CN110324283B - Permission method, device and system based on asymmetric encryption - Google Patents


Info

Publication number: CN110324283B
Authority: CN (China)
Prior art keywords: request, usb key, license, verification, permission
Legal status: Active
Application number: CN201810276390.3A
Other languages: Chinese (zh)
Other versions: CN110324283A (en)
Inventor: 王山龙
Current Assignee: China Mobile Communications Group Co Ltd; China Mobile Suzhou Software Technology Co Ltd
Original Assignee: China Mobile Communications Group Co Ltd; China Mobile Suzhou Software Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint


Abstract

The embodiments of this application disclose a licensing method, device and system based on asymmetric encryption. The method comprises: receiving a license verification request sent by a network device, the request carrying license verification information, and verifying that information to obtain a license verification result; verifying the request serial number, request random number and client number in the license verification request against a preset non-copy condition to obtain the license verification result; and sending a license verification response containing the result to the network device, so that the network device performs the operation the result indicates. The method thus verifies the network device's license verification information, obtains a license verification result, and according to that result causes the network device either to run the corresponding function or to uninstall its current license, improving the operational security of the network device.

Description

Permission method, device and system based on asymmetric encryption
Technical Field
The present application relates to the field of communications technologies, and in particular to a licensing method, apparatus and system based on asymmetric encryption.
Background
Currently, with the development of Network Function Virtualization (NFV), network devices are increasingly sold as software rather than as hardware. Network devices commonly control their own functions and performance through licenses. When a network device ships as hardware, it generates valid license information from the hardware ID, and license control relies on the fact that the hardware ID cannot be copied. When the network device ships as software, it cannot know in advance the hardware environment it will run in, so license information cannot be produced in advance by binding it to hardware information. Such a device therefore obtains its license information through a dedicated file, an authorization code, online activation or the like, but these approaches have problems: the license management mechanism is easy to crack, and a large amount of information inside the enterprise private network is copied without authorization, so that the license information is illegally copied (or leaked).
In view of these problems, two solutions exist in the prior art:
In the first scheme, asymmetric encryption is used: a private key is embedded in the network device's program in advance, the license information is encrypted with the public key, and the encrypted license information is imported into the network device, which decrypts it with the embedded private key. If decryption succeeds, the license is considered valid, that is, no other network device is using it, and the network device operates normally.
In the second scheme, a license management server is introduced and the batch of license information is imported into it. With the license management server deployed in the enterprise intranet, the network device interacts with it and the server authenticates the network device; if authentication succeeds, the license is considered valid and the network device operates normally.
However, the program and license information of the network device in the first scheme, and the license information held by the license management server in the second scheme, are both easily copied without authorization, after which several sets of network devices can use the same license, so the operational security of the network device is low.
Disclosure of Invention
The embodiments of this application provide a licensing method, device and system based on asymmetric encryption that improve the operational security of network devices.
In a first aspect, an asymmetric encryption-based licensing method applied to a license management server in a licensing system is provided, and may include:
receiving a license verification request sent by a network device, the request asking for license verification of a function the network device is about to run and carrying license verification information consisting of a request serial number, a request random number and a client number, where the request serial number indicates how many license verification requests have been issued, the request random number is a random number generated when the request is sent and differs for every request, and the client number is the preset uniform identifier of the licensing system; verifying the request serial number, request random number and client number against a preset non-copy condition to obtain a license verification result; and sending a license verification response containing the result to the network device, so that the network device performs the operation the result indicates. The method thus verifies the network device's license verification information, obtains a license verification result, and according to that result causes the network device to run the corresponding function or to uninstall its current license, improving the operational security of the network device.
In an alternative implementation, verifying the request serial number, request random number and client number against the preset non-copy condition to obtain the license verification result includes: if the request serial number is zero and the client number matches the stored client number, the result indicates success; if the request serial number equals the stored previous request serial number plus 1, the request random number differs from the stored previous request random number, and the client number matches the stored client number, the result indicates success; and if the request serial number equals the stored previous request serial number, the request random number equals the stored previous request random number, and the client number matches the stored client number, the result indicates success. This is how the uniqueness and consistency of the license verification information are established, further ensuring the operational security of the network device.
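The non-copy condition above (the same three rules the verifying unit of the third aspect applies) as a stand-alone model, added here as an example and not taken from the patent; the class and field names, the in-memory server state and the sample values are assumptions.

```python
"""Added example: the license management server's 'non-copy condition' over
(request serial number, request random number, client number). Illustrative
Python written for this page, not the patent's implementation; class and field
names, the in-memory state and all sample values are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

VERIFY_SUCCESS = "success"
VERIFY_FAILURE = "failure"


@dataclass(frozen=True)
class LicenseRequest:
    serial: int        # request serial number: how many requests this device has issued
    nonce: int         # request random number: freshly generated for every new request
    client_id: str     # client number: the licensing system's uniform identifier


class LicenseServer:
    """Holds the last accepted (serial, nonce) for the single configured client."""

    def __init__(self, client_id: str) -> None:
        self.client_id = client_id
        self.prev_serial: Optional[int] = None
        self.prev_nonce: Optional[int] = None

    def verify(self, req: LicenseRequest) -> str:
        # Every rule requires the client number to match the stored one.
        if req.client_id != self.client_id:
            return VERIFY_FAILURE
        if req.serial == 0:
            accepted = True                  # rule 1: first request of the device
        elif self.prev_serial is None:
            accepted = False                 # no history yet, but serial is not zero
        elif req.serial == self.prev_serial + 1 and req.nonce != self.prev_nonce:
            accepted = True                  # rule 2: next serial with a fresh nonce
        elif req.serial == self.prev_serial and req.nonce == self.prev_nonce:
            accepted = True                  # rule 3: exact retransmission
        else:
            accepted = False                 # same serial with a new nonce, or a gap
        if accepted:
            self.prev_serial, self.prev_nonce = req.serial, req.nonce
        return VERIFY_SUCCESS if accepted else VERIFY_FAILURE


def device_action(result: str) -> str:
    """Operation the network device performs on the result (second aspect)."""
    return "run function" if result == VERIFY_SUCCESS else "uninstall license and/or restart"


def clone_scenario() -> List[Tuple[str, str]]:
    """A legitimate device and a copy of its license state share one server record.
    The copy carries the same serial counter but generates its own nonces, so its
    request diverges from what the server last accepted and is refused, while the
    legitimate device keeps being accepted. Constructed sample run."""
    server = LicenseServer("CLIENT-0001")
    trace: List[Tuple[str, str]] = []
    legit = [LicenseRequest(0, 4711, "CLIENT-0001"),
             LicenseRequest(1, 8823, "CLIENT-0001")]
    for req in legit:
        trace.append(("legit", server.verify(req)))
    trace.append(("legit retransmit", server.verify(legit[-1])))    # rule 3
    # The copy was taken after serial 1; both parties now send serial 2.
    trace.append(("legit", server.verify(LicenseRequest(2, 1337, "CLIENT-0001"))))
    trace.append(("clone", server.verify(LicenseRequest(2, 9001, "CLIENT-0001"))))
    trace.append(("legit", server.verify(LicenseRequest(3, 2024, "CLIENT-0001"))))
    trace.append(("wrong client", server.verify(LicenseRequest(4, 5, "CLIENT-0002"))))
    return trace
```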
In an alternative implementation, when the license verification result indicates success, sending the license verification response to the network device includes: sending a signature request to a USB Key, the request carrying the information to be signed, namely the license verification result and a USB Key certificate that was obtained from the USB Key before the signature request is sent; receiving signature information from the USB Key, which is the information to be signed encrypted by the USB Key with its private key; and sending a license verification response to the network device containing the license verification result, the USB Key certificate and the signature information, so that the network device runs the function, where the signature information comprises the encrypted license verification result and the encrypted USB Key certificate. The network device can thus verify the signature information with the USB Key certificate, that is, verify the USB Key and check that the USB Key certificate matches the private key, further ensuring the operational security of the network device.
In an optional implementation, before sending the signature request to the USB Key, the method further includes: receiving the USB Key certificate that the USB Key sends in response to an access request from the license management server; if the stored CA certificate shows the USB Key certificate to be valid, sending a text to be signed to the USB Key, the text being any text of the license management server; receiving the signed text from the USB Key, which is the text to be signed encrypted by the USB Key with its private key; decrypting the signed text with the received USB Key certificate to obtain a decrypted text; if the decrypted text matches the text to be signed, sending a name acquisition request to the USB Key; receiving the current name of the USB Key sent in response to that request; determining from the current name that the USB Key has not been illegally copied; renaming the USB Key to obtain a new current name; and sending the new current name to the USB Key. Interaction with the USB Key thus verifies in turn the validity of the USB Key certificate held in the USB Key and the match between that certificate and the private key stored in the USB Key, and checks the current name of the USB Key to judge whether it has been illegally copied, further ensuring the operational security of the network device.
In an optional implementation, determining from the current name of the USB Key that the USB Key has not been illegally copied includes: if the stored name of the USB Key is found to match the current name, determining that the USB Key has not been illegally copied; or, if no name of the USB Key is stored, determining that the USB Key has not been illegally copied.
In an optional implementation, the method further comprises: after a first preset time period, taking the new current name as the current name and returning to the step of receiving the USB Key certificate that the USB Key sends in response to the access request from the license management server.
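The name-rotation check of the three optional implementations above (and of the determining and naming units in the third aspect) as a stand-alone model, added here as an example and not taken from the patent; the UsbKey and UsbKeyChecker classes, the name format and the in-memory store are assumptions, and the certificate and signature steps that precede the name check in the disclosure are left out.

```python
"""Added example: the USB Key anti-copy check by name rotation. Illustrative
Python written for this page, not the patent's code; the UsbKey and
UsbKeyChecker classes, the name format and the in-memory store are assumptions."""
import copy
import secrets
from typing import List, Optional, Tuple


class UsbKey:
    """Stand-in for the token: only its renameable name is modelled here."""

    def __init__(self, name: str) -> None:
        self.name = name

    def get_name(self) -> str:
        """Answer to the server's name acquisition request."""
        return self.name

    def set_name(self, new_name: str) -> None:
        """Apply the new current name sent by the server."""
        self.name = new_name


class UsbKeyChecker:
    """License management server side: remembers the name it assigned last."""

    def __init__(self) -> None:
        self.stored_name: Optional[str] = None

    def check(self, key: UsbKey) -> bool:
        """Return True if the key is judged not illegally copied, then rotate its name."""
        current = key.get_name()
        # Not copied if no name is stored yet, or if the stored name matches.
        if self.stored_name is not None and current != self.stored_name:
            return False
        new_name = "usbkey-" + secrets.token_hex(8)   # constructed name format
        key.set_name(new_name)                        # rename the key ...
        self.stored_name = new_name                   # ... and remember the new name
        return True


def clone_scenario(clone_checked_first: bool) -> List[Tuple[str, bool]]:
    """Run the periodic check over an original token and an illegal copy of it.
    The copy is taken after the first check, so both carry the same name; the one
    of the two that is checked second after the copy no longer matches the stored
    name and is flagged. Constructed sample run."""
    checker = UsbKeyChecker()
    original = UsbKey("factory-default")
    trace = [("original", checker.check(original))]    # no stored name yet: passes
    clone = copy.deepcopy(original)                    # copy carries the current name
    if clone_checked_first:
        order = [("clone", clone), ("original", original)]
    else:
        order = [("original", original), ("clone", clone)]
    for label, key in order:
        trace.append((label, checker.check(key)))      # first matches, second is stale
    return trace
```

Which of the two tokens gets flagged depends only on which one reaches the server first after the copy was made; the check establishes that two tokens share one identity, not which is the original.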
In a second aspect, another asymmetric encryption-based licensing method is provided, applied to a network device in a licensing system, and includes: sending a license verification request to a license management server, the request asking for license verification of a function the network device is about to run and carrying license verification information consisting of a request serial number, a request random number and a client number, where the request serial number indicates how many license verification requests have been issued, the request random number is generated for each license verification request and differs every time, and the client number is the preset uniform identifier of the licensing system; receiving the license verification response that the license management server sends according to the request serial number, request random number and client number, the response containing a license verification result; and performing the operation the license verification result indicates. The network device thus runs the corresponding function or uninstalls its current license according to the license verification result it obtains, improving its operational security.
In an alternative implementation, performing the operation the license verification result indicates includes: if the result indicates that license verification succeeded, running the function; and if the result indicates that license verification failed, uninstalling the license and/or restarting itself.
In an alternative implementation, the license verification response further includes a USB Key certificate and signature information, the signature information comprising the encrypted license verification result and the encrypted USB Key certificate; the network device decrypts the encrypted license verification result and the encrypted USB Key certificate with the received USB Key certificate to obtain a decrypted license verification result and a decrypted USB Key certificate, and runs the function when the USB Key certificate matches the decrypted USB Key certificate and the license verification result matches the decrypted license verification result. The network device can thus verify the signature information with the USB Key certificate, that is, verify the USB Key and check that the USB Key certificate matches the private key, further ensuring its operational security.
In a third aspect, a license management apparatus is provided, which may include:
a receiving unit, configured to receive a license verification request sent by the network device, where the license verification request asks for license verification of a function the network device is about to run and carries license verification information consisting of a request serial number, a request random number and a client number; where the request serial number indicates how many license verification requests have been issued, the request random number is a random number generated when a license verification request is sent and differs every time, and the client number is the preset uniform identifier of the licensing system;
the verification unit is used for verifying the request serial number, the request random number and the client number based on a preset non-copy condition to obtain a permission verification result;
and a sending unit, configured to send a license verification response to the network device, where the license verification response includes a license verification result, so that the network device performs an operation indicated by the license verification result.
In an optional implementation, the verifying unit is specifically configured to obtain a permission verification result indicating that the verification is successful if the request serial number is verified to be zero and the client number is consistent with the stored client number;
if the request serial number is verified to be equal to the stored previous request serial number plus 1, the request random number is not equal to the stored previous request random number, and the client number is consistent with the stored client number, obtaining a permission verification result indicating successful verification;
and if the request serial number is verified to be equal to the stored previous request serial number, the request random number is equal to the stored previous request random number, and the client number is consistent with the stored client number, obtaining a permission verification result indicating successful verification.
In an optional implementation, the sending unit is further configured to send a signature request to the USB Key when the license verification result indicates that the license verification is successful, where the signature request includes information to be signed, and the information to be signed includes the license verification result and a USB Key certificate, where the USB Key certificate is obtained from the USB Key before the signature request is sent to the USB Key;
the receiving unit is also used for receiving the signature information sent by the USB Key, and the signature information is the information obtained by encrypting the information to be signed by the USB Key by using a private Key;
and the sending unit is also used for sending a permission verification response to the network equipment, wherein the permission verification response comprises a permission verification result, a USB Key certificate and signature information so that the network equipment runs a function to be run, and the signature information comprises an encrypted permission verification result and an encrypted USB Key certificate.
In an alternative implementation, the apparatus further comprises a decryption unit, a determination unit and a naming unit;
the receiving unit is also used for receiving a USB Key certificate sent by the USB Key according to the access request of the permission management server before sending the signature request to the USB Key;
the sending unit is also used for sending a text to be signed to the USB Key if the stored CA certificate verifies that the USB Key certificate is valid, wherein the text to be signed is any text of the license management server;
the receiving unit is also used for receiving a signature text sent by the USB Key, wherein the signature text is a text obtained by encrypting the text to be signed by the USB Key by using a private Key;
the decryption unit is used for decrypting the signature text based on the received USB Key certificate to obtain a decrypted text;
the sending unit is also used for sending a name acquisition request to the USB Key if the decrypted text is consistent with the text to be signed;
the receiving unit is also used for receiving the current name of the USB Key sent by the USB Key according to the name acquisition request;
the determining unit is used for determining the USB Key as the USB Key which is not illegally copied according to the current name of the USB Key;
the naming unit is used for renaming the current name of the USB Key to obtain a new current name of the USB Key;
and the sending unit is also used for sending the new current name to the USB Key.
In an optional implementation, the determining unit is specifically configured to determine that the USB Key is not illegally copied if it is detected that the name of the stored USB Key is consistent with the current name;
or if the name of the USB Key is not stored, the USB Key is determined not to be illegally copied.
In an optional implementation, the determining unit is further configured to take the new current name as the current name after the first preset time period and to trigger the receiving unit to repeat the step of receiving the USB Key certificate that the USB Key sends in response to the access request from the license management server.
In a fourth aspect, a network device is provided, which may include:
a sending unit, configured to send a license verification request to a license management server, where the license verification request is a request for performing license verification on a function to be operated of a network device, and the license verification request includes license verification information, and the license verification information includes a request serial number, a request random number, and a client number; wherein the request sequence number indicates the number of requests for the license verification request; the request random number is generated by each license verification request, the random numbers generated by each license verification request are different, and the client number is a uniform identifier of a preset license system;
a receiving unit configured to receive a license verification response sent by the license management server according to the request sequence number, the request random number, and the client number, the license verification response including a license verification result;
and an execution unit configured to execute an operation indicated by the license verification result.
In an optional implementation, the execution unit is specifically configured to execute the function to be executed if the license verification result indicates that the license verification is successful; and if the permission verification result indicates that the permission verification fails, performing uninstalling permission operation and/or self-restarting operation.
In an alternative implementation, the apparatus further comprises a decryption unit;
the license verification response further comprises a USB Key certificate and signature information, the signature information comprising an encrypted license verification result and an encrypted USB Key certificate;
the decryption unit is configured to decrypt the encrypted license verification result and the encrypted USB Key certificate with the received USB Key certificate to obtain a decrypted license verification result and a decrypted USB Key certificate;
and the execution unit is specifically configured to run the function when the USB Key certificate matches the decrypted USB Key certificate and the license verification result matches the decrypted license verification result.
In a fifth aspect, a license management server is provided, which includes a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory complete communication with each other through the communication bus;
a memory for storing a computer program;
a processor for implementing the method steps of any one of the above first aspects when executing a program stored in the memory.
In a sixth aspect, a network device is provided, which includes a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory complete communication with each other through the communication bus;
a memory for storing a computer program;
a processor for implementing the method steps of any of the above second aspects when executing a program stored in the memory.
In a seventh aspect, a licensing system is provided, which may include the license management server of the fifth aspect, the network device of the sixth aspect, and the USB Key.
In an eighth aspect, a computer-readable storage medium is provided, having a computer program stored therein, which computer program, when being executed by a processor, performs the method steps of any of the above-mentioned first aspects or the method steps of any of the above-mentioned second aspects.
In summary, the technical scheme of this application receives a license verification request from a network device asking for license verification of a function the device is about to run, the request carrying license verification information; verifies that information to obtain a license verification result; when the result indicates success, sends a license verification response containing the result to the network device so that it runs the function; and when the result indicates failure, sends a license verification response containing the result and indication information instructing the network device to uninstall its current license and/or restart. The method thus verifies the network device's license verification information, obtains a license verification result, and according to that result causes the network device to run the corresponding function or to uninstall its current license, improving the operational security of the network device.
Drawings
Fig. 1 is a schematic structural diagram of a licensing system according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of a licensing method based on asymmetric encryption according to an embodiment of the present invention;
Fig. 3 is a schematic flowchart of another asymmetric encryption-based licensing method according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a license management device according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a network device according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a license management server according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of another network device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present application without any creative effort belong to the protection scope of the present application.
The asymmetric encryption-based licensing method provided by the embodiment of the invention is applied to a licensing system shown in fig. 1, and the licensing system can be applied to a cloud server. The license system may include a USB Key, a license management server, and a network device.
The USB Key is a hardware device of a USB interface, is embedded in a single chip microcomputer or an intelligent card chip and comprises a storage module, wherein the storage module is used for storing a private Key of a user and a corresponding USB Key certificate and communicating with an admission management server.
And the permission management server is used for managing the permission verification information of the network equipment and controlling the running state through the USB Key. The license management server may include a license monitoring module, a USB Key interaction module, a USB Key verification module, and a Transport Layer protocol (TLS) encryption Transport module.
The license monitoring module listens for and receives the license verification request sent by the network device, determines from the license verification information in the request whether the license of the network device is valid, and returns the license verification result and the corresponding operation to execute to the network device. The license verification information may include a request serial number, a client number and a request random number. The request serial number counts how many license verification requests have been sent; the request random number is a random number generated when the license verification request is sent, and differs for every request; the client number is a uniform identifier preset for the license system.
The USB Key interaction module obtains the USB Key certificate and the USB Key name stored in the USB Key, renames the USB Key, stores the USB Key certificate and the USB Key name, and sends a text to be signed to the USB Key, where the text to be signed is any text chosen by the license management server.
The USB Key verification module verifies the validity of the USB Key certificate against a pre-stored Certificate Authority (CA) certificate, verifies with the received USB Key certificate that the private key inside the USB Key matches it, verifies that the current name of the USB Key is consistent with the name stored last time, and sets the run end time of the USB Key.
The TLS encryption transmission module is configured to establish an encrypted transmission channel with the USB Key and the network device through an Application Program Interface (API) associated with a Secure Socket Layer (SSL) protocol, where the transmission channel is used for information transmission in communication interaction.
The network device communicates with the license management server and executes the operations instructed by the license management server. The network device may include a license verification module and a TLS encrypted transmission module.
The license verification module is used for sending a license verification request to the license management server, and receiving a license verification result and corresponding execution operations sent by the license management server, such as license deletion operation, restart operation and the like.
The TLS encrypted transmission module establishes an encrypted transmission channel with the license management server using the SSL-related API; the channel carries the information exchanged during communication.
The licensing method executed by the license system may comprise a process in which the license management server verifies the USB Key, a process in which the license management server verifies the license of the network device, and a process in which the network device applies to the license management server for a license. Because the USB Key certificate and the private key inside the USB Key cannot be copied, the license management server and the license information cannot be used normally after being illegally copied. At the same time, the license system communicates over an encrypted transmission channel, which protects the exchanged messages and prevents the license management mechanism from being cracked.
The preferred embodiments of the present application will be described below with reference to the accompanying drawings of the specification, it being understood that the preferred embodiments described herein are merely for illustrating and explaining the present invention and are not intended to limit the present invention, and that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
Fig. 2 is a flowchart illustrating a licensing method based on asymmetric encryption according to an embodiment of the present invention. As shown in fig. 2, the main execution subject of the method is a license management server, and the method may include:
step 210, receiving a license verification request sent by a network device, where the license verification request includes license verification information, and the license verification information includes a request serial number, a request random number, and a client number.
The license verification request requests license verification for a function to be run on the network device, and the license verification information may include a request serial number, a request random number and a client number. The request serial number is the number of license verification requests the network device has sent; the request random number is generated when the license verification request is sent and differs for every request; the client number is a uniform identifier preset for the license system, and one license system presets the same client number.
Before this step is executed, the license management server sends an access request to the USB Key and obtains the USB Key certificate. If the CA certificate stored in the license management server shows the USB Key certificate to be invalid, the verification process is terminated. If it shows the USB Key certificate to be valid, the server sends a text to be signed to the USB Key, where the text to be signed is any text of the license management server, and receives a signed text from the USB Key, the signed text being the text to be signed encrypted by the USB Key with its private key; the server then decrypts the signed text with the received USB Key certificate to obtain a decrypted text. If the decrypted text does not match the text to be signed, the verification process is terminated. If it matches, the server sends a name acquisition request to the USB Key to obtain its current name, determines from the current name that the USB Key has not been illegally copied, renames the USB Key to obtain a new current name, stores the new current name, and sends update indication information to the USB Key instructing it to replace the current name with the new current name.
Optionally, the license management server determines that the USB Key has not been illegally copied if the stored USB Key name matches the current name, or if no USB Key name has been stored yet.
Thus the validity of the USB Key certificate is verified with the CA certificate, and the match between the USB Key certificate and the private key in the USB Key is verified through the text signed with the private key and decrypted with the certificate, which establishes that the USB Key is legitimate.
Optionally, after a first preset time period the license management server takes the new current name as the current name and returns to the step of receiving the USB Key certificate sent by the USB Key in response to its access request, so as to check whether the USB Key has been illegally copied, that is, whether it is being used by another license management server.
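The USB Key check described above (and steps 301-313 of Fig. 3), as an added example that is not part of the patent or any product code. It assumes a constructed textbook RSA key for the USB Key, a toy CA whose "CA certificate" is just its public key, a random value as the "text to be signed", and the rename-based copy detection; real deployments use X.509 certificates and a real CA chain.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by the toy keys


def toy_rsa_keypair(p, q):
    """Constructed textbook RSA key (n, e, d). Tiny primes: illustration only."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, E, pow(E, -1, phi)


def digest(data, n):
    """SHA-256 of the data reduced into the modulus range so it can be signed."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def cert_body(cert):
    """The part of a (toy) USB Key certificate that the CA signs."""
    return f'{cert["n"]}:{cert["e"]}'.encode()


def issue_cert(ca, n, e):
    """Toy CA: signs the key's public part; the 'CA certificate' is (ca_n, ca_e)."""
    ca_n, _, ca_d = ca
    cert = {"n": n, "e": e}
    cert["ca_sig"] = pow(digest(cert_body(cert), ca_n), ca_d, ca_n)
    return cert


class UsbKey:
    """Simulated USB Key: holds the certificate, the private exponent and a name."""

    def __init__(self, cert, d, name):
        self.cert, self._d, self.name = cert, d, name

    def sign(self, text):
        # "Encrypt the text to be signed with the private key" (steps 304-306).
        return pow(digest(text, self.cert["n"]), self._d, self.cert["n"])

    def clone(self):
        # Models an illegal copy of the key's complete state taken at this moment.
        return UsbKey(dict(self.cert), self._d, self.name)


class LicenseManagementServer:
    def __init__(self, ca_public):
        self.ca_n, self.ca_e = ca_public
        self.stored_name = None  # name of the USB Key saved after the last check

    def verify_usb_key(self, key):
        cert = key.cert  # steps 301-302: access request, certificate comes back
        # Step 303: validity of the USB Key certificate against the CA certificate.
        expected = digest(cert_body(cert), self.ca_n)
        if pow(cert["ca_sig"], self.ca_e, self.ca_n) != expected:
            return False
        # Steps 304-308: the text to be signed is "any text"; a fresh random value
        # is used here (assumption). Decrypting the signed text with the certificate
        # must give the text back, proving the private key matches the certificate.
        text = secrets.token_bytes(16)
        if pow(key.sign(text), cert["e"], cert["n"]) != digest(text, cert["n"]):
            return False
        # Steps 309-311: the current name must equal the name saved last time
        # (no saved name yet counts as "not copied").
        if self.stored_name is not None and key.name != self.stored_name:
            return False
        # Steps 312-313: rename, store the new name, push it to the USB Key.
        new_name = secrets.token_hex(8)
        self.stored_name = new_name
        key.name = new_name
        return True


def clone_detection_demo():
    """Returns (legit key first check, copied key check, legit key again)."""
    ca = toy_rsa_keypair(1009, 1013)          # CA key (constructed)
    n, e, d = toy_rsa_keypair(1019, 1021)     # the USB Key's own key (constructed)
    legit = UsbKey(issue_cert(ca, n, e), d, "usbkey-0001")
    server = LicenseManagementServer((ca[0], ca[1]))
    copy = legit.clone()                      # full copy taken before the first check
    legit_first = server.verify_usb_key(legit)  # passes, key is renamed
    copy_result = server.verify_usb_key(copy)   # stale name: rejected
    legit_again = server.verify_usb_key(legit)  # name still consistent: passes
    return legit_first, copy_result, legit_again


def forged_cert_rejected():
    """A certificate not issued by the trusted CA fails step 303 despite a valid key."""
    ca = toy_rsa_keypair(1009, 1013)
    other_ca = toy_rsa_keypair(1031, 1033)
    n, e, d = toy_rsa_keypair(1019, 1021)
    key = UsbKey(issue_cert(other_ca, n, e), d, "usbkey-0002")
    return LicenseManagementServer((ca[0], ca[1])).verify_usb_key(key)


if __name__ == "__main__":
    print("legit, copy, legit again:", clone_detection_demo())
    print("foreign CA accepted:", forged_cert_rejected())
```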
Returning to step 210, after the network device is started, the network device needs to send a license verification request to the license management server with the established connection in order to run the function to be run that the network device has.
The process by which the network device establishes a connection to the license management server covers the following cases:
when the network device has the address of the license management server pre-stored, it sends a connection request to the license management server at the preset address;
if the connection fails, the network device resends the connection request after every preset reconnection period until the number of retransmissions reaches a preset retransmission threshold, so that the license verification process of the network device can proceed normally. Note that if the number of retransmissions has not reached the preset retransmission threshold but the time spent attempting to connect exceeds the preset maximum connection time, the network device performs a restart operation.
When the network device does not have the address of the license management server, the network device performs a restart operation if its waiting time exceeds the preset maximum connection time.
If the connection succeeds, the network device sends a license verification request to the license management server.
Step 220, verifying the request serial number, the request random number and the client number based on a preset non-copy condition to obtain a license verification result.
First, verifying the license verification information means verifying the uniqueness and consistency of the received license verification information. Specifically:
check whether the request serial number of the license verification request sent by the network device is zero;
if the request serial number is zero, the network device is sending a license verification request to the license management server for the first time, and the license verification information is unique.
If the request serial number is nonzero, the network device has sent license verification requests before. If the request serial number equals the stored previous request serial number plus 1 and the request random number differs from the stored previous request random number, the license verification information is unique. Conversely, the license verification information is not unique if the request serial number equals the stored previous request serial number plus 1 but the request random number equals the stored previous request random number; or if the request serial number does not equal the stored previous request serial number plus 1 and the request random number differs from the stored previous request random number; or if the request serial number does not equal the stored previous request serial number plus 1 and the request random number equals the stored previous request random number.
When the network device resends the same license verification request to the license management server, the license verification information is unique if the request serial number equals the stored previous request serial number and the request random number equals the stored previous request random number. Otherwise, it is not unique if the request serial number differs from the stored previous request serial number but the request random number equals the stored previous request random number; or if both the request serial number and the request random number differ from the stored previous values; or if the request serial number equals the stored previous request serial number but the request random number differs from the stored previous request random number.
That is, the license verification information is considered unique, i.e. not illegally copied, if any one of the three cases above is satisfied. Second, the license verification information is considered consistent when the client number matches the stored client number, and inconsistent when it does not. The uniqueness and consistency of the license verification information ensure the operating security of the network device.
The license verification result indicates whether license verification succeeded: if the license verification information is both unique and consistent, verification is considered successful; otherwise it is considered failed.
Step 230, sending a license validation response to the network device, the license validation response including the license validation result.
When the license verification result indicates that license verification succeeded, a license verification response containing the license verification result is sent to the network device so that the network device runs the function to be run.
When the request serial number is zero and the client number matches the client number stored in the license management server, a license verification result indicating successful verification is obtained.
When the request serial number is nonzero and equals the stored previous request serial number plus 1, the request random number differs from the stored previous request random number, and the client number matches the stored client number, a license verification result indicating successful verification is obtained.
When the network device resends the same license verification request to the license management server, the request serial number equals the stored previous request serial number, the request random number equals the stored previous request random number, and the client number matches the stored client number, a license verification result indicating successful verification is obtained.
When the license management server detects that one of these conditions holds, it can inform the network device to run the function to be run simply by sending the license verification result to the network device.
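The uniqueness and consistency rules of step 220 and the three success conditions above, as an added example that is not part of the patent. It assumes the server keeps the previous serial number and random number per device and advances them only after a successful verification, and reads "serial number zero" as the first request when nothing is stored yet; the request sequence is constructed.

```python
SUCCESS, FAIL = "success", "fail"


class LicenseVerifier:
    """Per-device state the license management server keeps between requests."""

    def __init__(self, client_number):
        self.client_number = client_number  # uniform identifier preset for the license system
        self.prev_serial = None             # stored previous request serial number
        self.prev_random = None             # stored previous request random number

    def is_unique(self, serial, random_number):
        """Uniqueness: exactly the three accepted (serial, random number) patterns."""
        if self.prev_serial is None:
            # Case 1: the first request from the device carries serial number 0.
            # (Assumption: "serial zero means first request" = nothing stored yet.)
            return serial == 0
        # Case 2: next request, serial advanced by one and a fresh random number.
        if serial == self.prev_serial + 1 and random_number != self.prev_random:
            return True
        # Case 3: retransmission of the same request: same serial, same random number.
        if serial == self.prev_serial and random_number == self.prev_random:
            return True
        # Every other combination (serial jump, reused random number, ...) is treated
        # as license verification information that may have been copied.
        return False

    def verify(self, serial, random_number, client_number):
        """Step 220: returns the license verification result for one request."""
        unique = self.is_unique(serial, random_number)
        consistent = client_number == self.client_number  # consistency check
        if unique and consistent:
            # Assumption: the stored "previous" values advance only on success.
            self.prev_serial, self.prev_random = serial, random_number
            return SUCCESS
        return FAIL  # the response tells the device to uninstall the license and/or restart


def demo_sequence():
    """Constructed request sequence; returns the list of verification results."""
    verifier = LicenseVerifier(client_number="LS-0001")
    requests = [
        (0, 0x1A2B, "LS-0001"),  # first request
        (1, 0x3C4D, "LS-0001"),  # next request, new random number
        (1, 0x3C4D, "LS-0001"),  # retransmission of that request
        (2, 0x3C4D, "LS-0001"),  # serial advanced but random number reused
        (2, 0x5E6F, "LS-0002"),  # unique, but the client number does not match
        (5, 0x7788, "LS-0001"),  # serial number jumped ahead
        (2, 0x5E6F, "LS-0001"),  # correct next request after the rejected ones
    ]
    return [verifier.verify(s, r, c) for s, r, c in requests]


if __name__ == "__main__":
    print(demo_sequence())
```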
Optionally, in order to improve the accuracy of the license verification, when the license verification result indicates that the license verification is successful, the license management server may send a signature request to the USB Key, where the signature request includes information to be signed, and the information to be signed includes the license verification result and the USB Key certificate.
The USB Key encrypts the information to be signed by using a private Key to obtain signature information and sends the signature information to the license management server.
Then, the license management server sends a license verification response to the network device, the license verification response including a license verification result, the USB Key certificate, and signature information, the signature information including the encrypted license verification result and the encrypted USB Key certificate.
The network equipment decrypts the encrypted permission verification result and the encrypted USB Key certificate according to the received USB Key certificate to obtain a decrypted permission verification result and a decrypted USB Key certificate; and when the USB Key certificate is consistent with the decrypted USB Key certificate and the permission verification result is consistent with the decrypted permission verification result, the network equipment runs the function to be run. Therefore, the network equipment can verify the signature information by the USB Key certificate, namely verify the USB Key and check the matching between the USB Key certificate and the private Key, thereby further ensuring the running safety of the network equipment.
It can be understood that the content of the license verification response received by the network device each time may be adjusted accordingly according to the actual operating condition and the actually required license verification accuracy, and the embodiment of the present invention is not limited herein. For example, the license verification response that the license management server sends to the network device for the first time includes only the license verification result; the permission verification response sent to the same network equipment for the second time comprises a permission verification result, a USB Key certificate and signature information; the license verification response sent to the same network device for the third time only includes the license verification result, and so on.
Further, if the license verification information is not both unique and consistent, verification of the license verification information fails, and the license management server sends a license verification response to the network device in which the license verification result instructs the network device to uninstall the current license and/or perform a restart operation.
Fig. 3 is a flowchart illustrating another asymmetric encryption-based licensing method according to an embodiment of the present invention. As shown in fig. 3, the method may include:
step 301, the license management server sends an access request to the USB Key.
Step 302, the USB Key sends an access response including the USB Key certificate to the license management server.
Step 303, the license management server verifies the validity of the USB Key certificate based on the stored CA certificate, and if the validity is verified, step 304 is executed; if not, go to step 314.
Step 304, the license management server sends the text to be signed to the USB Key.
Step 305, the USB Key encrypts the text to be signed with its stored private key to obtain the signed text.
Step 306, the USB Key sends the signed text to the license management server.
Step 307, the license management server decrypts the signed text with the USB Key certificate to obtain a decrypted text.
Step 308, the license management server checks whether the decrypted text matches the text to be signed; if so, step 309 is executed; if not, go to step 314.
Step 309, the license management server sends a name acquisition request to the USB Key.
Step 310, the USB Key sends its current name to the license management server according to the name acquisition request.
Step 311, the license management server judges from the current name of the USB Key whether the USB Key has not been illegally copied; if so, step 312 is executed; if not, step 314 is executed.
Step 312, the license management server renames the current name of the USB Key to obtain a new current name of the USB Key.
Step 313, the license management server sends the new current name of the USB Key to the USB Key.
Step 314, the license verification process is terminated.
Step 315, the network device sends a license verification request to the license management server, the license verification request including the license verification information.
Step 316, the license management server verifies the license verification information based on a preset non-copy condition, and if the verification is successful, step 317 is executed; if the verification fails, go to step 322.
The following describes in detail the case where the license verification response for a successful license verification includes signature information:
Step 317, the license management server sends a signature request to the USB Key, where the signature request includes the information to be signed.
The information to be signed comprises the license verification result and the USB Key certificate.
Step 318, the USB Key encrypts the information to be signed with its stored private key to obtain the signature information.
The signature information includes the encrypted license verification result and the encrypted USB Key certificate.
Step 319, the license management server receives the signature information sent by the USB Key.
Step 320, the license management server sends a license verification response to the network device, where the license verification response includes the result that license verification succeeded, the USB Key certificate and the signature information.
Step 321, the network device runs the function to be run.
Step 322, the license management server sends a license verification response to the network device, the license verification response including the result that license verification failed.
Step 323, the network device uninstalls the current license and/or performs a restart operation.
Therefore, in the above embodiments of the present application, the license management server receives a license verification request including license verification information sent by the network device; then, based on the preset condition of no copy, the permission verification information is verified to obtain a permission verification result; and sending a license verification response to the network device, wherein the license verification response comprises a license verification result so that the network device executes the operation indicated by the license verification result. Therefore, the method verifies the permission verification information of the network equipment to obtain the permission verification result, controls the network equipment to operate the corresponding function or uninstall the current permission according to the verification result, and improves the operation safety of the network equipment.
An embodiment of the present invention corresponding to the foregoing method provides a license management device, which may include, as shown in fig. 4: a receiving unit 410, an authentication unit 420 and a transmitting unit 430.
A receiving unit 410, configured to receive a license verification request sent by a network device, where the license verification request is used to request license verification for a function to be run of the network device, and the license verification request includes license verification information, and the license verification information includes a request serial number, a request random number, and a client number; wherein the request sequence number indicates the number of requests for the license verification request; the request random number is a random number generated when a permission verification request is sent out, the random numbers generated by the permission verification request are different every time, and the client number is a uniform identifier of a preset permission system;
a verification unit 420, configured to verify the request serial number, the request random number and the client number based on a preset non-copy condition, so as to obtain a license verification result;
a sending unit 430, configured to send a license verification response to the network device, where the license verification response includes a license verification result, so that the network device performs an operation indicated by the license verification result.
Optionally, the verifying unit 420 is specifically configured to obtain a permission verification result indicating that the verification is successful if the request serial number is verified to be zero and the client number is consistent with the stored client number;
if the request serial number is verified to be equal to the stored previous request serial number plus 1, the request random number is not equal to the stored previous request random number, and the client number is consistent with the stored client number, obtaining a permission verification result indicating successful verification;
and if the request serial number is verified to be equal to the stored previous request serial number, the request random number is equal to the stored previous request random number, and the client number is consistent with the stored client number, obtaining a permission verification result indicating successful verification.
Optionally, the sending unit 430 is further configured to send a signature request to the USB Key when the license verification result indicates that the license verification is successful, where the signature request includes information to be signed, and the information to be signed includes the license verification result and a USB Key certificate, where the USB Key certificate is obtained from the USB Key before the signature request is sent to the USB Key;
the receiving unit 410 is further configured to receive signature information sent by the USB Key, where the signature information is information obtained by encrypting, by using a private Key, information to be signed by the USB Key;
the sending unit 430 is further configured to send a license verification response to the network device, where the license verification response includes a license verification result, a USB Key certificate, and signature information, so that the network device runs a function to be run, and the signature information includes an encrypted license verification result and an encrypted USB Key certificate.
Optionally, the apparatus further comprises a decryption unit 440, a determination unit 450 and a naming unit 460;
the receiving unit 410 is further configured to receive a USB Key certificate sent by the USB Key according to the access request of the license management server before sending the signature request to the USB Key;
the sending unit 430 is further configured to send a text to be signed to the USB Key if the stored CA certificate verifies that the USB Key certificate is valid, where the text to be signed is any text of the license management server;
the receiving unit 410 is further configured to receive a signature text sent by the USB Key, where the signature text is a text obtained by encrypting, by using a private Key, the text to be signed by the USB Key;
the decryption unit 440 is configured to decrypt the signed text based on the received USB Key certificate to obtain a decrypted text;
the sending unit 430 is further configured to send a name obtaining request to the USB Key if the decrypted text is consistent with the text to be signed;
the receiving unit 410 is further configured to receive a current name of the USB Key sent by the USB Key according to the name obtaining request;
the determining unit 450 is configured to determine, according to the current name of the USB Key, that the USB Key has not been illegally copied;
the naming unit 460 is configured to rename the current name of the USB Key to obtain a new current name of the USB Key;
and the sending unit 430 is further configured to send the new current name to the USB Key.
Optionally, the determining unit 450 is specifically configured to determine that the USB Key is not illegally copied if it is detected that the name of the stored USB Key is consistent with the current name;
or if the name of the USB Key is not stored, the USB Key is determined not to be illegally copied.
Optionally, the determining unit 450 is further configured to determine the new current name as the current name after the first preset time period, and return to execute the step of receiving the USB Key certificate sent by the USB Key according to the access request of the license management server.
The above-mentioned embodiment of the present invention provides the functions of each functional unit of the license management device, which can be realized through the above-mentioned method steps, and therefore, the embodiment of the present invention provides specific working processes and beneficial effects of each unit in the license management device, which are not described herein again.
An embodiment of the present invention corresponding to the foregoing method provides a network device, as shown in fig. 5, where the network device may include: a transmitting unit 510, a receiving unit 520 and an executing unit 530.
A sending unit 510, configured to send a license verification request to a license management server, where the license verification request is a request for performing license verification on a function to be run of a network device, and the license verification request includes license verification information, and the license verification information includes a request serial number, a request random number, and a client number; wherein the request sequence number indicates the number of requests for the license verification request; the request random number is generated by each license verification request, the random numbers generated by each license verification request are different, and the client number is a uniform identifier of a preset license system;
a receiving unit 520, configured to receive a license verification response sent by the license management server according to the request sequence number, the request random number, and the client number, where the license verification response includes a license verification result;
an executing unit 530, configured to execute the operation indicated by the license verification result.
Optionally, the executing unit 530 is specifically configured to run the function to be run if the license verification result indicates that license verification succeeded, and to uninstall the license and/or restart the device if the license verification result indicates that license verification failed.
Optionally, the apparatus further comprises a decryption unit 540;
the permission verification response also comprises a USB Key certificate and signature information, and the signature information comprises an encrypted permission verification result and an encrypted USB Key certificate;
a decryption unit 540, configured to decrypt the encrypted permission verification result and the encrypted USB Key certificate according to the received USB Key certificate, so as to obtain a decrypted permission verification result and a decrypted USB Key certificate;
the executing unit 530 is specifically configured to run the function to be run when the USB Key certificate is consistent with the decrypted USB Key certificate and the license verification result is consistent with the decrypted license verification result.
The above-mentioned embodiments of the present invention provide functions of each functional unit of the network device, which can be implemented by the above-mentioned method steps, and therefore, the embodiments of the present invention provide specific working processes and beneficial effects of each unit in the network device, which are not described herein again.
The embodiment of the present invention further provides a license management server, as shown in fig. 6, including a processor 610, a communication interface 620, a memory 630 and a communication bus 640, where the processor 610, the communication interface 620 and the memory 630 complete communication with each other through the communication bus 640.
A memory 630 for storing computer programs;
the processor 610, when executing the program stored in the memory 630, implements the following steps:
receiving a license verification request sent by a network device, wherein the license verification request is used to request license verification of a function to be run on the network device and comprises license verification information, the license verification information comprising a request serial number, a request random number and a client number; wherein the request serial number indicates the number of license verification requests issued; the request random number is a random number generated when the license verification request is sent, a different random number being generated for each license verification request; and the client number is a uniform identifier of a preset license system;
verifying the request serial number, the request random number and the client number based on a preset non-copying condition to obtain a permission verification result;
and sending a license verification response to the network device, wherein the license verification response comprises a license verification result so that the network device executes the operation indicated by the license verification result.
Since the implementation and beneficial effects of each component of the license management server in the foregoing embodiment can be obtained by referring to the steps of the embodiment shown in fig. 2, the specific working process and beneficial effects of the license management server provided in this embodiment of the present invention are not described herein again.
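The "preset non-copying condition" the server applies is spelled out in claim 1 below as three acceptance rules on the request serial number, request random number and client number. The following is an added example, not code from the patent, that implements those three rules on the server side with the stored previous request kept in memory; `RequestVerifier`, `LicenseRequest` and the sample request stream are constructed here.

```python
"""Server-side check of the non-copying condition (claim 1 of the patent).

Added illustration, not code from the patent. The per-client state (stored
client number, previous request serial number, previous request random
number) is kept in memory here; a real license server would persist it.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class LicenseRequest:
    """License verification information carried by one request."""
    seq: int          # request serial number: how many requests have been issued
    nonce: int        # request random number: freshly generated per request
    client_no: str    # client number: uniform identifier of the license system


class RequestVerifier:
    """Holds the stored client number and the last accepted request."""

    def __init__(self, client_no: str) -> None:
        self.client_no = client_no
        self.prev_seq: Optional[int] = None
        self.prev_nonce: Optional[int] = None

    def verify(self, req: LicenseRequest) -> bool:
        """Return True if one of the three rules of claim 1 is satisfied.

        An accepted request is stored as the new 'previous' request, so the
        next request must be either its successor (fresh nonce) or an exact
        repeat of it (same serial number and same nonce).
        """
        if req.client_no != self.client_no:        # every rule needs a matching client number
            return False
        # Rule 1: serial number zero. As written in claim 1 this rule does not
        # consult the stored state; it is meant for the first request.
        first = req.seq == 0
        # Rule 2: next serial number together with a different random number.
        successor = (self.prev_seq is not None
                     and req.seq == self.prev_seq + 1
                     and req.nonce != self.prev_nonce)
        # Rule 3: same serial number and same random number (retransmission
        # of a request whose response was lost).
        repeat = (self.prev_seq is not None
                  and req.seq == self.prev_seq
                  and req.nonce == self.prev_nonce)
        if not (first or successor or repeat):
            return False
        self.prev_seq, self.prev_nonce = req.seq, req.nonce
        return True


def run_demo() -> List[bool]:
    """Feed a constructed request stream through one verifier.

    Returns the verdict for each request, in order.
    """
    v = RequestVerifier(client_no="LIC-SYS-01")    # constructed client number
    stream = [
        LicenseRequest(0, 0x1A2B, "LIC-SYS-01"),   # first request             -> accepted (rule 1)
        LicenseRequest(1, 0x3C4D, "LIC-SYS-01"),   # successor, fresh nonce    -> accepted (rule 2)
        LicenseRequest(1, 0x3C4D, "LIC-SYS-01"),   # exact retransmission      -> accepted (rule 3)
        LicenseRequest(1, 0x5E6F, "LIC-SYS-01"),   # same seq, different nonce -> rejected
        LicenseRequest(3, 0x7081, "LIC-SYS-01"),   # serial number skipped     -> rejected
        LicenseRequest(2, 0x3C4D, "LIC-SYS-01"),   # reuses the previous nonce -> rejected
        LicenseRequest(2, 0x9293, "OTHER-SYS"),    # wrong client number       -> rejected
        LicenseRequest(2, 0x9293, "LIC-SYS-01"),   # successor, fresh nonce    -> accepted (rule 2)
    ]
    return [v.verify(req) for req in stream]


if __name__ == "__main__":
    print(run_demo())
```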
An embodiment of the present invention further provides a network device, as shown in fig. 7, including a processor 710, a communication interface 720, a memory 730, and a communication bus 740, where the processor 710, the communication interface 720, and the memory 730 complete mutual communication through the communication bus 740.
A memory 730 for storing a computer program;
the processor 710, when executing the program stored in the memory 730, implements the following steps:
sending a license verification request to a license management server, wherein the license verification request is a request for license verification of a function to be run on the network device and comprises license verification information, the license verification information comprising a request serial number, a request random number and a client number; wherein the request serial number indicates the number of license verification requests issued; the request random number is generated for each license verification request, a different random number being generated for each request; and the client number is a uniform identifier of a preset license system;
receiving a license verification response sent by the license management server according to the request serial number, the request random number and the client number, wherein the license verification response comprises a license verification result;
the operation indicated by the license verification result is performed.
Since the implementation and beneficial effects of solving the problems of the devices of the network device in the foregoing embodiment can be implemented by referring to the steps in the embodiment shown in fig. 2, detailed working processes and beneficial effects of the network device provided in the embodiment of the present invention are not described herein again.
The communication bus mentioned above may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the electronic equipment and other equipment.
The memory may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; or it may be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In still another embodiment provided by the present invention, there is also provided a license system including the license management server shown in fig. 6 and the network device shown in fig. 7.
In yet another embodiment of the present invention, there is also provided a computer-readable storage medium having stored therein instructions, which when run on a computer, cause the computer to perform the licensing method of any of the above embodiments.
In a further embodiment provided by the present invention, there is also provided a computer program product containing instructions which, when run on a computer, cause the computer to perform the licensing method of any of the above embodiments.
As will be appreciated by one of skill in the art, the embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, embodiments of the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Embodiments of the present application are described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including the preferred embodiment and all changes and modifications that fall within the true scope of the embodiments of the present application.
It is apparent that those skilled in the art can make various changes and modifications to the embodiments of the present application without departing from the spirit and scope of the embodiments of the present application. Thus, if such modifications and variations of the embodiments of the present application fall within the scope of the claims of the embodiments of the present application and their equivalents, the embodiments of the present application are also intended to include such modifications and variations.

Claims (20)

1. An asymmetric encryption based licensing method, applied on a license management server in a licensing system, comprising:
receiving a license verification request sent by a network device, wherein the license verification request is used to request license verification of a function to be run on the network device, the license verification request comprises license verification information, and the license verification information comprises a request serial number, a request random number and a client number; wherein the request serial number indicates the number of license verification requests issued; the request random number is generated when the license verification request is sent, a different random number being generated for each license verification request; and the client number is a uniform identifier of a preset license system;
verifying the request serial number, the request random number and the client number based on a preset non-copying condition to obtain a license verification result;
sending a license verification response to the network device, wherein the license verification response comprises the license verification result so that the network device executes the operation indicated by the license verification result;
wherein the verifying the request serial number, the request random number and the client number based on the preset non-copying condition to obtain the license verification result comprises:
if the request serial number is verified to be zero and the client number is consistent with the stored client number, obtaining the license verification result indicating successful verification;
if the request serial number is verified to be equal to the stored previous request serial number plus 1, the request random number is not equal to the stored previous request random number, and the client number is consistent with the stored client number, obtaining the license verification result indicating successful verification;
and if the request serial number is verified to be equal to the stored previous request serial number, the request random number is equal to the stored previous request random number, and the client number is consistent with the stored client number, obtaining the license verification result indicating successful verification.
2. The method of claim 1, wherein the sending a license verification response to the network device comprises:
when the permission verification result shows that the permission verification is successful, sending a signature request to a USB Key, wherein the signature request comprises information to be signed, the information to be signed comprises the permission verification result and a USB Key certificate, and the USB Key certificate is acquired from the USB Key before the signature request is sent to the USB Key;
receiving signature information sent by the USB Key, wherein the signature information is information obtained by encrypting the information to be signed by the USB Key by using a private Key;
sending a license verification response to the network device, wherein the license verification response comprises the license verification result, the USB Key certificate and the signature information, so that the network device runs the function to be run, and the signature information comprises an encrypted license verification result and an encrypted USB Key certificate.
3. The method of claim 2, wherein prior to sending the signature request to the USB Key, the method further comprises:
receiving a USB Key certificate sent by the USB Key in response to an access request from the license management server;
if the USB Key certificate is verified to be valid against the stored CA certificate, sending a text to be signed to the USB Key, wherein the text to be signed is any text of the license management server;
receiving a signature text sent by the USB Key, wherein the signature text is a text obtained by encrypting the text to be signed by the USB Key by using a private Key;
decrypting the signature text based on the received USB Key certificate to obtain a decrypted text;
if the decrypted text is consistent with the text to be signed, sending a name acquisition request to the USB Key;
receiving the current name of the USB Key sent by the USB Key according to the name acquisition request;
determining the USB Key as a USB Key which is not illegally copied according to the current name of the USB Key;
renaming the current name of the USB Key to obtain a new current name of the USB Key;
and sending the new current name to the USB Key.
4. The method according to claim 3, wherein determining, according to the current name of the USB Key, that the USB Key has not been illegally copied comprises:
if the name of the stored USB Key is detected to be consistent with the current name, determining that the USB Key is not illegally copied;
or if the name of the USB Key is not stored, determining that the USB Key is not illegally copied.
5. The method of claim 3, wherein the method further comprises:
and after a first preset time period, determining the new current name as the current name, and returning to execute the step of receiving the USB Key certificate sent by the USB Key according to the access request of the license management server.
6. An asymmetric encryption based licensing method, applied to a network device in a licensing system, comprising:
sending a license verification request to a license management server, wherein the license verification request is a request for license verification of a function to be run on the network device, the license verification request comprises license verification information, and the license verification information comprises a request serial number, a request random number and a client number; wherein the request serial number indicates the number of license verification requests issued; the request random number is generated when the license verification request is sent, a different random number being generated for each license verification request; and the client number is a uniform identifier of a preset license system;
receiving a license verification response sent by the license management server according to the request sequence number, the request random number and the client number, wherein the license verification response comprises a license verification result;
and executing the operation indicated by the permission verification result.
7. The method of claim 6, wherein the executing the operation indicated by the license verification result comprises:
if the license verification result indicates that the license verification is successful, running the function to be run;
and if the license verification result indicates that the license verification fails, performing a license uninstall operation and/or a self-restart operation.
8. The method of claim 6, wherein the license verification response further includes a USB Key certificate and signature information, the signature information including the encrypted license verification result and the encrypted USB Key certificate, and the method further comprises:
decrypting the encrypted permission verification result and the encrypted USB Key certificate according to the received USB Key certificate to obtain a decrypted permission verification result and a decrypted USB Key certificate;
and when the USB Key certificate is consistent with the decrypted USB Key certificate and the permission verification result is consistent with the decrypted permission verification result, the function to be run is run.
9. A license management apparatus, characterized in that the apparatus comprises:
a receiving unit, configured to receive a license verification request sent by a network device, where the license verification request is used to request license verification for a function to be run of the network device, and the license verification request includes license verification information, where the license verification information includes a request sequence number, a request random number, and a client number; wherein the request sequence number indicates the number of requests of the license verification request; the request random number is generated when a permission verification request is sent out, the random numbers generated by the permission verification request are different every time, and the client number is a uniform identifier of a preset permission system;
a verification unit, configured to verify the request serial number, the request random number and the client number based on a preset non-copying condition to obtain a license verification result;
a sending unit configured to send a license verification response to the network device, the license verification response including a license verification result so that the network device performs an operation indicated by the license verification result;
the verification unit is specifically configured to obtain the permission verification result indicating that verification is successful if the request serial number is verified to be zero and the client number is consistent with the stored client number;
if the request serial number is verified to be equal to the stored previous request serial number plus 1, the request random number is not equal to the stored previous request random number, and the client number is consistent with the stored client number, obtaining the permission verification result indicating successful verification;
and if the request serial number is verified to be equal to the stored previous request serial number, the request random number is equal to the stored previous request random number, and the client number is consistent with the stored client number, obtaining the permission verification result indicating successful verification.
10. The apparatus according to claim 9, wherein the sending unit is further configured to send a signature request to a USB Key when the license verification result indicates that the license verification is successful, the signature request including information to be signed, the information to be signed including the license verification result and a USB Key certificate, the USB Key certificate being obtained from the USB Key before the sending of the signature request to the USB Key;
the receiving unit is further configured to receive signature information sent by the USB Key, where the signature information is information obtained by encrypting the information to be signed by using a private Key by the USB Key;
the sending unit is further configured to send a license verification response to the network device, where the license verification response includes the license verification result, the USB Key certificate, and the signature information, so that the network device runs the function to be run, and the signature information includes an encrypted license verification result and an encrypted USB Key certificate.
11. The apparatus of claim 10, wherein the apparatus further comprises a decryption unit, a determination unit, and a naming unit;
the receiving unit is also used for receiving a USB Key certificate sent by the USB Key according to the access request of the permission management server before sending the signature request to the USB Key;
the sending unit is further configured to send a text to be signed to the USB Key if the stored CA certificate verifies that the USB Key certificate is valid, where the text to be signed is any text of the license management server;
the receiving unit is further configured to receive a signature text sent by the USB Key, where the signature text is a text obtained by encrypting the text to be signed by using a private Key through the USB Key;
the decryption unit is used for decrypting the signature text based on the received USB Key certificate to obtain a decrypted text;
the sending unit is further configured to send a name acquisition request to the USB Key if the decrypted text is consistent with the text to be signed;
the receiving unit is further configured to receive a current name of the USB Key sent by the USB Key according to the name acquisition request;
the determining unit is used for determining the USB Key as a USB Key which is not illegally copied according to the current name of the USB Key;
the naming unit is used for renaming the current name of the USB Key to obtain a new current name of the USB Key;
the sending unit is further configured to send the new current name to the USB Key.
12. The apparatus according to claim 11, wherein the determining unit is specifically configured to determine that the USB Key has not been illegally copied if it is detected that the stored name of the USB Key is consistent with the current name;
or if the name of the USB Key is not stored, determining that the USB Key is not illegally copied.
13. The apparatus of claim 11, wherein the determining unit is further configured to determine the new current name as the current name after a first preset time period, and to trigger the receiving unit to return to the step of receiving the USB Key certificate sent by the USB Key according to the access request of the license management server.
14. A network device, the device comprising:
a sending unit, configured to send a license verification request to a license management server, where the license verification request is a request for performing license verification on a function to be operated of the network device, and the license verification request includes license verification information, where the license verification information includes a request serial number, a request random number, and a client number; wherein the request sequence number indicates the number of requests of the license verification request; the request random number is generated when a permission verification request is sent out, the random numbers generated by the permission verification request are different every time, and the client number is a uniform identifier of a preset permission system;
a receiving unit, configured to receive a license verification response sent by the license management server according to the request sequence number, the request random number, and the client number, where the license verification response includes a license verification result;
and the execution unit is used for executing the operation indicated by the permission verification result.
15. The device according to claim 14, wherein the execution unit is specifically configured to run the function to be run if the license verification result indicates that the license verification is successful;
and to perform a license uninstall operation and/or a self-restart operation if the license verification result indicates that the license verification fails.
16. The device of claim 14, wherein the device further comprises a decryption unit;
the license verification response further comprises a USB Key certificate and signature information, wherein the signature information comprises an encrypted license verification result and an encrypted USB Key certificate;
the decryption unit is configured to decrypt the encrypted license verification result and the encrypted USB Key certificate according to the received USB Key certificate to obtain a decrypted license verification result and a decrypted USB Key certificate;
the execution unit is specifically configured to run the function to be run when the USB Key certificate is consistent with the decrypted USB Key certificate and the license verification result is consistent with the decrypted license verification result.
17. A license management server is characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory are communicated with each other through the communication bus;
a memory for storing a computer program;
a processor for implementing the method steps of any one of claims 1 to 5 when executing a program stored in the memory.
18. A network device, characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other through the communication bus;
a memory for storing a computer program;
a processor for implementing the method steps of any of claims 6 to 8 when executing a program stored in the memory.
19. A licensing system, wherein said system comprises a USB Key, the license management server of claim 17 and the network device of claim 18.
20. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, which computer program, when being executed by a processor, carries out the method steps of any of the claims 1-5 or the method steps of any of the claims 6-8.
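Claims 3 to 5 describe how the license management server tells an illegally copied USB Key from the genuine one: it reads the key's current name, accepts it only if no name is stored yet or the stored name matches, then renames the key and remembers the new name for the next cycle. The following is an added example, not the patent's code, that models that cycle; `UsbKey`, `KeyNameChecker` and the `clone()` stand-in for an illegal copy are constructed here, and the CA certificate check and signed challenge text of claim 3 are assumed to have already passed.

```python
"""Detecting a copied USB Key via the rename cycle of claims 3 to 5.

Added illustration, not code from the patent. The CA check of the USB Key
certificate and the signed challenge text that claim 3 performs before the
name exchange are assumed to have passed; only the name check is modelled.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class UsbKey:
    """The only token state this check relies on: a server-writable name."""
    name: str

    def clone(self) -> "UsbKey":
        """Constructed stand-in for an illegal copy: it carries whatever
        name the genuine token had at the moment it was copied."""
        return UsbKey(name=self.name)


class KeyNameChecker:
    """Server side of claims 3 to 5: judge the current name, then rotate it."""

    def __init__(self) -> None:
        self.stored_name: Optional[str] = None   # last name we assigned to the key

    def check_and_rename(self, key: UsbKey) -> bool:
        """One cycle. Returns True if the key is judged not to be a copy."""
        current = key.name                       # reply to the name acquisition request
        # Claim 4: not copied if no name is stored yet, or stored name == current name.
        if self.stored_name is not None and current != self.stored_name:
            return False
        new_name = secrets.token_hex(8)          # claim 3: rename the key ...
        key.name = new_name                      # ... and send the new current name to it
        self.stored_name = new_name              # claim 5: the new name is the current name next cycle
        return True


def run_scenario() -> Dict[str, bool]:
    """Genuine key checked twice, with a copy taken between the two checks."""
    server = KeyNameChecker()
    genuine = UsbKey(name="factory-default")     # constructed initial name
    results: Dict[str, bool] = {}
    results["first_cycle"] = server.check_and_rename(genuine)    # no stored name yet -> accepted
    copy = genuine.clone()                                        # copy made after the first rename
    results["second_cycle"] = server.check_and_rename(genuine)   # names match -> accepted, renamed again
    results["copy_detected"] = not server.check_and_rename(copy)  # stale name -> rejected
    # The check reveals that two tokens have diverged; whichever token reaches
    # the server first after the copy is the one that keeps a valid name.
    return results


if __name__ == "__main__":
    print(run_scenario())
```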
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810276390.3A CN110324283B (en) 2018-03-30 2018-03-30 Permission method, device and system based on asymmetric encryption

Publications (2)

Publication Number Publication Date
CN110324283A CN110324283A (en) 2019-10-11
CN110324283B true CN110324283B (en) 2021-08-06

Family

ID=68111456

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant