CN101520832A - System and method for verifying file code signature - Google Patents
System and method for verifying file code signature Download PDFInfo
- Publication number
- CN101520832A CN101520832A CN200810241591A CN200810241591A CN101520832A CN 101520832 A CN101520832 A CN 101520832A CN 200810241591 A CN200810241591 A CN 200810241591A CN 200810241591 A CN200810241591 A CN 200810241591A CN 101520832 A CN101520832 A CN 101520832A
- Authority
- CN
- China
- Prior art keywords
- signature
- module
- file
- digest value
- public
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 53
- 238000012795 verification Methods 0.000 claims abstract description 33
- 238000012545 processing Methods 0.000 claims abstract description 18
- 238000004891 communication Methods 0.000 claims abstract description 8
- GOLXNESZZPUPJE-UHFFFAOYSA-N spiromesifen Chemical compound CC1=CC(C)=CC(C)=C1C(C(O1)=O)=C(OC(=O)CC(C)(C)C)C11CCCC1 GOLXNESZZPUPJE-UHFFFAOYSA-N 0.000 claims description 4
- 241000700605 Viruses Species 0.000 abstract description 8
- 238000004364 calculation method Methods 0.000 description 5
- ZXQYGBMAQZUVMI-GCMPRSNUSA-N gamma-cyhalothrin Chemical compound CC1(C)[C@@H](\C=C(/Cl)C(F)(F)F)[C@H]1C(=O)O[C@H](C#N)C1=CC=CC(OC=2C=CC=CC=2)=C1 ZXQYGBMAQZUVMI-GCMPRSNUSA-N 0.000 description 4
- 230000009545 invasion Effects 0.000 description 4
- 238000011161 development Methods 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 238000013459 approach Methods 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012544 monitoring process Methods 0.000 description 1
Images
Abstract
The invention discloses a system and a method for verifying a file code signature. The system comprises a user signing module and a signature verifying module, and the user signing module is connected with the signature verifying module in a communication way. The system is characterized in that the signature verifying module comprises a verification processing module and a public key processing module; the verification processing module is connected with the user signing module and the public key processing module in the communication way respectively; the verification processing module is used for controlling to execute verification of a signature value; and the public key processing module is used for controlling to process a trust public key. The method for verifying the file code signature compares a complete summary value with a decrypting complete summary value and confirms whether to execute a mode of a file program according to the comparison result so as to effectively prevent virus programs and Trojan-horse programs entering, ensure the absolute safety of file programs, and improve verifying efficiency and operation flexibility at the same time.
Description
Technical field
A kind of verification system of the technology of the present invention and method thereof relate in particular to a kind of verifying file code signature system and method thereof.
Background technology
Along with the continuous development of computer operating system, the computer operating system kind is variation, but its security also is subjected to increasing challenge.A lot of executable file formats all become the target of attack of virus and various malicious codes.Realize invading by direct revised file program if any the Virus under many computer operating systems.Traditional computer operating system can't be carried out integrality and legitimacy and be detected to the code of carrying out, thereby allows a lot of Viruses and trojan horse program have an opportunity to take advantage of.
Code signature verifying is a kind of method that can effectively prevent virus and the invasion of other malicious codes.For the code signature verifying method under the computer operating system, earlier year has proposed to carry out when mounted the method for signature verification with regard to someone, but this method can't trace routine be installed any modification of back to code, and verification efficiency is low, also underaction.
Therefore, prior art awaits to improve and development.
Summary of the invention
The object of the present invention is to provide a kind of verifying file code signature system and method thereof, prevent the invasion of Virus and trojan horse program, guarantee being perfectly safe of file routine, simultaneously, improve the dirigibility of verification efficiency and operation.
