CN110674475A - Authorization control method and device and trusted computing terminal - Google Patents
Authorization control method and device and trusted computing terminal Download PDFInfo
- Publication number
- CN110674475A CN110674475A CN201910937159.9A CN201910937159A CN110674475A CN 110674475 A CN110674475 A CN 110674475A CN 201910937159 A CN201910937159 A CN 201910937159A CN 110674475 A CN110674475 A CN 110674475A
- Authority
- CN
- China
- Prior art keywords
- target client
- authorization certificate
- certificate file
- authorization
- trusted
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000013475 authorization Methods 0.000 title claims abstract description 265
- 238000000034 method Methods 0.000 title claims abstract description 34
- 238000012795 verification Methods 0.000 claims abstract description 68
- 238000012545 processing Methods 0.000 claims description 13
- 230000006870 function Effects 0.000 claims description 5
- 230000007123 defense Effects 0.000 description 4
- 238000005516 engineering process Methods 0.000 description 4
- 230000006854 communication Effects 0.000 description 3
- 230000008878 coupling Effects 0.000 description 3
- 238000010168 coupling process Methods 0.000 description 3
- 238000005859 coupling reaction Methods 0.000 description 3
- 230000006399 behavior Effects 0.000 description 2
- 238000004891 communication Methods 0.000 description 2
- 238000005034 decoration Methods 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 230000000694 effects Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000008569 process Effects 0.000 description 2
- 230000003213 activating effect Effects 0.000 description 1
- 230000004913 activation Effects 0.000 description 1
- 238000004590 computer program Methods 0.000 description 1
- 238000005259 measurement Methods 0.000 description 1
- 230000006855 networking Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/121—Restricting unauthorised execution of programs
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/06—Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Technology Law (AREA)
- Multimedia (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention discloses an authorization control method and device and a trusted computing terminal. Wherein, the method comprises the following steps: acquiring a hardware code file of a target client, and generating an authorization certificate file based on the hardware code file, wherein the authorization certificate file is used for indicating the authorized target client to operate trusted protection software, and the trusted protection software is used for performing active security protection on the target client; and uploading the authorization certificate file to a trusted management center, wherein the trusted management center is used for sending the authorization certificate file to a target client, and the target client is used for performing authorization permission verification when trusted protection software is started or operated after receiving the authorization certificate file. The invention solves the technical problem that the prior art can not provide effective certificate files for the client to carry out authorization permission verification on the trusted protection software of the client.
Description
Technical Field
The invention relates to the technical field of trusted management, in particular to an authorization control method and device and a trusted computing terminal.
Background
In the related art, when a client communicates with a trusted management center, a file transmitted in a communication process is often encrypted in a simple file encryption mode, and the processing mode cannot ensure that the client can perform real-time security protection; and the client can not carry out authorization processing, namely the client can be always in a protected state and can not provide an effective certificate file for verification processing, and on the basis, authorization permission verification can not be carried out on trusted protection software running in the client, so that the trusted protection software of the client is in a scattered state and is not effectively managed.
In view of the above problems, no effective solution has been proposed.
Disclosure of Invention
The embodiment of the invention provides an authorization control method and device and a trusted computing terminal, and at least solves the technical problem that effective certificate files cannot be provided for a client to carry out authorization permission verification on trusted protection software of the client in the related art.
According to an aspect of an embodiment of the present invention, there is provided an authorization control method, including: acquiring a hardware code file of a target client, and generating an authorization certificate file based on the hardware code file, wherein the authorization certificate file is used for indicating that the target client is authorized to run trusted protection software, and the trusted protection software is used for performing active security protection on the target client; and uploading the authorization certificate file to a trusted management center, wherein the trusted management center is used for sending the authorization certificate file to the target client, and the target client is used for performing authorization permission verification when the trusted protection software is started or operated after receiving the authorization certificate file.
Optionally, the obtaining the hardware code file of the target client includes: receiving a hardware code generation instruction, wherein the hardware code generation instruction comprises an identifier of the target client, and the hardware code generation instruction is used for requesting generation of a hardware code file of the target client; and if the identification of the target client passes the verification, generating a hardware code file of the target client based on the identification of the target client.
Optionally, uploading the authorization certificate file to a trusted management center includes: carrying out decryption verification on the authorization certificate file; if the decryption verification of the authorization certificate file is passed, uploading the authorization certificate file to the trusted management center for storage; sending a restart instruction to the trusted management center, wherein the restart instruction is used for instructing the trusted management center to restart so as to enable the authorization certificate file to be effective in the trusted management center.
Optionally, the target client is configured to, after receiving the authorization certificate file, perform authorization permission check when the trusted defense software is started, including: the target client loads the authorization certificate file after the trusted protection software is started; if the loading of the authorization certificate file is successful, verifying the authorization certificate file; and if the authorization certificate file passes the verification, starting a function module customized by the trusted management center for the target client, wherein the function module is used for actively installing and protecting the target client.
Optionally, verifying the authorization certificate file includes: verifying whether the authorization certificate file matches the target client; if the matching is successful, determining that the authorization certificate file can be normally used; if the matching fails, determining that the authorization certificate file cannot be normally used; and/or verifying whether the validity period of the authorization certificate file is over; if the validity period of the authorization certificate file is not finished, determining that the authorization certificate file can be normally used; and if the validity period of the authorization certificate file is finished, determining that the authorization certificate file cannot be normally used.
Optionally, the target client is configured to, after receiving the authorization certificate file, perform authorization permission check when running the trusted defense software, and further includes: when the target client runs the trusted protection software, starting a timer; after the time counted by the timer reaches the effective use time of the authorization certificate file, verifying the authorization certificate file again; if the verification of the authorization certificate file fails, controlling the trusted protection software to stop running and sending prompt information, wherein the prompt information is used for informing the target client to activate the authorization certificate file; and if the authorization certificate file passes the verification, controlling the timer to count again.
According to another aspect of the embodiments of the present invention, there is also provided an authorization control apparatus, including: the system comprises an acquisition unit, a processing unit and a processing unit, wherein the acquisition unit is used for acquiring a hardware code file of a target client and generating an authorization certificate file based on the hardware code file, the authorization certificate file is used for indicating that the target client is authorized to run trusted protection software, and the trusted protection software is used for performing active security protection on the target client; and the uploading unit is used for uploading the authorization certificate file to a trusted management center, wherein the trusted management center is used for sending the authorization certificate file to the target client, and the target client is used for performing authorization permission verification when the trusted protection software is started or operated after receiving the authorization certificate file.
Optionally, the obtaining unit includes: the system comprises a receiving module, a sending module and a processing module, wherein the receiving module is used for receiving a hardware code generating instruction, the hardware code generating instruction comprises an identifier of a target client, and the hardware code generating instruction is used for requesting to generate a hardware code file of the target client; and the generation module is used for generating a hardware code file of the target client based on the identifier of the target client if the identifier of the target client passes the verification.
Optionally, the uploading unit includes: the first verification module is used for carrying out decryption verification on the authorization certificate file; the first uploading module is used for uploading the authorization certificate file to the trusted management center for storage when the decryption verification of the authorization certificate file is passed; the first sending module is configured to send a restart instruction to the trusted management center, where the restart instruction is used to instruct the trusted management center to restart, so that the authorization certificate file is validated in the trusted management center.
Optionally, the uploading unit includes: the second loading module is used for loading the authorization certificate file after the target client side starts the trusted protection software; the second verification module is used for verifying the authorization certificate file when the authorization certificate file is successfully loaded; and the starting module is used for starting the functional module customized by the trusted management center for the target client when the authorization certificate file passes verification, wherein the functional module is used for actively installing and protecting the target client.
Optionally, the second check module comprises: the first verification submodule is used for verifying whether the authorization certificate file is matched with the target client; the first determining submodule is used for determining that the authorization certificate file can be normally used when the matching is successful; the second determining submodule is used for determining that the authorization certificate file cannot be normally used when the matching fails; and/or verifying whether the validity period of the authorization certificate file is over; the third determining submodule is used for determining that the authorization certificate file can be normally used when the validity period of the authorization certificate file is not finished; and the fourth determining submodule is used for determining that the authorization certificate file cannot be normally used when the validity period of the authorization certificate file is finished.
Optionally, the uploading unit further includes: the timer starting module is used for starting a timer when the target client runs the trusted protection software; the third verification module is used for verifying the authorization certificate file again after the timing of the timer reaches the effective use duration of the authorization certificate file; the first control module is used for controlling the trusted protection software to stop running and sending prompt information when the verification of the authorization certificate file fails, wherein the prompt information is used for informing the target client of activating the authorization certificate file; and the second control module is used for controlling the timer to count again when the authorization certificate file passes the verification.
According to another aspect of the embodiments of the present invention, there is also provided a trusted computing terminal, including: a memory, a processor coupled with the memory, the memory and the processor communicating over a bus system; the memory is used for storing a program, wherein the program, when executed by the processor, controls the device in which the memory is located to execute any one of the authorization control methods, and the processor is used for executing the program, wherein the program executes to execute any one of the authorization control methods.
According to another aspect of the embodiments of the present invention, there is also provided a processor, configured to execute a program, where the program executes to perform any one of the authorization control methods described above.
In the embodiment of the invention, a hardware code file of a target client side can be obtained firstly, and an authorization certificate file is generated based on the hardware code file, wherein the authorization certificate file is used for indicating the authorized target client side to operate trusted protection software, and the trusted protection software is used for performing active security protection on the target client side; and uploading the authorization certificate file to a trusted management center, wherein the trusted management center is used for sending the authorization certificate file to a target client, and the target client is used for performing authorization permission verification when trusted protection software is started or operated after receiving the authorization certificate file. In the embodiment, the authorization certificate file can be generated through the hardware code file of the client, and authorization permission verification is performed on the trusted protection software running in the client through the authorization certificate file, so that the security protection degree of authorization on the client can be improved, the satisfaction degree of a user using the trusted protection software is improved, and the technical problem that effective certificate files cannot be provided for the client to perform authorization permission verification on the trusted protection software of the client in the related technology is solved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a flow chart of an alternative authorization control method according to an embodiment of the invention;
fig. 2 is a schematic diagram of an alternative authorization control device according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The execution main body of the authorization control method in each embodiment of the invention is a server (controlling and operating the trusted protection program/trusted protection software) connected with the target client, the execution main body can also be understood as a protection program, the server controls the target client to operate the trusted protection software, the trusted protection software is used for acquiring a hardware code file of the client, so as to generate an authorization certificate file, and then the authorization certificate file is uploaded to the trusted management center/trusted management platform. The trusted management center/trusted security management platform related in each embodiment of the invention is used for supporting and maintaining a plurality of clients, the clients run trusted protection software and carry out active security protection through the trusted protection software, each client comprises a computing subsystem and a protection subsystem which are parallel, the computing subsystem is used for completing computing tasks, the protection subsystem is used for carrying out active measurement on the computing subsystem according to a trusted policy, and the clients are responsible for collecting access behavior data of an application program and reporting the access behavior data to the trusted security management platform.
The aforementioned clients may include, but are not limited to: tablet, mobile terminal, PC, IPAD, etc. Different immune credible strategies need to be formulated for different business applications and user scenes, and after the client is actively measured through the credible strategies, whether the security protection of the client by the credible strategies is comprehensive and accurate is determined, so that the credible strategy conformity of each client exceeds a preset conformity value.
In accordance with an embodiment of the present invention, there is provided an authorization control method embodiment, it should be noted that the steps illustrated in the flowchart of the accompanying drawings may be performed in a computer system such as a set of computer-executable instructions, and that while a logical order is illustrated in the flowchart, in some cases the steps illustrated or described may be performed in an order different than here.
Fig. 1 is a flowchart of an alternative authorization control method according to an embodiment of the present invention, as shown in fig. 1, the method includes the following steps:
step S102, acquiring a hardware code file of a target client, and generating an authorization certificate file based on the hardware code file, wherein the authorization certificate file is used for indicating the authorized target client to operate trusted protection software, and the trusted protection software is used for performing active security protection on the target client;
and step S104, uploading the authorization certificate file to a trusted management center, wherein the trusted management center is used for sending the authorization certificate file to a target client, and the target client is used for performing authorization permission verification when starting or running trusted protection software after receiving the authorization certificate file.
Through the steps, a hardware code file of a target client side can be obtained firstly, and an authorization certificate file is generated based on the hardware code file, wherein the authorization certificate file is used for indicating the authorized target client side to operate trusted protection software, and the trusted protection software is used for performing active security protection on the target client side; and uploading the authorization certificate file to a trusted management center, wherein the trusted management center is used for sending the authorization certificate file to a target client, and the target client is used for performing authorization permission verification when trusted protection software is started or operated after receiving the authorization certificate file. In the embodiment, the authorization certificate file can be generated through the hardware code file of the client, and authorization permission verification is performed on the trusted protection software running in the client through the authorization certificate file, so that the security protection degree of authorization on the client can be improved, the satisfaction degree of a user using the trusted protection software is improved, and the technical problem that effective certificate files cannot be provided for the client to perform authorization permission verification on the trusted protection software of the client in the related technology is solved.
