CN104753674A - Application identity authentication method and device - Google Patents

Info

Publication number
CN104753674A
Authority
CN
China
Prior art keywords
application
authentication
information
security component
hmac
Prior art date
Legal status
Granted
Application number
CN201310752998.6A
Other languages
Chinese (zh)
Other versions
CN104753674B (en)
Inventor
王在方
孙悦
蔡准
赵军
Current Assignee
China Mobile Communications Group Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd

Abstract

The embodiment of the invention discloses an application identity authentication method and device. In the technical scheme, HMAC (Hash Message Authentication Code) information is determined from the content of an application's program files and the application is authenticated on that basis; successfully authenticated HMAC information is stored on a server to create a corresponding whitelist; when a cloud service request is needed, the service request is issued to the server according to the current HMAC information, and the corresponding cloud service is provided to the application only when the server judges from the HMAC information that the application is legitimate. Changes to the application's content can therefore be recognised accurately, and malicious use of the services through application tampering can be avoided; at the same time, because the transmission and storage of the HMAC information are invisible processes, the accuracy and effectiveness of application identity recognition can be ensured.

Description

Application identity authentication method and device
Technical field
The present invention relates to the field of communication technology, and in particular to an application identity authentication method and device.
Background art
Platform operators that provide open services to smartphone application developers, for mobile phone application software developed and released on the basis of their SDK (Software Development Kit), often need to identify the source of an application requesting a service, including the identity of the application and the identity of each running instance of the application. This allows them, on the one hand, to collect statistics on the use of their own services and, on the other hand, to prevent high-value or sensitive services from being used without authorisation by means of server-side access authentication.
A fairly common way of identifying smartphone application software is to require the developer to register the application with the service provider and obtain a unique identifier (APP ID) issued by the provider. The application keeps the APP ID and its corresponding key on the phone and presents them when calling the service. From this information the service provider judges whether the service invocation request comes from an authorised application. Products such as the Google Maps SDK and the Sina Weibo SDK all use a similar method to authorise applications.
Common ways of identifying an installation or running instance of smartphone application software include:
(1) Collecting identification information of the mobile phone device, such as the IMEI (International Mobile Equipment Identity number).
(2) Using other device-unique identifiers provided by the system, such as the ASHWID (App Specific Hardware ID) provided by the Windows Phone platform, or the UDID (Unique Device ID) in the iOS system.
(3) Using a self-defined UUID.
In the course of realising the present invention, the inventors found that the prior art has at least the following problems:
Application identification based on an APP ID and key has the following main defects:
(1) Cracked applications cannot be identified: after an application is cracked, the APP ID and key are still correct, but the logic has been changed and the application has become malicious; the server side cannot recognise such applications, and so cannot prevent its service capability from being misappropriated by an attacker.
(2) Security is insufficient in some application scenarios: the APP ID and key are fully visible to the developer, and although the real APP ID and key can be protected by some obfuscation or encryption, they must eventually be presented to the SDK, so cracking them is not difficult.
Summary of the invention
The object of the embodiments of the present invention is to provide an application identity authentication method and device that can accurately identify the legitimacy of an application on the basis of HMAC information.
To achieve this object, an embodiment of the present invention provides an application identity authentication method, applied in a system that comprises at least a terminal device and a server, wherein the terminal device comprises a security component and at least one application, and the method comprises:
When an application on the terminal device starts, the security component determines the current HMAC information corresponding to the application according to the program files of the application;
The security component authenticates the application to the server according to the current HMAC information, the identity information of the terminal device and the identity information of the application;
The security component identifies the authentication result; if authentication succeeds, the security component saves the corresponding authentication parameter and authenticated HMAC information for the application;
When the application needs to initiate a cloud service request to the server, the security component judges whether the current HMAC information corresponding to the application is consistent with the authenticated HMAC information;
If consistent, the security component sends a cloud service request to the server according to the current HMAC information and the authentication parameter, so that the server provides the corresponding cloud service to the application when it confirms that the application is legitimate.
On the other hand, an embodiment of the present invention further provides a security component, applied in a system that comprises at least a terminal device and a server, wherein the terminal device comprises the security component and at least one application, and the security component comprises:
A determination module, for determining, when an application on the terminal device starts, the current HMAC information corresponding to the application according to the program files of the application;
An authentication module, for authenticating the application to the server according to the current HMAC information determined by the determination module, the identity information of the terminal device and the identity information of the application;
An identification module, for identifying the authentication result returned by the server and, if authentication succeeds, saving the corresponding authentication parameter and authenticated HMAC information for the application;
A judgement module, for judging, when the application needs to initiate a cloud service request to the server, whether the current HMAC information corresponding to the application is consistent with the authenticated HMAC information;
A request module, for sending, when the judgement module finds them consistent, a cloud service request to the server according to the current HMAC information and the authentication parameter, so that the server provides the corresponding cloud service to the application when it confirms that the application is legitimate.
On the other hand, an embodiment of the present invention further provides a server, applied in a system that comprises at least a terminal device and the server, wherein the terminal device comprises a security component and at least one application, and the server comprises:
A storage module, for saving an HMAC whitelist according to successfully authenticated HMAC information and the corresponding application identity information, and recording the corresponding device identity information;
An authentication module, for receiving an authentication request sent by the security component that carries the current HMAC information, the identity information of the terminal device and the identity information of the application, and for querying whether the HMAC whitelist stored by the storage module contains the corresponding HMAC information;
A processing module, for generating an authentication parameter when the query result of the authentication module is yes, carrying it in an authentication-success message and sending it to the security component, or for sending an authentication-failure message to the security component when the query result of the authentication module is no;
A verification module, for receiving a cloud service request sent by the security component according to the current HMAC information and the authentication parameter, confirming from the current HMAC information and the authentication parameter whether the application is legitimate, and providing the corresponding cloud service to the application when the verification succeeds.
Compared with the prior art, the technical scheme proposed by the embodiments of the present invention has the following advantages:
With the technical scheme proposed by the embodiments of the present invention, HMAC information is determined from the content of the application's program files and authentication is carried out on that basis; successfully authenticated HMAC information is saved on the server, creating a corresponding whitelist; when a cloud service request is needed, the service request is made to the server according to the current HMAC information, and the corresponding cloud service is provided to the application only when the server judges from the HMAC information that the application is legitimate. Changes to the application's content can therefore be recognised accurately, preventing services from being used maliciously because the application has been tampered with; and because the transmission and storage of the HMAC information are invisible processes, the accuracy and effectiveness of application identity recognition are ensured.
Brief description of the drawings
Fig. 1 is a schematic flowchart of an application identity authentication method proposed by an embodiment of the present invention;
Fig. 2 is a schematic flowchart of the application identity authentication method in a specific application scenario proposed by an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a security system for mobile phone application cloud service providers proposed by an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a security component proposed by an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a server proposed by an embodiment of the present invention.
Detailed description of the embodiments
The technical scheme of the present invention is described clearly and completely below in conjunction with the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The embodiment of the present invention proposes an application identity authentication method that identifies the identity of a mobile phone application and judges whether the application is an authorised one. The technical scheme is mainly based on computing an HMAC over the program files of the mobile phone application software: because the content of the program files remains unchanged after the application is released, the HMAC computed over the content of all program files is also unique. Once the content of a program file is changed, its HMAC value must change. The computed HMAC value is encrypted together with the APPID and transmitted to the server side, which can judge from an HMAC whitelist whether the application has been modified and thus decide whether to authorise the application's service invocation request. The computation, storage and transmission of the HMAC value are all invisible to the mobile phone application user and to the mobile phone application developer, which ensures the accuracy and effectiveness of mobile phone application identity recognition. This proposal also includes methods for securely storing and securely transmitting the HMAC value.
To achieve the above object, an embodiment of the present invention provides an application identity authentication method, whose flowchart is shown in Fig. 1. The method is applied in a system that comprises at least a terminal device and a server, wherein the terminal device comprises a security component and at least one application, and the method comprises:
Step S101: when an application on the terminal device starts, the security component determines the current HMAC information corresponding to the application according to the program files of the application.
Step S102: the security component authenticates the application to the server according to the current HMAC information, the identity information of the terminal device and the identity information of the application.
In a real application scenario, this step specifically comprises:
The security component judges whether a currently valid authentication parameter corresponding to the application exists.
When the result is yes and the security component judges that no authentication-success flag corresponding to the application is currently saved, or when the result is no, the security component sends an authentication request for the application to the server; the authentication request contains at least the current HMAC information, the identity information of the terminal device and the identity information of the application.
Specifically, after this step, the server queries the locally stored HMAC whitelist by the identity information of the application and judges whether it contains an entry consistent with the current HMAC information and the identity information of the terminal device. If it does, the server generates an authentication parameter, carries it in an authentication-success message and sends it to the security component; if not, the server sends an authentication-failure message to the security component.
When the result is yes and the security component judges that an authentication-success flag corresponding to the application is saved, the security component judges whether the current HMAC information corresponding to the application is consistent with the authenticated HMAC information; if consistent, this initialisation is confirmed as successful; if inconsistent, the authenticated HMAC information is replaced by the current HMAC information and this initialisation is confirmed as failed.
Step S103: the security component identifies the authentication result.
If authentication succeeds, step S104 is performed.
If the authentication result is failure, the security component clears the locally saved authentication parameter, current HMAC information and authenticated HMAC information.
Step S104: the security component saves the corresponding authentication parameter and authenticated HMAC information for the application.
In a specific application scenario, this step comprises:
The security component saves the corresponding authentication parameter for the application, saves the current HMAC information as the authenticated HMAC information, and adds an authentication-success flag.
Step S105: when the application needs to initiate a cloud service request to the server, the security component judges whether the current HMAC information corresponding to the application is consistent with the authenticated HMAC information.
Specifically, before this step, the method further comprises:
The security component judges whether the locally stored authentication parameter is valid;
If the authentication parameter is invalid, or no initialisation-success flag is saved locally, the request is confirmed as failed;
If the authentication parameter is valid and an initialisation-success flag is saved locally, the security component judges whether the current HMAC information corresponding to the application is consistent with the authenticated HMAC information.
If consistent, step S106 is performed;
If inconsistent, the security component confirms the request as failed.
Step S106: the security component sends a cloud service request to the server according to the current HMAC information and the authentication parameter, so that the server provides the corresponding cloud service to the application when it confirms that the application is legitimate.
Specifically, the processing of this step comprises:
The security component generates a token according to the current HMAC information and the authentication parameter;
The security component sends a cloud service request carrying the token to the server;
The security component receives the data message that the server returns when it confirms from the token that the application is legitimate, and passes the data message to the application; or,
The security component receives the request-failure message that the server returns when it confirms from the token that the application is illegitimate, and feeds the request-failure result back to the application.
The above description of the technical scheme presents the processing flow on the security component side; correspondingly, the processing on the server side is described as follows:
The server saves the HMAC whitelist according to the successfully authenticated HMAC information and the corresponding application identity information, and records the corresponding device identity information;
When the server receives an authentication request sent by the security component that carries the current HMAC information, the identity information of the terminal device and the identity information of the application, the server queries the locally stored HMAC whitelist by the identity information of the application and judges whether it contains an entry consistent with the current HMAC information and the identity information of the terminal device;
If it does, the server generates an authentication parameter, carries it in an authentication-success message and sends it to the security component; if not, the server sends an authentication-failure message to the security component;
When the server receives a cloud service request sent by the security component according to the current HMAC information and the authentication parameter, the server confirms from the current HMAC information and the authentication parameter whether the application is legitimate, and if it is, provides the corresponding cloud service to the application.
In a specific application scenario, the process by which the server confirms from the current HMAC information and the authentication parameter whether the application is legitimate comprises the following steps:
The server receives the cloud service request carrying the token sent by the security component, where the token was generated by the security component according to the current HMAC information and the authentication parameter;
The server judges whether the application is legitimate according to the information in the token, in combination with the stored HMAC whitelist;
If legitimate, the server sends the data corresponding to the cloud service request to the security component;
If illegitimate, the server sends a request-failure message to the security component.
The processing of the above technical scheme is described in detail below with reference to a specific embodiment, but is not limited to the following embodiment.
The technical scheme proposed by the embodiment of the present invention mainly ensures that, before a mobile phone application developed by a developer makes a service request, the identity of the mobile phone application is first authenticated, and only mobile phone applications that pass identity authentication can use the cloud services provided by the server.
Identity authentication is realised by the terminal-side SDK supplied to mobile phone application developers together with the authentication module on the server side; its flowchart is shown in Fig. 2.
To describe the technical scheme proposed by the embodiment of the present invention clearly, the above processing can be divided into two stages, which are described separately.
First stage: initialisation stage.
Before a mobile phone application developed by a developer calls a cloud service, it must first be initialised.
The purpose of initialisation is to obtain an authentication parameter (Seed) from the server side, which is used to compute the token (Token) when making a service request to the server.
Step S201: the initialisation interface of the SDK is called to initialise the current SDK.
Step S202: the SDK computes the HMAC of the current program files.
At first initialisation, the SDK traverses the program files under the installation directory of the mobile phone application software and computes the HMAC of each program file in alphabetical order (using the HMAC-SHA-256 algorithm; the key needed for the computation is preset in the SDK), then concatenates the individual HMACs and computes a final HMAC over the concatenation, which is kept in memory for subsequent processing. After each start of the application software, the HMAC is computed only once and the result is kept in memory, avoiding the cost of repeated computation.
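As an added illustration (not code from the patent or from its assignee's SDK), the following Python computes the application HMAC the way step S202 describes: each program file under a constructed sample installation directory is HMAC-SHA-256'd in alphabetical order with a key standing in for the SDK's preset key, the per-file MACs are concatenated, and a final HMAC is taken over the concatenation. The key value, the sample file names and their contents are constructed placeholders; the demo also shows that changing one file's bytes changes the final value, which is the property the server-side whitelist relies on.

```python
import hashlib
import hmac
import os
import tempfile

# Stand-in for the key the patent says is preset in the SDK.
# Constructed placeholder, not a real key.
SDK_PRESET_KEY = b"sdk-preset-key-placeholder"


def file_hmac(path: str, key: bytes = SDK_PRESET_KEY) -> bytes:
    """HMAC-SHA-256 over the content of one program file, read in chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.digest()


def app_hmac(install_dir: str, key: bytes = SDK_PRESET_KEY) -> str:
    """Step S202: MAC every file under the install directory in alphabetical
    order of its relative path, concatenate the MACs, MAC the concatenation."""
    rel_paths = []
    for root, dirs, files in os.walk(install_dir):
        dirs.sort()  # deterministic traversal regardless of filesystem order
        for name in files:
            rel_paths.append(os.path.relpath(os.path.join(root, name), install_dir))
    rel_paths.sort()  # alphabetical order, as the text specifies
    joined = b"".join(file_hmac(os.path.join(install_dir, p), key) for p in rel_paths)
    return hmac.new(key, joined, hashlib.sha256).hexdigest()


def build_sample_app(root: str, tampered: bool = False) -> None:
    """Constructed sample 'installation directory' with a few program files.
    With tampered=True the bytecode file is modified, as a cracked app would be."""
    files = {
        "classes.dex": b"\x01\x02original bytecode",
        "lib/libnative.so": b"ELF native library bytes",
        "resources.arsc": b"resource table",
    }
    if tampered:
        files["classes.dex"] = b"\x01\x02patched bytecode"
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def demo() -> tuple:
    """Returns (hmac of clean install, hmac of an identical second install,
    hmac of a tampered install). The first two match; the third differs."""
    with tempfile.TemporaryDirectory() as a, \
            tempfile.TemporaryDirectory() as b, \
            tempfile.TemporaryDirectory() as c:
        build_sample_app(a)
        build_sample_app(b)
        build_sample_app(c, tampered=True)
        return app_hmac(a), app_hmac(b), app_hmac(c)


if __name__ == "__main__":
    clean, clean_again, patched = demo()
    print("clean   :", clean)
    print("again   :", clean_again, "(same)" if clean == clean_again else "(differs)")
    print("tampered:", patched, "(differs)" if patched != clean else "(same)")
```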
Step S203: besides computing the HMAC, the SDK also checks the validity of the authentication parameter (Seed).
If it is valid, step S204 is performed;
If the Seed has expired or does not exist, step S205 is performed to initiate a network authentication request to the server.
Step S204: the SDK judges whether an initialisation-success flag is currently saved.
If not, step S205 is performed to initiate a network authentication request to the server for authentication;
If so, step S208 is performed.
Step S205: the SDK initiates a network authentication request.
The purpose of the network authentication request is to ask the server to authenticate the application identity and send back a Seed. Because the parameters of the authentication request include sensitive information such as the device ID, device information and MAC, the request message must be timestamped and encrypted, and an HMAC computed over these parameters, to prevent the message from being eavesdropped on, tampered with or replayed.
Step S206: after the server receives the request, it looks up the APPKEY from the APPID and then checks the HMAC value of the parameters; if inconsistent, the request is discarded and failure is returned; otherwise the server goes on to check whether the application HMAC whitelist contains an entry consistent with the APPID, device information and MAC.
If no such entry exists, failure is returned; otherwise a Seed is generated, encrypted and returned.
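The exchange of steps S205 and S206, as an added Python example that is not part of the patent: the client side builds a timestamped, HMAC-protected authentication request, and the server looks up the APPKEY by APPID, verifies the HMAC, rejects stale (replayed) timestamps and consults the whitelist before issuing a Seed. The APPKEY registry, whitelist entries, field names, time window and Seed lifetime are constructed assumptions, and the message encryption the text also calls for is left out so that the integrity and whitelist checks stay visible.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed server-side registry: APPID -> APPKEY (placeholder values).
APPKEYS = {"app-0001": b"appkey-for-app-0001-placeholder"}

# Constructed application HMAC whitelist: APPID -> {(device_id, mac, app_hmac)}.
WHITELIST = {
    "app-0001": {("dev-123", "AA:BB:CC:DD:EE:FF", "f" * 64)},
}

SEED_TTL = 3600   # assumed Seed validity period, seconds
MAX_SKEW = 300    # assumed tolerance for the request timestamp, seconds


def _canonical(params: dict) -> bytes:
    """Stable byte encoding so client and server MAC exactly the same data."""
    return json.dumps(params, sort_keys=True, separators=(",", ":")).encode()


def build_auth_request(appid, appkey, device_id, mac, app_hmac, now=None) -> dict:
    """Client (security component) side of S205: parameters plus timestamp,
    protected by an HMAC-SHA-256 under the APPKEY."""
    ts = int(now if now is not None else time.time())
    params = {"appid": appid, "device_id": device_id, "mac": mac,
              "app_hmac": app_hmac, "ts": ts}
    params["sig"] = hmac.new(appkey, _canonical(params), hashlib.sha256).hexdigest()
    return params


def handle_auth_request(req: dict, now=None) -> dict:
    """Server side of S206: APPKEY lookup, HMAC check, freshness check,
    whitelist lookup, Seed issuance. Returns a status dict."""
    now = now if now is not None else time.time()
    appkey = APPKEYS.get(req.get("appid"))
    if appkey is None:
        return {"status": "fail", "reason": "unknown appid"}
    body = {k: v for k, v in req.items() if k != "sig"}
    expected = hmac.new(appkey, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(req.get("sig", ""))):
        return {"status": "fail", "reason": "bad hmac"}          # forged or tampered
    if abs(now - body["ts"]) > MAX_SKEW:
        return {"status": "fail", "reason": "stale timestamp"}   # replayed message
    entry = (body["device_id"], body["mac"], body["app_hmac"])
    if entry not in WHITELIST.get(body["appid"], set()):
        return {"status": "fail", "reason": "not in whitelist"}  # unknown or modified app
    seed = os.urandom(16).hex()  # the Seed itself; encryption on the wire omitted here
    return {"status": "ok", "seed": seed, "expires": int(now) + SEED_TTL}


if __name__ == "__main__":
    key = APPKEYS["app-0001"]
    good = build_auth_request("app-0001", key, "dev-123", "AA:BB:CC:DD:EE:FF", "f" * 64)
    print("genuine app   :", handle_auth_request(good)["status"])
    modified = build_auth_request("app-0001", key, "dev-123", "AA:BB:CC:DD:EE:FF", "e" * 64)
    print("modified app  :", handle_auth_request(modified)["reason"])
    print("tampered msg  :", handle_auth_request(dict(good, mac="00:00:00:00:00:00"))["reason"])
```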
Step S207: the SDK checks the response returned by the server.
If a response marked as successful authentication is received, the SDK encrypts and stores the Seed with the APPKEY, encrypts and stores the application HMAC, sets an initialisation-success flag for this HMAC, and confirms this initialisation as successful.
If a response marked as failed authentication is received, the SDK directly clears the local Seed and HMAC and confirms this initialisation as failed.
Step S208: the SDK compares the HMAC computed this time with the HMAC marked as successfully initialised.
If they are consistent, this initialisation is confirmed as successful.
If they are inconsistent, the previously saved HMAC marked as successfully initialised is replaced with the HMAC computed this time, and this initialisation is confirmed as failed.
Second stage: cloud service request stage.
Step S209: when the mobile phone application requests a cloud service, it calls the cloud service invocation interface provided by the SDK:
Step S210: the SDK first checks the validity of the Seed to confirm that correct initialisation has taken place.
If the Seed is invalid, or there is no initialisation-success flag, failure is returned and the application is reminded to call the initialisation interface again.
If the Seed is valid and an initialisation-success flag exists, processing continues with step S211.
Step S211: the SDK checks whether the HMAC value is consistent with the value saved after successful authentication.
If inconsistent, the program or local data has been corrupted and the application may be under attack; the SDK directly feeds a request failure back to the application.
If consistent, step S212 is performed.
Step S212: the SDK initiates the cloud service request.
For every cloud service request with a valid Seed and HMAC value, a token is computed for it (based on the Seed, timestamp, request counter, application name and similar information, encrypted with the APPKEY) and a service invocation request is initiated to the cloud server.
Step S213: the cloud server checks the token.
If the check passes, the corresponding data is returned for the service request.
If the check fails, a request-failure result is returned.
Step S214: the SDK receives the result returned by the cloud server.
If the result indicates that the cloud service request succeeded, the corresponding data is extracted and fed back to the application, and the current cloud service request succeeds.
If the result indicates that the cloud service request failed, the failure of the current cloud service request is fed back to the application.
Based on said method; achieve a safety system towards mobile phone application cloud service provider; the service provided for it provides safeguard protection, as shown in Figure 3, is the structural representation of a kind of safety system towards mobile phone application cloud service provider that the embodiment of the present invention proposes.
This safety system comprises mobile phone terminal security component (providing with SDK form), and high in the clouds application identity Verification System.
Mobile phone terminal security component is supplied to developer with SDK form, with the application call of storehouse form for developer's exploitation.Security component realizes AES, HMAC scheduling algorithm, realizes the safe storage of data, and the integrality of application calculates and local verification, the secure communication of realization and server end.
Server end is present on cloud server with the form of security authentication module, can be deployed in independent Web container, also can integrated enter the server of cloud service provider.
The function distribution that security authentication module mainly realizes comprises the following aspects.
(1) APPKEY management.
When the server generates an APPID for an application, it also generates an APPKEY. The APPKEY is stored encrypted in the SDK, with the data encrypted by a white-box cryptographic algorithm.
(2) Seed life-cycle management.
When the mobile terminal security component initiates an initialization/application authentication request, the server generates for the application a Seed uniquely bound to the device ID and sets its validity period. Once the Seed expires, the Tokens computed from it automatically cease to be valid.
(3) Token generation and verification.
After the mobile terminal security component receives the Seed, it combines it, according to a defined algorithm, with information such as the device ID, a timestamp and a request counter to generate a different Token for each request, achieving a one-time-pad effect (a fresh token per request).
(4) Mobile-phone application HMAC white list management.
For each application that calls the capability, an HMAC white list is maintained. One application is allowed to have multiple HMACs.
In a concrete application scenario, the communication between the mobile terminal security component and the security authentication module in the above security system can be implemented over the HTTP protocol.
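As an added example (not code from the patent or from the SDK it describes), the following Python model walks through the four functions listed above end to end: an HMAC computed over the program files with an APPKEY, a server-side HMAC white list, a Seed with a validity period bound to the device ID, and a per-request Token derived from the Seed, device ID, timestamp and request counter. The names (APP_ID, APP_KEY, DEVICE_ID), the token layout, the 300-second freshness window and the monotonic counter check are assumptions; the patent does not specify them. The sample program files are constructed.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data; the APPKEY is assumed to be the key the SDK holds for this APPID.
APP_ID = "app-1001"
APP_KEY = b"constructed-app-key-from-sdk"
DEVICE_ID = "device-ABC"
PROGRAM_FILES = {"classes.dex": b"\x01\x02\x03", "libnative.so": b"\xff\xfe"}


def app_hmac(program_files, app_key):
    """HMAC information of the application: HMAC-SHA256 over the program files
    (sorted by name so the result is stable), keyed with the APPKEY."""
    mac = hmac.new(app_key, digestmod=hashlib.sha256)
    for name in sorted(program_files):
        mac.update(name.encode())
        mac.update(program_files[name])
    return mac.hexdigest()


def make_token(seed, device_id, app_mac, timestamp, counter):
    """Per-request Token: HMAC of device ID, current HMAC, timestamp and request counter,
    keyed with the Seed (layout assumed)."""
    msg = f"{device_id}|{app_mac}|{timestamp}|{counter}".encode()
    return hmac.new(seed, msg, hashlib.sha256).hexdigest()


class AuthServer:
    """Security authentication module: HMAC white list, Seed life cycle, Token verification."""

    def __init__(self, seed_ttl=3600):
        self.whitelist = {}   # app_id -> set of accepted HMACs (an app may have several)
        self.seeds = {}       # (app_id, device_id) -> {"seed", "expiry", "last_counter"}
        self.seed_ttl = seed_ttl

    def register(self, app_id, app_mac):
        self.whitelist.setdefault(app_id, set()).add(app_mac)

    def authenticate(self, app_id, device_id, app_mac, now=None):
        """Initialization request: issue a Seed only if the HMAC is white-listed."""
        now = time.time() if now is None else now
        if app_mac not in self.whitelist.get(app_id, ()):
            return None  # authentication failure message
        seed = secrets.token_bytes(32)
        self.seeds[(app_id, device_id)] = {"seed": seed, "expiry": now + self.seed_ttl,
                                           "last_counter": 0}
        return seed      # authentication parameters carried in the success message

    def verify(self, app_id, device_id, app_mac, token, timestamp, counter, now=None):
        """Cloud service request: expired Seed, stale timestamp, non-white-listed HMAC,
        replayed counter or wrong MAC all cause rejection."""
        now = time.time() if now is None else now
        entry = self.seeds.get((app_id, device_id))
        if entry is None or now > entry["expiry"]:
            return False
        if abs(now - timestamp) > 300:
            return False
        if app_mac not in self.whitelist.get(app_id, ()):
            return False
        if counter <= entry["last_counter"]:
            return False  # replay or out-of-order request
        expected = make_token(entry["seed"], device_id, app_mac, timestamp, counter)
        if not hmac.compare_digest(expected, token):
            return False
        entry["last_counter"] = counter
        return True


class SecurityComponent:
    """Mobile terminal security component for one application on one device."""

    def __init__(self, app_id, device_id, program_files, server):
        self.app_id, self.device_id, self.server = app_id, device_id, server
        self.app_mac = app_hmac(program_files, APP_KEY)
        self.seed = None
        self.counter = 0
        self.last_call = None

    def initialize(self, now=None):
        self.seed = self.server.authenticate(self.app_id, self.device_id, self.app_mac, now)
        return self.seed is not None

    def request(self, now=None):
        if self.seed is None:
            return False
        now = time.time() if now is None else now
        self.counter += 1
        token = make_token(self.seed, self.device_id, self.app_mac, int(now), self.counter)
        self.last_call = (token, int(now), self.counter)
        return self.server.verify(self.app_id, self.device_id, self.app_mac,
                                  *self.last_call, now=now)


def demo():
    """Constructed scenario covering the normal path and the rejected cases."""
    server = AuthServer(seed_ttl=3600)
    server.register(APP_ID, app_hmac(PROGRAM_FILES, APP_KEY))
    t0 = 1_700_000_000
    sc = SecurityComponent(APP_ID, DEVICE_ID, PROGRAM_FILES, server)
    results = {}
    results["init"] = sc.initialize(now=t0)
    results["first_request"] = sc.request(now=t0 + 1)
    token, ts, ctr = sc.last_call
    results["replay"] = server.verify(APP_ID, DEVICE_ID, sc.app_mac, token, ts, ctr, now=t0 + 2)
    tampered = dict(PROGRAM_FILES, **{"classes.dex": b"\x99\x99"})
    rogue = SecurityComponent(APP_ID, DEVICE_ID, tampered, server)
    results["tampered_init"] = rogue.initialize(now=t0)
    results["tampered_request"] = rogue.request(now=t0 + 3)
    results["expired"] = sc.request(now=t0 + 3601)
    return results


if __name__ == "__main__":
    print(demo())
```

demo() exercises the cases a verifier cares about: a replayed token is refused because the request counter does not advance, a modified copy of the application never obtains a Seed because its HMAC is not on the white list, and once the Seed's validity period has passed every Token derived from it is rejected, which is the behaviour item (2) above describes.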
Compared with the prior art, the technical scheme proposed by the embodiment of the present invention has the following advantages:
By applying the technical scheme proposed by the embodiment of the present invention, the HMAC information is determined according to the content of the program files of the application and authentication is performed accordingly; successfully authenticated HMAC information is saved in the server, thereby creating a corresponding white list; when a cloud service request is needed, the service request is made to the server according to the current HMAC information, and only when the server judges, according to the HMAC information, that the application is legitimate is the corresponding cloud service provided to the application. Thus, changes to the content of the application can be recognized accurately, preventing malicious use of the service caused by tampering with the application; and, because both the transmission and the storage of the HMAC information are invisible processes, the accuracy and validity of application identity identification are ensured.
To realize the above technical scheme, an embodiment of the present invention further provides a security component, whose structure is shown schematically in Figure 4. It is applied in a system comprising at least a terminal device and a server, wherein the terminal device comprises the security component and at least one application, and the security component comprises:
a determination module 41, for determining, when an application on the terminal device starts, the current HMAC information corresponding to the application according to the program files of the application;
an authentication module 42, for performing authentication of the application with the server according to the current HMAC information determined by the determination module 41, the identity information of the terminal device and the identity information of the application;
an identification module 43, for identifying the authentication result returned by the server and, if authentication succeeds, saving for the application the corresponding authentication parameters and the certified HMAC information;
a judgement module 44, for judging, when the application needs to initiate a cloud service request to the server, whether the current HMAC information corresponding to the application is consistent with the certified HMAC information;
a request module 45, for sending, when the judgement result of the judgement module 44 is consistent, a cloud service request to the server according to the current HMAC information and the authentication parameters, so that the server provides the corresponding cloud service to the application after confirming that the application is legitimate.
Wherein the authentication module 42 is further configured to:
judge whether currently valid authentication parameters exist for the application;
when the judgement result is yes and no authentication success mark is currently saved for the application, or when the judgement result is no, send an authentication request for the application to the server, the authentication request comprising at least the current HMAC information, the identity information of the terminal device and the identity information of the application;
when the judgement result is yes and an authentication success mark is currently saved for the application, judge whether the current HMAC information corresponding to the application is consistent with the certified HMAC information; if consistent, confirm that this initialization succeeds; if inconsistent, replace the certified HMAC information with the current HMAC information and confirm that this initialization fails.
Further, the identification module 43 is specifically configured to:
if the authentication result is authentication success, save for the application the corresponding authentication parameters, save the current HMAC information as the certified HMAC information, and add the authentication success mark;
if the authentication result is authentication failure, clear the locally saved authentication parameters, current HMAC information and certified HMAC information.
Preferably, the judgement module 44 is specifically configured to:
judge whether the locally stored authentication parameters are valid;
if the authentication parameters are invalid, or no initialization success mark is saved locally, confirm that the request fails;
if the authentication parameters are valid and an initialization success mark is saved locally, judge whether the current HMAC information corresponding to the application is consistent with the certified HMAC information.
In a concrete application scenario, the request module 45 is specifically configured to:
generate a token according to the current HMAC information and the authentication parameters;
send a cloud service request carrying the token to the server;
receive the data message returned by the server after it confirms, according to the token, that the application is legitimate, and send the data message to the application; or
receive the request failure message returned by the server after it confirms, according to the token, that the application is illegitimate, and feed the request failure result back to the application.
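The module descriptions above (authentication module 42, identification module 43, judgement module 44 and request module 45) define a small state machine kept on the device: authentication parameters, a certified HMAC and a success mark, consulted at every launch and before every request. The following Python is an added example, not the patent's or the SDK's code, that runs that state machine across several application launches; the toy server, the APP_KEY, the file contents and the return labels are assumptions, and it assumes that a failed initialization clears the success mark, which the text leaves implicit.

```python
import hashlib
import hmac

APP_KEY = b"constructed-app-key"                # assumed: the APPKEY held by the SDK
GOOD_PROGRAM = b"original program file bytes"   # constructed program-file content
TAMPERED_PROGRAM = b"patched program file bytes"  # constructed, modified content


def current_hmac(program_bytes):
    """Current HMAC information: HMAC-SHA256 of the program files under the APPKEY."""
    return hmac.new(APP_KEY, program_bytes, hashlib.sha256).hexdigest()


class LocalStore:
    """What the security component keeps for one application on the device."""

    def __init__(self):
        self.auth_params = None     # authentication parameters (here: seed and expiry)
        self.certified_hmac = None  # the HMAC the server accepted
        self.auth_success = False   # the authentication/initialization success mark


def params_valid(params, now):
    return params is not None and now < params["expiry"]


def toy_server(app_mac, now, whitelist=frozenset({current_hmac(GOOD_PROGRAM)})):
    """Server side reduced to the white-list decision (assumed, not the patent's server):
    returns authentication parameters on success, None on failure."""
    if app_mac in whitelist:
        return {"seed": b"constructed-seed", "expiry": now + 3600}
    return None


def initialize(store, program_bytes, now):
    """Start-up behaviour of modules 42 and 43. Returns 'success', 'failure' or
    'auth_failure' (labels assumed)."""
    cur = current_hmac(program_bytes)
    if params_valid(store.auth_params, now) and store.auth_success:
        if cur == store.certified_hmac:
            return "success"               # no server round trip needed
        store.certified_hmac = cur         # replace certified HMAC with the current one
        store.auth_success = False         # assumed: failed initialization clears the mark
        return "failure"
    params = toy_server(cur, now)          # send an authentication request
    if params is None:
        store.auth_params = store.certified_hmac = None
        store.auth_success = False
        return "auth_failure"
    store.auth_params = params
    store.certified_hmac = cur
    store.auth_success = True
    return "success"


def request(store, program_bytes, now):
    """Request gating of modules 44 and 45. Returns a token, or None if the request fails."""
    if not params_valid(store.auth_params, now) or not store.auth_success:
        return None
    cur = current_hmac(program_bytes)
    if cur != store.certified_hmac:
        return None
    msg = f"{cur}|{int(now)}".encode()
    return hmac.new(store.auth_params["seed"], msg, hashlib.sha256).hexdigest()


def scenario():
    """Constructed sequence of launches: normal use, then the application is modified."""
    store = LocalStore()
    t = 1_700_000_000
    trace = [
        ("launch_1", initialize(store, GOOD_PROGRAM, t)),
        ("request_1", request(store, GOOD_PROGRAM, t + 1) is not None),
        ("launch_2", initialize(store, GOOD_PROGRAM, t + 10)),
        ("launch_3", initialize(store, TAMPERED_PROGRAM, t + 20)),
        ("request_3", request(store, TAMPERED_PROGRAM, t + 21) is not None),
        ("launch_4", initialize(store, TAMPERED_PROGRAM, t + 30)),
        ("request_4", request(store, TAMPERED_PROGRAM, t + 31) is not None),
        ("launch_5", initialize(store, GOOD_PROGRAM, t + 40)),
    ]
    return dict(trace)


if __name__ == "__main__":
    for step, outcome in scenario().items():
        print(step, outcome)
```

The trace shows why the certified HMAC is replaced rather than simply rejected at launch 3: the mismatch fails that initialization locally, and the next launch (launch 4) is forced back to the server, which refuses the modified HMAC and wipes the local parameters, so no request from the modified copy ever carries a valid token.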
Further, an embodiment of the present invention provides a server, whose structure is shown schematically in Figure 5. It is applied in a system comprising at least a terminal device and a server, wherein the terminal device comprises a security component and at least one application, and the server comprises:
a storage module 51, for saving a white list of HMAC information according to successfully authenticated HMAC information and the corresponding application identity information, and recording the corresponding device identity information;
an authentication module 52, for receiving the authentication request sent by the security component, which carries the current HMAC information, the identity information of the terminal device and the identity information of the application, and querying whether corresponding HMAC information exists in the white list of HMAC information stored by the storage module;
a processing module 53, for generating authentication parameters when the query result of the authentication module 52 is yes and sending them to the security component carried in an authentication success message, or sending an authentication failure message to the security component when the query result of the authentication module 52 is no;
a verification module 54, for receiving the cloud service request sent by the security component according to the current HMAC information and the authentication parameters, confirming whether the application is legitimate according to the current HMAC information and the authentication parameters, and, when the verification by the verification module 54 succeeds, providing the corresponding cloud service to the application.
Wherein the verification module 54 is specifically configured to:
receive the cloud service request carrying a token sent by the security component, wherein the token is generated by the security component according to the current HMAC information and the authentication parameters;
judge, according to the information in the token and in combination with the white list of HMAC information stored by the storage module, whether the application is legitimate;
if legitimate, send the data corresponding to the cloud service request to the security component;
if illegitimate, send a request failure message to the security component.
From the description of the above embodiments, those skilled in the art can clearly understand that the present invention may be implemented by software together with a necessary general-purpose hardware platform, or of course by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical scheme of the present invention, or the part of it that contributes to the prior art, may in essence be embodied in the form of a software product stored on a storage medium and comprising instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform the method described in each embodiment of the present invention.
Those skilled in the art will appreciate that the drawings are schematic diagrams of a preferred embodiment, and that the modules or flows in the drawings are not necessarily required to implement the present invention.
Those skilled in the art will appreciate that the modules of the device in the embodiments may be distributed in the device of the embodiment as described, or may be changed accordingly and arranged in one or more devices different from the present embodiment. The modules of the above embodiments may be merged into one module or further split into multiple sub-modules.
The sequence numbers of the above embodiments of the present invention are for description only and do not represent the merits of the embodiments.
The above are only several specific embodiments of the present invention, but the present invention is not limited thereto; any changes that a person skilled in the art can think of shall fall within the protection scope of the present invention.

Claims (16)

1. An application identity authentication method, characterized in that it is applied in a system comprising at least a terminal device and a server, wherein the terminal device comprises a security component and at least one application, and the method comprises:
when an application on the terminal device starts, the security component determines, according to the program files of the application, the current HMAC information corresponding to the application;
the security component performs authentication of the application with the server according to the current HMAC information, the identity information of the terminal device and the identity information of the application;
the security component identifies the authentication result, and if authentication succeeds, the security component saves for the application the corresponding authentication parameters and the certified HMAC information;
when the application needs to initiate a cloud service request to the server, the security component judges whether the current HMAC information corresponding to the application is consistent with the certified HMAC information;
if consistent, the security component sends a cloud service request to the server according to the current HMAC information and the authentication parameters, so that the server provides the corresponding cloud service to the application after confirming that the application is legitimate.
2. The method of claim 1, characterized in that the security component performing authentication of the application with the server according to the current HMAC information, the identity information of the terminal device and the identity information of the application specifically comprises:
the security component judges whether currently valid authentication parameters exist for the application;
when the judgement result is yes and the security component judges that no authentication success mark is currently saved for the application, or when the judgement result is no, the security component sends an authentication request for the application to the server, the authentication request comprising at least the current HMAC information, the identity information of the terminal device and the identity information of the application;
when the judgement result is yes and the security component judges that an authentication success mark is currently saved for the application, the security component judges whether the current HMAC information corresponding to the application is consistent with the certified HMAC information; if consistent, it confirms that this initialization succeeds; if inconsistent, it replaces the certified HMAC information with the current HMAC information and confirms that this initialization fails.
3. The method of claim 2, characterized in that, after the security component performs authentication of the application with the server according to the current HMAC information, the identity information of the terminal device and the identity information of the application, the method further comprises:
the server queries, according to the identity information of the application, the locally saved white list of HMAC information, and judges whether an entry consistent with the current HMAC information and the identity information of the terminal device exists;
if it exists, the server generates authentication parameters and sends them to the security component carried in an authentication success message;
if it does not exist, the server sends an authentication failure message to the security component.
4. The method of claim 3, characterized in that the security component identifying the authentication result specifically comprises:
if the authentication result is authentication success, the security component saves for the application the corresponding authentication parameters, saves the current HMAC information as the certified HMAC information, and adds the authentication success mark;
if the authentication result is authentication failure, the security component clears the locally saved authentication parameters, current HMAC information and certified HMAC information.
5. The method of claim 1, characterized in that, before the security component judges whether the current HMAC information corresponding to the application is consistent with the certified HMAC information, the method further comprises:
the security component judges whether the locally stored authentication parameters are valid;
if the authentication parameters are invalid, or no initialization success mark is saved locally, it confirms that the request fails;
if the authentication parameters are valid and an initialization success mark is saved locally, the security component judges whether the current HMAC information corresponding to the application is consistent with the certified HMAC information.
6. The method of claim 5, characterized in that, after the security component judges whether the current HMAC information corresponding to the application is consistent with the certified HMAC information, the method further comprises:
if inconsistent, the security component confirms that the request fails.
7. The method of claim 5, characterized in that the security component sending a cloud service request to the server according to the current HMAC information and the authentication parameters, so that the server provides the corresponding cloud service to the application after confirming that the application is legitimate, specifically comprises:
the security component generates a token according to the current HMAC information and the authentication parameters;
the security component sends a cloud service request carrying the token to the server;
the security component receives the data message returned by the server after it confirms, according to the token, that the application is legitimate, and sends the data message to the application; or
the security component receives the request failure message returned by the server after it confirms, according to the token, that the application is illegitimate, and feeds the request failure result back to the application.
8. A security component, characterized in that it is applied in a system comprising at least a terminal device and a server, wherein the terminal device comprises the security component and at least one application, and the security component comprises:
a determination module, for determining, when an application on the terminal device starts, the current HMAC information corresponding to the application according to the program files of the application;
an authentication module, for performing authentication of the application with the server according to the current HMAC information determined by the determination module, the identity information of the terminal device and the identity information of the application;
an identification module, for identifying the authentication result returned by the server and, if authentication succeeds, saving for the application the corresponding authentication parameters and the certified HMAC information;
a judgement module, for judging, when the application needs to initiate a cloud service request to the server, whether the current HMAC information corresponding to the application is consistent with the certified HMAC information;
a request module, for sending, when the judgement result of the judgement module is consistent, a cloud service request to the server according to the current HMAC information and the authentication parameters, so that the server provides the corresponding cloud service to the application after confirming that the application is legitimate.
9. The security component of claim 8, characterized in that the authentication module is further configured to:
judge whether currently valid authentication parameters exist for the application;
when the judgement result is yes and no authentication success mark is currently saved for the application, or when the judgement result is no, send an authentication request for the application to the server, the authentication request comprising at least the current HMAC information, the identity information of the terminal device and the identity information of the application;
when the judgement result is yes and an authentication success mark is currently saved for the application, judge whether the current HMAC information corresponding to the application is consistent with the certified HMAC information; if consistent, confirm that this initialization succeeds; if inconsistent, replace the certified HMAC information with the current HMAC information and confirm that this initialization fails.
10. The security component of claim 9, characterized in that the identification module is specifically configured to:
if the authentication result is authentication success, save for the application the corresponding authentication parameters, save the current HMAC information as the certified HMAC information, and add the authentication success mark;
if the authentication result is authentication failure, clear the locally saved authentication parameters, current HMAC information and certified HMAC information.
11. The security component of claim 8, characterized in that the judgement module is specifically configured to:
judge whether the locally stored authentication parameters are valid;
if the authentication parameters are invalid, or no initialization success mark is saved locally, confirm that the request fails;
if the authentication parameters are valid and an initialization success mark is saved locally, judge whether the current HMAC information corresponding to the application is consistent with the certified HMAC information.
12. The security component of claim 8, characterized in that the request module is specifically configured to:
generate a token according to the current HMAC information and the authentication parameters;
send a cloud service request carrying the token to the server;
receive the data message returned by the server after it confirms, according to the token, that the application is legitimate, and send the data message to the application; or
receive the request failure message returned by the server after it confirms, according to the token, that the application is illegitimate, and feed the request failure result back to the application.
13. An application identity authentication method, characterized in that it is applied in a system comprising at least a terminal device and a server, wherein the terminal device comprises a security component and at least one application, and the method comprises:
the server saves a white list of HMAC information according to successfully authenticated HMAC information and the corresponding application identity information, and records the corresponding device identity information;
when the server receives an authentication request sent by the security component carrying the current HMAC information, the identity information of the terminal device and the identity information of the application, the server queries, according to the identity information of the application, the locally saved white list of HMAC information and judges whether an entry consistent with the current HMAC information and the identity information of the terminal device exists;
if it exists, the server generates authentication parameters and sends them to the security component carried in an authentication success message; or, if it does not exist, the server sends an authentication failure message to the security component;
when the server receives a cloud service request sent by the security component according to the current HMAC information and the authentication parameters, the server confirms whether the application is legitimate according to the current HMAC information and the authentication parameters, and if legitimate, provides the corresponding cloud service to the application.
14. The method of claim 13, characterized in that the server confirming whether the application is legitimate according to the current HMAC information and the authentication parameters specifically comprises:
the server receives the cloud service request carrying a token sent by the security component, wherein the token is generated by the security component according to the current HMAC information and the authentication parameters;
the server judges, according to the information in the token and in combination with the stored white list of HMAC information, whether the application is legitimate;
if legitimate, the server sends the data corresponding to the cloud service request to the security component;
if illegitimate, the server sends a request failure message to the security component.
15. A server, characterized in that it is applied in a system comprising at least a terminal device and a server, wherein the terminal device comprises a security component and at least one application, and the server comprises:
a storage module, for saving a white list of HMAC information according to successfully authenticated HMAC information and the corresponding application identity information, and recording the corresponding device identity information;
an authentication module, for receiving the authentication request sent by the security component, which carries the current HMAC information, the identity information of the terminal device and the identity information of the application, and querying whether corresponding HMAC information exists in the white list of HMAC information stored by the storage module;
a processing module, for generating authentication parameters when the query result of the authentication module is yes and sending them to the security component carried in an authentication success message, or sending an authentication failure message to the security component when the query result of the authentication module is no;
a verification module, for receiving the cloud service request sent by the security component according to the current HMAC information and the authentication parameters, confirming whether the application is legitimate according to the current HMAC information and the authentication parameters, and, when the verification by the verification module succeeds, providing the corresponding cloud service to the application.
16. The server of claim 15, characterized in that the verification module is specifically configured to:
receive the cloud service request carrying a token sent by the security component, wherein the token is generated by the security component according to the current HMAC information and the authentication parameters;
judge, according to the information in the token and in combination with the white list of HMAC information stored by the storage module, whether the application is legitimate;
if legitimate, send the data corresponding to the cloud service request to the security component;
if illegitimate, send a request failure message to the security component.
CN201310752998.6A 2013-12-31 2013-12-31 A kind of verification method and equipment of application identity Active CN104753674B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310752998.6A CN104753674B (en) 2013-12-31 2013-12-31 A kind of verification method and equipment of application identity

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310752998.6A CN104753674B (en) 2013-12-31 2013-12-31 A kind of verification method and equipment of application identity

Publications (2)

Publication Number Publication Date
CN104753674A true CN104753674A (en) 2015-07-01
CN104753674B CN104753674B (en) 2018-10-12

Family

ID=53592835

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310752998.6A Active CN104753674B (en) 2013-12-31 2013-12-31 A kind of verification method and equipment of application identity

Country Status (1)

Country Link
CN (1) CN104753674B (en)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105993156A (en) * 2015-10-23 2016-10-05 深圳还是威健康科技有限公司 Server access authentication method and device
CN106549957A (en) * 2016-10-26 2017-03-29 上海众人网络安全技术有限公司 A kind of legal authentication method of terminal applies and system
CN106878233A (en) * 2015-12-10 2017-06-20 联芯科技有限公司 The read method of secure data, security server, terminal and system
CN107066380A (en) * 2017-02-23 2017-08-18 青岛海信电器股份有限公司 The authentication method and device of a kind of application comprising redundancy feature
CN107919960A (en) * 2017-12-04 2018-04-17 北京深思数盾科技股份有限公司 The authentication method and system of a kind of application program
CN110098933A (en) * 2018-01-29 2019-08-06 卓望数码技术(深圳)有限公司 A kind of mobile phone application automatic identity authentication method and system
CN110581897A (en) * 2019-09-30 2019-12-17 山东浪潮通软信息科技有限公司 Method for realizing data interaction between two systems under unidirectional network environment
CN110581833A (en) * 2018-06-11 2019-12-17 中移(杭州)信息技术有限公司 Service security protection method and device
CN111552928A (en) * 2020-04-26 2020-08-18 北京学之途网络科技有限公司 Authentication method and device
CN112688920A (en) * 2020-12-09 2021-04-20 北京博瑞彤芸科技股份有限公司 Method and system for judging authenticity of meeting event
CN113542235A (en) * 2021-06-28 2021-10-22 上海浦东发展银行股份有限公司 Security mutual access system and method based on token mutual trust mechanism
TWI753102B (en) * 2018-02-09 2022-01-21 劉根田 Real-name authentication service system and real-name authentication service method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030093681A1 (en) * 2001-10-15 2003-05-15 Wettstein Gregory H. Digital identity creation and coalescence for service authorization
CN101227286A (en) * 2008-01-31 2008-07-23 北京飞天诚信科技有限公司 Method for generating message authentication code
CN102045356A (en) * 2010-12-14 2011-05-04 中国科学院软件研究所 Cloud-storage-oriented trusted storage verification method and system
CN102378170A (en) * 2010-08-27 2012-03-14 中国移动通信有限公司 Method, device and system of authentication and service calling

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017066994A1 (en) * 2015-10-23 2017-04-27 深圳还是威健康科技有限公司 Method and device for verifying access to server
CN105993156A (en) * 2015-10-23 2016-10-05 深圳还是威健康科技有限公司 Server access authentication method and device
CN105993156B (en) * 2015-10-23 2020-01-14 深圳市元征科技股份有限公司 Server access verification method and device
CN106878233A (en) * 2015-12-10 2017-06-20 联芯科技有限公司 The read method of secure data, security server, terminal and system
CN106549957A (en) * 2016-10-26 2017-03-29 上海众人网络安全技术有限公司 A kind of legal authentication method of terminal applies and system
CN106549957B (en) * 2016-10-26 2020-01-31 上海众人网络安全技术有限公司 terminal application copyright authentication method and system
CN107066380A (en) * 2017-02-23 2017-08-18 青岛海信电器股份有限公司 The authentication method and device of a kind of application comprising redundancy feature
CN107919960A (en) * 2017-12-04 2018-04-17 北京深思数盾科技股份有限公司 The authentication method and system of a kind of application program
CN110098933B (en) * 2018-01-29 2021-09-14 卓望数码技术(深圳)有限公司 Automatic identity authentication method and system for mobile phone application
CN110098933A (en) * 2018-01-29 2019-08-06 卓望数码技术(深圳)有限公司 A kind of mobile phone application automatic identity authentication method and system
TWI753102B (en) * 2018-02-09 2022-01-21 劉根田 Real-name authentication service system and real-name authentication service method
CN110581833A (en) * 2018-06-11 2019-12-17 中移(杭州)信息技术有限公司 Service security protection method and device
CN110581833B (en) * 2018-06-11 2022-08-23 中移(杭州)信息技术有限公司 Service security protection method and device
CN110581897A (en) * 2019-09-30 2019-12-17 山东浪潮通软信息科技有限公司 Method for realizing data interaction between two systems under unidirectional network environment
CN111552928A (en) * 2020-04-26 2020-08-18 北京学之途网络科技有限公司 Authentication method and device
CN112688920A (en) * 2020-12-09 2021-04-20 北京博瑞彤芸科技股份有限公司 Method and system for judging authenticity of meeting event
CN112688920B (en) * 2020-12-09 2021-09-21 北京博瑞彤芸科技股份有限公司 Method and system for judging authenticity of meeting event
CN113542235A (en) * 2021-06-28 2021-10-22 上海浦东发展银行股份有限公司 Security mutual access system and method based on token mutual trust mechanism
CN113542235B (en) * 2021-06-28 2023-04-07 上海浦东发展银行股份有限公司 Safe mutual access method based on token mutual trust mechanism

Also Published As

Publication number Publication date
CN104753674B (en) 2018-10-12

Similar Documents

Publication Publication Date Title
CN111429254B (en) Business data processing method and device and readable storage medium
CN104753674B (en) A kind of verification method and equipment of application identity
EP3800909B1 (en) Remote management method, and device
CN102378170B (en) Method, device and system of authentication and service calling
CN108173662B (en) Equipment authentication method and device
CN110401615B (en) Identity authentication method, device, equipment, system and readable storage medium
CN111131416B (en) Service providing method and device, storage medium and electronic device
CN108243176B (en) Data transmission method and device
CN103685138A (en) Method and system for authenticating application software of Android platform on mobile internet
CN112559993B (en) Identity authentication method, device and system and electronic equipment
CN104125565A (en) Method for realizing terminal authentication based on OMA DM, terminal and server
KR102137122B1 (en) Security check method, device, terminal and server
CN109145628B (en) Data acquisition method and system based on trusted execution environment
CN112187466B (en) Identity management method, device, equipment and storage medium
CN111800262B (en) Digital asset processing method and device and electronic equipment
CN112257093B (en) Authentication method, terminal and storage medium for data object
CN109729000B (en) Instant messaging method and device
CN108768650B (en) Short message verification system based on biological characteristics
CN112769789B (en) Encryption communication method and system
CN111970122B (en) Official APP identification method, mobile terminal and application server
CN108234125B (en) System and method for identity authentication
CN108234126B (en) System and method for remote account opening
CN115459929B (en) Security verification method, security verification device, electronic equipment, security verification system, security verification medium and security verification product
KR102053993B1 (en) Method for Authenticating by using Certificate
CN111148213A (en) Registration method of 5G user terminal, user terminal equipment and medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant