deleted and modified according to the concrete application, and after the agent software system is finished, further upgrades and changes are made to the class library as demands change and grow; this work can only be done by the manufacturer AoCM of the on-chip agent device;
5) the top layer of the overall software and hardware system architecture of the on-chip agent device is the agent service system and the agents that run in it; an agent is loaded by the agent recipient AR, through the bottom-layer standard interface, into the region designated by the agent service system, which decrypts it, encrypts it, verifies its signature and executes it; both the agent and the agent service system are developed with embedded JAVA technology;
On-chip agent device application method:
1) first said AoCM sells the on-chip agent device to said AR, on the premise that the agent owner AS trusts said AoCM, believing that it knows how to design and produce such a device correctly, so that one trust relationship replaces another, i.e. the agent owner AS's trust in the target host, that is, in the owner of the on-chip agent device, is replaced by trust in said AoCM with its good reputation;
2) the AoCM provides the purchaser/user of the on-chip agent device with an AoCM signing certificate, said AoCM signing certificate containing the following information: the manufacturer of the on-chip agent device, the type of the on-chip agent device, the security policy that the on-chip agent device provides and the public key of the on-chip agent device; the agent owner AS holds an authentic copy of the AoCM public key, which is used to verify said AoCM signing certificates that said AoCM issues;
3) the agent recipient is the target host that the agent will visit, and said AS is also the initiator of the agent; a Proxy provides a directory service, and the agent recipient AR can register the following reference information at one or more Proxies: the machine name and physical network address of the target host, which security policy it provides, and said AoCM signing certificate; this information is used by said AS to locate said AR;
4) the on-chip agent device is provided with a cryptographic coprocessor, which generates the key pair so that the private key is unknown to the outside world, even the owner of the on-chip agent device not knowing it; the target host can access the on-chip agent device only through a well-defined interface;
5) the owner of said AR buys an on-chip agent device produced by some said AoCM that said AS trusts, and obtains the signing certificate that said AoCM provides at the time of purchase; based on its trust in said AoCM, said AS sends the agent to said AR to execute its task;
On-chip agent device operation method:
1) said AS submits the name of some said AR to the Proxy and obtains the information associated with it, which includes said AoCM signing certificate;
2) said AS verifies the validity of said AoCM signing certificate with the copy of said AoCM public key it holds; if verification succeeds the next step is carried out, otherwise this AR is abandoned;
3) said AS examines whether the security policy provided by this AR is sufficient to protect its own interests; if the policy is not sufficient this AR is abandoned, otherwise the code segment of the agent is encrypted with the public key provided in this AR's AoCM signing certificate and the agent is sent to the target host; to prevent the agent from being tampered with by the target host, a message digest method is adopted;
4) said AR accepts the arriving agent; since it does not know the private key of the on-chip agent device it cannot decode the encrypted code, and can do nothing with the agent except upload it to the on-chip agent device;
5) the on-chip agent device first verifies the integrity of the agent; if it has been damaged it is discarded and not executed, otherwise the agent is decrypted and run; after the run finishes, the on-chip agent device obtains by the above method said AoCM signing certificate of said next-stop AR that the agent will visit, and encrypts the agent's code, data and run results with the public key provided in the AoCM signing certificate of said next-stop AR;
6) the on-chip agent device passes the encrypted agent to said AR of this station; said AR of this station does not know the private key of the next-stop on-chip agent device and therefore cannot decrypt the agent;
7) the agent migrates to said next-stop AR.
Application CNB2005100377687A, priority date 2005-02-04, filing date 2005-02-04: Method for realizing safety on-chip intelligent members, granted as CN100438430C (Expired - Fee Related)

Publications (2)

Publication Number Publication Date
CN1655523A (en) 2005-08-17
CN100438430C (en) 2008-11-26


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20081126

Termination date: 20170204