Technical scheme of the present invention is as follows:
A kind of verifying file code signature system, it comprises user's signature module and signature verification module, described user's signature module is connected with described signature verification module communication, it is characterized in that, described signature verification module comprises: checking processing module and public-key process module, and described checking processing module is connected with described user's signature module and public-key process module communication respectively;
Described checking processing module is used to control the checking of carrying out the signature value;
Described public-key process module is used for the control and treatment trusted public key.
Described system, wherein, described checking processing module is provided with authenticating documents buffer memory chained list, is used to store the checking result of authenticating documents.
Described system, wherein, described public-key process module is provided with the trusted public key chained list, the described trusted public key storage of linked list related data that bears the signature, it comprises PKI address, signer essential information, signer PKI and correlating markings.
A kind of verifying file code signature method, its step is as follows:
A, carry out computing, draw complete digest value, and to public-key process module application signer PKI according to all data of file and signature related data;
B, signer PKI to accordingly fully the signature value be decrypted, obtain deciphering complete digest value;
C, described complete digest value and the complete digest value of described deciphering are compared, in full accord, then be proved to be successful, and allow the execute file program.
Described method wherein, also comprises step before the described steps A:
A1, inquire about authenticating documents buffer memory chained list, judge whether not exist to be verified file, then carry out corresponding operation according to the checking result who has verified if exist, otherwise, execution in step A.
Described method, wherein, described step C also comprises step:
C1, described digest value and described deciphering digest value are compared, inconsistent, authentication failed then, and forbid the execute file program.
Described verification method, wherein, described method is further comprising the steps of:
A, carry out computing, draw incomplete digest value, and to public-key process module application signer PKI according to file header data and signature related data;
B, signer PKI are decrypted corresponding not exclusively signature value, obtain deciphering incomplete digest value;
C, described incomplete digest value and the incomplete digest value of described deciphering are compared, in full accord, then be proved to be successful, and allow the execute file program.
Described method wherein, also comprises step before the described step a:
A1, inquire about authenticating documents buffer memory chained list, judge whether not exist to be verified file, then carry out corresponding operation according to the checking result who has verified if exist, otherwise, execution in step a.
Described method, wherein, described step c also comprises step:
C1, described digest value and described deciphering digest value are compared, inconsistent, authentication failed then, and forbid the execute file program.
A kind of verifying file code signature system and the method thereof of providing of the present invention, its method is compared complete digest value and the complete digest value of deciphering owing to adopting, determine whether the mode of execute file program according to comparison result, prevent the invasion of Virus and trojan horse program effectively, guarantee being perfectly safe of file routine, simultaneously, improve the dirigibility of verification efficiency and operation.
Description of drawings
Fig. 1 is a code signature verifying system construction drawing of the present invention;
Fig. 2 is a code signature verifying method process flow diagram of the present invention.
Embodiment
Below in conjunction with accompanying drawing each preferred embodiment of the present invention is made a more detailed description.
Verifying file code signature system architecture of the present invention, as shown in Figure 1, it comprises user's signature module and signature verification module, described user's signature module is connected with described signature verification module communication; Described signature verification module comprises again: checking processing module and public-key process module, and described checking processing module is connected with described user's signature module and public-key process module communication respectively;
The supplementary module of described user's signature module native system is mainly used in file is signed and is provided with;
Described checking processing module is used to control the checking of carrying out the signature value and the caching of authenticating documents;
Described public-key process module is provided with the trusted public key chained list, the described trusted public key storage of linked list related data that bears the signature, and it comprises: PKI address, signer essential information, signer PKI and correlating markings.
Wherein, the PKI address is the MD5 cryptographic hash of corresponding PKI, and length is 16 bytes.In theory, the identical probability in different PKIs address approaches 1/2128th, therefore can see that PKI address and PKI are one to one, and promptly the PKI address is the unique identification of each PKI.
Described public-key process module is used for the trusted public key chained list is carried out control and treatment, as the trusted public key chained list is carried out initialization, and obtains, adds, deletes the PKI node.
Described trusted public key chained list is being stored all by the PKI of trustor, when system verifies the code signature value, can directly obtain corresponding public key from the PKI chained list; If do not have corresponding public key in the PKI chained list, represent that this code signature person is not trusted, then authentication failed is forbidden executive routine; In the system is configurable by trusted public key, during system start-up, according to configuration file initialization core PKI chained list, and can at any time it be refreshed or revise.
System of the present invention and method thereof relate to following key concept: complete digest value refers to the digest value that all data and the signature correlation data calculation of file are come out; Not exclusively digest value refers to the file part significant data is mainly the file header data, and the digest value that comes out of signature correlation data calculation; The signature value refers to complete digest value is encrypted resulting signature value fully; Not exclusively the signature value refers to incomplete digest value is encrypted resulting signature value; The system verification rank refers to system-level checking rank, is applicable to files all in the system; The file verification rank refers to the checking rank of single file, is applicable to certain file of appointment; The signature related data is meant data such as source document size, signer PKI sign ID, signature algorithm, signature time and signer essential information.
Verifying file code signature method key step of the present invention is: at first, adopt a kind of operational method to calculate two kinds of digest value, i.e. not exclusively digest value and digest value fully; And then use the signer PKI that it is carried out encryption to obtain two kinds of signature values i.e. not exclusively signature value and signature fully; At last will be not exclusively the signature value and fully the signature value make up, and be placed on by the signature file end.
Code signature verifying of the present invention comprises two kinds of checking ranks: system verification rank and file verification rank, wherein said system verification rank is divided into four ranks, represent by 0-3 respectively,, also can be provided with as required simultaneously by the control of PROC directory file system; Described file verification rank is the setting of single file, is kept in each file inode sign, can be provided with as required, and it is divided into three ranks, is represented by 0-2 respectively.
Code signature verifying method of the present invention, as shown in Figure 2, its step is as follows:
S1, user's signature processing module send the execute file request command to the signature verification module;
S2, system determine the system verification rank according to the described request command determination; When the system verification rank is " 1 " or " 2 ", execution in step S3 then, when system checking rank be " 0 ", system's permission executive routine then, when the system verification rank is " 3 ", execution in step S420 then;
S3, judgement determine to be performed the file verification rank of file; When the file verification rank is " 1 " then execution in step S410, if file-level is " 2 ", then execution in step S420 is " 0 " as if the file verification rank, then execution in step S415;
S410, go out incomplete digest value according to all data of described file and signature correlation data calculation;
Its computing method have multiple, are prior art all, do not repeat them here;
Whether S411, system queries are verified file in the authenticating documents buffer memory chained list, if the checking result who has then employing to verify, otherwise execution in step S412;
S412, system are to public-key process module application signer PKI;
S413, the signer PKI is decrypted corresponding incomplete signature value, obtains the incomplete digest value of corresponding deciphering;
S414, with described incomplete digest value with the deciphering incomplete digest value compare, if in full accord then the checking pass through execution in step S415; Otherwise authentication failed is forbidden the execute file program;
S415, system allow the execute file program.
S420, go out complete digest value according to all data of described file and signature correlation data calculation;
Whether S421, system queries are verified file in the authenticating documents buffer memory chained list, if the checking result who has then employing to verify, otherwise execution in step S422;
S422, system are to public-key process module application signer PKI;
S423, with the signer PKI to signature value fully accordingly, obtain the corresponding complete digest value of deciphering;
S424, described complete digest value and the complete digest value of described deciphering are compared, if execution in step S425 is passed through in then checking in full accord; Otherwise authentication failed is forbidden the execute file program;
S425, system allow the execute file program.
The present invention needs monitoring file modifying state in order to guarantee the consistance of authenticating documents buffer memory chained list and actual file, if a certain file is modified, then removes the checking result relevant with this document in the authenticating documents buffer memory chained list immediately.
Its method of verifying file code signature of the present invention, owing to adopt complete digest value and the complete digest value of deciphering are compared, and with incomplete digest value with the deciphering incomplete digest value compare, determine whether the mode of execute file program according to comparison result, prevent the invasion of Virus and trojan horse program effectively, guarantee being perfectly safe of file routine execution, simultaneously in the execute file program, improve the efficient of verifying file code signature, also improved the dirigibility of system operation.
Should be understood that the description of above-mentioned specific embodiment is comparatively detailed, can not therefore be interpreted as the restriction to scope of patent protection of the present invention, scope of patent protection of the present invention should be as the criterion with claims.
Claims (9)
1, a kind of verifying file code signature system, it comprises user's signature module and signature verification module, described user's signature module is connected with described signature verification module communication, it is characterized in that, described signature verification module comprises: checking processing module and public-key process module, and described checking processing module is connected with described user's signature module and public-key process module communication respectively;
Described checking processing module is used to control the checking of carrying out the signature value;
Described public-key process module is used for the control and treatment trusted public key.
2, system according to claim 1 is characterized in that, described checking processing module is provided with authenticating documents buffer memory chained list, is used to store the checking result of authenticating documents.
3, system according to claim 2, it is characterized in that, described public-key process module is provided with the trusted public key chained list, the described trusted public key storage of linked list related data that bears the signature, and it comprises PKI address, signer essential information, signer PKI and correlating markings.
4, a kind of verifying file code signature method, its step is as follows:
A, carry out computing, draw complete digest value, and to public-key process module application signer PKI according to all data of file and signature related data;
B, signer PKI to accordingly fully the signature value be decrypted, obtain deciphering complete digest value;
C, described complete digest value and the complete digest value of described deciphering are compared, in full accord, then be proved to be successful, and allow the execute file program.
5, method according to claim 4 is characterized in that, also comprises step before the described steps A:
A1, inquire about authenticating documents buffer memory chained list, judge whether not exist to be verified file, then carry out corresponding operation according to the checking result who has verified if exist, otherwise, execution in step A.
6, method according to claim 5 is characterized in that, described step C also comprises step:
C1, described digest value and described deciphering digest value are compared, inconsistent, authentication failed then, and forbid the execute file program.
7, verification method according to claim 4 is characterized in that, described method is further comprising the steps of:
A, carry out computing, draw incomplete digest value, and to public-key process module application signer PKI according to file header data and signature related data;
B, signer PKI are decrypted corresponding not exclusively signature value, obtain deciphering incomplete digest value;
C, described incomplete digest value and the incomplete digest value of described deciphering are compared, in full accord, then be proved to be successful, and allow the execute file program.
8, method according to claim 7 is characterized in that, also comprises step before the described step a:
A1, inquire about authenticating documents buffer memory chained list, judge whether not exist to be verified file, then carry out corresponding operation according to the checking result who has verified if exist, otherwise, execution in step a.
9, method according to claim 8 is characterized in that, described step c also comprises step:
C1, described digest value and described deciphering digest value are compared, inconsistent, authentication failed then, and forbid the execute file program.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200810241591A CN101520832A (en) | 2008-12-22 | 2008-12-22 | System and method for verifying file code signature |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200810241591A CN101520832A (en) | 2008-12-22 | 2008-12-22 | System and method for verifying file code signature |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN101520832A true CN101520832A (en) | 2009-09-02 |
Family
ID=41081418
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN200810241591A Pending CN101520832A (en) | 2008-12-22 | 2008-12-22 | System and method for verifying file code signature |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101520832A (en) |
Cited By (16)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102004879A (en) * | 2010-11-22 | 2011-04-06 | 北京北信源软件股份有限公司 | Method for identifying credible progress |
| CN102110204A (en) * | 2009-12-23 | 2011-06-29 | 英群企业股份有限公司 | Removable apparatus and method for verifying an executable file in a computing apparatus |
| CN101739525B (en) * | 2009-11-30 | 2012-02-22 | 飞天诚信科技股份有限公司 | Safety check method, compilation device, device and method for executing NET program |
| CN103632093A (en) * | 2013-09-17 | 2014-03-12 | 中国人民解放军61599部队计算所 | Trojan detection method |
| CN104092544A (en) * | 2014-06-26 | 2014-10-08 | 工业和信息化部计算机与微电子发展研究中心(中国软件评测中心) | Service signature method and device compatible with Android application |
| CN104283860A (en) * | 2013-07-10 | 2015-01-14 | 全联斯泰克科技有限公司 | ELF file identification method and device based on code signature |
| CN104978522A (en) * | 2014-04-10 | 2015-10-14 | 北京启明星辰信息安全技术有限公司 | Method and device for detecting malicious code |
| CN104978521A (en) * | 2014-04-10 | 2015-10-14 | 北京启明星辰信息安全技术有限公司 | Method and system for realizing malicious code marking |
| CN103632093B (en) * | 2013-09-17 | 2016-11-30 | 中国人民解放军61599部队计算所 | Trojan detecting method |
| CN107135074A (en) * | 2016-02-29 | 2017-09-05 | 中兴通讯股份有限公司 | A kind of advanced security method and apparatus |
| CN110581833A (en) * | 2018-06-11 | 2019-12-17 | 中移(杭州)信息技术有限公司 | Service security protection method and device |
| CN110750763A (en) * | 2019-10-22 | 2020-02-04 | 北京联合信任技术服务有限公司 | Code signing method, device, storage medium and program product |
| CN111177784A (en) * | 2019-12-31 | 2020-05-19 | 上海摩勤智能技术有限公司 | Security protection method and device for file system and storage medium |
| CN111291371A (en) * | 2020-01-10 | 2020-06-16 | 北京深之度科技有限公司 | Application program security verification method and device |
| CN111866554A (en) * | 2020-07-09 | 2020-10-30 | 郑州信大捷安信息技术股份有限公司 | Multimedia safe playing method and system |
| CN113031626A (en) * | 2020-05-15 | 2021-06-25 | 东风柳州汽车有限公司 | Safety authentication method, device and equipment based on automatic driving and storage medium |
-
2008
- 2008-12-22 CN CN200810241591A patent/CN101520832A/en active Pending
Cited By (21)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101739525B (en) * | 2009-11-30 | 2012-02-22 | 飞天诚信科技股份有限公司 | Safety check method, compilation device, device and method for executing NET program |
| CN102110204A (en) * | 2009-12-23 | 2011-06-29 | 英群企业股份有限公司 | Removable apparatus and method for verifying an executable file in a computing apparatus |
| CN102004879A (en) * | 2010-11-22 | 2011-04-06 | 北京北信源软件股份有限公司 | Method for identifying credible progress |
| CN102004879B (en) * | 2010-11-22 | 2012-12-26 | 北京北信源软件股份有限公司 | Method for identifying credible progress |
| CN104283860A (en) * | 2013-07-10 | 2015-01-14 | 全联斯泰克科技有限公司 | ELF file identification method and device based on code signature |
| CN103632093B (en) * | 2013-09-17 | 2016-11-30 | 中国人民解放军61599部队计算所 | Trojan detecting method |
| CN103632093A (en) * | 2013-09-17 | 2014-03-12 | 中国人民解放军61599部队计算所 | Trojan detection method |
| CN104978522B (en) * | 2014-04-10 | 2018-05-08 | 北京启明星辰信息安全技术有限公司 | A kind of method and apparatus for detecting malicious code |
