CN104753674B - A verification method and device for application identity - Google Patents

A verification method and device for application identity

Info

Publication number
CN104753674B
Authority
CN
China
Prior art keywords
application
information
server
security component
hmac
Legal status (as listed by Google Patents; not a legal conclusion)
Active
Application number
CN201310752998.6A
Other languages
Chinese (zh)
Other versions
CN104753674A (en)
Inventor
王在方
孙悦
蔡准
赵军
Current Assignee
China Mobile Communications Group Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
Events
Application filed by China Mobile Communications Group Co Ltd
Priority to CN201310752998.6A
Publication of CN104753674A
Application granted
Publication of CN104753674B
Legal status: Active

Abstract

The embodiments of the present invention disclose a verification method and device for application identity. In the proposed technical solution, HMAC information is determined from the content of an application's program files and used to authenticate the application, and HMAC information that passes authentication is saved on the server to build a corresponding white list. When a cloud service request is needed, the service request is made to the server on the basis of the current HMAC information, and the server provides the corresponding cloud service only if it judges from the HMAC information that the application is legitimate. Changes to the application's content can thus be recognized accurately, which prevents services from being used maliciously because an application has been tampered with. Because the transmission and storage of the HMAC information are processes invisible to the user and the developer, the accuracy and validity of application identity identification are ensured.

Description

A verification method and device for application identity
Technical field
The present invention relates to the field of communication technology, and in particular to a verification method and device for application identity.
Background technology
Platform operators that provide open services to smartphone application developers often need to identify the identity source of an application requesting a service, for mobile phone application software that is developed and published on top of their SDK (Software Development Kit). This includes both the identity of the application and the identity of each running instance of the application. On the one hand this allows usage of the operator's own services to be counted; on the other hand, server-side access authentication can prevent high-value or sensitive services from being used without authorization.
A fairly common way of identifying smartphone application software is to require the developer to register with the service provider and obtain unique identification information (an APP ID) issued by the service provider. The application stores the APP ID and the corresponding key on the phone and presents them when calling the service. The service provider uses this information to judge whether a service invocation request comes from an authorized application. Products such as the Google Maps SDK and the Sina Weibo SDK authorize applications in a similar way.
The usual ways of identifying an installation or running instance of smartphone application software include:
(1) collecting mobile device identification information, such as the IMEI (International Mobile Equipment Identity number);
(2) using other unique device identifiers provided by the system, such as the ASHWID (App Specific Hardware ID) provided by the Windows Phone platform or the UDID (Unique Device ID) in iOS;
(3) using a self-defined UUID.
In implementing the present invention, the inventors found that the prior art has at least the following problems.
The main defects of application identification technology based on an APP ID and key are:
(1) Cracked applications cannot be identified. After an application is cracked, its APP ID and key are still correct, but its logic has been changed into that of a malicious application. The server side cannot identify such applications and therefore cannot prevent attackers from stealing service capability.
(2) Security is insufficient in certain application scenarios. The APP ID and key are fully visible to the developer. Although the real APP ID and key can be protected to some degree by obfuscation and encryption, they must be passed to the SDK in the clear, so the difficulty of cracking them is not high.
Summary of the invention
The embodiments of the present invention aim to provide a verification method and device for application identity that can accurately identify the legitimacy of an application on the basis of HMAC information.
To achieve the above object, an embodiment of the present invention provides a verification method for application identity, applied in a system including at least a terminal device and a server, where the terminal device includes a security component and at least one application. The method includes:
when an application on the terminal device starts, the security component determines the current HMAC information corresponding to the application from the application's program files;
the security component performs authentication of the application with the server according to the current HMAC information, the identity information of the terminal device and the identity information of the application;
the security component identifies the authentication result and, if authentication succeeds, saves the corresponding authentication parameter and certified HMAC information for the application;
when the application needs to initiate a cloud service request to the server, the security component judges whether the current HMAC information corresponding to the application is consistent with the certified HMAC information;
if consistent, the security component sends a cloud service request to the server according to the current HMAC information and the authentication parameter, so that the server provides the corresponding cloud service to the application once it has confirmed that the application is legitimate.
In another aspect, an embodiment of the present invention further provides a security component, applied in a system including at least a terminal device and a server, where the terminal device includes the security component and at least one application. The security component includes:
a determining module, for determining, when an application on the terminal device starts, the current HMAC information corresponding to the application from the application's program files;
an authentication module, for performing authentication of the application with the server according to the current HMAC information determined by the determining module, the identity information of the terminal device and the identity information of the application;
an identification module, for identifying the authentication result returned by the server and, if authentication succeeds, saving the corresponding authentication parameter and certified HMAC information for the application;
a judgment module, for judging, when the application needs to initiate a cloud service request to the server, whether the current HMAC information corresponding to the application is consistent with the certified HMAC information;
a request module, for sending, when the judgment result of the judgment module is consistent, a cloud service request to the server according to the current HMAC information and the authentication parameter, so that the server provides the corresponding cloud service to the application once it has confirmed that the application is legitimate.
In another aspect, an embodiment of the present invention further provides a server, applied in a system including at least a terminal device and a server, where the terminal device includes a security component and at least one application. The server includes:
a storage module, for saving a white list of HMAC information according to successfully authenticated HMAC information and the corresponding application identity information, and recording the corresponding device identity information;
an authentication module, for receiving an authentication request sent by the security component that carries current HMAC information, the identity information of the terminal device and the identity information of the application, and querying whether corresponding HMAC information exists in the white list stored by the storage module;
a processing module, for generating an authentication parameter and sending it to the security component in an authentication success message when the query result of the authentication module is yes, or sending an authentication failure message to the security component when the query result of the authentication module is no;
a verification module, for receiving the cloud service request sent by the security component according to the current HMAC information and the authentication parameter, confirming whether the application is legitimate according to the current HMAC information and the authentication parameter, and providing the corresponding cloud service to the application when verification succeeds.
Compared with the prior art, the technical solution proposed by the embodiments of the present invention has the following advantages:
HMAC information is determined from the content of the application's program files and used for authentication, and HMAC information that passes authentication is saved on the server to build a corresponding white list. When a cloud service request is needed, the service request is made to the server on the basis of the current HMAC information, and the server provides the corresponding cloud service only if it judges from the HMAC information that the application is legitimate. Changes to the application's content can thus be recognized accurately, which prevents services from being used maliciously because an application has been tampered with. Because the transmission and storage of the HMAC information are processes invisible to the user and the developer, the accuracy and validity of application identity identification are ensured.
Description of the drawings
Fig. 1 is a flow diagram of a verification method for application identity proposed by an embodiment of the present invention;
Fig. 2 is a flow diagram of the verification method for application identity in a specific application scenario, proposed by an embodiment of the present invention;
Fig. 3 is a structural diagram of a security protection system for mobile phone application cloud service providers proposed by an embodiment of the present invention;
Fig. 4 is a structural diagram of a security component proposed by an embodiment of the present invention;
Fig. 5 is a structural diagram of a server proposed by an embodiment of the present invention.
Specific implementation mode
The technical solution of the present invention is described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention, without creative effort, fall within the scope of protection of the present invention.
The embodiments of the present invention propose a verification method for application identity, which identifies the identity of a mobile phone application and judges whether the application is one that has been authorized. The technical solution is mainly based on calculating an HMAC over the program files of the mobile phone application software. Because the content of the program files remains unchanged after the application software has been distributed, the HMAC calculated over all of the program file content is also unique, and once the program file content is altered, the HMAC value necessarily changes. The calculated HMAC value is encrypted together with the APPID and transmitted to the server side, which judges from an HMAC value white list whether the application has been changed and so decides whether to authorize the application's service invocation request. The calculation, storage and transmission of the HMAC value are all invisible to the phone user and to the mobile phone application developer, which ensures the accuracy and validity of mobile phone application identity identification. This proposal also includes methods for securely storing and securely transmitting the HMAC value.
To achieve the above object, an embodiment of the present invention provides a verification method for application identity. Fig. 1 is a flow diagram of the verification method for application identity provided by this embodiment. The method is applied in a system including at least a terminal device and a server, where the terminal device includes a security component and at least one application, and includes the following steps.
Step S101: when an application on the terminal device starts, the security component determines the current HMAC information corresponding to the application from the application's program files.
Step S102: the security component performs authentication of the application with the server according to the current HMAC information, the identity information of the terminal device and the identity information of the application.
In a practical application scenario, this step specifically includes the following.
The security component judges whether a valid authentication parameter corresponding to the application currently exists.
If the judgment result is yes and the security component judges that no authentication success label corresponding to the application is currently saved, or if the judgment result is no, the security component sends an authentication request for the application to the server. The authentication request includes at least the current HMAC information, the identity information of the terminal device and the identity information of the application.
Specifically, after this step the server queries the locally saved white list of HMAC information according to the identity information of the application and judges whether it contains information consistent with the current HMAC information and the identity information of the terminal device. If it does, the server generates an authentication parameter and sends it to the security component in an authentication success message; if it does not, the server sends an authentication failure message to the security component.
If the judgment result is yes and the security component judges that an authentication success label corresponding to the application is currently saved, the security component judges whether the current HMAC information corresponding to the application is consistent with the certified HMAC information. If consistent, it confirms that this initialization succeeded; if inconsistent, it replaces the certified HMAC information with the current HMAC information and confirms that this initialization failed.
Step S103: the security component identifies the authentication result.
If authentication succeeds, step S104 is executed.
If the authentication result is authentication failure, the security component clears the locally saved authentication parameter, current HMAC information and certified HMAC information.
Step S104: the security component saves the corresponding authentication parameter and certified HMAC information for the application.
In a specific application scenario, the processing of this step includes:
the security component saves the corresponding authentication parameter for the application, saves the current HMAC information as the certified HMAC information, and adds an authentication success label.
Step S105: when the application needs to initiate a cloud service request to the server, the security component judges whether the current HMAC information corresponding to the application is consistent with the certified HMAC information.
Specifically, before this step the method further includes:
the security component judges whether the locally stored authentication parameter is valid;
if the authentication parameter is invalid, or no initialization success label is saved locally, the request is confirmed as failed;
if the authentication parameter is valid and an initialization success label is saved locally, the security component judges whether the current HMAC information corresponding to the application is consistent with the certified HMAC information.
If consistent, step S106 is executed;
if inconsistent, the security component confirms that the request failed.
Step S106: the security component sends a cloud service request to the server according to the current HMAC information and the authentication parameter, so that the server provides the corresponding cloud service to the application once it has confirmed that the application is legitimate.
Specifically, the processing of this step includes:
the security component generates a token according to the current HMAC information and the authentication parameter;
the security component sends a cloud service request carrying the token to the server;
the security component receives the data information returned by the server after the server has confirmed from the token that the application is legitimate, and sends the data information to the application; or,
the security component receives the request failure message returned by the server after the server has determined from the token that the application is illegitimate, and feeds the request failure result back to the application.
The above describes the processing flow on the security component side. Correspondingly, the processing on the server side is further described as follows.
The server saves a white list of HMAC information according to successfully authenticated HMAC information and the corresponding application identity information, and records the corresponding device identity information.
When the server receives an authentication request sent by the security component that carries current HMAC information, the identity information of the terminal device and the identity information of the application, the server queries the locally saved white list of HMAC information according to the identity information of the application and judges whether it contains information consistent with the current HMAC information and the identity information of the terminal device.
If it does, the server generates an authentication parameter and sends it to the security component in an authentication success message; if it does not, the server sends an authentication failure message to the security component.
When the server receives the cloud service request sent by the security component according to the current HMAC information and the authentication parameter, the server confirms whether the application is legitimate according to the current HMAC information and the authentication parameter, and if it is legitimate, provides the corresponding cloud service to the application.
In a specific application scenario, the process by which the server confirms whether the application is legitimate according to the current HMAC information and the authentication parameter specifically includes the following steps:
the server receives the cloud service request carrying the token sent by the security component, where the token is generated by the security component according to the current HMAC information and the authentication parameter;
the server judges whether the application is legitimate according to the information in the token, combined with the stored white list of HMAC information;
if legitimate, the server sends the data corresponding to the cloud service request to the security component;
if illegitimate, the server sends a request failure message to the security component.
The processing of the above technical solution is described in detail below with a specific embodiment, to which it is not, however, limited.
The technical solution proposed by the embodiments of the present invention mainly ensures that a mobile phone application developed by a developer first undergoes mobile phone application identity authentication before making a service request; only a mobile phone application that has passed identity authentication can use the cloud service provided by the server.
Identity authentication is implemented by the terminal-side SDK supplied to the mobile phone application developer together with the authentication module on the server side; the flow is shown in Fig. 2.
To explain the technical solution proposed by the embodiments of the present invention clearly, the above process can be divided into two stages, which are described separately.
First stage: the initialization phase.
Before a mobile phone application developed by a developer calls a cloud service, it must first be initialized.
The purpose of initialization is to obtain an authentication parameter (Seed) from the server side, which is used to calculate the token (Token) required when making a service request to the server.
Step S201: the application calls the initialization interface of the SDK to initialize the current SDK.
Step S202: the SDK calculates the HMAC of the current program files.
At the start of initialization, the SDK traverses the program files under the installation directory of the mobile phone application software and calculates the HMAC of each program file in alphabetical order (using the HMAC-SHA-256 algorithm, with the key required for the calculation preset in the SDK); it then concatenates the individual HMACs and calculates a final HMAC over them, which is saved in memory for use by subsequent processing. After each start of the application software the HMAC is calculated only once and the result is kept in memory, which avoids the overhead of repeated calculation.
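The file walk of step S202, as an added Python example (not code from the patent or from China Mobile's SDK): it computes HMAC-SHA-256 over every file under an install directory in alphabetical order of relative path, concatenates the per-file HMACs and HMACs the concatenation, as the paragraph above describes. The preset key, the sample file names and contents, and the hex encoding of the result are assumptions constructed for this example. The demo shows the two properties the scheme relies on: the value is identical for two installs of the same files and changes when a single byte of one file changes.

```python
import hashlib
import hmac
import os
import tempfile

# Key assumed to be preset inside the SDK (hypothetical value constructed for this example).
SDK_PRESET_KEY = b"sdk-preset-key-example"


def file_hmac(path: str, key: bytes) -> bytes:
    """HMAC-SHA-256 of a single program file, read in chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.digest()


def app_hmac(install_dir: str, key: bytes = SDK_PRESET_KEY) -> str:
    """Composite HMAC of an application's program files (step S202): HMAC every file
    under install_dir in alphabetical order of its relative path, concatenate the
    per-file HMACs, then HMAC the concatenation. Returned as hex."""
    rel_paths = []
    for root, _dirs, files in os.walk(install_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), install_dir)
            rel_paths.append(rel.replace(os.sep, "/"))
    rel_paths.sort()  # fixed order, independent of how the filesystem lists entries
    combined = b"".join(file_hmac(os.path.join(install_dir, p), key) for p in rel_paths)
    return hmac.new(key, combined, hashlib.sha256).hexdigest()


def make_sample_app(app_dir: str, tampered: bool = False) -> str:
    """Constructed sample install directory with a few fake program files."""
    files = {
        "classes.dex": b"dex\n035\x00" + b"A" * 100,
        "lib/libnative.so": b"\x7fELF" + b"B" * 100,
        "res/config.xml": b"<config/>",
    }
    if tampered:
        files["classes.dex"] = files["classes.dex"][:-1] + b"Z"  # a single byte changed
    for rel, data in files.items():
        path = os.path.join(app_dir, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return app_dir


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        clean_1 = app_hmac(make_sample_app(os.path.join(tmp, "a")))
        clean_2 = app_hmac(make_sample_app(os.path.join(tmp, "b")))                  # same files elsewhere
        tampered = app_hmac(make_sample_app(os.path.join(tmp, "c"), tampered=True))  # one byte differs
    return {"clean_1": clean_1, "clean_2": clean_2, "tampered": tampered}


if __name__ == "__main__":
    r = demo()
    print("same value for identical installs:", r["clean_1"] == r["clean_2"])
    print("changes on a one-byte edit:", r["clean_1"] != r["tampered"])
```

A key preset in the SDK can be recovered by anyone who can read the SDK binary, so the composite HMAC on its own only shows that the files on disk are unchanged when the computation itself is honest; the description therefore pairs it with white-box protection of key material and makes the server-side white list the decisive check.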
Step S203: in addition to calculating the HMAC, the SDK also checks the validity of the authentication parameter (Seed).
If it is valid, step S204 is executed;
if the Seed has expired or does not exist, step S205 must be executed to initiate a network authentication request to the server.
Step S204: the SDK judges whether an initialization success label is currently saved.
If the judgment result is no, step S205 must be executed to initiate a network authentication request to the server for authentication;
if the judgment result is yes, step S208 is executed.
Step S205: the SDK initiates a network authentication request.
The purpose of the network authentication request is to ask the server to authenticate the application identity and send back a Seed. Because the parameters of the authentication request include sensitive information such as the device ID, device information and the MAC, the request message must be encrypted together with a timestamp and an HMAC must be calculated over these parameters, to prevent the message from being eavesdropped on, tampered with or replayed.
Step S206: after receiving the request, the server looks up the application's APPKEY from its APPID and then checks the HMAC value of the parameters. If it does not match, the request is discarded and a failure is returned; otherwise the server continues by checking whether an entry consistent with the APPID, device information and MAC exists in the application HMAC white list.
If no such entry exists, a failure is returned; otherwise a Seed is generated, encrypted and returned.
Step S207: the SDK checks the response returned by the server.
If the authentication request response received is marked as successful, the SDK encrypts and stores the Seed using the APPKEY, encrypts and stores the application HMAC, sets the initialization success label for the HMAC, and confirms that this initialization succeeded.
If the authentication request response received is marked as failed, the SDK directly clears the local Seed and HMAC and confirms that this initialization failed.
Step S208: the SDK compares the HMAC calculated this time with the HMAC marked as successfully initialized.
If the comparison result is consistent, it confirms that this initialization succeeded.
If the comparison result is inconsistent, it replaces the previously stored HMAC marked as successful with the HMAC calculated this time, and confirms that this initialization failed.
Second stage: the cloud service request phase.
Step S209: when the mobile phone application needs to request a cloud service, it calls the cloud service calling interface provided by the SDK.
Step S210: the SDK first checks the validity of the Seed and confirms that correct initialization has been completed.
If the Seed is invalid, or there is no initialization success label, a failure is returned and the application is reminded to call the initialization interface again.
If the Seed is valid and an initialization success label exists, step S211 is executed.
Step S211: the SDK checks whether the HMAC value is consistent with the value saved after successful authentication.
If inconsistent, the program or local data has been damaged and the application may have been attacked; the SDK directly feeds back a request failure to the application.
If consistent, step S212 is executed.
Step S212: the SDK initiates the cloud service request.
For every cloud service request whose Seed and HMAC value are valid, the SDK calculates a Token (based on the Seed, the timestamp, the request counter, the application name and other information, encrypted using the APPKEY) and initiates the service invocation request to the cloud server.
Step S213: the cloud server checks the Token.
If the check passes, the corresponding data is returned for the service request.
If the check fails, a request failure result is returned.
Step S214: the SDK receives the processing result returned by the cloud server.
If the processing result indicates that the cloud service request succeeded, the corresponding data is extracted and fed back to the application, and the current cloud service request succeeds.
If the processing result indicates that the cloud service request failed, the failure of the current cloud service request is fed back to the application.
Based on the above method, a security system oriented to mobile-phone application cloud service providers is realized, which provides security protection for the services they offer. Figure 3 is a structural schematic diagram of the security protection system oriented to mobile-phone application cloud service providers proposed by the embodiment of the present invention.
The security system comprises a mobile-phone-side security component (provided in the form of an SDK) and a cloud-side application identity authentication system.
The mobile-phone-side security component is supplied to developers as an SDK and is called, as a library, by the applications the developers build. The security component implements algorithms such as AES and HMAC, provides secure storage of data, computes and locally verifies the integrity of the application, and implements secure communication with the server side.
The server side exists as a security authentication module on the cloud server; it can be deployed in a separate Web container or integrated into the cloud service provider's own server.
The functions realized by the security authentication module mainly include the following aspects.
(1) APPKEY management.
When the server generates an APPID for an application, it also generates an APPKEY. The APPKEY is stored in encrypted form inside the SDK, and data encryption is performed with a white-box encryption algorithm.
(2) Seed life-cycle management.
When the mobile-phone-side security component initiates an initialization/application authentication request, the server generates a Seed uniquely corresponding to the application and the device ID and sets a validity period for it. Once the Seed expires, every Token computed from it automatically becomes invalid.
(3) Token generation and verification.
After the mobile-phone-side security component receives the Seed, it combines it, according to a certain algorithm, with information such as the device ID, a timestamp and a request counter, so that a different Token is generated for every request (a one-time-pad style of use).
(4) HMAC white-list management for mobile-phone applications.
For each application that calls the capability, an HMAC white list is maintained. An application is allowed to possess several HMACs.
For specific application scenarios, in the above security system the communication between the mobile-phone-side security component and the security authentication module can be realized over the HTTP protocol.
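The Seed life cycle of aspect (2) and the per-request Token of aspect (3) can be sketched as follows. This is an added example, not code from the patent or from the SDK it describes; since the patent only says "a certain algorithm", the Token construction (HMAC-SHA256 keyed by the Seed over device ID, timestamp and request counter), the Seed validity period, the clock-skew window and the replay check on the request counter are all assumptions.

```python
"""Seed life cycle and one-token-per-request scheme (added example, not the
patent's or the SDK's own code).  The Seed TTL, the clock-skew window, the
message layout and the replay check on the request counter are assumptions."""
import hashlib
import hmac
import secrets
import time

SEED_TTL_SECONDS = 3600        # assumed validity period set by the server for a Seed
TIMESTAMP_SKEW_SECONDS = 300   # assumed tolerance between client and server clocks


class SeedStore:
    """Server side: one Seed per (APPID, device ID) with an expiry time and the
    last request counter accepted for it."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be exercised offline
        self._seeds = {}          # (appid, device_id) -> [seed, expires_at, last_counter]

    def issue(self, appid, device_id):
        """Called on an initialization/authentication request: a fresh random Seed."""
        seed = secrets.token_bytes(32)
        self._seeds[(appid, device_id)] = [seed, self.now() + SEED_TTL_SECONDS, 0]
        return seed

    def lookup(self, appid, device_id):
        """Return the live entry, or None once the Seed has expired (its Tokens die with it)."""
        entry = self._seeds.get((appid, device_id))
        if entry is None or self.now() >= entry[1]:
            return None
        return entry


def make_token(seed, device_id, timestamp, counter):
    """Client side: Token = HMAC-SHA256(Seed, device_id | timestamp | counter).
    Because the counter changes on every request, every Token is different."""
    msg = f"{device_id}|{timestamp}|{counter}".encode()
    return hmac.new(seed, msg, hashlib.sha256).hexdigest()


def verify_token(store, appid, device_id, timestamp, counter, token):
    """Server side: reject expired Seeds, stale timestamps and reused counters,
    then recompute the Token and compare in constant time.  Returns (accepted, reason)."""
    entry = store.lookup(appid, device_id)
    if entry is None:
        return False, "seed missing or expired"
    seed, _, last_counter = entry
    if abs(store.now() - timestamp) > TIMESTAMP_SKEW_SECONDS:
        return False, "timestamp outside window"
    if counter <= last_counter:
        return False, "counter reused"
    if not hmac.compare_digest(make_token(seed, device_id, timestamp, counter), token):
        return False, "bad token"
    entry[2] = counter   # remember the counter only after the MAC checked out
    return True, "ok"


if __name__ == "__main__":
    store = SeedStore()
    seed = store.issue("APPID-demo", "device-001")   # constructed identifiers
    now = int(time.time())
    tok = make_token(seed, "device-001", now, 1)
    print(verify_token(store, "APPID-demo", "device-001", now, 1, tok))   # (True, 'ok')
    print(verify_token(store, "APPID-demo", "device-001", now, 1, tok))   # (False, 'counter reused')
```

The counter is stored only after the MAC has been checked, so a forged request with a high counter cannot lock out the legitimate client, and an expired Seed is refused before any Token arithmetic is done, which is what "Tokens cease to be in force when the Seed fails" amounts to on the server.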
Compared with the prior art, the technical solution proposed by the embodiment of the present invention has the following advantages:
By adopting the technical solution proposed by the embodiment of the present invention, HMAC information is determined according to the content of the application's program file and authentication is carried out accordingly; the HMAC information that passes authentication is kept on the server to create a corresponding white list. When a cloud service request is needed, the service request is made to the server according to the current HMAC information, and the server provides the corresponding cloud service to the application only if it judges the application legitimate according to the HMAC information. Thus a change in the application's content can be recognized accurately, preventing the service from being used maliciously because the application was tampered with; moreover, since the transmission and storage of HMAC information are invisible processes, the accuracy and validity of application identity recognition are guaranteed.
In order to realize the above technical solution, the embodiment of the present invention further provides a security component, whose structural schematic diagram is shown in Figure 4. It is applied in a system comprising at least a terminal device and a server, where the terminal device carries a security component and at least one application, and the security component comprises:
a determining module 41, used, when an application on the terminal device starts, to determine the current HMAC information corresponding to the application according to the application's program file;
an authentication module 42, used to carry out the authentication of the application with the server according to the current HMAC information determined by the determining module 41, the identity information of the terminal device and the identity information of the application;
an identification module 43, used to identify the authentication result returned by the server and, if authentication succeeded, to save the corresponding authentication parameters and certified HMAC information for the application;
a judgment module 44, used, when the application needs to initiate a cloud service request to the server, to judge whether the current HMAC information corresponding to the application and the certified HMAC information are consistent;
a request module 45, used, when the judgment result of the judgment module 44 is that they are consistent, to send a cloud service request to the server according to the current HMAC information and the authentication parameters, so that the server provides the corresponding cloud service to the application once it has confirmed that the application is legitimate.
The authentication module 42 is further used to:
judge whether valid authentication parameters corresponding to the application currently exist;
when the judgment result is yes and no certification pass flag corresponding to the application is currently stored, or when the judgment result is no, send an authentication request for the application to the server, the authentication request carrying at least the current HMAC information, the identity information of the terminal device and the identity information of the application;
when the judgment result is yes and a certification pass flag corresponding to the application is currently stored, judge whether the current HMAC information corresponding to the application and the certified HMAC information are consistent; if consistent, confirm that this initialization succeeded; if inconsistent, replace the certified HMAC information with the current HMAC information and confirm that this initialization failed.
Further, the identification module 43 is specifically used to:
if the authentication result is success, save the corresponding authentication parameters for the application, save the current HMAC information as certified HMAC information, and add a certification success flag;
if the authentication result is failure, clear the locally stored authentication parameters, the current HMAC information and the certified HMAC information.
Preferably, the judgment module 44 is specifically used to:
judge whether the locally stored authentication parameters are valid;
if the authentication parameters are invalid, or no initialization success flag is stored locally, confirm that the request failed;
if the authentication parameters are valid and an initialization success flag is stored locally, judge whether the current HMAC information corresponding to the application and the certified HMAC information are consistent.
In specific application scenarios, the request module 45 is specifically used to:
generate a token according to the current HMAC information and the authentication parameters;
send the cloud service request carrying the token to the server;
receive the data returned by the server when it has confirmed, according to the token, that the application is legitimate, and pass the data to the application; or,
receive the request failure message returned by the server when it has confirmed, according to the token, that the application is illegitimate, and feed the request failure result back to the application.
Further, the embodiment of the present invention also provides a server, whose structural schematic diagram is shown in Figure 5. It is applied in a system comprising at least a terminal device and a server, where the terminal device carries a security component and at least one application, and the server comprises:
a storage module 51, used to store a white list of HMAC information according to the HMAC information that passed authentication and the corresponding application identity information, and to record the corresponding device identity information;
an authentication module 52, used to receive an authentication request sent by the security component that carries the current HMAC information, the identity information of the terminal device and the identity information of the application, and to query whether corresponding HMAC information exists in the white list of HMAC information stored by the storage module;
a processing module 53, used, when the query result of the authentication module 52 is yes, to generate authentication parameters and send them to the security component carried in an authentication success message, or, when the query result of the authentication module 52 is no, to send an authentication failure message to the security component;
a verification module 54, used to receive the cloud service request sent by the security component according to the current HMAC information and the authentication parameters, to confirm whether the application is legitimate according to the current HMAC information and the authentication parameters, and, when the verification of the verification module 54 succeeds, to provide the corresponding cloud service to the application.
The verification module 54 is specifically used to:
receive the cloud service request carrying a token sent by the security component, wherein the token is generated by the security component according to the current HMAC information and the authentication parameters;
judge whether the application is legitimate according to the information in the token, in combination with the white list of HMAC information stored by the storage module;
if legitimate, send the data corresponding to the cloud service request to the security component;
if illegitimate, send a request failure message to the security component.
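The client-side modules 41 to 45 and the server-side modules 51 to 54 described above can be exercised together in one short simulation, including the tampering case the patent is built around (the program file changes, so the current HMAC no longer matches the certified HMAC). This is an added example, not code from the patent or the SDK; the APPKEY value, the program-file bytes, the token construction (HMAC keyed by the authentication parameter over the current HMAC) and the message layouts are assumptions, and both sides run in one process rather than over HTTP.

```python
"""Security component + server white-list flow (added example, not the
patent's or SDK's code).  APPKEY, program-file bytes, token construction and
message layouts are constructed assumptions."""
import hashlib
import hmac
import secrets

APPKEY = b"constructed-appkey"   # in the real SDK this is stored encrypted (white-box)


def program_hmac(program_file: bytes) -> str:
    """Determining module 41: current HMAC information derived from the program file."""
    return hmac.new(APPKEY, program_file, hashlib.sha256).hexdigest()


def make_token(auth_param: str, current_hmac: str) -> str:
    """Request module 45: token bound to the authentication parameter and current HMAC."""
    return hmac.new(auth_param.encode(), current_hmac.encode(), hashlib.sha256).hexdigest()


class Server:
    def __init__(self):
        self.whitelist = {}    # storage module 51: appid -> set of certified HMACs
        self.devices = {}      # (appid, hmac) -> device IDs seen at authentication
        self.auth_params = {}  # (appid, device_id) -> authentication parameter

    def register(self, appid, certified_hmac):
        """Storage module 51: an application may own several white-listed HMACs."""
        self.whitelist.setdefault(appid, set()).add(certified_hmac)

    def authenticate(self, appid, device_id, current_hmac):
        """Authentication module 52 + processing module 53."""
        if current_hmac not in self.whitelist.get(appid, ()):
            return {"result": "fail"}
        self.devices.setdefault((appid, current_hmac), set()).add(device_id)
        param = secrets.token_hex(16)
        self.auth_params[(appid, device_id)] = param
        return {"result": "success", "auth_param": param}

    def cloud_service(self, appid, device_id, current_hmac, token):
        """Verification module 54: token and white list both have to check out."""
        param = self.auth_params.get((appid, device_id))
        if param is None or current_hmac not in self.whitelist.get(appid, ()):
            return {"result": "fail"}
        if not hmac.compare_digest(make_token(param, current_hmac), token):
            return {"result": "fail"}
        return {"result": "ok", "data": f"service data for {appid}"}


class SecurityComponent:
    def __init__(self, server, appid, device_id):
        self.server, self.appid, self.device_id = server, appid, device_id
        self.auth_param = None       # authentication parameters from the server
        self.certified_hmac = None   # certified HMAC information
        self.init_ok = False         # initialization/certification success flag

    def initialize(self, program_file: bytes) -> bool:
        """Authentication module 42 + identification module 43, run at app start."""
        current = program_hmac(program_file)
        if self.auth_param is not None and self.init_ok:
            if current == self.certified_hmac:
                return True                   # this initialization succeeded
            self.certified_hmac = current     # replace, and report initialization failure
            self.init_ok = False
            return False
        reply = self.server.authenticate(self.appid, self.device_id, current)
        if reply["result"] == "success":
            self.auth_param, self.certified_hmac, self.init_ok = reply["auth_param"], current, True
            return True
        self.auth_param = self.certified_hmac = None   # failure: clear local state
        self.init_ok = False
        return False

    def request(self, program_file: bytes):
        """Judgment module 44 + request module 45, run on a cloud service request."""
        if self.auth_param is None or not self.init_ok:
            return {"result": "fail", "reason": "not initialized"}
        current = program_hmac(program_file)
        if current != self.certified_hmac:
            return {"result": "fail", "reason": "program file changed"}
        token = make_token(self.auth_param, current)
        return self.server.cloud_service(self.appid, self.device_id, current, token)


if __name__ == "__main__":
    srv = Server()
    good = b"constructed program file v1"
    srv.register("APPID-demo", program_hmac(good))
    sc = SecurityComponent(srv, "APPID-demo", "device-001")
    print(sc.initialize(good), sc.request(good)["result"])        # True ok
    print(sc.request(good + b" patched")["reason"])               # program file changed
```

Two things the simulation makes visible: a tampered file is refused locally by the judgment module before any request leaves the device, and even if the local check were bypassed the server would still refuse, because the token is verified against a white list the tampered HMAC is not on.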
Through the above description of the embodiments, those skilled in the art can clearly understand that the present invention may be implemented by software together with the necessary general-purpose hardware platform, and naturally also by hardware, but in many cases the former is the better embodiment. Based on this understanding, the technical solution of the present invention in essence, or the part of it that contributes to the prior art, may be embodied in the form of a software product stored on a storage medium and comprising a number of instructions which cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method described in each embodiment of the present invention.
Those skilled in the art will appreciate that the drawings are schematic diagrams of a preferred embodiment, and that the modules or flows in the drawings are not necessarily required for implementing the present invention.
Those skilled in the art will appreciate that the modules of the apparatus in an embodiment may be distributed in the apparatus of the embodiment as described, or may be changed accordingly and located in one or more apparatuses different from the present embodiment. The modules of the above embodiment may be merged into one module or further split into several sub-modules.
The serial numbers of the embodiments of the present invention are for description only and do not represent the merits of the embodiments.
Disclosed above are only several specific embodiments of the present invention; however, the present invention is not limited to these, and any variation that a person skilled in the art can conceive should fall within the protection scope of the present invention.

Claims (16)

1. A verification method of application identity, characterized in that it is applied in a system comprising at least a terminal device and a server, wherein the terminal device carries a security component and at least one application, the method comprising:
When an application on the terminal device starts, the security component determines the current HMAC information corresponding to the application according to the program file of the application;
The security component carries out the authentication of the application with the server according to the current HMAC information, the identity information of the terminal device and the identity information of the application;
The security component identifies the authentication result and, if authentication succeeds, saves the corresponding authentication parameters and certified HMAC information for the application;
When the application needs to initiate a cloud service request to the server, the security component judges whether the current HMAC information corresponding to the application and the certified HMAC information are consistent;
If they are consistent, the security component sends a cloud service request to the server according to the current HMAC information and the authentication parameters, so that the server provides the corresponding cloud service to the application once it has confirmed that the application is legitimate.
2. The method according to claim 1, characterized in that the security component carrying out the authentication of the application with the server according to the current HMAC information, the identity information of the terminal device and the identity information of the application specifically comprises:
The security component judges whether valid authentication parameters corresponding to the application currently exist;
When the judgment result is yes and the security component judges that no certification pass flag corresponding to the application is currently stored, or when the judgment result is no, the security component sends an authentication request for the application to the server, the authentication request carrying at least the current HMAC information, the identity information of the terminal device and the identity information of the application;
When the judgment result is yes and the security component judges that a certification pass flag corresponding to the application is currently stored, the security component judges whether the current HMAC information corresponding to the application and the certified HMAC information are consistent; if consistent, it confirms that this initialization succeeded; if inconsistent, it replaces the certified HMAC information with the current HMAC information and confirms that this initialization failed.
3. The method according to claim 2, characterized in that, after the security component carries out the authentication of the application with the server according to the current HMAC information, the identity information of the terminal device and the identity information of the application, the method further comprises:
The server queries the locally stored white list of HMAC information according to the identity information of the application and judges whether information consistent with the current HMAC information and the identity information of the terminal device exists;
If it exists, the server generates authentication parameters and sends them to the security component carried in an authentication success message;
If it does not exist, the server sends an authentication failure message to the security component.
4. The method according to claim 3, characterized in that the security component identifying the authentication result specifically comprises:
If the authentication result is success, the security component saves the corresponding authentication parameters for the application, saves the current HMAC information as certified HMAC information, and adds a certification success flag;
If the authentication result is failure, the security component clears the locally stored authentication parameters, the current HMAC information and the certified HMAC information.
5. The method according to claim 1, characterized in that, before the security component judges whether the current HMAC information corresponding to the application and the certified HMAC information are consistent, the method further comprises:
The security component judges whether the locally stored authentication parameters are valid;
If the authentication parameters are invalid, or no initialization success flag is stored locally, it confirms that the request failed;
If the authentication parameters are valid and an initialization success flag is stored locally, the consistency judgment is carried out.
6. The method according to claim 5, characterized in that, after the security component judges whether the current HMAC information corresponding to the application and the certified HMAC information are consistent, the method further comprises:
If they are inconsistent, the security component confirms that the request failed.
7. The method according to claim 5, characterized in that the security component sending a cloud service request to the server according to the current HMAC information and the authentication parameters, so that the server provides the corresponding cloud service to the application once it has confirmed that the application is legitimate, specifically comprises:
The security component generates a token according to the current HMAC information and the authentication parameters;
The security component sends the cloud service request carrying the token to the server;
The security component receives the data returned by the server when the server has confirmed, according to the token, that the application is legitimate, and passes the data to the application; or,
The security component receives the request failure message returned by the server when the server has confirmed, according to the token, that the application is illegitimate, and feeds the request failure result back to the application.
8. A security component, characterized in that it is applied in a system comprising at least a terminal device and a server, wherein the terminal device carries a security component and at least one application, the security component comprising:
a determining module, for determining, when an application on the terminal device starts, the current HMAC information corresponding to the application according to the program file of the application;
an authentication module, for carrying out the authentication of the application with the server according to the current HMAC information determined by the determining module, the identity information of the terminal device and the identity information of the application;
an identification module, for identifying the authentication result returned by the server and, if authentication succeeds, saving the corresponding authentication parameters and certified HMAC information for the application;
a judgment module, for judging, when the application needs to initiate a cloud service request to the server, whether the current HMAC information corresponding to the application and the certified HMAC information are consistent;
a request module, for sending, when the judgment result of the judgment module is that they are consistent, a cloud service request to the server according to the current HMAC information and the authentication parameters, so that the server provides the corresponding cloud service to the application once it has confirmed that the application is legitimate.
9. The security component according to claim 8, characterized in that the authentication module is further used to:
judge whether valid authentication parameters corresponding to the application currently exist;
when the judgment result is yes and no certification pass flag corresponding to the application is currently stored, or when the judgment result is no, send an authentication request for the application to the server, the authentication request carrying at least the current HMAC information, the identity information of the terminal device and the identity information of the application;
when the judgment result is yes and a certification pass flag corresponding to the application is currently stored, judge whether the current HMAC information corresponding to the application and the certified HMAC information are consistent; if consistent, confirm that this initialization succeeded; if inconsistent, replace the certified HMAC information with the current HMAC information and confirm that this initialization failed.
10. The security component according to claim 9, characterized in that the identification module is specifically used to:
if the authentication result is success, save the corresponding authentication parameters for the application, save the current HMAC information as certified HMAC information, and add a certification success flag;
if the authentication result is failure, clear the locally stored authentication parameters, the current HMAC information and the certified HMAC information.
11. The security component according to claim 8, characterized in that the judgment module is specifically used to:
judge whether the locally stored authentication parameters are valid;
if the authentication parameters are invalid, or no initialization success flag is stored locally, confirm that the request failed;
if the authentication parameters are valid and an initialization success flag is stored locally, judge whether the current HMAC information corresponding to the application and the certified HMAC information are consistent.
12. The security component according to claim 8, characterized in that the request module is specifically used to:
generate a token according to the current HMAC information and the authentication parameters;
send the cloud service request carrying the token to the server;
receive the data returned by the server when it has confirmed, according to the token, that the application is legitimate, and pass the data to the application; or,
receive the request failure message returned by the server when it has confirmed, according to the token, that the application is illegitimate, and feed the request failure result back to the application.
13. A verification method of application identity, characterized in that it is applied in a system comprising at least a terminal device and a server, wherein the terminal device carries a security component and at least one application, the method comprising:
The server stores a white list of HMAC information according to the HMAC information that passed authentication and the corresponding application identity information, and records the corresponding device identity information;
When the server receives an authentication request sent by the security component that carries the current HMAC information, the identity information of the terminal device and the identity information of the application, the server queries the locally stored white list of HMAC information according to the identity information of the application and judges whether information consistent with the current HMAC information and the identity information of the terminal device exists;
If it exists, the server generates authentication parameters and sends them to the security component carried in an authentication success message; or, if it does not exist, the server sends an authentication failure message to the security component;
When the server receives a cloud service request sent by the security component according to the current HMAC information and the authentication parameters, the server confirms whether the application is legitimate according to the current HMAC information and the authentication parameters and, if legitimate, provides the corresponding cloud service to the application.
14. The method according to claim 13, characterized in that the server confirming whether the application is legitimate according to the current HMAC information and the authentication parameters specifically comprises:
The server receives the cloud service request carrying a token sent by the security component, wherein the token is generated by the security component according to the current HMAC information and the authentication parameters;
The server judges whether the application is legitimate according to the information in the token, in combination with the stored white list of HMAC information;
If legitimate, the server sends the data corresponding to the cloud service request to the security component;
If illegitimate, the server sends a request failure message to the security component.
15. A server, characterized in that it is applied in a system comprising at least a terminal device and a server, wherein the terminal device carries a security component and at least one application, the server comprising:
a storage module, for storing a white list of HMAC information according to the HMAC information that passed authentication and the corresponding application identity information, and recording the corresponding device identity information;
an authentication module, for receiving an authentication request sent by the security component that carries the current HMAC information, the identity information of the terminal device and the identity information of the application, and querying whether corresponding HMAC information exists in the white list of HMAC information stored by the storage module;
a processing module, for generating authentication parameters and sending them to the security component carried in an authentication success message when the query result of the authentication module is yes, or sending an authentication failure message to the security component when the query result of the authentication module is no;
a verification module, for receiving the cloud service request sent by the security component according to the current HMAC information and the authentication parameters, confirming whether the application is legitimate according to the current HMAC information and the authentication parameters, and providing the corresponding cloud service to the application when the verification of the verification module succeeds.
16. The server according to claim 15, characterized in that the verification module is specifically used to:
receive the cloud service request carrying a token sent by the security component, wherein the token is generated by the security component according to the current HMAC information and the authentication parameters;
judge whether the application is legitimate according to the information in the token, in combination with the white list of HMAC information stored by the storage module;
if legitimate, send the data corresponding to the cloud service request to the security component;
if illegitimate, send a request failure message to the security component.
CN201310752998.6A 2013-12-31 2013-12-31 A kind of verification method and equipment of application identity Active CN104753674B (en)
Publications (2)

Publication Number Publication Date
CN104753674A (en) 2015-07-01
CN104753674B (en) 2018-10-12
Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant