CN103258150A - System with local and remote software protection devices capable of working cooperatively - Google Patents

Publication number
CN103258150A
Authority
CN
China
Prior art keywords
module
protective device
lock
software protective
data
Legal status
Granted
Application number
CN2012104089369A
Other languages
Chinese (zh)
Other versions
CN103258150B (en)
Inventor
Inventor not disclosed
Current Assignee
Beijing Senseshield Technology Co Ltd
Original Assignee
Beijing Senselock Software Technology Co Ltd
Application filed by Beijing Senselock Software Technology Co Ltd
Priority to CN201210408936.9A
Publication of CN103258150A
Application granted
Publication of CN103258150B
Legal status: Active
Anticipated expiration

Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a system in which a local software protection device and a remote software protection device work cooperatively. The remote protection function is replicated on the local device and carried out offline on the basis of a hardware encryption lock, and instructions are downloaded and executed by means of a secure automatic background synchronization mechanism, so that the local and remote protection devices work cooperatively. The local software protection device can therefore perform the function in place of the remote software protection device, network access can be dispensed with temporarily, and the user's interests are protected.

Description

System in which local and remote software protection devices work cooperatively
Technical field
The present invention relates to the fields of computer application protection and information security, and in particular to a system in which a hardware protection device and a remote protection device work cooperatively.
Background technology
Many mobile Internet users access the Internet through mobile terminals. A large number of excellent personal software applications run on these terminals, covering life and entertainment, games, health, navigation, shopping, tools and many other areas. On the one hand, users download outstanding applications from software stores (App Stores) to enrich their lives; on the other hand, a large number of mobile application developers must earn income through software licensing. Mobile applications must therefore use software protection devices to guard against unauthorized use and piracy. To prevent mobile applications from being cracked, remote verification, remote data storage or remote function calls are widely used; however, such remote verification requires transferring large amounts of data between the mobile terminal and the server, which increases the communication traffic between the two. In addition, in places with no or weak signal, certain mobile applications cannot even be started.
Summary of the invention
In view of this, the invention provides a system in which a local software protection device (a hardware encryption lock) and a remote software protection device (a cloud encryption lock, referred to below as the cloud lock server) work cooperatively.
According to an aspect of the present invention, a system for securely running a mobile application on a mobile device terminal is provided, the system comprising:
a local software protection device, which provides the mobile device terminal with a physically secure environment for securely running the mobile application or a functional module of it, and which is connected to the mobile device terminal;
a remote software protection device, which provides authorization protection and data protection for the mobile application, and which is connected to the mobile device terminal over a wireless or wired network;
a mobile device terminal, which runs the mobile application and is connected to the local software protection device;
and a secure processing module running on the mobile device terminal, which communicates securely with, and processes data for, the local software protection device and the remote software protection device.
According to an aspect of the present invention, the local software protection device comprises:
an execution environment module, which provides an instruction set on which the mobile application runs;
an upgrade module, which decrypts PKG packets and updates data;
an authentication module, which verifies user identity and the legitimacy of PKG packets;
a software authorization module, which stores and reads information about specific functional modules of the mobile application and the authorization information for those modules;
and an in-lock storage module, which provides an interface for reading and writing data.
According to an aspect of the present invention, the remote software protection device comprises:
an execution environment module, which provides an instruction set on which the mobile application runs;
a user identity authentication module, which determines whether the user's identity is legitimate;
a software authorization identification module, which determines whether the mobile application is within its authorized scope;
and a data synchronization module, which synchronizes packets.
According to an aspect of the present invention, the local software protection device or the remote software protection device can run custom functions provided by the mobile application developer.
According to an aspect of the present invention, the secure processing module comprises:
a call-dispatch module, which forwards the functions or data that the mobile application calls remotely to the local software protection device, or sends them to the remote software protection device;
a synchronization module, which receives or packs PKG packets and, in cooperation with the upgrade module in the local software protection device, sends PKG packets to the local software protection device or to the remote software protection device;
and a lock-external cache module, which caches and stores PKG packets and stores the encrypted data and documents generated by the mobile application.
According to an aspect of the present invention, the mobile application calls the local software protection device directly through the call-dispatch module, or calls the remote software protection device by having the call-dispatch module invoke the synchronization module.
According to an aspect of the present invention, the local software protection device comprises a hardware encryption lock, and the hardware encryption lock comprises a physical security chip.
According to an aspect of the present invention, the physical security chip comprises a central processing unit, memory and non-volatile storage.
According to an aspect of the present invention, the execution environment module in the lock runs the mobile application in the form of a virtual machine.
According to an aspect of the present invention, the execution environment module in the lock compiles with a low-level virtual machine (LLVM), and the code of the mobile application runs in a secure sandbox.
 
Description of drawings
Fig. 1 is a structural diagram of the system and devices in which a local software protection device and a remote software protection device work cooperatively;
Fig. 2 is an internal view of the software protection device in that system;
Fig. 3 is an internal view of the lock-external cache in that system;
Fig. 4 shows the types of protection resources in that system;
Fig. 5 is a block diagram of the protection resources in that system;
Fig. 6 shows the detailed structure of the PKG packet protocol.
Embodiment
To make the purpose, technical solution and advantages of the present invention clearer, the present invention is described in more detail below with reference to the accompanying drawings and embodiments.
According to the present invention, the local software protection device is exemplified by a hardware encryption lock, which guarantees a physically secure environment in which software or software functional modules can run securely; it is physically or electrically connected to the mobile terminal. The manner in which the encryption lock connects to the mobile terminal is not the focus of the present invention and is not described further.
According to embodiments of the invention, the local software protection device is one of the various hardware encryption locks produced by the inventor; its hardware composition and structure are not key content of the present invention and are not described further. Details can be found in the material on hardware encryption locks at http://www.sense.com.cn/.
As shown in Fig. 2, the in-lock functional modules of the local software protection device are implemented in software and comprise the following functional units: upgrade module, authentication module, software authorization module and in-lock storage module.
As shown in Fig. 1, outside the local protection device there are a lock-external cache module, a call-dispatch module and a synchronization module; these are software functional modules implemented on the mobile terminal. A cloud lock server is set up on the Internet.
The protected mobile application running on the mobile terminal (the mobile software in Fig. 1) calls the protection functions of the local software protection device directly through the call-dispatch module, or calls the functions that the cloud lock server can provide by having the call-dispatch module invoke the synchronization module.
According to an embodiment of the invention, when the mobile software calls a function that the cloud lock server can provide, it first sends the call request to the call-dispatch module, which receives the request and passes it to the synchronization module. The synchronization module then performs user identity authentication and software authorization authentication with the cloud lock server over the Internet; after authentication it completes a handshake with the cloud lock server, sends the call request to it and requests the synchronization data to be downloaded. The cloud lock server then provides the data to be synchronized, which is downloaded over the Internet directly into the lock-external cache.
According to an embodiment of the invention, when the mobile software calls a function that the local software protection device can provide, and the corresponding function requested by the mobile software is not present inside the local software protection device, the local software protection device reads, block by block, the data blocks that were downloaded into the lock-external cache and synchronized with the cloud lock server. After the authentication module inside the local software protection device has audited their legitimacy, they are written into or update the in-lock storage module, after which the functions and/or data inside the local software protection device can be executed or read, and finally the result is returned to the mobile application outside.
When the mobile software generates program documents and data, the write request is forwarded to the local software protection device through the call-dispatch module, and the local software protection device writes the program documents and data generated by the mobile software into the in-lock storage module or into the lock-external cache.
Because the mobile software can temporarily do without networking after cooperative operation, it can always call the local software protection device. Because of the lock-external cache, a cheaper local software protection device with fewer resources can fully support the functions of the cloud lock server. Because the local software protection device has a cache, some data can temporarily be stored and used offline. Because the local software protection device is a secure device with an authentication module, leakage, impersonation and tampering of the synchronized data can be prevented.
Because calling the local software protection device is transparent to the mobile software, and the data in the local software protection device and in the cloud lock server can be synchronized in the background, the user does not need to manually upgrade or update the data in the local software protection device.
Because the local software protection device holds user authentication data, the identity of the mobile software user can be authenticated while offline.
The above-mentioned dedicated hardware encryption lock is a secure hardware device that supports code execution, has its own operating system, guarantees exactly the same execution functions as the cloud lock, and can resist physical attacks; it comprises a physical security chip and the in-lock software part.
The above-mentioned physical security chip, as shown in Fig. 2, specifically comprises:
a central processing unit (CPU), memory and non-volatile storage (FLASH/EEPROM), packaged together. The physical security chip itself provides hardware security functions, prevents cloning and cracking, and is in a physically completely secure state. The data of the in-lock functional modules themselves are stored in the physical security chip.
The in-lock functional part specifically comprises:
an execution environment module, an upgrade module, an authentication module, a software authorization module and an in-lock storage module.
The above-mentioned execution environment module specifically comprises:
a specific CPU instruction set, provided by a real CPU or simulated by a virtual machine, on which the application runs; instructions of the cloud lock can also be executed compatibly in this execution environment.
It also has some accelerators for commonly used algorithms.
It also comprises some extension libraries, including but not limited to a cryptographic algorithm library, a database storage interface, a disk file store and I/O input. In essence this running environment provides a solution that lets program source code run on the different architectures of the local protection device and the remote protection device, and there are several ways of doing this:
First, build a virtual CPU on the local device, provide a set of general API interfaces, and provide the developer with a custom compilation environment, so that the developer's source code is compiled into a binary module in the instruction set of the designated virtual CPU and placed in the virtual CPU for execution. In the same way, this code can also be placed in a remote device with the same virtual CPU architecture.
Second, build a secure sandbox mechanism on the local protection device and the remote protection device, provide a set of general API interfaces, and provide the developer with a specific compiler and environment similar to the Low Level Virtual Machine (LLVM; the name originally stems from the abbreviation of Low Level Virtual Machine; it is compiler infrastructure written in C++ that can be used with any programming language and, using virtualization techniques, performs optimization at compile time, link time, run time and "idle time"; it currently supports Objective-C, Fortran, Ada, Haskell, Java bytecode, Python, Ruby, ActionScript, GLSL and other languages). The developer's source code is compiled into intermediate-form code independent of any CPU hardware, which is automatically converted into binary code for the specific CPU when it is downloaded and used.
The above-mentioned upgrade module specifically comprises:
the encrypted package of software data and authorization, abbreviated PKG. The data blocks read from the PKG package need to be decrypted, and the module then performs upgrade reads and writes of the file data and authorization information data in the lock.
The above-mentioned authentication module performs simple authentication of the user's identity and verifies the legitimacy of PKG packages.
The above-mentioned software authorization module stores and reads information about specific functional modules of a given mobile software and the authorization information for those modules, including: the identity of the mobile application (App-ID), whether it can be used and whether it can be cached; and the module identities (module-ID) and authorization information of the mobile application (including but not limited to the number of times the software can be used, the number of days it can be used, and the device to which it is bound).
The above-mentioned in-lock storage module provides an interface for reading and writing file data; it is not physical storage, but stores data securely in the lock and provides a file system interface.
The above-mentioned lock-external functional software modules specifically comprise: the call-dispatch module, the synchronization module and the lock-external secure storage module (i.e. the lock-external cache).
The above-mentioned call-dispatch module functions as follows: depending on the actual situation, the remote verification, remote algorithm execution or remote data storage function called by the mobile software is forwarded to the local software protection device or sent to the cloud lock server. The call-dispatch module makes this call a transparent process for the mobile software. In addition, the call-dispatch module can organize and coordinate cooperative work between the local software protection device and the cloud lock server, invoking the synchronization module to update the in-lock data and lock-external data of the local software protection device and the data in the cloud lock server.
The above-mentioned synchronization module receives or packs PKG files and, in cooperation with the upgrade module in the local software protection device, sends the PKG data to the local software protection device or to the cloud lock server.
The above-mentioned lock-external secure storage module (i.e. the lock-external cache) functions as follows:
because the in-lock storage module of the local software protection device has a relatively small capacity, the lock-external cache is used at least to store the PKG packages of all software, and for large-capacity storage of the encrypted data and documents generated by the mobile application. The lock-external cache can store the application ID (APP-ID), data ID (DATA-ID), data content (DATA) and synchronization version number (DATA-SYNC-Version).
The above-mentioned developer-defined protection functions comprise at least:
an application secure data storage function, a custom algorithm function and a standard cryptographic algorithm function.
According to one embodiment of the present invention, the developer defines the mobile application, and each application has its own unique identity ID (App-ID). All of the encryption, data and programs used to protect the legitimate authorization of the mobile software application and to verify it are collectively called protection resources (App-protect-resouce).
The above-mentioned application secure data storage is specifically:
each application can have a data block storage function (Data-read/write); each piece of data is stored as a block of data, and each data block has a unique ID (DATA-ID).
The above-mentioned custom algorithm function is specifically:
the developer can compile an algorithm (function) written in C, Java or another high-level language into an executable module, and each algorithm module has a unique ID (function-ID or ExebinMod-ID).
The above-mentioned standard cryptographic algorithm function is specifically:
some standard algorithm modules are provided in the lock, such as AES, DES, RSA, ECC, etc.; the developer can define some keys, the keys are stored securely, and using them never exposes any key. Each module can have a unique ID (Crypt-ID), and the cryptographic algorithm modules can be called from outside by each module's unique ID to perform black-box cryptographic operations such as encryption, decryption, signing or authentication.
The server side provides the cloud lock server.
The above-mentioned cloud lock server is a remote protection device whose purpose is software authorization protection and data protection, which makes authorization decisions based on user identity identification, and which can run the software developer's custom functions and logic code. It specifically comprises:
an in-lock execution environment module, a user identity authentication module, a software authorization identification module and a data synchronization module, etc. The hardware, operating system and development process of the server framework are all common in the industry and are not described here.
Specifically: the in-lock execution environment is a simulated virtual machine; according to one embodiment of the present invention, it simulates a certain CPU instruction set or builds a secure sandbox. It also comprises some accelerators for commonly used algorithms and some extension libraries (including but not limited to a cryptographic algorithm library, a database storage interface, a disk file store and network input).
The above-mentioned user identity authentication module is used to identify whether the user's account and password are legitimate.
The above-mentioned software authorization identification module determines, from the data stored in the background, whether the user's usage is within the authorization; specifically this includes at least: whether the software can still be used, and recording the remaining usage time and remaining number of uses.
The above-mentioned data synchronization module is specifically divided into a down-synchronization submodule and an up-synchronization submodule. The down-synchronization submodule generates the packets distributed for upgrades; the up-synchronization submodule receives updates of the user program's custom documents or data.
The above-mentioned PKG package is a protocol package that carries protection resources in block-encrypted form; it is divided into a header and a body. The header contains parts that are stored encrypted and parts that are stored unencrypted as a declaration. The header is located by a specific data file header identification code (MagicCode), and the offset of the body is the header length. According to an embodiment of the invention, the header of a PKG package comprises:
header identifier (MagicCode);
header length (head-length);
the App ID plus the app version ID;
the identification ID of the corresponding hardware and the user identity ID;
a table of the protection resources, with the ID, length and type of each;
the scope of the resource update (full coverage of the resource or modification of part of its content), the instruction (update, overwrite, delete, etc.), the package legitimacy check value, etc.
The body consists of block information; its offset can be computed from the header length, and it essentially holds the encrypted stored values corresponding to the protection resources.
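The header/body layout described above, as an added worked example that is not part of the patent: a constructed PKG layout in Python with fixed-width header fields, a resource table, and an HMAC-SHA256 check value over header and body. The field widths, the MagicCode value, the instruction codes and the key are assumptions of this example, not the patent's actual protocol; the lock's block encryption is not modelled, so the body blocks are stored as given.

```python
"""Constructed PKG packet layout: header located by MagicCode, body at offset
header_len, per-resource blocks, and a keyed check value the lock can verify."""
import hashlib
import hmac
import struct

MAGIC = b"PKG1"                  # assumed MagicCode that identifies the header
PKG_KEY = b"constructed-shared-key"   # assumed key shared by cloud lock server and lock
# magic, header_len, app_id, app_ver, hw_id, user_id, scope, instruction, resource count
FIXED = struct.Struct(">4sHIIIIBBH")
ENTRY = struct.Struct(">IBI")    # resource id, resource type, length of its encrypted block
CHECK_LEN = hashlib.sha256().digest_size

SCOPES = {1: "full", 2: "partial"}               # full coverage vs. partial modification
INSTRUCTIONS = {1: "update", 2: "overwrite", 3: "delete"}


def build_pkg(app_id, app_ver, hw_id, user_id, scope, instruction, resources):
    """Cloud side. resources: list of (res_id, res_type, encrypted_block)."""
    body = b"".join(block for _, _, block in resources)
    table = b"".join(ENTRY.pack(rid, rtype, len(block)) for rid, rtype, block in resources)
    header_len = FIXED.size + len(table) + CHECK_LEN
    fixed = FIXED.pack(MAGIC, header_len, app_id, app_ver, hw_id, user_id,
                       scope, instruction, len(resources))
    # Check value covers the declared header fields as well as the body, so a
    # changed app id, instruction or resource length is detected too.
    check = hmac.new(PKG_KEY, fixed + table + body, hashlib.sha256).digest()
    return fixed + table + check + body


def parse_pkg(pkg):
    """Lock side: locate header, validate lengths, verify check value, split body."""
    if len(pkg) < FIXED.size or pkg[:4] != MAGIC:
        raise ValueError("not a PKG packet")
    (_, header_len, app_id, app_ver, hw_id, user_id,
     scope, instruction, count) = FIXED.unpack_from(pkg, 0)
    table_end = FIXED.size + count * ENTRY.size
    if table_end + CHECK_LEN != header_len:
        raise ValueError("header length inconsistent with resource table")
    if header_len > len(pkg):
        raise ValueError("truncated header")
    entries = [ENTRY.unpack_from(pkg, FIXED.size + i * ENTRY.size) for i in range(count)]
    check = pkg[table_end:header_len]
    body = pkg[header_len:]                       # body offset is the header length
    expect = hmac.new(PKG_KEY, pkg[:table_end] + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, check):
        raise ValueError("check value mismatch: packet modified or corrupted")
    if sum(length for _, _, length in entries) != len(body):
        raise ValueError("body length does not match resource table")
    blocks, pos = {}, 0
    for rid, rtype, length in entries:            # block-wise read, as the lock does
        blocks[rid] = (rtype, body[pos:pos + length])
        pos += length
    return {"app_id": app_id, "app_ver": app_ver, "hw_id": hw_id, "user_id": user_id,
            "scope": SCOPES.get(scope, "unknown"),
            "instruction": INSTRUCTIONS.get(instruction, "unknown"),
            "header_len": header_len, "blocks": blocks}
```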
The online usage of the cloud lock server is not the focus of this patent and is not described further here. The online usage of the cloud lock server is very similar to the usage of the local software protection device; the main differences are that the cloud lock server processes faster than the local software protection device and has a larger storage capacity.
The cooperative workflow of the cloud lock and the local hardware lock is as follows:
1. The local software protection device is initialized and connected to the local computing device; at this point the Internet connection is up.
2. The protected mobile software starts for the first time and issues a protection request (according to one embodiment of the present invention, the protection request comprises the AppID and a request to read or write encrypted data, to execute a function-id, or to encrypt, decrypt or sign, etc.). The request is sent through the call-dispatch module and forwarded to the next step.
3. The call-dispatch module queries the local software protection device to determine whether the corresponding protection resource (App-protect-resouce) is present in it. If not, the cloud lock server synchronization process (step 4) must be called; if so, go to step 6.
4. The call-dispatch module sends a synchronization request to the cloud lock server through the synchronization module. The cloud lock server first performs identity authentication and authorization verification; if both pass, the encrypted protection resources of the specified mobile App are packaged as a PKG (encrypted and packed by resource logical block), placed in a temporary file directory on the server from which they can be downloaded, and the call-dispatch module is notified.
5. The call-dispatch module downloads the PKG into the lock-external cache, updates the in-lock authorization module, and updates the software's authorization information (e.g. whether it can be used, whether it can be cached, usage time, number of uses, etc.). Go to the next step.
6. The call-dispatch module forwards the user's protection request to the local software protection device, which queries the in-lock storage module according to the user's request (AppID+request) to determine whether it contains the resource needed by the call request. If so, go to step 8; if not, go to the next step.
7. The call-dispatch module imports the corresponding resource IDs (including DATA-ID, ExeBinMod-ID and Crypt-ID) from the block information in the PKG package of the corresponding app in the lock-external cache into the local software protection device. The upgrade module and authentication module in the local software protection device update the in-lock cache after auditing.
8. The CPU in the local software protection device executes the corresponding resource in the in-lock storage module (data read/write, algorithm computation, encryption/decryption) and returns the result data to the call-dispatch module through the I/O interface.
9. The call-dispatch module returns the result of the protection request to the protected mobile software.
According to one embodiment of the present invention, for the synchronization module, the data and documents generated by the mobile application can be written into the lock-external cache as results, and the in-lock data storage module is called to update the synchronization version number (DATA-SYNC-Version) of what was written. Synchronization can be performed when the user is connected to the network.
The synchronization process is:
1. If the local version is found to be higher than the version on the cloud lock server, the upgrade module generates an upload packet (PKG), and the call-dispatch module and synchronization module are invoked to update the data storage version in the cloud lock server.
2. If the local version is found to be lower than the version on the cloud lock server, the synchronization module issues a down-synchronization request, waits for the cloud lock server to generate the PKG packet, and downloads and updates the corresponding data resources in the local software protection device.
Download and synchronization take effect only when connected to the network. When not networked, most protection requests and calls are completed by the local software protection device instead.
The process by which the lock-external cache is used is:
1. Reading data: read from the cache in blocks as needed, decrypt inside the lock, and use by the in-lock program.
2. Writing data: update the data inside the lock, encrypt inside the lock, and write to the lock-external cache in blocks.
In summary, the hardware encryption lock, as a computing entity, shares the load of the cloud lock server and reduces operating costs; the whole process is transparent to the end user and adds no manual download step. It also saves a great deal of user data traffic while the software runs and reduces battery consumption, greatly improving the user experience.
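The request flow of steps 1 to 9 above, the offline role of the lock-external cache, and the cache lookup used in Embodiment 1 below, as an added Python simulation that is not the patent's code. The in-memory classes, the JSON package shape, the eviction rule for the small in-lock memory and the shared HMAC key are assumptions of this example.

```python
"""Constructed model of the call-dispatch flow: lock hit, lock-external cache
import, cloud synchronization, and the offline case."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

SYNC_KEY = b"constructed-demo-key"  # assumed key shared by cloud lock server and hardware lock


def seal_pkg(app_id, version, resources):
    """Cloud side: pack an app's protection resources into a PKG-like package
    carrying an HMAC that the lock's authentication module checks on import."""
    body = json.dumps({"app": app_id, "ver": version, "res": resources}, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(SYNC_KEY, body, hashlib.sha256).hexdigest()}


@dataclass
class CloudLockServer:
    users: dict        # account -> password
    authorized: dict   # app_id -> set of accounts licensed for that app
    resources: dict    # app_id -> {res_id: value}, e.g. paid flag or per-scene key
    versions: dict     # app_id -> DATA-SYNC-Version

    def sync_down(self, account, password, app_id):
        """Identity and authorization checks before a PKG is produced (step 4)."""
        if self.users.get(account) != password:
            raise PermissionError("identity check failed")
        if account not in self.authorized.get(app_id, set()):
            raise PermissionError("app %d not authorized for %s" % (app_id, account))
        return seal_pkg(app_id, self.versions[app_id], self.resources[app_id])


@dataclass
class HardwareLock:
    capacity: int                               # small in-lock memory: import block by block
    store: dict = field(default_factory=dict)   # (app_id, res_id) -> value

    def has(self, app_id, res_id):
        return (app_id, res_id) in self.store

    def import_block(self, pkg, res_id):
        """Authentication module audits the PKG, then the upgrade module writes one block (step 7)."""
        expect = hmac.new(SYNC_KEY, pkg["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, pkg["tag"]):
            raise ValueError("PKG failed legitimacy audit")
        data = json.loads(pkg["body"])
        if res_id not in data["res"]:
            raise KeyError(res_id)
        if len(self.store) >= self.capacity:
            self.store.pop(next(iter(self.store)))  # evict the oldest block (assumed policy)
        self.store[(data["app"], res_id)] = data["res"][res_id]

    def execute(self, app_id, res_id):
        """Step 8: the resource is used inside the lock; here it is simply returned."""
        return self.store[(app_id, res_id)]


@dataclass
class Dispatcher:
    """The call-dispatch module on the mobile terminal (steps 3, 5, 6, 9)."""
    lock: HardwareLock
    cloud: CloudLockServer
    account: str
    password: str
    online: bool = True
    cache: dict = field(default_factory=dict)   # lock-external cache: app_id -> PKG
    trace: list = field(default_factory=list)

    def protect_request(self, app_id, res_id):
        if self.lock.has(app_id, res_id):
            self.trace.append("lock-hit")
        else:
            if app_id not in self.cache:
                if not self.online:
                    raise ConnectionError("resource not cached and terminal offline")
                self.cache[app_id] = self.cloud.sync_down(self.account, self.password, app_id)
                self.trace.append("cloud-sync")
            self.lock.import_block(self.cache[app_id], res_id)
            self.trace.append("cache-import")
        return self.lock.execute(app_id, res_id)


def demo():
    """Constructed run mirroring Embodiment 1: paid flag DATA-01, map key CRYPT-02."""
    cloud = CloudLockServer(users={"alice": "pw"}, authorized={1034: {"alice"}},
                            resources={1034: {"DATA-01": "TRUE", "CRYPT-02": "key-for-map-1"}},
                            versions={1034: 3})
    d = Dispatcher(HardwareLock(capacity=1), cloud, "alice", "pw")
    paid = d.protect_request(1034, "DATA-01")   # first call: cloud-sync, then cache-import
    d.protect_request(1034, "DATA-01")          # second call: lock-hit
    d.online = False
    key = d.protect_request(1034, "CRYPT-02")   # served from the cache, no network needed
    return paid, key, d.trace
```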
Below provided the specific embodiment that some the present invention use, it is only as a kind of application example of the present invention, and can not be interpreted as concrete restriction of the present invention.
Embodiment 1
The mobile application in this embodiment is a paid level-based action game in which the user plays a character, explores different game scenes and fights enemies to clear each level. The game checks a paid flag and ships with preset encrypted scene map files; during play it decrypts each map with the key from the resource package so that the user can enter the game scene. Assume that the user's mobile terminal has the local software protective device installed and bound to the user account. Assume the game's APP ID is 1034, the DATAID checked on data read is 1, and the game has eight scenes in total, i.e. eight maps, each encrypted, with the corresponding decryption key IDs CRYPT-02 to CRYPT-09.
Step 1: with a network connection, the user's smartphone logs in to the software store with account and password and selects this game; the software store generates a payment order and proceeds to the payment step.
Step 2: payment is completed online, and the paid flag in the corresponding resource package on the cloud lock server is set to TRUE.
Step 3: the game is downloaded and installed. The corresponding encrypted protection resource PKG package is downloaded to the outer-lock cache at the same time.
Step 4: the game starts and calls the encryption request to read data unit 1, with instruction READ; DATA-01 is checked to see whether payment was made, and if not, startup is refused.
Step 5: during play, the game enters the map program of the first level. Reading the encrypted map file requires the corresponding key for decryption, so the game calls the relevant module and sends APPID=1034, a crypt02 decryption request and the encrypted map data.
Step 6: APPID=1034+crypt02 is passed to the encryption lock through the call-and-send module, which temporarily saves the request data APPID+cryptID+data to be operated on.
Step 7: the encryption lock hardware finds no related resource package cached inside the lock and returns no-CACHE; if one is present, jump to step 12.
Step 8: the call-and-send module receives the no-CACHE signal and immediately looks up the resource package for APPID=1034 in the outer-lock cache. If it is not there, the resource package is obtained by synchronous download.
Step 9: the call-and-send module finds the corresponding resource package, splits the PKG package into blocks, sends them to the encryption lock, and sends an in-lock cache upgrade request.
Step 10: the encryption lock receives the in-lock cache upgrade request and the PKG package; according to the PKG protocol, after authentication inside the lock, the upgrading module updates the in-lock data buffer and the lock returns upgrade success.
Step 11: the call-and-send module sends the operation request to the encryption lock again, including the App ID, the CryptID and the data to be operated on.
Step 12: the encryption lock receives the encryption request, performs the related decryption operation inside the lock, and returns the decrypted map data binary stream to the call-and-send module.
Step 13: the call-and-send module returns the decrypted map data to the game, which then successfully enters the first level scene.
If all encrypted protection resources are already in the outer-lock cache and no synchronization with the cloud lock server is needed, game startup and scene switching require no network connection.
Embodiment 2
In this embodiment the mobile application is a free undersea fishing game in which bullets and some props are paid items.
After the first 200 ordinary bullets the game gives no more for free; further bullets can only be bought with cash. Each bullet fired gives one chance to catch a fish, and after a successful catch a certain number of bullets is returned to the user according to the score value of the fish. Laser cannon bullets can only be bought with cash. The APPid is 2001, the DATAID of the ordinary bullet data storage unit is 1, and the data unit ID of the laser cannon is 2.
Step 1: with a network connection, the user's smartphone logs in to the software store with account and password and selects this game.
Step 2: the game is downloaded and installed. The corresponding encrypted protection resource PKG package is downloaded to the outer-lock cache at the same time, after which the device goes offline.
Step 3: the game starts; game initialization calls the request to load the encrypted resources into the in-lock cache and sends Appid=2001 to the call-and-send module.
Step 4: the call-and-send module loads the Appid=2001 resource package from the outer-lock cache into the in-lock cache.
Step 5: the game sets ordinary bullets to 200 and the laser cannon bullet value to 0, sending the requests APPID=2001, WRITE DATA1=200, WRITEDATA2=0.
Step 6: APPID=2001, WRITEDATA1=200 is passed to the encryption lock through the call-and-send module, which temporarily saves the request data APPID+FUNCTIONID+data to be operated on.
Step 7: the call-and-send module sends the operation request to the encryption lock, including the App ID, the FUNCTION-ID and the data to be operated on.
Step 8: the encryption lock receives the related requests, performs the related operations inside the lock, writes 200 and 0 to the data units DATA-01 and DATA-02 respectively, and at the same time sets the synchronization version Sync-Version of DATA-01 to 1 and that of DATA-02 to 1.
Step 9: as the game proceeds, the bullet count in the game changes continuously, and the corresponding synchronization version number Sync-Version is automatically incremented by 1 each time.
Step 10: if the user finds the bullets insufficient and wants to top up bullets or laser cannon bullets, the device first connects to the network.
Step 11: the game calls the upload synchronization request on the encryption lock. The call-and-send module has the encryption lock encrypt the data cached inside the lock and updates the outer-lock cache.
Step 12: the call-and-send module uploads the PKG package data for APPID=2001 to the cloud lock server through the synchronization module, and the cloud lock server automatically updates the corresponding data.
Step 13: through the interface the user clicks to buy 1000 bullets and 2 laser guns online, generating an order, paying and completing the purchase.
Step 14: in the cloud lock server, the data for DATAID=01 is increased by 1000 and the DATA2 related data packet is updated; the related sync-version is automatically incremented by 1.
Step 15: the call-and-send module downloads the corresponding PKG packet through the synchronization module.
Step 16: the game finds that payment is complete and calls the call-and-send module to load the APPid=2001 packet resources into the in-lock cache.
Step 17: the game continues to run; the user sees the corresponding bullet count and laser cannon count and can use them.
Only the purchase of paid bullets and laser cannons in the game requires networking and online payment; at other times the game needs no network connection.
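The request flow of the two embodiments above, as an added simulation that is not part of the patent: a hardware lock with an in-lock cache, an outer-lock cache, and a cloud lock server, with the no-CACHE fallback and in-lock PKG authentication of Embodiment 1 and the Sync-Version bump and upload synchronization of Embodiment 2. The PKG layout, the HMAC tag, LOCK_KEY and the XOR keystream cipher are constructed stand-ins, not the patent's PKG protocol or the lock's real algorithm.

```python
import hashlib, hmac, json

LOCK_KEY = b"constructed-lock-auth-key"  # hypothetical secret shared by lock and cloud lock server

def keystream_xor(key: bytes, data: bytes) -> bytes:  # toy cipher, not the lock's real one
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def make_pkg(appid: int, keys: dict, data: dict, sync_version: int = 1) -> dict:
    # PKG package: per-app key table and data units, plus a tag the lock verifies
    body = json.dumps({"appid": appid, "keys": keys, "data": data,
                       "sync_version": sync_version}).encode()
    return {"body": body, "tag": hmac.new(LOCK_KEY, body, "sha256").hexdigest()}

class HardwareLock:
    """Hardware encryption lock: keys are only ever used inside the lock."""
    def __init__(self):
        self.cache = {}  # in-lock data buffer: appid -> resource package
    def upgrade(self, pkg: dict) -> bool:  # in-lock cache upgrade with authentication
        tag = hmac.new(LOCK_KEY, pkg["body"], "sha256").hexdigest()
        if not hmac.compare_digest(tag, pkg["tag"]):
            return False  # authentication failed; cache left untouched
        res = json.loads(pkg["body"])
        self.cache[res["appid"]] = res
        return True
    def decrypt(self, appid: int, crypt_id: str, ciphertext: bytes):
        if appid not in self.cache:
            return None  # the no-CACHE signal
        return keystream_xor(bytes.fromhex(self.cache[appid]["keys"][crypt_id]), ciphertext)
    def write_data(self, appid: int, data_id: str, value: int) -> int:  # WRITE DATA
        res = self.cache[appid]
        res["data"][data_id] = value
        res["sync_version"] += 1  # Sync-Version bumped on every in-lock write
        return res["sync_version"]
    def export_pkg(self, appid: int) -> dict:  # re-pack in-lock state for upload
        res = self.cache[appid]
        return make_pkg(appid, res["keys"], res["data"], res["sync_version"])

class CallSendModule:
    """Call-and-send module: try the lock, then the outer-lock cache, then the cloud."""
    def __init__(self, lock: HardwareLock, outer_cache: dict, cloud: dict):
        self.lock, self.outer, self.cloud, self.log = lock, outer_cache, cloud, []

    def decrypt_request(self, appid: int, crypt_id: str, ciphertext: bytes) -> bytes:
        result = self.lock.decrypt(appid, crypt_id, ciphertext)
        if result is None:  # no-CACHE: steps 8-11 of Embodiment 1
            pkg = self.outer.get(appid)
            if pkg is None:  # not in the outer-lock cache: synchronous download
                pkg = self.outer[appid] = self.cloud[appid]
                self.log.append("cloud-sync")
            if not self.lock.upgrade(pkg):
                raise PermissionError("PKG failed in-lock authentication")
            self.log.append("upgrade")
            result = self.lock.decrypt(appid, crypt_id, ciphertext)
        return result

    def upload_sync(self, appid: int) -> int:  # steps 11-12 of Embodiment 2
        pkg = self.outer[appid] = self.cloud[appid] = self.lock.export_pkg(appid)
        return json.loads(pkg["body"])["sync_version"]
```

A tampered PKG is rejected by `upgrade` before it can reach the in-lock cache, so a decryption key only ever enters the lock through an authenticated package.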
 
The above are only preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent replacement, improvement or the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (10)

1. A system for securely running a mobile application on a mobile device terminal, the system comprising:
a local software protective device, which provides the mobile device terminal with a physically secure environment for securely running the mobile application or functional modules of the mobile application, and is connected to the mobile device terminal;
a remote software protective device, which provides authorization protection and data protection for the mobile application, and is connected to the mobile device terminal wirelessly or by wire through a network;
the mobile device terminal, which runs the mobile application and is connected to the local software protective device;
a secure processing module running on the mobile device terminal, which carries out secure communication and data processing with the local software protective device and the remote software protective device.
2. The system according to claim 1, characterized in that the local software protective device comprises:
an execution environment module, which provides an instruction set for running the mobile application;
an upgrading module, which decrypts PKG packets and updates data;
an authentication module, which authenticates the legitimacy of identities and of PKG packets;
a software authorization module, which stores and reads information on specific functional modules of the mobile application and the authorization information of those functional modules;
an in-lock storage module, which provides an interface for reading and writing data.
3. The system according to claim 1, characterized in that the remote software protective device comprises:
an in-lock execution environment module, which provides an instruction set for running the mobile application;
a user identification authentication module, which identifies whether the user identity is legitimate;
a software authorization identification module, which judges whether the mobile application is within the scope of authorization;
a data synchronization module, which synchronizes data packets.
4. The system according to claim 2 or 3, characterized in that the local software protective device or the remote software protective device can run custom functions provided by the developer of the mobile application.
5. The system according to claim 1, characterized in that the secure processing module comprises:
a call-and-send module, which forwards functions or data remotely called by the mobile application to the local software protective device, or sends them to the remote software protective device;
a synchronization module, which receives or packs PKG packets and, in cooperation with the upgrading module in the local software protective device, sends the PKG packets into the local software protective device or into the remote software protective device;
an outer-lock cache module, which caches and stores the PKG packets and stores encrypted data and documents generated by the mobile application.
6. The system according to claim 5, characterized in that
the mobile application calls the local software protective device directly through the call-and-send module, or calls the remote software protective device through the call-and-send module and then the synchronization module.
7. The system according to claim 1, characterized in that the local software protective device comprises a hardware encryption lock, and the hardware encryption lock comprises a physical security chip.
8. The system according to claim 7, characterized in that the physical security chip comprises a central processing unit, memory and non-volatile storage.
9. The system according to claim 2 or 3, characterized in that the execution environment module and the in-lock execution environment module run the mobile application in the form of a virtual machine.
10. The system according to claim 2 or 3, characterized in that the execution environment module and the in-lock execution environment module compile with a low-level virtual machine, and the code of the mobile application runs in a secure sandbox.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210408936.9A CN103258150B (en) 2013-06-24 2013-06-24 A kind of system of local and remote software protecting equipment collaborative work

Publications (2)

Publication Number Publication Date
CN103258150A true CN103258150A (en) 2013-08-21
CN103258150B CN103258150B (en) 2016-02-10

Family

ID=48962062

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210408936.9A Active CN103258150B (en) 2013-06-24 2013-06-24 A kind of system of local and remote software protecting equipment collaborative work

Country Status (1)

Country Link
CN (1) CN103258150B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020056747A1 (en) * 2000-08-31 2002-05-16 Sony Corporation Person authentication system, person authentication method, information processing apparatus, and program providing medium
CN1808456A (en) * 2006-02-24 2006-07-26 上海方正信息安全技术有限公司 Method of adding trusted platform on portable terminal
CN101286987A (en) * 2008-03-27 2008-10-15 北京深思洛克数据保护中心 Method for transferring authority license of software

Also Published As

Publication number Publication date
CN103258150B (en) 2016-02-10

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right

Owner name: BEIJING SHENSI SHUDUN SCIENCE + TECHNOLOGY CO., LT

Free format text: FORMER OWNER: BEIJING SENSELOCK SOFTWARE TECHNOLOGY CO., LTD.

Effective date: 20150811

C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right

Effective date of registration: 20150811

Address after: 100872 room 1706, building 59, Zhongguancun street, Haidian District, Beijing

Applicant after: BEIJING SHENSI SHUDUN TECHNOLOGY Co.,Ltd.

Address before: 100084 Beijing City, Haidian District Zhongguancun South Street No. 6 Zhucheng building B block 1201

Applicant before: Beijing Senselock Software Technology Co.,Ltd.

C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee
CP03 Change of name, title or address

Address after: 100193 Beijing, Haidian District, East West Road, No. 10, East Hospital, building No. 5, floor 5, layer 510

Patentee after: BEIJING SENSESHIELD TECHNOLOGY Co.,Ltd.

Address before: 100872 room 1706, building 59, Zhongguancun street, Haidian District, Beijing

Patentee before: BEIJING SHENSI SHUDUN TECHNOLOGY Co.,Ltd.

CP01 Change in the name or title of a patent holder

Address after: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing

Patentee after: Beijing Shendun Technology Co.,Ltd.

Address before: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing

Patentee before: BEIJING SENSESHIELD TECHNOLOGY Co.,Ltd.