CN106372497B - Application programming interface API protection method and protection device - Google Patents


Info

Publication number
CN106372497B
Authority
CN
China
Prior art keywords
key
random number
verification
time
message
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610797722.3A
Other languages
Chinese (zh)
Other versions
CN106372497A (en)
Inventor
孙吉平
张伟双
杨磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Senseshield Technology Co Ltd
Original Assignee
Beijing Senseshield Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Senseshield Technology Co Ltd
Priority to CN201610797722.3A
Publication of CN106372497A
Application granted
Publication of CN106372497B
Legal status: Active
Anticipated expiration

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow

Abstract

The invention provides an application programming interface (API) protection method and device. The method comprises the following steps: S1: receiving a first access request at the application program side, wherein the first access request comprises information about the interface function requested by the application program; S2: calling the interface function corresponding to the first access request and, when the interface function runs, sending a second access request encrypted with a first key to the system kernel, wherein the second access request comprises kernel data required to execute the interface function; S3: receiving return information, returned from the system kernel and encrypted with a second key, that includes the kernel data. The invention offers stronger resistance to cracking and higher security.

Description

Application programming interface API protection method and protection device
Technical Field
The present invention relates to the field of API protection, and in particular, to a protection method and a protection device for an application programming interface API.
Background
When an existing application program accesses an interface function (API) in a dynamic link library, the specific logic of the interface function, or specific information about the application program, can be recovered through breakpoint debugging and reverse analysis of the application program, so security is poor. Moreover, however the dynamic link library is protected within the software, including with packing (shelling), code obfuscation, virtualization and the like, external calls cannot be hidden well, because the system interfaces are, after all, uniform.
Disclosure of Invention
The invention provides an application programming interface (API) protection method and device that strengthen the security protection of interface functions.
To solve the above technical problem, the invention provides the following technical solution:
An application programming interface (API) protection method, comprising the following steps:
S1: receiving a first access request at the application program side, wherein the first access request comprises information about the interface function requested by the application program;
S2: calling the interface function corresponding to the first access request and, when the interface function runs, sending a second access request encrypted with a first key to the system kernel, wherein the second access request comprises kernel data required to execute the interface function;
S3: receiving return information, returned from the system kernel and encrypted with a second key, that includes the kernel data.
Wherein the return information including the kernel data encrypted with the second key is generated at the system kernel side by the following steps:
A1: receiving the second access request;
A2: decrypting the information about the kernel data from the second access request;
A3: reading the kernel data, and encrypting the return information that includes the kernel data with the second key.
The first key and the second key are symmetric keys obtained through key agreement between the application program side and the system kernel side.
The method for generating the first key comprises the following steps:
S11: generating a first verification message at the application program side, wherein the first verification message comprises a first time representing the current time, and a randomly generated first random number and a preset communication identifier, both encrypted with a pre-stored communication key;
S12: sending the encrypted first verification message to the system kernel side;
S13: receiving a second verification message from the system kernel side and decrypting it with the first random number; if decryption succeeds, executing step S14; if decryption fails, ending;
S14: acquiring the second random number in the second verification message as the first key.
Wherein the method for generating the first verification message comprises:
S111: acquiring a first time representing the current time, and generating the first random number;
S112: processing the first time with a preset algorithm to generate the communication key;
S113: encrypting the first random number and a preset communication identifier with the communication key;
S114: combining the first time and the encrypted data obtained in step S113 to generate the first verification message.
Wherein the method for generating the second key comprises:
A11: receiving the first verification message at the system kernel side, and deriving the communication key from the first verification message with a preset algorithm;
A12: decrypting the first random number and the preset communication identifier in the first verification message with the communication key;
A13: verifying the communication identifier; if verification succeeds, executing step A14; if verification fails, ending;
A14: generating a second random number as the second key, and encrypting the second random number with the first random number from the first verification message to generate the second verification message.
Wherein, alternatively, the method for generating the second key comprises:
A11: receiving the first verification message at the system kernel side, and deriving the communication key from the first verification message with a preset algorithm;
A12: decrypting the first random number and the preset communication identifier in the first verification message with the communication key;
A13: verifying the communication identifier; if verification succeeds, executing step A141; if verification fails, ending;
A141: generating a second random number as the second key, and encrypting the second random number with the first random number from the first verification message;
A142: signing the second random number encrypted in A141 with a private key of the system kernel side and attaching a timestamp to generate the second verification message;
Step S13 is further configured as: receiving the second verification message and verifying the signature with a pre-stored public key; if verification succeeds, decrypting the second verification message with the first random number; and ending if decryption fails.
Wherein step A11 further includes:
A111: receiving the first verification message and acquiring the first time in the first verification message;
A112: acquiring the current second time and comparing the first time with the second time; if the difference between the first time and the second time is less than a first preset time, executing step A113; otherwise, exiting the program;
A113: deriving the communication key from the first verification message with a preset algorithm.
Wherein step S13 further includes:
S131: receiving the second verification message, and acquiring a third time from the timestamp;
S132: comparing the first time with the third time; if the difference between the first time and the third time is less than a second preset time, executing step S133; otherwise, ending, wherein the second preset time is greater than the first preset time;
S133: decrypting the second verification message with the first random number, and ending if decryption fails.
Wherein the preset algorithm comprises a hash algorithm.
Wherein the method further comprises step S0: performing code customization processing on the API interface function.
The invention also provides an application programming interface (API) protection device, which comprises:
an intermediate driver component comprising a first driver located at the application program side and a second driver located at the system kernel side, wherein
the first driver stores an API interface function and receives a first access request, the first access request comprising information about the interface function requested by an application program;
the first driver is configured to call the interface function corresponding to the first access request and, when the interface function is executed, to send an encrypted second access request to the second driver, wherein the second access request comprises kernel data required to execute the interface function;
the second driver is configured to read the kernel data from the system kernel after receiving the second access request, encrypt return information including the kernel data with a second key, and return the encrypted return information to the first driver.
Wherein the first driver comprises:
an interface function storage unit in which an API interface function is stored;
a first data processing part configured to receive the first access request, call the interface function requested by the first access request, generate the second access request according to the kernel data required by the interface function, and send the second access request to the second driver.
Wherein the first driver includes a first key agreement part comprising:
a first verification unit configured to generate a first verification message during key agreement and transmit it to the second driver, wherein the first verification message includes a first time representing the current time, and a randomly generated first random number and a preset communication identifier encrypted with a pre-stored communication key;
a first encryption/decryption unit configured to decrypt, with the first random number, a second verification message returned by the second driver, and to obtain the second random number in the second verification message as the first key.
The first verification unit is configured to process the first time with a preset algorithm to generate the communication key, and to combine the first time with the data obtained by encrypting the first random number and the preset communication identifier with the communication key, so as to generate the first verification message.
Wherein the second driver comprises:
a second data processing part configured to receive the second access request, read the kernel data corresponding to the second access request from the system kernel, and return to the first driver a return message that is encrypted with a second key and includes the kernel data.
Wherein the second driver further comprises a second key agreement part comprising:
a second verification unit configured to derive the communication key from the first verification message with a preset algorithm, decrypt the first random number and the communication identifier in the first verification message with the communication key, verify the communication identifier against pre-stored identification information, randomly generate a second random number if verification succeeds, and send an encrypted second verification message including the second random number to the first driver;
a second encryption/decryption unit that acquires the second random number generated by the second verification unit as the second key, and encrypts the second random number with the first random number from the first verification message to generate the second verification message.
Wherein, alternatively, the second driver further comprises a second key agreement part comprising:
a second verification unit configured to derive the communication key from the first verification message with a preset algorithm, decrypt the first random number and the communication identifier in the first verification message with the communication key, verify the communication identifier against pre-stored identification information, randomly generate a second random number if verification succeeds, and sign the encrypted second random number with a pre-stored private key and attach a timestamp to generate a second verification message;
a second encryption/decryption unit that acquires the second random number generated by the second verification unit as the second key and encrypts the second random number with the first random number from the first verification message;
and the first driver is further configured to receive the second verification message and verify the signature with a pre-stored public key; if verification succeeds, to decrypt the second verification message with the first random number; and if decryption succeeds, to acquire the second random number in the second verification message as the first key of the key agreement.
Wherein the first verification message comprises a first time, and the second verification unit is further configured to derive the communication key from the first verification message with a preset algorithm when the difference between the first time in the first verification message and the current second time is less than a first preset time.
Wherein the first verification message comprises a first time, and the first driver is further configured to decrypt the second verification message with the first random number when the difference between the third time of the timestamp attached to the second verification message and the first time is less than a second preset time, and to obtain the second random number in the second verification message as the first key of the key agreement.
Compared with the prior art, the invention has the following advantages:
According to the method and the device, a corresponding access request to the system kernel side is generated from the first access request for the interface function received at the application program side, so as to obtain the required kernel data; the data exchanged during this interaction must be encrypted, which raises the level of security protection.
Drawings
FIG. 1 is a flowchart of an API protection method in an embodiment of the present invention;
FIG. 2 is a flowchart of a method for generating, at the system kernel side, the return information including the kernel data encrypted with the second key, in an embodiment of the present invention;
FIG. 3 is a flowchart of a method for generating a first key at an application side according to an embodiment of the present invention;
FIG. 4 is a flow chart of a method of generating a first verification message in an embodiment of the invention;
FIG. 5 is a flowchart of a method for generating a second key at a system kernel side according to an embodiment of the present invention;
FIG. 6 is a flowchart of a method for generating a second key at the kernel side of the system according to another embodiment of the present invention;
FIG. 7 is a schematic block diagram of an API protection apparatus according to an embodiment of the present invention;
FIG. 8 is an exemplary block diagram of a first driver in an embodiment of the present invention;
FIG. 9 is an exemplary block diagram of the second driver in an embodiment of the present invention.
Description of the reference numerals
100 - first driver
200 - second driver
101 - interface function storage unit
102 - first data processing part
103 - first verification unit
104 - first encryption/decryption unit
201 - second data processing part
202 - second verification unit
203 - second encryption/decryption unit
Detailed Description
Hereinafter, specific embodiments of the present invention will be described in more detail with reference to the accompanying drawings, but the present invention is not limited thereto.
FIG. 1 is a flowchart of an application programming interface (API) protection method in an embodiment of the present invention. The method includes the following steps:
S1: receiving a first access request at the application program side, wherein the first access request comprises information about the interface function requested by the application program;
In this embodiment, when an application program on the application program side runs and needs to access an API interface function, a corresponding first access request may be generated. The first access request may include information about the interface function requested by the application program, such as the function name, parameter types and return value type, and may also include information about the application program calling the interface function, such as its name and address. The function library serving as the API interface function in this embodiment may be a static link library, a driver located on the application program side, or a driver customized by the application layer.
S2: calling the interface function corresponding to the first access request and, when the interface function runs, sending a second access request encrypted with the first key to the system kernel, wherein the second access request comprises kernel data required to execute the interface function;
In this embodiment, the second access request is encrypted when it is sent, to increase the security of the data.
S3: receiving return information, returned from the system kernel and encrypted with the second key, that includes the kernel data.
On the system kernel side, the kernel data required by the second access request can be acquired according to that request, and the return information including the kernel data is encrypted and returned to the application program side, so that the data requested by the application program is returned to it. In this embodiment, the first key on the application program side and the second key on the system kernel side may be obtained through key agreement, and the keys on both sides may be the same.
In addition, the method preferably further includes, before step S1, a step S0: performing code customization processing on the API interface function. The customization processing may include customizing the API interface function, and may apply obfuscation or encryption to make the API interface function harder to crack.
Specifically, FIG. 2 shows a flowchart of a method for generating, at the system kernel side, return information including kernel data encrypted with the second key in an embodiment of the present invention. The method may include the following steps:
A1: receiving the second access request;
A2: decrypting the information about the kernel data from the second access request;
A3: reading the kernel data from the system kernel, and encrypting the return information that includes the kernel data with the second key.
The kernel data in this embodiment may include, but is not limited to, the current time, running program processes, system uptime, and other data from hardware, the hard disk and the like; it may also be other data that the kernel can obtain.
Next, the key agreement process between the system kernel side and the application program side is described in detail. FIG. 3 is a flowchart of a method for generating the first key at the application program side in an embodiment of the present invention. The method comprises the following steps:
S11: generating a first verification message at the application program side, wherein the first verification message comprises a first time representing the current time, and a randomly generated first random number and a preset communication identifier, both encrypted with a pre-stored communication key;
The same communication identifier is stored on both the application program side and the system kernel side, so that it can be used for identity authentication during key agreement.
In addition, FIG. 4 shows a flowchart of a method for generating the first verification message in an embodiment of the present invention. The method may include:
S111: acquiring a first time representing the current time, and generating the first random number;
S112: processing the first time with a preset algorithm to generate the communication key; the preset algorithm in this embodiment may be a hash algorithm;
S113: encrypting the first random number and a preset communication identifier with the communication key;
S114: combining the first time and the encrypted data obtained in step S113 to generate the first verification message.
The first verification message is generated as described above, and processing then continues as follows:
S12: sending the encrypted first verification message to the system kernel side;
That is, when the first verification message is sent to the system kernel side, it needs to be encrypted to prevent malicious acquisition of the verification message;
S13: receiving a second verification message from the system kernel side and decrypting it with the first random number; if decryption succeeds, executing step S14; if decryption fails, ending;
S14: acquiring the second random number in the second verification message as the first key.
In this embodiment, during key agreement the system kernel side may verify the first verification message sent from the application program side and, when verification succeeds, generate a second verification message and send it to the application program side for further verification. If the application program side can decrypt the second verification message with the first random number, verification succeeds, and it obtains the second random number therein for use as the first key. If decryption fails, verification ends; preferably, a verification failure message is sent to the system kernel side so that the next negotiation can be performed.
Specifically, FIG. 5 is a flowchart of a method for generating the second key at the system kernel side in an embodiment of the present invention. The method may include:
A11: receiving, at the system kernel side, the first verification message from the application program side, and deriving the communication key from the first verification message with a preset algorithm; correspondingly, the preset algorithm is also a hash algorithm;
A12: decrypting the first random number and the preset communication identifier in the first verification message with the communication key;
A13: verifying the communication identifier; if verification succeeds, executing step A14; if verification fails, ending;
In this embodiment, the communication identifier is verified against the identifier information stored on the system kernel side. If the two are consistent, verification succeeds; if they are inconsistent, an error message may be generated and returned to the application program side, and the verification program may exit.
A14: generating a second random number as the second key, and encrypting the randomly generated second random number with the first random number from the first verification message to generate the second verification message.
It should be noted that, in this embodiment, both the first random number and the second random number are randomly generated, and may be generated in real time, which makes cracking more difficult.
Additionally, FIG. 6 shows a flowchart of a method for generating the second key at the system kernel side in another embodiment. The method may include:
A11: receiving the first verification message at the system kernel side, and deriving the communication key from the first verification message with a preset algorithm;
A12: decrypting the first random number and the preset communication identifier in the first verification message with the communication key;
A13: verifying the communication identifier; if verification succeeds, executing step A141; if verification fails, ending;
A141: generating a second random number as the second key, and encrypting the second random number with the first random number from the first verification message;
A142: signing the second random number encrypted in A141 with a private key of the system kernel side and attaching a timestamp to generate the second verification message;
Step S13 is further configured as: receiving the second verification message and verifying the signature with a pre-stored public key; if verification succeeds, decrypting the second verification message with the first random number; and ending if decryption fails.
That is, the system kernel side can sign the data with its private key and attach a timestamp, and the application program side can use the stored corresponding public key to check whether the signature is valid, and obtain the timestamp for verification.
When the system kernel side receives the first verification message, it may also verify information such as the time at which the message was sent. That is, step A11 may further include the following steps:
A111: receiving the first verification message and acquiring the first time in the first verification message;
A112: acquiring the current second time and comparing the first time with the second time; if the difference between the first time and the second time is less than a first preset time, executing step A113; otherwise, exiting the program;
A113: deriving the communication key from the first verification message with a preset algorithm.
That is, if the interval between the time the first verification message is received and the time it was generated is greater than the first preset time, the first verification message may be judged invalid, and an error message may be returned to the application program side.
Likewise, when the application program side receives the second verification message, it may verify the sending time of that message. That is, step S13 may further include the following steps:
S131: receiving the second verification message and acquiring a third time from the timestamp included in the second verification message;
S132: comparing the first time in the first verification message with the third time; if the difference between the first time and the third time is less than a second preset time, executing step S133; otherwise, ending, wherein the second preset time is greater than the first preset time, and both preset times can be set by the user as required;
S133: decrypting the second verification message with the first random number, and ending if decryption fails.
Similarly, when the difference between the third time of the timestamp in the received second verification message and the first time in the first verification message is greater than the second preset time, the second verification message may be judged invalid, and an error message may be returned to the system kernel side.
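The key agreement of steps S11 to S14 and A11 to A14, with the freshness checks of A112 and S132, as an added Python example that is not code from the patent or its assignee. The cipher (an HMAC-SHA-256 encrypt-then-MAC construction), the keyed derivation of the communication key, the message layout and all constants are assumptions; the signature of step A142 is left out.

```python
import hashlib
import hmac
import secrets
import struct

# Everything named here is an assumption for the demo, not taken from the patent.
PRESHARED_SECRET = b"constructed-demo-secret"  # secret input to the "preset algorithm"
COMM_ID = b"DRIVER-PAIR-01"                    # preset communication identifier
FIRST_PRESET_TIME = 2.0                        # seconds allowed in step A112
SECOND_PRESET_TIME = 5.0                       # seconds allowed in step S132 (larger)


class VerificationError(Exception):
    """Raised wherever the patent says the step ends or the program exits."""


def keystream(key, nonce, length):
    blocks = (length + 31) // 32
    stream = b"".join(
        hmac.new(key, b"enc" + nonce + struct.pack(">I", i), hashlib.sha256).digest()
        for i in range(blocks))
    return stream[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC stand-in for the symmetric cipher the patent leaves open."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Return the plaintext, or raise if the key is wrong or the blob was altered."""
    if len(blob) < 48:
        raise VerificationError("message truncated")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise VerificationError("decryption failed")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


def derive_comm_key(first_time):
    # S112 / A113. The patent only says "hash algorithm". The first time travels in
    # the clear (S114), so this demo keys the hash with a pre-shared secret;
    # otherwise anyone who sees the message could recompute the communication key.
    return hmac.new(PRESHARED_SECRET, struct.pack(">d", first_time), hashlib.sha256).digest()


def app_build_first_message(now, comm_id=COMM_ID):
    """S111-S114: returns (first verification message, first random number)."""
    r1 = secrets.token_bytes(32)
    sealed = seal(derive_comm_key(now), r1 + comm_id)
    return struct.pack(">d", now) + sealed, r1


def kernel_handle_first_message(msg1, now):
    """A111-A14: returns (second verification message, second key)."""
    if len(msg1) < 8:
        raise VerificationError("message truncated")
    first_time = struct.unpack(">d", msg1[:8])[0]
    if abs(now - first_time) >= FIRST_PRESET_TIME:            # A112 freshness window
        raise VerificationError("first verification message is stale")
    plain = unseal(derive_comm_key(first_time), msg1[8:])     # A113, A12
    r1, ident = plain[:32], plain[32:]
    if not hmac.compare_digest(ident, COMM_ID):               # A13
        raise VerificationError("communication identifier mismatch")
    r2 = secrets.token_bytes(32)                              # A14: second key
    # The A142 signature is omitted (no signing primitive in the standard library),
    # so the timestamp goes inside the sealed payload to keep it tamper-evident.
    return seal(r1, struct.pack(">d", now) + r2), r2


def app_handle_second_message(msg2, r1, first_time):
    """S13-S14: returns the first key (the kernel's second random number)."""
    plain = unseal(r1, msg2)                                  # S133
    third_time = struct.unpack(">d", plain[:8])[0]
    if abs(third_time - first_time) >= SECOND_PRESET_TIME:    # S132
        raise VerificationError("second verification message is stale")
    return plain[8:]


def negotiate(app_clock, kernel_clock):
    """Run the whole exchange; returns (first key, second key)."""
    msg1, r1 = app_build_first_message(app_clock)
    msg2, second_key = kernel_handle_first_message(msg1, kernel_clock)
    return app_handle_second_message(msg2, r1, app_clock), second_key


if __name__ == "__main__":
    k_app, k_kernel = negotiate(1000.0, 1000.4)               # constructed clock values
    request = seal(k_app, b"query: system uptime")            # S2: second access request
    reply = seal(k_kernel, b"uptime=86400")                   # A3: encrypted return information
    print(unseal(k_kernel, request), unseal(k_app, reply))
```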
In summary, the application programming interface (API) protection method provided in the embodiment of the present invention removes the calls to libraries and system libraries that the original application program makes at run time and interacts directly with the kernel component, which greatly reduces the possibility of setting debugging breakpoints and cracking functions.
In addition, an embodiment of the invention also provides an application programming interface (API) protection device.
Fig. 7 is a schematic structural block diagram of an API protection apparatus in an embodiment of the present invention, where the apparatus may include: the intermediate driving component may include a first driver 100 located at the application program side and a second driver 200 located at the system kernel side, where the first driver 100 stores therein an API interface function, and the API interface function may be a dynamic link library updated in the system or an interface function library processed by a user. The customization processing may include customizing the API interface function, and may perform obfuscation or encryption to increase the difficulty of deciphering the API interface function.
In addition, the first driver 100 may receive a first access request of an application program on the application program side, where the first access request may include information of an interface function requested by the application program, such as a function name, a parameter type, a return value type, and the like, and may further include information of an application program calling the interface function, such as a name, an address, and the like of the application program.
The first driver 100 may be further configured to call an interface function corresponding to the first access request based on the first access request, and to send an encrypted second access request to the second driver 200 on the system kernel side when the interface function is executed, where the second access request includes kernel data required to execute the interface function.
Meanwhile, the second driver 200 may be configured to read corresponding kernel data from the system kernel after receiving the second access request, encrypt return information including the kernel data using the second key, and return the encrypted return information to the first driver 100. That is, when the corresponding second access request is sent, the second access request needs to be encrypted, so as to further increase the security of the data. In this embodiment, the first key on the application side and the second key on the system kernel side may be obtained through key agreement, and the keys on both sides may be the same.
The kernel data in this embodiment may include, but is not limited to, current time, a program running process, system running time, and other data in hardware, a hard disk, and the like, and may also be data that can be acquired by other kernels.
Specifically, as shown in fig. 8, a schematic structure diagram of the first driving element in the embodiment of the present invention is shown, where the schematic structure diagram may include: an interface function storage section 101, a first data processing section 102, and a first key agreement section.
The interface function storage unit 101 may store an API interface function; that is, the interface function storage 101 may be configured as a dynamic link library or other customized interface function library.
The first data processing unit 102 may receive a first access request generated by an application on the application side, call an interface function requested by the first access request, generate a second access request according to kernel data required by the interface function, encrypt the second access request, and send the encrypted second access request to the second driver 200.
In addition, the first key agreement section may include: a first authentication unit 103 and a first encryption/decryption unit 104; the first authentication unit 103 may be configured to generate a first authentication message when performing key agreement with the second driver 200, and send the generated first authentication message to the second driver 200 for authentication and processing.
The first authentication message in the present embodiment may include a first time representing the current time, a randomly generated first random number encrypted by using a pre-stored communication key, and a preset communication identifier. The same communication identifiers are respectively and correspondingly stored in the first driver 100 on the application program side and the second driver 200 on the system kernel side, so as to be used for authentication in the key agreement process.
The first encryption/decryption unit 104 may be configured to decrypt the second authentication message returned by the second driver 200 using the first random number in the first authentication message, and obtain the second random number in the second authentication message as the first key.
In addition, the first authentication unit 103 may also process the first time by a preset algorithm to generate the communication key, and combine the first time and the data information obtained by encrypting the first random number and the preset communication identifier by using the communication key to generate the first authentication message.
The first authentication unit 103 and the first encryption/decryption unit 104 in the present embodiment may communicate with each other to share data, and in addition, may be configured in a structural configuration independent from the interface function storage part 101 and the first data processing part 102, or may be connected to the first data processing part 102, respectively, to perform a corresponding functional configuration according to the control of the first data processing part 102.
In addition, as shown in fig. 8, a schematic structure diagram of the second driving element in the embodiment of the present invention is shown, wherein the second driving element 200 may include: a second data processing part 201 and a second key agreement part. In one embodiment, the second key agreement section may include the second authentication unit 102 and the second encryption/decryption unit 103.
The second data processing unit 201 may receive the second access request from the first verification unit 103, may read core data corresponding to the second access request from the system core, may encrypt a return message including the core data by using a second key stored therein, and may return the encrypted return message to the first driver 100. Specifically, the second data processing unit 201 may send a return message to the first encryption/decryption unit 104, or send the return message to the first data processing unit 102 for being transmitted to the first encryption/decryption unit 104, and for data transmitted by the system kernel side, each component in the first driver 100 may be shared, and for data transmitted by the application program side, each component in the second driver 200 may also be shared.
In addition, the second verification unit 202 may parse the communication key from the first verification message by using a preset algorithm, decrypt the first random number and the communication identifier in the first verification message by using the communication key, verify the communication identifier by using the pre-stored identification information, randomly generate the second random number if the verification is successful, and send the encrypted second verification message including the second random number to the first driver 100, and if the verification is unsuccessful, generate an error message to return to the first driver 100.
Further, since the first verification message may include a first time indicating generation of the first verification message, the second verification unit may parse a communication key from the first verification message by using a preset algorithm when it is determined that a difference between the first time in the first verification message and the current second time is less than a first preset time, decrypt the first random number and the communication identifier in the first verification message by using the communication key, verify the communication identifier by using the prestored identification information, randomly generate a second random number if the verification is successful, and send the encrypted second verification message including the second random number to the first driver 100, and if the verification is unsuccessful, generate an error message to return to the first driver 100.
The second encryption/decryption unit 103 may acquire the second random number generated by the second authentication unit 102 as the second key, and encrypt the second random number using the first random number in the first authentication message to generate the second authentication message.
In another embodiment, the second verification unit 102 may be configured to parse a communication key from the first verification message by using a preset algorithm, decrypt a first random number and a communication identifier in the first verification message by using the communication key, verify the communication identifier by using pre-stored identification information, randomly generate a second random number if the verification is successful, sign the encrypted second random number by using a private key pre-stored therein, and load a timestamp to generate the second verification message.
Meanwhile, the second encryption/decryption unit 103 may acquire the second random number generated by the second authentication unit as the second key and encrypt the second random number using the first random number in the first authentication message.
Correspondingly, the first encryption/decryption unit 104 in the first driver 100 may be further configured to: receive the returned second verification message, verify the signature in the second verification message by using the public key stored therein, decrypt the second verification message by using the first random number if the verification is successful, and acquire the second random number in the second verification message as the first key of the key agreement if the decryption is successful.
Likewise, the first encryption/decryption unit 104 of the first driver 100 may be further configured to decrypt the second verification message with the first random number when a difference between a third time of the timestamp loaded in the second verification message and the first time is less than a second preset time, and obtain the second random number in the second verification message as the first key of the key agreement.
Through the above configuration, it is possible to implement key agreement between the first driver 100 and the second driver 200 and acquire the corresponding first key and second key. Therefore, the security of the data is further ensured and the decoding difficulty is improved in the subsequent data transmission and verification process.
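The key agreement described above (first verification message, freshness checks, identifier check, second verification message), as an added example that is not code from the patent or its assignee. Assumptions: the unspecified cipher is replaced by a stand-in built from HMAC-SHA-256, the "preset algorithm" is modelled as SHA-256 over a constructed secret plus the first time, the third time is bound to the second message by the MAC, and the signature of the signed embodiment is omitted; all names and constants are constructed.

```python
import hashlib, hmac, os, struct

COMM_ID = b"CONSTRUCTED-COMM-ID"       # constructed identifier stored on both sides
PRESET_SECRET = b"constructed-secret"  # assumption: input to the "preset algorithm"
FIRST_PRESET, SECOND_PRESET = 5, 10    # seconds; the second preset exceeds the first

def _subkeys(key):
    # Separate encryption and MAC keys derived from one shared key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext, aad):
    """Stand-in authenticated cipher (assumption): HMAC keystream plus HMAC tag."""
    ek, mk = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, aad + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob, aad):
    """Return the plaintext, or None when the tag does not verify (decryption fails)."""
    if len(blob) < 48:
        return None
    ek, mk = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mk, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(ek, nonce, len(ct))))

def comm_key(t1):
    """Derive the communication key from the first time (hash-based preset algorithm)."""
    return hashlib.sha256(PRESET_SECRET + struct.pack(">Q", t1)).digest()

def app_first_message(now):
    """Application side: first time || Enc_commkey(first random number || identifier)."""
    r1, t1 = os.urandom(32), struct.pack(">Q", now)
    return r1, t1 + seal(comm_key(now), r1 + COMM_ID, t1)

def kernel_handle_first(msg1, now):
    """Kernel side: freshness check, identifier check, then issue the second key."""
    if len(msg1) < 8:
        raise ValueError("truncated first verification message")
    t1 = struct.unpack(">Q", msg1[:8])[0]
    if abs(now - t1) >= FIRST_PRESET:
        raise ValueError("first time outside the first preset time")
    body = unseal(comm_key(t1), msg1[8:], msg1[:8])
    if body is None or len(body) < 32:
        raise ValueError("first verification message failed to decrypt")
    r1, ident = body[:32], body[32:]
    if not hmac.compare_digest(ident, COMM_ID):
        raise ValueError("communication identifier mismatch")
    r2, t3 = os.urandom(32), struct.pack(">Q", now)
    return r2, t3 + seal(r1, r2, t3)   # second key, second verification message

def app_handle_second(msg2, r1, t1):
    """Application side: check the third time, decrypt with R1, keep R2 as the first key."""
    if len(msg2) < 8:
        raise ValueError("truncated second verification message")
    t3 = struct.unpack(">Q", msg2[:8])[0]
    if abs(t3 - t1) >= SECOND_PRESET:
        raise ValueError("third time outside the second preset time")
    r2 = unseal(r1, msg2[8:], msg2[:8])
    if r2 is None:
        raise ValueError("second verification message failed to decrypt")
    return r2

if __name__ == "__main__":
    r1, msg1 = app_first_message(1000)             # constructed clock values
    second_key, msg2 = kernel_handle_first(msg1, 1002)
    first_key = app_handle_second(msg2, r1, 1000)
    print("keys match:", first_key == second_key)
```

Because the first time travels in clear and the communication key is computed from it, the first message is only as confidential as the preset algorithm (here, `PRESET_SECRET`) is secret.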
The above embodiments are only exemplary embodiments of the present invention, and are not intended to limit the present invention, and the scope of the present invention is defined by the claims. Various modifications and equivalents may be made by those skilled in the art within the spirit and scope of the present invention, and such modifications and equivalents should also be considered as falling within the scope of the present invention.

Claims (18)

1. An Application Programming Interface (API) protection method, the method comprising the steps of:
S1: receiving a first access request at an application program side, wherein the first access request comprises information of an interface function requested by the application program;
S2: calling an interface function corresponding to the first access request based on the first access request, and sending a second access request subjected to encryption processing by a first key to a system kernel when the interface function is operated, wherein the second access request comprises kernel data required by execution of the interface function;
S3: receiving return information including the kernel data which is returned from a system kernel and encrypted by a second key; wherein,
the method further comprises generating the first key, the generating the first key comprising:
S11: generating a first verification message at an application program side, wherein the first verification message comprises a first time representing the current time, a randomly generated first random number encrypted by using a pre-stored communication key and a preset communication identifier;
S12: sending the encrypted first verification message to a system kernel side;
S13: receiving a second verification message from the system kernel side, decrypting the second verification message by using a first random number, if the decryption is successful, executing step S14, and if the decryption fails, ending;
S14: acquiring a second random number in the second verification message as the first key.
2. The API protection method of claim 1, wherein the second key-encrypted return message including the kernel data is generated at a system kernel side by:
A1: receiving the second access request;
A2: decrypting the information about the kernel data from the second access request;
A3: reading the kernel data, and performing encryption processing on return information comprising the kernel data by using a second key.
3. The API protection method of claim 1, wherein the first key and the second key are symmetric keys obtained via a key agreement between an application side and a system kernel side.
4. The API protection method of claim 1, wherein generating the first verification message comprises:
S111: acquiring a first time representing a current time, and generating the first random number;
S112: processing the first time by using a preset algorithm to generate the communication key;
S113: encrypting the first random number and a preset communication identifier by using the communication key;
S114: combining the first time and the encrypted data obtained in step S113 to generate the first verification message.
5. The API protection method of claim 1, wherein generating the second key comprises:
A11: receiving the first verification message at a system kernel side, and analyzing the communication key from the first verification message by using a preset algorithm;
A12: decrypting the first random number and a preset communication identifier in the first verification message by using the communication key;
A13: verifying the communication identifier, if the verification is successful, executing step A14, and if the verification fails, ending;
A14: generating a second random number as a second key, and encrypting the second random number by using the first random number in the first verification message to generate the second verification message.
6. The API protection method of claim 1, wherein generating the second key comprises:
A11: receiving the first verification message at a system kernel side, and analyzing the communication key from the first verification message by using a preset algorithm;
A12: decrypting the first random number and a preset communication identifier in the first verification message by using the communication key;
A13: verifying the communication identifier, if the verification is successful, executing step A141, and if the verification fails, ending;
A141: generating a second random number as a second key and encrypting the second random number using the first random number in the first authentication message;
A142: signing the encrypted second random number in A141 by using a private key of a system kernel side and loading a timestamp to generate a second verification message;
the step S13 further comprises: receiving the second verification message, verifying the signature by using a pre-stored public key, decrypting the second verification message by using a first random number if the verification is successful, and ending if the decryption fails.
7. The API protection method of claim 5 or 6, wherein the step A11 further includes:
A111: receiving the first verification message and acquiring a first time in the first verification message;
A112: acquiring current second time, comparing the first time with the second time, executing step A113 if the difference value between the first time and the second time is less than first preset time, otherwise, exiting the program;
A113: analyzing the communication key from the first verification message by using a preset algorithm.
8. The API protection method of claim 6, wherein the step S13 further includes:
S131: receiving the second verification message, and acquiring a third time in the timestamp;
S132: comparing the first time with the third time, if the difference value between the first time and the third time is less than a second preset time, executing step S133, otherwise, ending, wherein the second preset time is more than the first preset time;
S133: decrypting the second verification message by using the first random number, and ending if the decryption fails.
9. The API protection method of any of claims 4-6, wherein the pre-set algorithm comprises a hash algorithm.
10. The API protection method of claim 1, further comprising step S0: executing code customization processing on the API interface function.
11. An Application Programming Interface (API) protection apparatus, the apparatus comprising:
an intermediate driver component comprising a first driver located at an application side and a second driver located at a system kernel side, wherein,
the first driver is internally stored with an API interface function and receives a first access request, and the first access request comprises information of the interface function requested by an application program;
the first driver is configured to call an interface function corresponding to the first access request based on the first access request, and send a second access request subjected to encryption processing to the second driver when the interface function is run, wherein the second access request comprises kernel data required by execution of the interface function;
the second driver is configured to read the kernel data from a system kernel after receiving the second access request, encrypt return information including the kernel data by using a second key, and return the encrypted return information to the first driver; wherein,
the first driver includes a first key agreement section including:
a first authentication unit configured to generate a first authentication message at a key agreement time, and transmit the first authentication message to the second driver, wherein the first authentication message includes a first time representing a current time, and a randomly generated first random number and a preset communication identification encrypted with a pre-stored communication key;
and a first encryption and decryption unit configured to decrypt a second authentication message returned by the second driver by using the first random number, and obtain a second random number in the second authentication message as the first key.
12. The API protection device of claim 11, wherein the first driver comprises:
an interface function storage unit in which an API interface function is stored;
the first data processing part is configured to receive the first access request, call an interface function requested by the first access request, generate the second access request according to kernel data required by the interface function, and send the second access request to the second driver.
13. The API protection apparatus of claim 11, wherein the first verification unit is configured to process the first time by a preset algorithm to generate the communication key, and combine the first time and data information obtained by encrypting the first random number and a preset communication identifier with the communication key to generate the first verification message.
14. The API protection device of claim 11, wherein the second driver comprises:
a second data processing part configured to receive the second access request, read kernel data corresponding to the second access request from the system kernel, and return a return message which is encrypted by using a second key and comprises the kernel data to the first driver.
15. The API protection device of claim 13, wherein said second driver further comprises a second key agreement section comprising:
a second verification unit configured to analyze the communication key from the first verification message by using a preset algorithm, decrypt the first random number and the communication identifier in the first verification message by using the communication key, verify the communication identifier by using pre-stored identification information, randomly generate a second random number if verification is successful, and send an encrypted second verification message including the second random number to the first driver;
and a second encryption/decryption unit that acquires the second random number generated by the second authentication unit as a second key, and encrypts the second random number using the first random number in the first authentication message to generate the second authentication message.
16. The API protection device of claim 13, wherein said second driver further comprises a second key agreement section comprising:
a second verification unit configured to analyze the communication key from the first verification message by using a preset algorithm, decrypt the first random number and the communication identifier in the first verification message by using the communication key, verify the communication identifier by using prestored identification information, randomly generate a second random number if the verification is successful, sign the encrypted second random number by using a private key prestored therein and load a timestamp to generate a second verification message;
a second encryption/decryption unit that acquires the second random number generated by the second authentication unit as a second key and encrypts the second random number using the first random number in the first authentication message,
and the first driver is further configured to: receive the second verification message, verify the signature by using a public key stored therein, decrypt the second verification message by using a first random number if the verification is successful, and acquire a second random number in the second verification message as a first key of key agreement if the decryption is successful.
17. The API protection device of claim 15 or 16, wherein the first verification message comprises a first time, and wherein the second verification unit is further configured to: when the difference value between the first time in the first verification message and the current second time is smaller than a first preset time, analyze the communication key from the first verification message by using a preset algorithm.
18. The API protection device of claim 16, wherein the first authentication message comprises a first time, and wherein the first driver is further configured to decrypt the second authentication message using a first random number when a difference between a third time of the timestamp loaded in the second authentication message and the first time is less than a second predetermined time, and obtain a second random number in the second authentication message as the first key for key agreement.
CN201610797722.3A 2016-08-31 2016-08-31 Application programming interface API protection method and protection device Active CN106372497B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610797722.3A CN106372497B (en) 2016-08-31 2016-08-31 Application programming interface API protection method and protection device

Publications (2)

Publication Number Publication Date
CN106372497A CN106372497A (en) 2017-02-01
CN106372497B true CN106372497B (en) 2020-01-03

Family

ID=57899110

Country Status (1)

Country Link
CN (1) CN106372497B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100094 510, 5th floor, building 5, East District, yard 10, northwest Wangdong Road, Haidian District, Beijing

Patentee after: Beijing Shendun Technology Co.,Ltd.

Address before: 100094 510, 5th floor, building 5, East District, yard 10, northwest Wangdong Road, Haidian District, Beijing

Patentee before: BEIJING SENSESHIELD TECHNOLOGY Co.,Ltd.
