An application authentication system and authentication method
Technical field
The present invention relates to application authentication, and in particular to an application authentication system and authentication method.
Background technique
COS stands for Chip Operating System. With the appearance of smart cards and security chips that contain a microprocessor, the complex work of having the card manage itself became feasible. The appearance of COS not only greatly improved the interaction between card and reader and made use safer, it also moved the smart card itself a major step toward the personal computer. The main functions of COS are to control the exchange of information between the smart card and the outside world, to manage the memory in the card, and to process the various commands inside the card.
A card loaded with a COS developed in a native language such as assembly or C is called a Native card. In a Native card, the COS platform and the applications are generally not developed separately: the same manufacturer develops both the COS platform and the applications. A card loaded with the JavaCard platform is called a Java card. The Java card is the product of combining Java technology with smart card technology and is a new kind of smart card system. It brings the object orientation, cross-platform nature and high security of the Java language to the smart card. The Java card introduces a unified standard application programming interface (API), which separates Java card platform development from application development.
The Java card API is one of the important components of the Java card runtime environment. It provides a unified set of programming interfaces for application development, including I/O, exception management and security management interfaces, so that application development and platform development can be completely separated. An application on a Java card can be programmed and debugged against the standard API to produce a downloadable file (CAP file). After the card has been issued, application management operations such as download, installation and deletion can still be performed.
Once application development is separated from platform development, any application developed against the standard API can be loaded onto another vendor's Java card platform that provides the same API version. In a business partnership, an application developer's application can therefore be provided to another platform developer and issued on that developer's platform, so that the two develop a product jointly. In this process, the application developer hands the generated downloadable application program (CAP file) to the platform developer. The application program is then at risk of being stolen, or of being used in projects or a number of times beyond what the commercial contract stipulates. After the project cooperation has ended, the platform developer can also continue to issue the application program, which is a considerable risk for the application provider. A method is therefore needed to protect the use of the application program.
Summary of the invention
In the existing cooperative development model for Java cards, the application developer's downloadable file (CAP file) may need to be provided to the platform developer for issuance. During issuance, the CAP file may be used arbitrarily, or used more times than the contract stipulates. During transfer, the CAP file may also be lost or stolen. As a result, the application's CAP file does not receive effective security protection.
The present invention uses technical means to prevent the above, so as to guarantee the security of the scope of use and the controllability of the number of uses of the application program (CAP file) provided by the application developer, and so that other people unrelated to the project cannot use the application program arbitrarily after obtaining it.
The present invention provides an application authentication module, comprising:
a first true random number generation module, for generating a first true random number;
a first authentication key generation module, for generating a first authentication key from the first true random number and a second true random number obtained from the authentication terminal;
an identification submodule, for comparing whether the first authentication key is consistent with a second authentication key obtained from the authentication terminal; if they are consistent, the functions of the application program are allowed to be called by external equipment; otherwise they are not allowed to be called.
The first authentication key generation module comprises:
a first process key generation submodule, for generating a first process key from the fixed key stored in the application authentication module and the second true random number obtained from the authentication terminal;
a first authentication key generation submodule, for generating the first authentication key from the first true random number and the first process key.
The application authentication module further comprises a storage module for storing the fixed key.
The present invention provides an authentication terminal, comprising:
a second true random number generation module, for generating a second true random number;
an authentication count identification module, for obtaining the first true random number from the application authentication module and comparing the number of times the application program has been used with a preset upper limit; if the number of uses, after being incremented by 1, does not exceed the preset upper limit, the second authentication key is generated by the second authentication key generation module; otherwise the first true random number is returned to the application authentication module;
a second authentication key generation module, for generating the second authentication key from the first true random number and the second true random number.
The second authentication key generation module comprises:
a second process key generation submodule, for generating a second process key from the fixed key stored in the authentication terminal and the second true random number;
a second authentication key generation submodule, for generating the second authentication key from the first true random number and the second process key.
The authentication terminal further comprises:
a storage module, for storing the number of times the application program has been used, the preset upper limit, and the fixed key.
The present invention provides an application authentication system, comprising the application authentication module and the authentication terminal described above.
The present invention provides an application authentication method, comprising:
The application authentication module sends the first true random number it has generated to the authentication terminal;
The authentication terminal compares the number of times the application program has been used with the preset upper limit; if the number of uses, after being incremented by 1, is less than the preset upper limit, the authentication terminal generates a second authentication key from the first true random number and a second true random number generated by the authentication terminal, and sends it to the application authentication module; otherwise it returns the first true random number to the application authentication module;
The application authentication module generates a first authentication key from the first true random number and the second true random number in the second authentication key obtained from the authentication terminal, and compares whether the first authentication key and the second authentication key are consistent; if they are consistent, the functions of the application program are allowed to be called by external equipment; otherwise they are not allowed to be called.
The authentication terminal generating the second authentication key from the first true random number and the second true random number generated by the authentication terminal comprises:
The authentication terminal generates the second true random number;
The authentication terminal encrypts the fixed key it stores and the second true random number to generate the second process key;
The authentication terminal encrypts the first true random number and the second process key to generate the second authentication key.
The application authentication module generating the first authentication key from the first true random number and the second true random number in the second authentication key obtained from the authentication terminal comprises:
The application authentication module encrypts the fixed key it stores and the second true random number in the second authentication key obtained from the authentication terminal to generate the first process key;
The application authentication module encrypts the first true random number and the first process key to generate the first authentication key.
The encryption algorithm that generates the first process key is the same as the encryption algorithm that generates the second process key; the encryption algorithm that generates the first authentication key is the same as the encryption algorithm that generates the second authentication key.
The present invention provides an application authentication module, comprising:
a first true random number generation module, for generating a first true random number;
a first authentication key verification module, for verifying the consistency of the first true random number and the second true random number produced by decrypting the second authentication key obtained from the authentication terminal with the first true random number generated by the first true random number generation module and the second true random number obtained from the authentication terminal; if they are consistent, the functions of the application program are allowed to be called by external equipment; otherwise they are not allowed to be called.
The first authentication key verification module comprises:
a first authentication key verification submodule, for decrypting the second authentication key obtained from the authentication terminal to generate the second process key and the first true random number, and verifying the consistency of this first true random number with the first random number generated by the first true random number generation module;
a first process key verification submodule, for decrypting the second process key produced by decrypting the second authentication key to generate the second random number, and verifying the consistency of this second true random number with the second true random number obtained from the authentication terminal;
an execution submodule: if the consistency verifications by the first authentication key verification submodule and the first process key verification submodule both pass, the functions of the application program are allowed to be called by external equipment; otherwise they are not allowed to be called.
The present invention provides an authentication system, comprising the above application authentication module and an authentication terminal.
The present invention provides an authentication method, comprising:
The application authentication module sends the first true random number it has generated to the authentication terminal;
The authentication terminal compares the number of times the application program has been used with the preset upper limit; if the number of uses, after being incremented by 1, is less than the preset upper limit, the authentication terminal generates a second authentication key from the first true random number and a second true random number generated by the authentication terminal, and sends it to the application authentication module; otherwise it returns the first true random number to the application authentication module;
The application authentication module verifies the consistency of the first true random number and the second true random number produced by decrypting the second authentication key obtained from the authentication terminal with the first true random number generated by the first true random number generation module and the second true random number obtained from the authentication terminal; if they are consistent, the functions of the application program are allowed to be called by external equipment; otherwise they are not allowed to be called.
Compared with the closest prior art, the technical solution provided by the invention has the following advantages:
In the technical solution provided by the invention, the application authentication terminal uses the authentication count identification submodule to check the authentication count, which guarantees the controllability of the number of uses of the application program, and generating the authentication key with an encryption algorithm guarantees the security of the application program's scope of use;
In the technical solution provided by the invention, the application authentication module generates the authentication key from the true random numbers and the process key with an encryption algorithm, which guarantees the security of the application program's scope of use and ensures that unrelated persons cannot use the application program arbitrarily after obtaining it;
In the technical solution provided by the invention, the application authentication system checks the authentication count with the authentication count identification submodule, which guarantees the controllability of the number of uses of the application program, and generates the authentication key with an encryption algorithm and verifies that key, which guarantees the security of the application program's scope of use;
In the technical solution provided by the invention, the application authentication method first checks the authentication count, which guarantees the controllability of the number of uses of the application program and avoids use beyond the number of times stipulated in the contract; verifying the authentication key avoids the case in which the application program is stolen and guarantees the security of the application program's scope of use.
Description of the drawings
Fig. 1 is a structural schematic diagram of an application authentication module in an embodiment of the present invention;
Fig. 2 is a structural schematic diagram of an authentication terminal in an embodiment of the present invention;
Fig. 3 is a structural schematic diagram of an application authentication system in an embodiment of the present invention;
Fig. 4 is a flowchart of an application authentication method in an embodiment of the present invention.
Specific embodiment
The present invention is described in further detail below with reference to the accompanying drawings:
In the existing cooperative development model for smart chips, the application developer's downloadable application program may need to be provided to the platform developer for issuance. During issuance, the application program may be used arbitrarily, or used more times than the contract stipulates. During transfer, the application program may also be lost or stolen, so that the application program does not receive effective security protection.
Embodiment one
To remedy the defect in the prior art that an application program can be used arbitrarily once it has been downloaded and installed, the present invention provides an application authentication module. Its structure is shown in Fig. 1 and comprises:
a first true random number generation module, for generating a first true random number, which serves as an input parameter for generating the authentication key;
a first authentication key generation module, for generating a first authentication key from the first true random number and a second true random number obtained from the authentication terminal;
an identification submodule, for comparing whether the first authentication key is consistent with a second authentication key obtained from the authentication terminal; if they are consistent, the functions of the application program are allowed to be called by external equipment; otherwise they are not allowed to be called.
Optionally, the first authentication key generation module may further comprise:
a first process key generation submodule, for generating a first process key from the fixed key stored in the application authentication module and the second true random number obtained from the authentication terminal; this process key serves as the key with which the authentication key is generated;
a first authentication key generation submodule, for generating the first authentication key from the first true random number and the first process key. The algorithm that generates the authentication key may be a symmetric algorithm or an asymmetric algorithm.
The present invention also provides an authentication terminal. The authentication terminal records the upper limit on the number of times the application program (CAP file) can be used; once the CAP file has been authenticated more times than this upper limit, it can no longer be authenticated. Depending on its packaging form, the authentication terminal may be a smart card, a module, a USB KEY or the like. Its structure is shown in Fig. 2 and comprises:
a second true random number generation module, for generating a second true random number;
an authentication count identification module, for obtaining the first true random number from the application authentication module and comparing the number of times the application program has been used with the preset upper limit; if the number of uses, after being incremented by 1, does not exceed the preset upper limit, the second authentication key is generated by the second authentication key generation module; otherwise the first true random number is returned to the application authentication module;
a second authentication key generation module, for generating the second authentication key from the first true random number and the second true random number.
The authentication terminal further comprises:
a storage module, for storing the number of times the application program has been used, the preset upper limit, and the fixed key.
The second authentication key generation module comprises:
a second process key generation submodule, for generating a second process key from the fixed key stored in the authentication terminal and the second true random number;
a second authentication key generation submodule, for generating the second authentication key from the first true random number and the second process key. The algorithm that generates the authentication key may be a symmetric algorithm or an asymmetric algorithm.
As shown in Fig. 3, the present invention also provides an authentication system, comprising the application authentication module shown in Fig. 1 and the authentication terminal shown in Fig. 2; the algorithm with which the authentication terminal generates the authentication key is a symmetric algorithm.
As shown in Fig. 4, the present invention provides an authentication method, comprising:
After the Java card platform has passed security certification, the Java card application program is downloaded onto the platform; before the application is used, an authentication command is sent to the application authentication module;
The application authentication module adds the first true random number it has generated to the authentication command and sends it to the authentication terminal;
After receiving the authentication command, the authentication terminal compares the number of times the application program has been used with the preset upper limit; if the number of uses, after being incremented by 1, is less than the preset upper limit, the authentication terminal generates a second authentication key from the first true random number and a second true random number generated by the authentication terminal, and sends it to the application authentication module; otherwise it returns the first true random number to the application authentication module;
The application authentication module generates a first authentication key from the first true random number and the second true random number in the second authentication key obtained from the authentication terminal, and compares whether the first authentication key and the second authentication key are consistent; if they are consistent, the functions of the application program can be called by external equipment; otherwise they cannot be called.
The authentication terminal generating the second authentication key from the first true random number and the second true random number generated by the authentication terminal comprises:
The authentication terminal generates the second true random number;
The authentication terminal encrypts the fixed key it stores and the second true random number to generate the second process key;
The authentication terminal encrypts the first true random number and the second process key to generate the second authentication key.
The application authentication module generating the first authentication key from the first true random number and the second true random number in the second authentication key obtained from the authentication terminal comprises:
The application authentication module encrypts the fixed key it stores and the second true random number in the second authentication key obtained from the authentication terminal to generate the first process key;
The application authentication module encrypts the first true random number and the first process key to generate the first authentication key.
The encryption algorithm that generates the first process key is the same as the encryption algorithm that generates the second process key; the encryption algorithm that generates the first authentication key is the same as the encryption algorithm that generates the second authentication key.
The encryption algorithm is a symmetric encryption algorithm.
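The Embodiment One exchange, written out as an added Python example that is not code from the patent. HMAC-SHA256 stands in for the unspecified symmetric encryption algorithm, which is sufficient here because both sides only compute forward and compare. The class names, the message layout (the second random number sent alongside the key) and the 16-byte sizes are assumptions.

```python
import hashlib
import hmac
import secrets


def keyed(key: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA256 replaces the page's "symmetric encryption algorithm".
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_auth_key(fixed_key: bytes, r1: bytes, r2: bytes) -> bytes:
    process_key = keyed(fixed_key, r2)   # process key from fixed key and R2
    return keyed(process_key, r1)        # authentication key from R1 and process key


class AuthTerminal:
    """Holds the fixed key, the use counter and the preset upper limit."""

    def __init__(self, fixed_key: bytes, limit: int):
        self._fixed_key = fixed_key
        self.limit = limit
        self.used = 0

    def handle(self, r1: bytes) -> dict:
        # Uses the "does not exceed after adding 1" wording of the terminal description.
        if self.used + 1 > self.limit:
            return {"ok": False, "r1": r1}   # limit reached: R1 is returned
        self.used += 1
        r2 = secrets.token_bytes(16)
        key2 = derive_auth_key(self._fixed_key, r1, r2)
        return {"ok": True, "r2": r2, "auth_key": key2}


class AppAuthModule:
    """Card-side module that gates the application's functions."""

    def __init__(self, fixed_key: bytes):
        self._fixed_key = fixed_key
        self._r1 = None
        self.unlocked = False

    def challenge(self) -> bytes:
        self._r1 = secrets.token_bytes(16)   # fresh R1 for every attempt
        self.unlocked = False
        return self._r1

    def verify(self, response: dict) -> bool:
        self.unlocked = False
        r1, self._r1 = self._r1, None        # each challenge is usable once
        if r1 is None or not response.get("ok"):
            return False
        key1 = derive_auth_key(self._fixed_key, r1, response["r2"])
        # Constant-time comparison of first and second authentication key.
        self.unlocked = hmac.compare_digest(key1, response["auth_key"])
        return self.unlocked


def run_demo():
    fixed_key = bytes(range(16))             # constructed sample key
    terminal = AuthTerminal(fixed_key, limit=2)
    module = AppAuthModule(fixed_key)
    results = []

    first = terminal.handle(module.challenge())
    results.append(module.verify(first))     # genuine response is accepted

    module.challenge()
    results.append(module.verify(first))     # old response fails against new R1

    results.append(module.verify(terminal.handle(module.challenge())))  # 2nd use
    results.append(module.verify(terminal.handle(module.challenge())))  # over limit

    other = AuthTerminal(b"\x00" * 16, limit=10)   # terminal with a different key
    results.append(module.verify(other.handle(module.challenge())))
    return results, terminal.used


if __name__ == "__main__":
    print(run_demo())
```

The use limit is enforced only by the terminal's counter, so the counter and the fixed key need tamper-resistant storage on both sides for the scheme to hold.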
Embodiment two
The present invention provides an application authentication module, comprising:
a first true random number generation module, for generating a first true random number;
a first authentication key verification module, for verifying the consistency of the first true random number and the second true random number produced by decrypting the second authentication key obtained from the authentication terminal with the first true random number generated by the first true random number generation module and the second true random number obtained from the authentication terminal; if they are consistent, the functions of the application program are allowed to be called by external equipment; otherwise they are not allowed to be called.
The first authentication key generation module comprises:
a first authentication key verification submodule, for decrypting the second authentication key obtained from the authentication terminal to generate the second process key and the first true random number, and verifying the consistency of this first true random number with the first random number generated by the first true random number generation module;
a first process key verification submodule, for decrypting the second process key produced by decrypting the second authentication key to generate the second random number, and verifying the consistency of this second true random number with the second true random number obtained from the authentication terminal;
an execution submodule: if the consistency verifications by the first authentication key verification submodule and the first process key verification submodule both pass, the functions of the application program are allowed to be called by external equipment; otherwise they are not allowed to be called.
The present invention provides an authentication system, comprising the above application authentication module of the present embodiment and the authentication terminal of Embodiment One; the algorithm with which the authentication terminal generates the authentication key is an asymmetric algorithm.
The present invention also provides an authentication method, comprising:
The application authentication module sends the first true random number it has generated to the authentication terminal;
The authentication terminal compares the number of times the application program has been used with the preset upper limit; if the number of uses, after being incremented by 1, is less than the preset upper limit, the authentication terminal generates a second authentication key from the first true random number and a second true random number generated by the authentication terminal, and sends it to the application authentication module; otherwise it returns the first true random number to the application authentication module;
The application authentication module verifies the consistency of the first true random number and the second true random number produced by decrypting the second authentication key obtained from the authentication terminal with the first true random number generated by the first true random number generation module and the second true random number obtained from the authentication terminal; if they are consistent, the functions of the application program are allowed to be called by external equipment; otherwise they are not allowed to be called.
The authentication terminal generating the second authentication key from the first true random number and the second true random number generated by the authentication terminal comprises:
The authentication terminal generates the second true random number;
The authentication terminal encrypts the fixed key it stores and the second true random number to generate the second process key;
The authentication terminal encrypts the first true random number and the second process key to generate the second authentication key.
The application authentication module verifying the consistency of the first true random number and the second true random number produced by decrypting the second authentication key obtained from the authentication terminal with the first true random number generated by the first true random number generation module and the second true random number obtained from the authentication terminal comprises:
The application authentication module decrypts the second authentication key obtained from the authentication terminal to generate the second process key and the first true random number, and verifies the consistency of this first true random number with the first random number generated by the first true random number generation module;
The application authentication module decrypts the second process key produced by decrypting the second authentication key to generate the second random number, and verifies the consistency of this second true random number with the second true random number obtained from the authentication terminal; if the consistency verifications by the first authentication key verification submodule and the first process key verification submodule both pass, the functions of the application program are allowed to be called by external equipment; otherwise they are not allowed to be called.
Encryption and decryption in Embodiment Two both use the Rivest-Shamir-Adleman (RSA) algorithm.
The application authentication module, terminal, system and method proposed by the present invention prevent the situations described above, so as to guarantee the security of the scope of use and the controllability of the number of uses of the application program provided by the application developer, and so that other people unrelated to the project cannot use the application program arbitrarily after obtaining it.
From the inventive concept provided by the present invention, those skilled in the art can easily construct an application authentication module and an authentication terminal based on an asymmetric encryption algorithm, and an authentication system composed of the application authentication module and the authentication terminal.
Those skilled in the art should understand that embodiments of the present application may be provided as a method, a system or a computer program product. The present application may therefore take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical memory and the like) that contain computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of the method, the device (system) and the computer program product according to embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a particular way, so that the instructions stored in the computer-readable memory produce an article of manufacture that includes an instruction means, the instruction means implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps is executed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Finally, it should be noted that the above embodiments are intended only to illustrate the technical solution of the present invention and not to limit its scope of protection. Although the present application has been described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that, after reading the present application, they can still make various changes, modifications or equivalent replacements to its specific embodiments, and that these changes, modifications or equivalent replacements all fall within the scope of the pending claims.