| CN104978522A (en) * | 2014-04-10 | 2015-10-14 | 北京启明星辰信息安全技术有限公司 | Method and device for detecting malicious code |
| CN104978521A (en) * | 2014-04-10 | 2015-10-14 | 北京启明星辰信息安全技术有限公司 | Method and system for realizing malicious code marking |
| CN104978521B (en) * | 2014-04-10 | 2018-05-08 | 北京启明星辰信息安全技术有限公司 | A kind of method and system for realizing malicious code mark |
| CN104092544A (en) * | 2014-06-26 | 2014-10-08 | 工业和信息化部计算机与微电子发展研究中心(中国软件评测中心) | Service signature method and device compatible with Android application |
| CN104092544B (en) * | 2014-06-26 | 2017-11-17 | 工业和信息化部计算机与微电子发展研究中心(中国软件评测中心) | The services signatures method and apparatus of compatible Android application |
| CN107135074A (en) * | 2016-02-29 | 2017-09-05 | 中兴通讯股份有限公司 | A kind of advanced security method and apparatus |
| CN107135074B (en) * | 2016-02-29 | 2021-11-02 | 中兴通讯股份有限公司 | Advanced security method and device |
| CN110581833A (en) * | 2018-06-11 | 2019-12-17 | 中移(杭州)信息技术有限公司 | Service security protection method and device |
| CN110750763A (en) * | 2019-10-22 | 2020-02-04 | 北京联合信任技术服务有限公司 | Code signing method, device, storage medium and program product |
| CN111177784A (en) * | 2019-12-31 | 2020-05-19 | 上海摩勤智能技术有限公司 | Security protection method and device for file system and storage medium |
| CN111291371A (en) * | 2020-01-10 | 2020-06-16 | 北京深之度科技有限公司 | Application program security verification method and device |
| CN113031626A (en) * | 2020-05-15 | 2021-06-25 | 东风柳州汽车有限公司 | Safety authentication method, device and equipment based on automatic driving and storage medium |
| CN111866554A (en) * | 2020-07-09 | 2020-10-30 | 郑州信大捷安信息技术股份有限公司 | Multimedia safe playing method and system |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101520832A (en) | System and method for verifying file code signature | |
| EP1618451B1 (en) | Associating software with hardware using cryptography | |
| US11469885B2 (en) | Remote grant of access to locked data storage device | |
| CN103460195B (en) | For the system and method for security software update | |
| KR100792287B1 (en) | Method for security and the security apparatus thereof | |
| JP5703391B2 (en) | System and method for tamper resistant boot processing | |
| JP4664398B2 (en) | Incremental code signing method and apparatus | |
| CN102084313B (en) | Systems and method for data security | |
| KR20060108710A (en) | Trusted mobile platform architecture | |
| CN109388961B (en) | Security control method of storage device and storage device | |
| US11606206B2 (en) | Recovery key for unlocking a data storage device | |
| US20120096280A1 (en) | Secured storage device with two-stage symmetric-key algorithm | |
| CN102456111A (en) | Method and system for license control of Linux operating system | |
| US20210218557A1 (en) | Initializing a data storage device with a manager device | |
| CN108270574B (en) | Safe loading method and device for white list library file | |
| US11334677B2 (en) | Multi-role unlocking of a data storage device | |
| WO2021118642A1 (en) | Multi-device unlocking of a data storage device | |
| CN113545021B (en) | Registration of pre-authorized devices | |
| KR20200020626A (en) | SECURE FIRMWARE UPDATE METHOD OF IoT DEVICE USING AN INTEGRATED SECURITY SoC | |
| CN109889334A (en) | Embedded firmware encrypting method, apparatus, wifi equipment and storage medium | |
| US20220014918A1 (en) | Wireless security protocol | |
| US8667278B2 (en) | Information processing apparatus and data transmission method of information processing apparatus | |
| CN112613033A (en) | Method and device for safely calling executable file | |
| KR20100106110A (en) | Secure boot data total management system, methods for generating and verifying a verity of matadata for managing secure boot data, computer-readable recording medium storing program for executing any of such methods | |
| US11556665B2 (en) | Unlocking a data storage device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
| WD01 | Invention patent application deemed withdrawn after publication |
Open date: 20090902 |