CN107704731B - Cloud platform mirror image anti-piracy method based on HOTP - Google Patents
- Publication number
- CN107704731B (CN201710898660.XA)
- Authority
- CN
- China
- Prior art keywords
- count
- verification
- platform
- instance
- cloud platform
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/121—Restricting unauthorised execution of programs
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/1095—Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45562—Creating, deleting, cloning virtual machine instances
Abstract
The invention discloses a cloud platform image anti-piracy method based on HOTP, which comprises the following steps: creating an image through service software provided by a cloud platform, and hard-coding a platform vendor identifier and a symmetric encryption KEY in the image; a user creates an instance from the image on the cloud platform; generating a parameter VALUE and the verification URL of the final request; accessing a verification server through the verification URL; the verification server obtains the symmetric encryption KEY, looks up the MAC record corresponding to the symmetric encryption KEY, and performs verification; when the verification passes, the verification server records the relevant information, and a verification PIN code and a local PIN check code are generated; the verification PIN code is compared with the local PIN check code: if they are the same, the service starts and COUNT is changed to COUNT + 1 in the instance; if they differ, the service is not started. The invention effectively prevents virtual machine instance images deployed in a cloud environment from being arbitrarily copied and pirated, and improves intellectual property protection capability.
Description
Technical Field
The invention relates to the technical field, in particular to a cloud platform mirror image anti-piracy method based on HOTP.
Background
With the rapid development of the cloud computing industry, related cloud technologies and cloud applications are continuously emerging, and various cloud service products are rushing to the market. When cloud platform builders offer third-party cloud service products to enterprise cloud users, several characteristics of the cloud become apparent:
1. virtualization, with no hardware dependence;
2. isolated or private network environments, where online activation is not possible;
3. the third party cannot effectively count the use of its cloud service products.
How to protect the interests of the third party becomes a problem to be solved urgently.
In a cloud platform virtualization environment, an image is a data file containing a base operating system and third-party software. The cloud platform uses the image as the boot disk of a virtual machine; creating and running the virtual machine is the process of instantiating the image, and the running virtual machine is generally called an image instance. An image instance can be packaged as an image again, while the original image that has not been instantiated is generally referred to as the base image.
The common solution in this situation is to deploy a third-party verification server inside the cloud platform, but this approach does not solve the problem well:
1. a software verification server cannot effectively protect itself;
2. a hardware verification server is too costly to install and deploy, is difficult to connect in different cloud environments, and raises problems of maintenance, data recovery and the like.
An image is a pure-software binary data file, so in a cloud environment it is easily copied and difficult to control:
1. The base image is copied:
after the third-party software vendor delivers the base image to a cloud platform vendor, that cloud platform vendor can copy the base image to other cloud platform vendors for resale.
Third-party software vendors therefore generally add platform vendor information to the base image to tell copies apart, similar to watermarking a film, and otherwise rely mainly on mutual trust and legal constraints. However, many private cloud environments have no internet connectivity, so the platform vendor information cannot be checked.
2. Packaging into an image copy after instantiation:
after a feature license has been loaded, the image instance is packaged into an image again; creating instances from this new image bypasses, to a certain extent, the step of loading the feature license.
A third-party software vendor can apply some logic based on properties that differ between instances running on a cloud platform, such as recording an instance's MAC address (network MAC addresses are relatively unique within a platform environment) or recording the CPU type and memory size after instantiation. With all of these approaches, however, the platform vendor can fairly easily simulate an environment identical to the one in which the instance originally ran. The platform vendor may also require the software to treat cases such as capacity expansion and migration differently in its checks.
3. Traditional hardware protection is not supported:
cloud platform vendors generally do not allow third-party software vendors to place a trusted hardware server inside the cloud platform's internal environment, USB dongle protection is inconvenient to plug in and map, and hardware protection does not fit the concept of the cloud.
4. Network closure of the cloud:
a large number of private clouds and enterprise intranets have no internet access; even where public and private clouds do have an internet connection, strict network isolation and network rules apply. This also makes it difficult for software applications to connect directly to the verification server of a third-party software vendor.
Disclosure of Invention
The invention aims to provide a cloud platform image anti-piracy method based on HOTP, which effectively prevents virtual machine instance images deployed in a cloud environment from being arbitrarily copied, pirated and used, and improves intellectual property protection capability.
The invention is realized by the following technical scheme: a cloud platform image anti-piracy method based on HOTP specifically comprises the following steps:
step S1: creating an image through service software provided by a cloud platform, and hard-coding a platform vendor identifier and a symmetric encryption KEY in the image;
step S2: a user selects, on the cloud platform, an image provided to the cloud platform by an image provider, and creates an instance;
step S3: generating a parameter VALUE and the verification URL of the final request according to step S2;
step S4: accessing the verification server through the verification URL in a networked mode or an offline mode;
step S5: the verification server obtains the symmetric encryption KEY of step S1, looks up the MAC record corresponding to the symmetric encryption KEY, and performs verification;
step S6: when the verification in step S5 passes, the verification server records the relevant information, and a verification PIN code and a local PIN check code are generated;
step S7: comparing the verification PIN code generated in step S6 with the local PIN check code:
if the verification PIN code is the same as the local PIN check code: the service starts normally, and COUNT is changed to COUNT + 1 in the instance;
if the verification PIN code is different from the local PIN check code: the service is not started.
Further, in order to better implement the present invention, the step S1 specifically includes the following steps:
step S11: the cloud platform vendor creates the images; a platform vendor identifier and a symmetric encryption KEY are built into each image, the symmetric encryption KEY associated with each platform vendor identifier is different, and the counter COUNT built into the image is 0;
step S12: the image provider registers the platform vendor identifier corresponding to the image in the verification server, and establishes a one-to-one relationship between it and the symmetric encryption KEY.
Further, in order to better implement the present invention, step S2 specifically refers to:
creating an instance from an image on the cloud platform; the cloud platform passes the instance a MAC address for the network connection, and this MAC serves as the unique identifier MAC of the instance within the platform; at this point the instance does not provide software services, and the instance's COUNT is 0.
In the invention, a user selects, on the cloud platform, the image provided to the cloud platform by the image provider, and creates an instance. When the instance is created, the cloud platform automatically passes the MAC address for the network connection to the instance, and this MAC is used as the unique identifier of the instance within the platform; the instance does not yet provide software services, and the COUNT of the instance is 0.
Further, in order to better implement the present invention, step S3 specifically refers to:
step S31: the instance starts its service initialization process and, using the symmetric encryption KEY as the key, encrypts the instance unique identifier MAC and the counter COUNT value with a common standard symmetric encryption algorithm to generate an encrypted data segment;
step S32: the platform vendor identifier and the encrypted data segment are merged to generate the parameter VALUE;
step S33: the parameter VALUE, together with the domain name address of the verification server, forms the verification URL of the final request.
Further, in order to better implement the present invention, the step S4 includes:
accessing the verification server in networked mode, namely: when the instance has an internet connection and is in a networked state, the instance accesses the verification server through the verification URL address, where the URL contains the information used for verification;
accessing the verification server in offline mode, namely: when the instance is offline without an internet connection, the instance renders the verification URL as a QR code and displays it or offers it for download as a file; the QR code is scanned by a mobile phone connected to the internet, which indirectly accesses the verification server.
Further, in order to better implement the present invention, the step S5 specifically includes the following steps:
step S51: the verification server extracts the parameter VALUE from the verification URL and splits out the platform vendor identifier; it then searches the platform vendor identifiers registered in step S12:
if no corresponding platform vendor identifier exists, an error is returned;
if a valid platform vendor identifier is found, the symmetric encryption KEY is obtained through the one-to-one relationship between the platform vendor identifier and the symmetric encryption KEY established in step S12;
the encrypted data segment is symmetrically decrypted using the symmetric encryption KEY:
if the decryption fails, an error is returned;
if the decryption succeeds, the counter COUNT and the instance unique identifier MAC are obtained;
step S52: the verification server holds a platform vendor record table that stores MAC addresses and counter COUNT values; the record table corresponding to the platform vendor identifier is searched for a record matching the instance unique identifier MAC;
if the same MAC exists, continue to the next step;
if the same MAC does not exist, check whether the counter COUNT is 0: when COUNT equals 0, add the instance unique identifier MAC with COUNT 0 to the platform vendor MAC record table; when COUNT is not equal to 0, return a failure;
step S53: the COUNT stored in the record found in step S52 (the record in the table for the obtained platform vendor identifier that matches the instance unique identifier MAC) is taken as the record table COUNT; the COUNT obtained by parsing the verification URL is compared with the record table COUNT;
if the two are the same, continue to the next step;
if the COUNT equals the record table COUNT plus 1, update the platform vendor record table so that the record table COUNT is the same as the COUNT, and continue with the subsequent steps;
if the COUNT is not equal to the record table COUNT + 1, a failure is returned.
Further, in order to better implement the present invention, the step S6 specifically includes the following steps:
step S61: generating a 6-8 digit verification PIN code using the HOTP algorithm;
verification PIN code = HOTP(symmetric encryption KEY + instance unique identifier MAC, record table COUNT);
expanded representation: Truncate(HMAC-SHA-1(symmetric encryption KEY + instance unique identifier MAC, record table COUNT));
step S62: online, the verification PIN code is returned directly via the URL; offline, the content of the verification PIN code is displayed;
when the instance has an internet connection and is in a networked state, the instance accesses the verification server through the verification URL address, and the verification PIN code is returned directly to the instance in the HTTP response; URL access generally refers to interaction through a browser using the HTTP protocol.
When the instance is offline without an internet connection, the QR code is scanned with a mobile phone connected to the internet, which indirectly accesses the verification server through the verification URL; the verification PIN code is returned to the phone in the HTTP response, where the user can conveniently read the generated 6-8 digit verification PIN code; the 6-8 digit verification PIN code is then entered on the instance's page.
Further, in order to better implement the present invention, step S7 specifically refers to:
the instance obtains the verification PIN code returned by the verification server in step S62; within the instance, the local PIN check code is generated with the same HOTP function as in step S61, and the verification PIN code is compared with the local PIN check code;
local PIN check code = HOTP(symmetric encryption KEY + instance unique identifier MAC, COUNT);
if the verification PIN code is the same as the local PIN check code: the service starts normally, and the counter COUNT in the instance is updated to COUNT + 1;
if the verification PIN code is different from the local PIN check code: the service is not started.
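The server-side counter check (steps S52 and S53), the PIN derivation (S61) and the instance-side comparison (S7) can be sketched as follows. This is an added example, not code from the patent: it takes MAC and COUNT as already decrypted because the patent does not name the symmetric algorithm of steps S31/S51, and the class names, the byte-concatenation reading of "KEY + MAC", the MAC lower-casing, the 6-digit PIN length and all sample values are assumptions.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def pin_for(key: bytes, mac_addr: str, count: int) -> str:
    # Assumption: "KEY + MAC" means byte concatenation; the MAC is lower-cased
    # so that instance and server derive the same HOTP secret.
    return hotp(key + mac_addr.lower().encode(), count)


class VerificationServer:
    """Hypothetical model of the verification server's per-vendor state."""

    def __init__(self):
        self.keys = {}     # platform vendor identifier -> KEY (step S12)
        self.records = {}  # platform vendor identifier -> {MAC: COUNT}

    def register_vendor(self, vendor_id, key):
        self.keys[vendor_id] = key
        self.records[vendor_id] = {}

    def verify(self, vendor_id, mac_addr, count):
        """Return the verification PIN, or None when verification fails."""
        key = self.keys.get(vendor_id)
        if key is None:
            return None                  # S51: unknown vendor identifier
        table = self.records[vendor_id]
        mac_addr = mac_addr.lower()
        if mac_addr not in table:
            if count != 0:
                return None              # S52: new MAC must start at COUNT 0
            table[mac_addr] = 0
        recorded = table[mac_addr]
        if count == recorded + 1:
            table[mac_addr] = recorded = count  # S53: advance the record
        elif count != recorded:
            return None                  # S53: neither equal nor +1
        return pin_for(key, mac_addr, recorded)  # S61


class Instance:
    """Hypothetical model of an image instance holding KEY, MAC and COUNT."""

    def __init__(self, vendor_id, key, mac_addr, count=0):
        self.vendor_id, self.key = vendor_id, key
        self.mac_addr, self.count = mac_addr, count

    def start_service(self, server) -> bool:
        pin = server.verify(self.vendor_id, self.mac_addr, self.count)
        if pin is None:
            return False
        local = pin_for(self.key, self.mac_addr, self.count)  # S7
        if not hmac.compare_digest(pin, local):  # constant-time comparison
            return False
        self.count += 1                  # S7: COUNT becomes COUNT + 1
        return True


def demo():
    key = b"constructed-sample-key"      # constructed value, not from the page
    server = VerificationServer()
    server.register_vendor("vendor-a", key)
    inst = Instance("vendor-a", key, "00:2d:00:00:12:03")
    out = {"first_boot": inst.start_service(server),
           "second_boot": inst.start_service(server)}
    # Instance repackaged as an image and started on another MAC: COUNT is 2.
    clone = Instance("vendor-a", key, "00:2d:00:00:99:01", count=inst.count)
    out["clone"] = clone.start_service(server)
    # Old snapshot of the same instance restored with COUNT rolled back to 0.
    stale = Instance("vendor-a", key, "00:2d:00:00:12:03", count=0)
    out["rollback"] = stale.start_service(server)
    out["unknown_vendor"] = Instance("vendor-x", key, "00:2d:00:00:12:03").start_service(server)
    # A request repeating the recorded COUNT gets the same PIN again.
    out["retry_same_count"] = (server.verify("vendor-a", "00:2D:00:00:12:03", 1)
                               == pin_for(key, "00:2d:00:00:12:03", 1))
    out["table"] = dict(server.records["vendor-a"])
    return out


if __name__ == "__main__":
    print(demo())
```

The rejected clone leaves no row in the record table, so only a fresh instance with COUNT 0 can register a new MAC.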
Compared with the prior art, the invention has the following advantages and beneficial effects:
(1) the method and the system effectively prevent the virtual machine instance mirror image deployed in the cloud environment from being copied and pirated randomly;
(2) the invention effectively improves the intellectual property protection capability.
Drawings
FIG. 1 is a schematic flow chart of the present invention;
FIG. 2 is a flowchart illustrating the operation of step S11 according to the present invention;
FIG. 3 is a flowchart of the operation of step S2 in the present invention;
FIG. 4 is a flowchart of the operation of step S3 in the present invention;
FIG. 5 is a flowchart of the operation of step S4 in the present invention;
FIG. 6 is a flowchart illustrating the operation of step S51 according to the present invention;
FIG. 7 is a flowchart illustrating the operation of step S52 according to the present invention;
FIG. 8 is a flowchart illustrating the operation of step S53 according to the present invention;
FIG. 9 is a flowchart of the operation of step S62 in the present invention.
Detailed Description
Reference will now be made in detail to the embodiments of the present invention, wherein the terms "mounted," "connected," "secured," and the like are used broadly and encompass, unless otherwise explicitly stated or limited, devices that can be, for example, fixedly connected, detachably connected, or integrally connected; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood by those skilled in the art according to specific situations.
The present invention will be described in further detail with reference to examples, but the embodiments of the present invention are not limited thereto.
Example 1:
The invention is realized by the following technical scheme. As shown in FIGS. 1-9, a cloud platform image anti-piracy method based on HOTP specifically comprises the following steps:
step S1: creating an image through service software provided by a cloud platform, and hard-coding a platform vendor identifier and a symmetric encryption KEY in the image;
step S2: a user selects, on the cloud platform, an image provided to the cloud platform by an image provider, and creates an instance;
step S3: generating a parameter VALUE and the verification URL of the final request according to step S2;
step S4: accessing the verification server through the verification URL in a networked mode or an offline mode;
step S5: the verification server obtains the symmetric encryption KEY of step S1, looks up the MAC record corresponding to the symmetric encryption KEY, and performs verification;
step S6: when the verification in step S5 passes, the verification server records the relevant information, and a verification PIN code and a local PIN check code are generated;
step S7: comparing the verification PIN code generated in step S6 with the local PIN check code:
if the verification PIN code is the same as the local PIN check code: the service starts normally, and COUNT is changed to COUNT + 1 in the instance;
if the verification PIN code is different from the local PIN check code: the service is not started.
Other parts of this embodiment are the same as those of the above embodiment, and thus are not described again.
Example 2:
This embodiment is further optimized based on the above embodiment. As shown in FIG. 7, step S52 specifically refers to: inside the verification server, the platform vendor record table is a two-dimensional table that stores MAC addresses and counter COUNT values, in the form:
Id  identify           count
0   00:2d:00:00:12:03  5
1   00:2D:00:00:13:01  0
2   00:2d:00:00:14:02  3
the record table corresponding to the platform vendor identifier is searched for a record matching the instance unique identifier MAC;
if the same MAC exists, continue to the next step;
if the same MAC does not exist, check whether the counter COUNT is 0: when COUNT equals 0, add the instance unique identifier MAC with COUNT 0 to the platform vendor MAC record table; when COUNT is not equal to 0, return a failure.
Other parts of this embodiment are the same as those of the above embodiment, and thus are not described again.
Example 3:
This embodiment is further optimized based on the above embodiment. As shown in FIG. 1, in step S61 the verification PIN code = HOTP(symmetric encryption KEY + instance unique identifier MAC, record table COUNT);
expanded representation: Truncate(HMAC-SHA-1(symmetric encryption KEY + instance unique identifier MAC, record table COUNT)).
Other parts of this embodiment are the same as those of the above embodiment, and thus are not described again.
Example 4:
This embodiment is further optimized based on the above embodiment. As shown in FIG. 1, step S7 specifically refers to:
within the instance, the local PIN check code is generated with the same HOTP function as in step S61: local PIN check code = HOTP(symmetric encryption KEY + instance unique identifier MAC, COUNT).
Other parts of this embodiment are the same as those of the above embodiment, and thus are not described again.
Example 5:
as shown in fig. 1-9, 1. a cloud platform image anti-piracy method based on HOTP is characterized in that: the method specifically comprises the following steps:
step S1: making a mirror image through service software provided by a cloud platform, and hard coding a platform trademark identification and a symmetric encryption KEY in the mirror image; the method specifically comprises the following steps:
step S11: the cloud platform manufacturer makes mirror images, platform trademark identifications and symmetric encryption KEY are arranged in the mirror images, the symmetric encryption KEY associated with each platform trademark identification are different, and the COUNT of the mirror image built-in COUNT is 0;
step S12: the mirror image provider registers the platform trademark identification corresponding to the mirror image in the verification server, and establishes a one-to-one relationship with the symmetric encryption KEY.
Step S2: a user selects a mirror image provided by a mirror image provider to the cloud platform on the cloud platform, and an example is created; the method specifically comprises the following steps:
a user selects an image provided by an image provider to the cloud platform on the cloud platform, and an example is created. When the instance is created, the cloud platform automatically transmits the MAC address for network connection to the instance, the MAC is used as the unique identity of the instance in the platform, the instance does not provide software service, and the COUNT of the instance is 0.
Step S3: generating a parameter VALUE and a verification URL of the final request according to step S2; the method specifically comprises the following steps:
step S31: the method comprises the steps that an instance starts a service initialization process, and an instance unique identifier MAC and a COUNT COUNT value are encrypted through a common standard symmetric encryption algorithm by using a symmetric encryption KEY as a KEY to generate an encrypted data segment;
step S32: merging the platform trademark identification and the encrypted data segment to generate a parameter VALUE;
step S33: the parameter VALUE, along with the domain name address of the authentication server, generates the authentication URL of the final request.
Step S4: a verification URL to access the verification server in a networked mode or an offline mode; the step S4 includes:
accessing the authentication server in a networked mode, namely: when the instance is connected with the Internet and is in a networking state, the instance accesses a verification server through a verification URL address, wherein the URL contains verification use information;
accessing the authentication server in the offline mode, namely: when the instance is in an off-line state without internet connection, the instance generates the two-dimensional code by the verification URL and displays or supports downloading as a file, and the two-dimensional code is scanned by a mobile phone connected with the internet to indirectly access the verification server.
Step S5: the authentication server receives the symmetric encryption KEY in step S1, searches for the MAC record corresponding to the symmetric encryption KEY, and performs authentication; the method specifically comprises the following steps:
step S51: the verification server takes out the parameter VALUE in the verification URL and splits the platform quotient identifier in the parameter VALUE; the platform identification that has been registered at step S12 is searched for:
if the corresponding platform logo does not exist, returning an error;
if a valid platform quotient identifier is found, acquiring a symmetric encryption KEY through the one-to-one relationship between the platform quotient identifier and the symmetric encryption KEY in the step S12;
symmetrically decrypting the encrypted data segment using the symmetric encryption KEY:
if the decryption fails, returning an error;
if the decryption is successful, acquiring a COUNT COUNT and an instance unique identifier MAC;
step S52: inside the authentication server, the platform quotient record table is a two-dimensional structure table, which stores MAC addresses and COUNT COUNTs, and is in the form of:
Id identify count
0 00:2d:00:00:12:03 5
1 00:2D:00:00:13:01 0
2 00:2d:00:00:14:02 3
searching whether a record consistent with the example unique identifier MAC exists or not through a platform merchant record table corresponding to the platform merchant identifier;
if the same MAC exists, continuing the next step;
if the same MAC does not exist, then check if the COUNT COUNT is 0: adding the instance unique identifier MAC and the COUNT COUNT 0 to a platform quotient MAC record table when the COUNT COUNT is equal to 0; when the COUNT is not equal to 0, returning a failure;
step S53: setting the COUN COUNT in the record table corresponding to the obtained platform quotient identifier and consistent with the example unique identifier MAC as the COUNT COUNT of the record table through the step S52; comparing the COUNT COUNT obtained after the URL is verified and analyzed with the COUNT COUNT in the record table;
if the two are the same, continuing the next step;
if the COUNT is equal to the COUNT of the record table COUNT plus 1, updating the platform business record table to ensure that the COUNT of the record table COUNT is the same as the COUNT of the record table COUNT, and continuing the subsequent steps;
if the COUNT is not equal to the record table COUNT +1, a failure is returned.
Step S6: when the verification is passed in the step S5, the verification server records the relevant information, and generates a verification PIN code and a local PIN check code; the method specifically comprises the following steps:
step S61: generating a 6-8 bit verification PIN code by using an HOTP algorithm;
the verification PIN code = HOTP (symmetric encryption KEY + instance unique identifier MAC, record table COUNT COUNT);
expanded representation: truncate (HMAC-SHA-1 (symmetric encryption KEY + instance unique identification MAC, record table COUNT COUNT)).
Step S62: returning by directly using the URL on line, and displaying the content of the verification PIN code off line;
when the instance is connected with the Internet and is in a networking state, the instance accesses the verification server through the verification URL address, and directly returns a verification PIN code to the instance through HTTP protocol response;
when the instance is in an off-line state without internet connection, the cloud platform scans the two-dimensional code through the mobile phone connected with the internet, indirectly accesses the verification server through the verification URL, returns the verification PIN code to the mobile phone through HTTP response, and the user can conveniently read and generate the 6-8 verification PIN code; the 6-8 bit verification PIN code is entered on the page of the example.
Step S7: comparing the verification PIN code generated in step S6 with the local PIN check code:
if the verification PIN code is the same as the local PIN check code: the service is started normally, and the COUNT in the instance is changed to COUNT + 1;
if the verification PIN code is different from the local PIN check code: the service is not started.
The step S7 specifically includes:
the instance acquires the verification PIN code returned by the verification server in step S62; the instance generates the local PIN check code using the same HOTP function as in step S61, and compares the verification PIN code with the local PIN check code;
if the verification PIN code is the same as the local PIN check code: the service is started normally, and the COUNT in the instance is updated to COUNT + 1;
if the verification PIN code is different from the local PIN check code: the service is not started.
Through this improvement, the problem that virtual machine instance images deployed in a cloud environment are arbitrarily copied and pirated is effectively solved, and the intellectual property protection capability is improved.
Other parts of this embodiment are the same as those of the above embodiment, and thus are not described again.
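The server-side counter check of steps S52 and S53, the PIN generation of step S61 and the instance-side comparison of step S7, as an added Python example that is not part of the patent text. It assumes that "+" in the HOTP key means byte concatenation, that the PIN has 6 digits and that the counter is encoded as in RFC 4226; it omits the symmetric encryption of VALUE, and the key and MAC values are constructed.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA-1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class VerificationServer:
    """Steps S52, S53 and S61 for one platform provider (VALUE decryption omitted)."""

    def __init__(self, key: bytes):
        self.key = key
        self.records = {}  # record table: instance MAC -> record-table COUNT

    def verify(self, mac: str, count: int):
        """Return the verification PIN code, or None when verification fails."""
        if mac not in self.records:
            if count != 0:            # S52: an unknown MAC must start at COUNT 0
                return None
            self.records[mac] = 0
        recorded = self.records[mac]
        if count == recorded + 1:     # S53: instance advanced after its last success
            self.records[mac] = count
        elif count != recorded:       # S53: any other difference is a failure
            return None
        # S61: PIN = HOTP(KEY + MAC, record-table COUNT); "+" assumed to be concatenation
        return hotp(self.key + mac.encode(), self.records[mac])


class Instance:
    """Instance side of step S7."""

    def __init__(self, key: bytes, mac: str, count: int = 0):
        self.key, self.mac, self.count = key, mac, count

    def start_service(self, server: VerificationServer) -> bool:
        pin = server.verify(self.mac, self.count)
        if pin is None:
            return False
        local = hotp(self.key + self.mac.encode(), self.count)
        if not hmac.compare_digest(pin, local):
            return False
        self.count += 1               # S7: COUNT becomes COUNT + 1 on success
        return True


def demo():
    key = b"constructed-demo-key"     # constructed sample values
    server = VerificationServer(key)
    original = Instance(key, "52:54:00:12:34:56")
    first_five = [original.start_service(server) for _ in range(5)]
    # Image of the instance taken now: same MAC, COUNT 5 baked in.
    clone = Instance(key, original.mac, original.count)
    later = [original.start_service(server) for _ in range(5)]
    stale_clone = clone.start_service(server)
    # Same image booted under a new MAC: unknown MAC with a non-zero COUNT.
    moved_clone = Instance(key, "52:54:00:ab:cd:ef", 5).start_service(server)
    return first_five, later, stale_clone, moved_clone, server.records[original.mac]


if __name__ == "__main__":
    print(demo())
```

Once the original instance has kept running, a copy carrying the older COUNT is rejected in step S53, and a copy started under a new MAC is rejected in step S52 because its COUNT is not 0.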
Example 6:
Software vendor XX issues the base image bastion host V1.0 to cloud platform provider A; the internal management of company A leads to leakage of the base image, and cloud platform provider B uses the base image without authorization from XX.
XX and cloud platform provider A sign a management agreement that authorizes the right to use a total of only 500 instances per year.
After a user of cloud platform provider B creates an instance from the base image, the instance must pass verification through the HOTP method to start the service, and in doing so transmits the 3 key elements, which carry the information of cloud platform provider A. XX's verification server records a new instance, and the number of instance authorizations available to cloud platform provider A is reduced by 1.
After several months, cloud platform provider B has used 200 authorizations and cloud platform provider A has used 300 authorizations; cloud platform provider A receives feedback that new instances cannot be created, and on communicating with XX discovers the leakage problem. XX distinguishes among the 500 authorized instance signatures and stops service activation for the instances of the unknown company B. XX does not issue an image with a new platform provider identifier to cloud platform provider A, and does not extend the usage authorization for the image with the original platform provider identifier.
Cloud platform provider A also realizes that the base image needs to be strictly managed, and that leakage of the image can affect the platform's own users.
To find the source of the leak, XX and cloud platform provider A redirect the HOTP verification requests identified as not originating from company A to an information collection page, collect information and evidence about platform provider B, and warn users so as to protect them from continuing to use platform B.
Other parts of this embodiment are the same as those of the above embodiment, and thus are not described again.
Example 7:
Software vendor XX issues the base image bastion host V1.0 to cloud platform provider B. In order to profit illegally, cloud platform provider B creates an instance, activates the function license, and then makes a new image from that instance. By completely replicating the operating state of the instance, it bypasses the process in which the platform user activates the function license within the instance, while still charging the platform user a license fee. Without the HOTP method, software vendor XX cannot learn of this behavior that harms its interests, especially if the network is completely isolated.
With the HOTP method added, different users on the platform separately create instance X and instance Y; the initial states of the 2 instances are both based on the re-made image and are identical. Instance X and instance Y have the same initial COUNT, e.g., both COUNT 5, and both can activate the service within the instance via HOTP the first time.
The user of instance X starts and stops the instance multiple times, so the COUNT of instance X and of the verification server both change to, for example, COUNT 10, while the user of instance Y has not shut the instance down, so its COUNT is still COUNT 5; when the user of instance Y next shuts down the instance and starts the service again, instance Y's COUNT 5 fails the check against the verification server's COUNT 10. That is, as usage continues, the divergence becomes progressively larger, while the verification server retains the final running state of the instance.
When a new user on the platform creates instance Z, it is created with COUNT 5, still in the original state, and is likewise unusable.
(The HOTP method also resolves this case and similar situations: some cloud platform providers allow users to make and export their own images, and users export self-made images of instances to other environments for continued use.)
Other parts of this embodiment are the same as those of the above embodiment, and thus are not described again.
Example 5:
Software vendor XX issues the base image bastion host V1.0 to cloud platform provider C, the image containing a default license (for the convenience of user usage and platform billing, the user does not need to import a function license again).
When cloud platform provider C settles fees with software vendor XX, cloud platform provider C under-reports the actual sales volume. Without the HOTP method, software vendor XX cannot learn of this behavior that harms its interests, especially if the network is completely isolated.
With the HOTP method in use, software vendor XX can gauge the platform's sales from the number and times of activations attributed to cloud platform provider C, which provides a basis for fee settlement and a credible basis for cooperation.
Other parts of this embodiment are the same as those of the above embodiment, and thus are not described again.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the present invention in any way, and all simple modifications and equivalent variations of the above embodiments according to the technical spirit of the present invention are included in the scope of the present invention.
Claims (8)
1. A HOTP-based cloud platform image anti-piracy method, characterized in that the method specifically comprises the following steps:
step S1: making an image through service software provided by a cloud platform, and hard-coding a platform provider identifier and a symmetric encryption KEY in the image;
step S2: a user selects, on the cloud platform, an image provided to the cloud platform by an image provider, and an instance is created;
step S3: generating a parameter VALUE and a verification URL of the final request according to step S2;
step S4: accessing the verification server through the verification URL in a networked mode or an offline mode;
step S5: the verification server receives the symmetric encryption KEY in step S1, searches for the MAC record corresponding to the symmetric encryption KEY, and performs verification;
step S6: when the verification is passed in the step S5, the verification server records the relevant information, and generates a verification PIN code and a local PIN check code;
step S7: comparing the verification PIN code generated in step S6 with the local PIN check code:
if the verification PIN code is the same as the local PIN check code: the service is started normally, and the COUNT in the instance is changed to COUNT + 1;
if the verification PIN code is different from the local PIN check code: the service is not started.
2. The HOTP-based cloud platform image piracy prevention method of claim 1, wherein: the step S1 specifically includes the following steps:
step S11: the cloud platform manufacturer makes the image; a platform provider identifier and a symmetric encryption KEY are built into the image; the symmetric encryption KEY associated with each platform provider identifier is different; and the counter COUNT built into the image is 0;
step S12: the image provider registers the platform provider identifier corresponding to the image in the verification server, and establishes a one-to-one relationship with the symmetric encryption KEY.
3. The HOTP-based cloud platform image piracy prevention method of claim 1, wherein: the step S2 specifically includes:
a user selects, on the cloud platform, an image provided to the cloud platform by an image provider, and an instance is created; when the instance is created, the cloud platform automatically passes the MAC address used for network connection to the instance, the MAC is used as the unique identifier of the instance in the platform, the instance does not provide software service, and the COUNT of the instance is 0.
4. The HOTP-based cloud platform image piracy prevention method of claim 3, wherein: the step S3 specifically includes:
step S31: the instance starts a service initialization process, and encrypts the instance unique identifier MAC and the counter COUNT value with a common standard symmetric encryption algorithm, using the symmetric encryption KEY as the key, to generate an encrypted data segment;
step S32: merging the platform provider identifier and the encrypted data segment to generate a parameter VALUE;
step S33: the parameter VALUE, together with the domain name address of the verification server, forms the verification URL of the final request.
5. The HOTP-based cloud platform image piracy prevention method of claim 4, wherein: the step S4 includes:
accessing the verification server in the networked mode, namely: when the instance is connected to the Internet and is in a networked state, the instance accesses the verification server through the verification URL address, the URL containing the information used for verification;
accessing the verification server in the offline mode, namely: when the instance is in an offline state without an Internet connection, the instance generates a two-dimensional code from the verification URL and displays it or makes it available for download as a file, and the two-dimensional code is scanned by a mobile phone connected to the Internet to access the verification server indirectly.
6. The HOTP-based cloud platform image piracy prevention method of claim 5, wherein: the step S5 specifically includes the following steps:
step S51: the verification server extracts the parameter VALUE from the verification URL and splits the platform provider identifier out of the parameter VALUE; the platform provider identifiers registered in step S12 are searched:
if the corresponding platform provider identifier does not exist, returning an error;
if a valid platform provider identifier is found, acquiring the symmetric encryption KEY through the one-to-one relationship between the platform provider identifier and the symmetric encryption KEY established in step S12;
symmetrically decrypting the encrypted data segment using the symmetric encryption KEY:
if the decryption fails, returning an error;
if the decryption is successful, acquiring the counter COUNT and the instance unique identifier MAC;
step S52: a platform provider record table for storing MAC addresses and counter COUNT values is provided in the verification server; searching the platform provider record table corresponding to the platform provider identifier for a record matching the instance unique identifier MAC;
if the same MAC exists, continuing to the next step;
if the same MAC does not exist, checking whether the COUNT is 0: when the COUNT is equal to 0, adding the instance unique identifier MAC and the COUNT 0 to the platform provider MAC record table; when the COUNT is not equal to 0, returning a failure;
step S53: taking the counter COUNT stored in the record table of the obtained platform provider identifier, in the record found in step S52 that matches the instance unique identifier MAC, as the record-table COUNT; comparing the COUNT parsed from the verification URL with the record-table COUNT;
if the two are the same, continuing to the next step;
if the COUNT is equal to the record-table COUNT plus 1, updating the platform provider record table so that the record-table COUNT is the same as the COUNT, and continuing with the subsequent steps;
if the COUNT is not equal to the record-table COUNT + 1, a failure is returned.
7. The HOTP-based cloud platform image piracy prevention method of claim 6, wherein: the step S6 specifically includes the following steps:
step S61: generating a 6-8 digit verification PIN code by using the HOTP algorithm;
step S62: online, the verification PIN code is returned directly in response to the URL request; offline, the content of the verification PIN code is displayed;
when the instance is connected to the Internet and is in a networked state, the instance accesses the verification server through the verification URL address, and the verification PIN code is returned directly to the instance in the HTTP response;
when the instance is in an offline state without an Internet connection, the two-dimensional code is scanned with a mobile phone connected to the Internet, the verification server is accessed indirectly through the verification URL, and the verification PIN code is returned to the mobile phone in the HTTP response, so that the user can conveniently read the generated 6-8 digit verification PIN code; the 6-8 digit verification PIN code is then entered on the page of the instance.
8. The HOTP-based cloud platform image piracy prevention method of claim 7, wherein: step S7 specifically includes:
the instance acquires the verification PIN code returned by the verification server in step S62; the instance generates the local PIN check code using the same HOTP function as in step S61, and compares the verification PIN code with the local PIN check code;
if the verification PIN code is the same as the local PIN check code: the service is started normally, and the COUNT in the instance is updated to COUNT + 1;
if the verification PIN code is different from the local PIN check code: the service is not started.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710898660.XA CN107704731B (en) | 2017-09-28 | 2017-09-28 | Cloud platform mirror image anti-piracy method based on HOTP |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107704731A (en) | 2018-02-16 |
CN107704731B (en) | 2021-03-09 |
Family
ID=61175906
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710898660.XA Active CN107704731B (en) | 2017-09-28 | 2017-09-28 | Cloud platform mirror image anti-piracy method based on HOTP |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107704731B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |