CN104601600A - Rogue program prevention and control method based on asymmetric identity - Google Patents

Publication number
CN104601600A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201510085623.8A
Other languages
Chinese (zh)
Other versions
CN104601600B (en
Inventor
苏盛辉
吕述望
郑建华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Digital Bingfu (Fuzhou) Technology Co.,Ltd.
Original Assignee
苏盛辉
吕述望
郑建华
Application filed by 苏盛辉, 吕述望, 郑建华
Priority to CN201510085623.8A (patent CN104601600B)
Publication of CN104601600A
Application granted
Publication of CN104601600B
Legal status: Active

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention discloses a rogue program prevention and control method based on asymmetric identity, belonging to the fields of digital signature technology and computer technology. The method comprises key management, identity modulation, dynamic monitoring and identity authentication. A software production enterprise holds two keys, a private key and a public key. The private key is held only by the enterprise, is never revealed, and is used by the enterprise to modulate the asymmetric identity of a program; the asymmetric identity is stored in the main name of the program. The public key can be disclosed; it is stored on an authentication platform and is used to authenticate the asymmetric identity on behalf of a user computer. When a program is started on the user computer, a dynamic monitoring module intercepts the start process of the program, extracts the identity and transmits it to the authentication platform for the authentication computation. The method has the advantages that the identity cannot be forged, authentication is fast, and the program identity and the program form a single body; it can be used to prevent rogue programs (including pirated programs) from starting and running.

Description

Rogue program prevention and control method based on asymmetric identity
(1) Technical field
This method belongs to the fields of digital signature technology and computer technology, and is a new method for preventing rogue programs from running on a computer. Here rogue programs include network worms, Trojan horses and the like; they exist in the form of executable files, script files or dynamic link library files, and tamper with or steal the data on the user computer once they run.
(2) Background
The first digital signature scheme, RSA, appeared in 1978 (R. L. Rivest, A. Shamir, L. M. Adleman, A Method for Obtaining Digital Signatures and Public-key Cryptosystems, Communications of the ACM, vol. 21, no. 2, 1978, pp. 120-126). RSA is based on the integer factorization problem, which has a subexponential-time solution; therefore, when the user's security requirement is on the order of 2^80, the modulus length of RSA is 1024 bits.
In April 2012, the original REESSE1+ public key scheme, which the applicants had studied for several years, was published in an international journal (Shenghui Su, Shuwang Lü, A Public Key Cryptosystem Based on Three New Provable Problems, Theoretical Computer Science, vol. 426-427, Apr. 2012, pp. 91-117). REESSE1+ is based on three new provable hard problems, for which no subexponential-time solution has yet been found. Owing to this advantage, we derived the JUNA lightweight digital signature technique from REESSE1+ (a lightweight digital signature method based on a super-logarithm hard problem, application number 201110297654.1, October 2011). When the user's security requirement is on the order of 2^112, the modulus length of JUNA can be only 112 bits, whereas at the same security level the modulus length of RSA needs to be 2048 bits. On the basis of JUNA, a technique for preventing rogue programs from running can be developed further.
(3) Summary of the invention
When a computer is networked, a network worm can easily pass through the firewall in the form of normal IP packets, enter the computer, and begin attacks such as tampering with, deleting or stealing data; the IPsec protocol is of no help against this. A Trojan horse disguises itself to lure the user into downloading and executing it, and then harms the user computer. This calls for a mechanism whereby, when an executable file, script file or dynamic link library file (hereinafter the three are collectively called a program) is started, its identity is verified first. If the identity is illegal, the program should be forbidden to run and be removed.
The present invention proposes a technical method that prevents rogue programs from starting and running and notifies the user to delete them, providing a new technical safeguard for network security and information security.
In this document, the symbol "=" denotes either that the value on the right is assigned to the variable on the left or that the values on both sides are equal; "≠" denotes that the values on both sides are unequal; and "#" is the file or character string concatenation operator.
3.1 Several basic concepts
These mainly involve asymmetric identity, program identity, program message, digital signature code and so on.
3.1.1 Asymmetric identity and program identity
Asymmetric identity is used to authenticate an article in cyberspace or in the real world. In cyberspace, an article can be a computer, a program file, a data file and so on. The unit that produces an article is called the subject, and the article itself is called the object.
Definition 1: In cyberspace, an asymmetric identity is a digital signature code that implies the characteristic information of the object (especially its unique number) and the private key of the subject, and that is verified with the public key of the subject.
It has four properties:
1. uniqueness (it is not repeated within an application);
2. unforgeability (the identity of the associated article cannot be counterfeited);
3. implicitness (the characteristic information is hidden and not revealed);
4. asymmetry (two keys, public and private, are used).
Definition 2: An asymmetric identity that implies the program content, the program number, the number of the subject (i.e. the software production enterprise) and the private key of the subject is called a program identity.
3.1.2 Program message, program digest and digital signature code
Definition 3: A file or character string formed from the program content, the program number and the subject number is called a program message.
Definition 4: The output of a one-way hash module that takes the program message as input is called a program digest.
Definition 5: The output of a digital signature scheme is called a digital signature code.
3.2 Technical scheme of the invention
The key points of the invention are that two keys, a private key and a public key, are used, and that the program identity is stored in the main name of the program.
The invention is a rogue program prevention and control method based on asymmetric identity, consisting of four parts: key management, identity modulation, dynamic monitoring and identity authentication. It is the basic principle and technical scheme that must be followed in developing rogue program prevention and control products, not a physical product itself.
According to the invention, a key management chip, an identity modulation chip, a dynamic monitoring chip and an identity authentication chip can be manufactured, or key management software, identity modulation software, dynamic monitoring software and identity authentication software can be developed.
3.2.1 Key management part
This part is for the software production enterprise. The relevant module runs on a computer in the enterprise manager's office that is not networked, and is used to generate and store one private key and one public key.
Suppose Signsys is a digital signature scheme with good performance, Keygen is its key generation module, and Cnum is the enterprise number (10-12 hexadecimal characters). The key management part is then implemented as follows:
(1) select the security parameters, where the modulus length is at most 224 bits;
(2) call Keygen(security parameters) to obtain the private key SK and the public key PK;
(3) store SK on a flash disk kept by the enterprise manager; it must not be revealed;
(4) upload Cnum and PK to the public key database of the authentication platform;
(5) store information such as the private key number, public key, generation time, life cycle and custodian in the key management database.
Note that the authentication platform consists of one or several computers, can be shared by multiple software production enterprises, and is connected to the network.
3.2.2 Identity modulation part
This part is for the software production enterprise and is carried out before the program is packaged and sold. The relevant module runs on a computer in the enterprise office that is not networked, and is used to generate the asymmetric identity of a program (and of each of its copies).
Suppose Signing is the digital signature module of Signsys, Hash is a one-way hash module matched to Signsys, SK is the private key of the enterprise, Pnum is the program number (10-12 hexadecimal characters; copies of the same program must have different numbers), Pcon is the program content, PM is the program message, PD is the program digest, PID is the program identity, Nori is the original main name of the program, Date is the production date, and Func is the description of the program's function. The identity modulation part is then implemented as follows:
(1) set PM = Cnum#Pnum#Pcon;
(2) let PD = Hash(PM);
(3) compute PID = Signing(PD, SK);
(4) convert PID and PD into hexadecimal characters;
(5) insert PID, PD, Cnum and Pnum at the rightmost end of the program's main name;
(6) store Cnum, Hash(PID), Pnum, Nori, Date, Func, etc. in the program profile database of the authentication platform.
Note that a program name consists of two parts: the part before "." is called the main name, and the part after "." is called the extension. At present, in mainstream operating systems, the maximum length of a name is about 256 characters.
3.2.3 Dynamic monitoring part
This part is for users who have purchased and installed the program. The relevant module runs on the user's computer, which is in a networked state.
Suppose Hash is the one-way hash module matched to Signsys. The dynamic monitoring part is implemented as follows:
(1) whenever a program is started, intercept the start of the program and obtain its main name;
(2) if the length of the main name is less than the specified length, report to the user that the program is illegal and stop the start of the program;
(3) extract PID, PD, Cnum and Pnum from the main name;
(4) let PD = Hash(Cnum#Pnum#Pcon);
(5) if the new PD ≠ the old PD, report to the user that the program is illegal and stop the start of the program;
(6) send PID, PD, Cnum and Pnum to the authentication platform in the form of a packet;
(7) receive the result returned from the platform;
(8) if the result is "false", report to the user that the program is illegal and stop the start of the program; otherwise, allow the program to continue starting.
Note that the packet in step (6) can be an IP packet or a packet of another protocol.
3.2.4 Identity authentication part
This part is for the authentication platform in the network. The relevant module runs on the authentication server and performs the authentication computation on the program identity.
Suppose Verifying is the verification module of Signsys, PK is the public key of the enterprise, and Res is the verification result, whose value is "true" or "false". The identity authentication part is then implemented as follows:
(1) receive the packet from the user computer and obtain the parameters PID, PD, Cnum, Pnum, etc.;
(2) find PK in the public key database by Cnum;
(3) find Pnum in the program profile database by Cnum and Hash(PID);
(4) if the current Pnum ≠ the stored Pnum, let Res = "false"; otherwise, compute Res = Verifying(PID, PD, PK);
(5) if the source address in the program profile database is empty, write the current source address; otherwise, if the stored source address ≠ the current source address, let Res = "false";
(6) return Res.
As step (5) shows, pirated programs are also treated as rogue programs: a program with the same identity cannot run on two user computers whose source addresses differ. In addition, the Verifying module outputs the value "true" or "false".
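The flow of sections 3.2.1 to 3.2.4 traced end to end, as an added example that is not code from the patent. Assumptions: Signsys is replaced by a toy textbook RSA and Hash by SHA-256, the field separator, minimum name length, sample numbers and addresses are constructed, the platform is a local function rather than a network packet, and the sketch records the source address only after the signature verifies (step (5) as written does not state that condition).

```python
import hashlib

# Toy stand-in for the page's Signsys: textbook RSA over two Mersenne primes.
# It is trivially breakable and only makes the protocol flow executable.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
SK, PK = pow(E, -1, (P - 1) * (Q - 1)), E   # private / public exponent
SEP = "_"       # assumed separator between fields in the main name
MIN_LEN = 90    # assumed "specified length" for step (2) of 3.2.3

def sha(data):
    return hashlib.sha256(data).hexdigest()

def digest(cnum, pnum, pcon):
    """PD = Hash(Cnum # Pnum # Pcon), as hexadecimal characters."""
    return sha(cnum.encode() + pnum.encode() + pcon)

def signing(pd, sk):
    return format(pow(int(pd, 16) % N, sk, N), "x")

def verifying(pid, pd, pk):
    try:
        return pow(int(pid, 16), pk, N) == int(pd, 16) % N
    except ValueError:          # non-hex fields in a crafted name
        return False

def modulate(nori, ext, cnum, pnum, pcon, sk, profiles):
    """3.2.2: sign the digest, register the copy, return the new file name."""
    pd = digest(cnum, pnum, pcon)
    pid = signing(pd, sk)
    profiles[(cnum, sha(pid.encode()))] = {"pnum": pnum, "src": None}
    return SEP.join([nori, pid, pd, cnum, pnum]) + "." + ext

def platform_verify(pid, pd, cnum, pnum, src, pubkeys, profiles):
    """3.2.4, steps (2)-(6), run on the authentication platform."""
    pk = pubkeys.get(cnum)
    rec = profiles.get((cnum, sha(pid.encode())))
    if pk is None or rec is None or rec["pnum"] != pnum:
        return False
    res = verifying(pid, pd, pk)
    if rec["src"] is None:
        if res:                 # this sketch binds only after a valid signature
            rec["src"] = src
    elif rec["src"] != src:     # same identity seen from a second address
        res = False
    return res

def monitor(filename, pcon, src, pubkeys, profiles):
    """3.2.3: True if the program may start, False if it must be stopped."""
    main = filename.rsplit(".", 1)[0]
    if len(main) < MIN_LEN:
        return False
    try:
        _nori, pid, pd, cnum, pnum = main.rsplit(SEP, 4)
    except ValueError:
        return False
    if digest(cnum, pnum, pcon) != pd:      # content no longer matches PD
        return False
    return platform_verify(pid, pd, cnum, pnum, src, pubkeys, profiles)

def demo():
    pubkeys, profiles = {}, {}
    cnum, pnum = "00a1b2c3d4", "0000000001"          # constructed numbers
    pcon = b"constructed program bytes"
    pubkeys[cnum] = PK                               # 3.2.1 step (4)
    name = modulate("setup", "exe", cnum, pnum, pcon, SK, profiles)
    pid = name.rsplit(".", 1)[0].rsplit(SEP, 4)[1]
    patched = pcon + b"!"
    rehashed = SEP.join(["setup", pid, digest(cnum, pnum, patched), cnum, pnum]) + ".exe"
    return {
        "genuine": monitor(name, pcon, "192.0.2.5", pubkeys, profiles),
        "patched": monitor(name, patched, "192.0.2.5", pubkeys, profiles),
        "rehashed": monitor(rehashed, patched, "192.0.2.5", pubkeys, profiles),
        "no_identity": monitor("setup.exe", pcon, "192.0.2.5", pubkeys, profiles),
        "second_host": monitor(name, pcon, "192.0.2.9", pubkeys, profiles),
    }

if __name__ == "__main__":
    print(demo())
```

`demo()` allows only the genuine copy on its first host: edited content fails the local PD comparison, an edited file with a recomputed PD fails Verifying on the platform, a name without identity fields fails the length check, and a second source address is refused by step (5).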
3.3 Advantages and positive effects
3.3.1 Unforgeability
In the invention, the program identity is modulated with the private key and verified with the public key, which is asymmetric authentication. Because the private key is not disclosed and cannot be derived from the public key (as determined by the one-wayness of the key transform hard problem), the program identity cannot be forged before the relevant hard problem is broken.
3.3.2 Fast verification
Because Signsys is a digital signature scheme with good performance, or even a lightweight digital signature scheme, both signing and verification will be very fast.
3.3.3 Protection against both rogue programs and pirated programs
The invention can prevent not only rogue programs but also pirated programs from running, and notifies the user to delete them.
3.3.4 Program identity and program form a single body
The program identity does not need a separate file to hold it; it is kept in the main name of the program, which makes verification convenient.
3.3.5 A unified authentication platform can be built
Not every software production enterprise needs to set up its own program identity authentication platform; instead, one unified authentication platform can be shared by all software production enterprises, improving authority and reducing cost.
(4) Embodiment
The rogue program prevention and control method based on asymmetric identity is characterized in that it adopts asymmetric identity authentication technology and that the program identity is stored in the main name of the program.
The method uses two keys: one key can only be held privately by the enterprise and is used to modulate the program identity; the other can be placed publicly on a server and is used to verify the program identity. This ensures that the program identity cannot be forged.
A pair of private and public keys is generated by the software production enterprise, and the public key is uploaded to the authentication server of the authentication platform. The private key, of course, must be kept by the enterprise manager or by an agent the manager designates, and must never be leaked.
The scheme can be implemented in logic circuits or in a computer language and comprises four parts: 1. a chip or software module for private key and public key management, developed according to section 3.2.1, for the software production enterprise; 2. a chip or software module for program identity modulation, developed according to section 3.2.2, also for the software production enterprise; 3. a chip or software module for dynamic monitoring, developed according to section 3.2.3, for program users; 4. a chip or software module for program identity verification, developed according to section 3.2.4, placed on the authentication platform for use by user computers.

Claims (1)

1. A rogue program prevention and control method based on asymmetric identity, consisting of four parts: key management, identity modulation, dynamic monitoring and identity authentication, wherein the first part is used to generate and manage a pair of private and public keys of a software production enterprise, the second part is used by the enterprise to modulate the asymmetric identity of a program with its own private key, the third part is used by a user computer to monitor the start process of a program, and the fourth part uses the enterprise public key kept on the authentication platform to authenticate the asymmetric identity of a program for the user computer, characterized in that (for the meaning of the symbols, see the description):
The key management part adopts the following steps:
1) select the security parameters, where the modulus length is at most 224 bits;
2) call Keygen(security parameters) to obtain the private key SK and the public key PK;
3) store SK on a flash disk kept by the enterprise manager; it must not be revealed;
4) upload Cnum and PK to the public key database of the authentication platform;
5) store information such as the private key number, public key, generation time, life cycle and custodian in the key management database;
In this way, the enterprise obtains and keeps its own pair of private and public keys;
The identity modulation part adopts the following steps:
<1> set PM = Cnum#Pnum#Pcon;
<2> let PD = Hash(PM);
<3> compute PID = Signing(PD, SK);
<4> convert PID and PD into hexadecimal characters;
<5> insert PID, PD, Cnum and Pnum at the rightmost end of the program's main name;
<6> store Cnum, Hash(PID), Pnum, Nori, Date, Func, etc. in the program profile database of the authentication platform;
In this way, the enterprise gives each program (and each copy) an asymmetric identity;
The dynamic monitoring part adopts the following steps:
(1) whenever a program is started, intercept the start of the program and obtain its main name;
(2) if the length of the main name is less than the specified length, report to the user that the program is illegal and stop the start of the program;
(3) extract PID, PD, Cnum and Pnum from the main name;
(4) let PD = Hash(Cnum#Pnum#Pcon);
(5) if the new PD ≠ the old PD, report to the user that the program is illegal and stop the start of the program;
(6) send PID, PD, Cnum and Pnum to the authentication platform in the form of a packet;
(7) receive the result returned from the platform;
(8) if the result is "false", report to the user that the program is illegal and stop the start of the program; otherwise, allow the program to continue starting;
In this way, the user computer can identify illegal programs and stop them from starting;
The identity authentication part adopts the following steps:
1. receive the packet from the user computer and obtain the parameters PID, PD, Cnum, Pnum, etc.;
2. find PK in the public key database by Cnum;
3. find Pnum in the program profile database by Cnum and Hash(PID);
4. if the current Pnum ≠ the stored Pnum, let Res = "false"; otherwise, compute Res = Verifying(PID, PD, PK);
5. if the source address in the program profile database is empty, write the current source address; otherwise, if the stored source address ≠ the current source address, let Res = "false";
6. return Res;
In this way, the authentication platform can determine whether a program identity is genuine and whether it is legal.
CN201510085623.8A 2015-02-17 2015-02-17 Rogue program preventing control method based on asymmetric identity Active CN104601600B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510085623.8A CN104601600B (en) 2015-02-17 2015-02-17 Rogue program preventing control method based on asymmetric identity

Publications (2)

Publication Number Publication Date
CN104601600A true CN104601600A (en) 2015-05-06
CN104601600B CN104601600B (en) 2019-04-23

Family

ID=53127104

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510085623.8A Active CN104601600B (en) 2015-02-17 2015-02-17 Rogue program preventing control method based on asymmetric identity

Country Status (1)

Country Link
CN (1) CN104601600B (en)

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1389786A (en) * 2002-07-24 2003-01-08 苏盛辉 Digital signal system based on public cipher key algorithm
CN1960257A (en) * 2006-11-23 2007-05-09 苏盛辉 Digital signature method based on super logarithm difficult problem, and dual coresidual theorem
CN101388767A (en) * 2008-10-14 2009-03-18 苏盛辉 Certificate false proof method based on light weight digital signature scheme
CN101771699A (en) * 2010-01-06 2010-07-07 华南理工大学 Method and system for improving SaaS application security
CN104320257B (en) * 2014-10-22 2015-10-28 李名选 Electronic record verification method and device

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105787303A (en) * 2016-03-22 2016-07-20 深圳森格瑞通信有限公司 Method and system for protecting intellectual property of software of embedded system
CN105787303B (en) * 2016-03-22 2019-10-11 深圳森格瑞通信有限公司 A kind of built-in system software intellectual property protection method and protection system
CN113722720A (en) * 2021-10-29 2021-11-30 苏州浪潮智能科技有限公司 System starting method and related device
CN113722720B (en) * 2021-10-29 2022-02-18 苏州浪潮智能科技有限公司 System starting method and related device

Also Published As

Publication number Publication date
CN104601600B (en) 2019-04-23

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
DD01 Delivery of document by public notice

Addressee: Digital Bingfu (Fuzhou) Technology Co.,Ltd.

Document name: Deemed not to have been notified

TR01 Transfer of patent right

Effective date of registration: 20210827

Address after: 350207 Building 2, Southeast big data Industrial Park, No. 2, Hujiang Road, Wenwusha Town, Changle District, Fuzhou City, Fujian Province

Patentee after: Digital Bingfu (Fuzhou) Technology Co.,Ltd.

Address before: Beijing 100037 Haidian District, building 24, room 1508

Patentee before: Su Shenghui

Patentee before: Lv Shuwang

Patentee before: Zheng Jianhua