The present invention will be described in detail with reference to the respective steps.
Step S102, acquiring a hardware code file of a target client, and generating an authorization certificate file based on the hardware code file, wherein the authorization certificate file is used for indicating the authorized target client to operate trusted protection software, and the trusted protection software is used for performing active security protection on the target client.
As an optional embodiment of the present invention, acquiring the hardware code file of the target client includes: receiving a hardware code generation instruction, wherein the hardware code generation instruction comprises an identifier of a target client, and the hardware code generation instruction is used for requesting to generate a hardware code file of the target client; and if the identification of the target client passes the verification, generating a hardware code file of the target client based on the identification of the target client.
The identification of the target client may include, but is not limited to: client identification ID, client address, etc. When the identification of the target client is verified, if the verification is not passed, an error prompt message can be sent to the user operation interface.
The hardware code file can be understood as a hardware code file which is generated by calling a target client background service.
Optionally, when the hardware code file is generated, in addition to the identifier of the target client, an identifier of a server connected to the target client may also be used, and after the identifier of the server passes verification, the hardware code file corresponding to the identifier of the server is generated.
The hardware code file obtained by the above embodiment can directly generate an authorization certificate file (which can be understood as license); or the hardware code file is sent to a company server for managing the trusted protection software, and the authorization certificate file is obtained through the company server.
And step S104, uploading the authorization certificate file to a trusted management center, wherein the trusted management center is used for sending the authorization certificate file to a target client, and the target client is used for performing authorization permission verification when starting or running trusted protection software after receiving the authorization certificate file.
In an alternative embodiment of the present invention, uploading the authorization certificate file to the trusted authority includes: carrying out decryption verification on the authorization certificate file; if the decryption verification of the authorization certificate file is passed, uploading the authorization certificate file to a trusted management center for storage; and sending a restart instruction to the trusted management center, wherein the restart instruction is used for instructing the trusted management center to restart so as to enable the authorization certificate file to be effective in the trusted management center.
In the embodiment of the invention, when the authorization certificate file is transmitted to the target client, two situations are adopted: firstly, a target client and a trusted management center are in a networking mode, an authorization certificate file is uploaded to the trusted management center as described above, and then the authorization certificate file is sent to the target client through the trusted management center; second, the target client is in an offline mode, and the authorization certificate file can be directly stored in the target client, for example, copied to the operating system of the target client through external software such as a usb disk.
As an optional embodiment of the present invention, the target client, after receiving the authorization certificate file, performing authorization permission verification when starting the trusted defense software includes: after the trusted protection software is started, the target client loads an authorization certificate file; if the loading of the authorization certificate file is successful, verifying the authorization certificate file; and if the authorization certificate file passes the verification, starting a functional module customized by the trusted management center for the target client, wherein the functional module is used for actively installing and protecting the target client.
In the embodiment of the present invention, when verifying the authorization certificate file, the verification content includes but is not limited to: whether it is an identification of the target client, an identification of the trusted management center, whether it is an authorization for the application protection software, and so forth.
Optionally, the verifying the authorization certificate file includes: verifying whether the authorization certificate file is matched with the target client; if the matching is successful, determining that the authorization certificate file can be normally used; if the matching fails, determining that the authorization certificate file cannot be normally used; and/or verifying whether the validity period of the authorization certificate file is over; if the validity period of the authorization certificate file is not finished, determining that the authorization certificate file can be normally used; and if the validity period of the authorization certificate file is over, determining that the authorization certificate file cannot be normally used.
When loading the authorization certificate file, if loading fails, loading the trial authorization certificate file; if loading the trial authorization certificate file fails, prompting the user to reactivate, and normally using the trusted protection software until activation is completed.
Before loading the authorization certificate file, the authorization control method further comprises the following steps: after the operating system of the target client runs, running trusted protection software and acquiring an authorization certificate file; storing the authorization certificate file into a control server connected with a target client; and restarting the control server to enable the new authorization certificate file license to take effect.
As another optional embodiment of the present invention, the target client, after receiving the authorization certificate file, performing authorization license check when running the trusted defense software further includes: starting a timer when the target client runs the trusted protection software; after the time counted by the timer reaches the effective use time of the authorization certificate file, verifying the authorization certificate file again; if the verification of the authorization certificate file fails, controlling the trusted protection software to stop running and sending prompt information, wherein the prompt information is used for informing a target client to activate the authorization certificate file; and if the authorization certificate file passes the verification, controlling the timer to count again.
Optionally, before starting the timer, after the authorization certificate file passes verification, the trusted protection software is normally started, and the valid use duration of the authorization certificate file is obtained; and calculating a timer interval according to the current system time and the effective use time of the target client, and controlling the timer to work through the timer interval.
By the embodiment, the authorization certificate file can be generated based on the hardware code file of the client, and the validity period and the use information of the trusted protection software used by the target client are verified based on the authorization certificate file after the trusted protection software is started, so that the trusted protection software can normally work, and the software operation efficiency is improved.
Fig. 2 is a schematic diagram of an alternative authorization control device according to an embodiment of the present invention, as shown in fig. 2, the authorization control device may include: an acquisition unit 21, an upload unit 23, wherein,
the system comprises an obtaining unit 21, a processing unit and a processing unit, wherein the obtaining unit 21 is used for obtaining a hardware code file of a target client and generating an authorization certificate file based on the hardware code file, the authorization certificate file is used for indicating the authorized target client to operate trusted protection software, and the trusted protection software is used for performing active security protection on the target client;
the uploading unit 23 is configured to upload the authorization certificate file to a trusted management center, where the trusted management center is configured to send the authorization certificate file to a target client, and the target client is configured to perform authorization permission verification when the trusted protection software is started or run after receiving the authorization certificate file.
The authorization control device can acquire a hardware code file of a target client through the acquisition unit 21, and generate an authorization certificate file based on the hardware code file, wherein the authorization certificate file is used for indicating the authorized target client to operate trusted protection software, and the trusted protection software is used for performing active security protection on the target client; and uploading the authorization certificate file to a trusted management center through an uploading unit 23, wherein the trusted management center is used for sending the authorization certificate file to a target client, and the target client is used for performing authorization permission verification when trusted security software is started or operated after receiving the authorization certificate file. In the embodiment, the authorization certificate file can be generated through the hardware code file of the client, and authorization permission verification is performed on the trusted protection software running in the client through the authorization certificate file, so that the security protection degree of authorization on the client can be improved, the satisfaction degree of a user using the trusted protection software is improved, and the technical problem that effective certificate files cannot be provided for the client to perform authorization permission verification on the trusted protection software of the client in the related technology is solved.
Optionally, the obtaining unit includes: the system comprises a receiving module, a sending module and a sending module, wherein the receiving module is used for receiving a hardware code generating instruction, the hardware code generating instruction comprises an identifier of a target client, and the hardware code generating instruction is used for requesting to generate a hardware code file of the target client; and the generating module is used for generating a hardware code file of the target client based on the identifier of the target client if the identifier of the target client passes the verification.
Another optional, the uploading unit includes: the first verification module is used for carrying out decryption verification on the authorization certificate file; the first uploading module is used for uploading the authorization certificate file to a trusted management center for storage when the decryption and verification of the authorization certificate file are passed; the first sending module is used for sending a restarting instruction to the trusted management center, wherein the restarting instruction is used for indicating the trusted management center to restart so that the authorization certificate file can take effect in the trusted management center.
As an alternative embodiment of the present invention, the upload unit includes: the second loading module is used for loading the authorization certificate file after the trusted protection software is started by the target client; the second verification module is used for verifying the authorization certificate file when the authorization certificate file is successfully loaded; and the starting module is used for starting a functional module customized by the trusted management center for the target client when the authorization certificate file passes verification, wherein the functional module is used for actively installing and protecting the target client.
Optionally, the second check module includes: the first verification submodule is used for verifying whether the authorization certificate file is matched with the target client; the first determining submodule is used for determining that the authorization certificate file can be normally used when the matching is successful; the second determining submodule is used for determining that the authorization certificate file cannot be normally used when the matching fails; and/or verifying whether the validity period of the authorization certificate file is over; the third determining submodule is used for determining that the authorization certificate file can be normally used when the validity period of the authorization certificate file is not finished; and the fourth determining submodule is used for determining that the authorization certificate file cannot be normally used when the validity period of the authorization certificate file is ended.
In an embodiment of the present invention, the uploading unit further includes: the timer starting module is used for starting a timer when the target client runs the trusted protection software; the third verification module is used for verifying the authorization certificate file again after the timing of the timer reaches the effective use duration of the authorization certificate file; the first control module is used for controlling the trusted protection software to stop running and sending prompt information when the verification of the authorization certificate file fails, wherein the prompt information is used for informing a target client to activate the authorization certificate file; and the second control module is used for controlling the timer to count again when the authorization certificate file passes the verification.
The authorization control device may further include a processor and a memory, where the acquiring unit 21, the uploading unit 23, and the like are stored in the memory as program units, and the processor executes the program units stored in the memory to implement corresponding functions.
The processor comprises a kernel, and the kernel calls a corresponding program unit from the memory. The kernel can set one or more, and generates an authorization verification file by adjusting kernel parameters so as to carry out authorization permission verification on the trusted protection software.
The memory may include volatile memory in a computer readable medium, Random Access Memory (RAM) and/or nonvolatile memory such as Read Only Memory (ROM) or flash memory (flash RAM), and the memory includes at least one memory chip.
According to another aspect of the embodiments of the present invention, there is also provided a trusted computing terminal, including: a memory, a processor coupled to the memory, the memory and the processor communicating via a bus system; the memory is used for storing a program, wherein the program is used for controlling the equipment where the memory is located to execute any one of the authorization control methods when being executed by the processor, and the processor is used for executing the program, wherein the program executes the any one of the authorization control methods when being executed.
According to another aspect of the embodiments of the present invention, there is also provided a processor, configured to execute a program, where the program executes the authorization control method described in any one of the above.
The present application further provides a computer program product adapted to perform a program for initializing the following method steps when executed on a data processing device: acquiring a hardware code file of a target client, and generating an authorization certificate file based on the hardware code file, wherein the authorization certificate file is used for indicating the authorized target client to operate trusted protection software, and the trusted protection software is used for performing active security protection on the target client; and uploading the authorization certificate file to a trusted management center, wherein the trusted management center is used for sending the authorization certificate file to a target client, and the target client is used for performing authorization permission verification when trusted protection software is started or operated after receiving the authorization certificate file.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed technology can be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units may be a logical division, and in actual implementation, there may be another division, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and decorations can be made without departing from the principle of the present invention, and these modifications and decorations should also be regarded as the protection scope of the present invention.
Claims (10)
1. An authorization control method, comprising:
acquiring a hardware code file of a target client, and generating an authorization certificate file based on the hardware code file, wherein the authorization certificate file is used for indicating that the target client is authorized to run trusted protection software, and the trusted protection software is used for performing active security protection on the target client;
and uploading the authorization certificate file to a trusted management center, wherein the trusted management center is used for sending the authorization certificate file to the target client, and the target client is used for performing authorization permission verification when the trusted protection software is started or operated after receiving the authorization certificate file.
2. The method of claim 1, wherein obtaining the hardware code file of the target client comprises:
receiving a hardware code generation instruction, wherein the hardware code generation instruction comprises an identifier of the target client, and the hardware code generation instruction is used for requesting generation of a hardware code file of the target client;
and if the identification of the target client passes the verification, generating a hardware code file of the target client based on the identification of the target client.
3. The method of claim 1, wherein uploading the authorization certificate file to a trusted management center comprises:
carrying out decryption verification on the authorization certificate file;
if the decryption verification of the authorization certificate file is passed, uploading the authorization certificate file to the trusted management center for storage;
sending a restart instruction to the trusted management center, wherein the restart instruction is used for instructing the trusted management center to restart so as to enable the authorization certificate file to be effective in the trusted management center.
4. The method of claim 1, wherein the target client is configured to perform an authorization permission check upon launching the trusted security software after receiving the authorization credential file comprises:
the target client loads the authorization certificate file after the trusted protection software is started;
if the loading of the authorization certificate file is successful, verifying the authorization certificate file;
and if the authorization certificate file passes the verification, starting a function module customized by the trusted management center for the target client, wherein the function module is used for actively installing and protecting the target client.
5. The method of claim 4, wherein verifying the authorization certificate file comprises:
verifying whether the authorization certificate file matches the target client; if the matching is successful, determining that the authorization certificate file can be normally used; if the matching fails, determining that the authorization certificate file cannot be normally used; and/or the presence of a gas in the gas,
verifying whether the validity period of the authorization certificate file is over; if the validity period of the authorization certificate file is not finished, determining that the authorization certificate file can be normally used; and if the validity period of the authorization certificate file is finished, determining that the authorization certificate file cannot be normally used.
6. The method of claim 1, wherein the target client is configured to perform an authorization permission check while running the trusted security software after receiving the authorization credential file further comprises:
when the target client runs the trusted protection software, starting a timer;
after the time counted by the timer reaches the effective use time of the authorization certificate file, verifying the authorization certificate file again;
if the verification of the authorization certificate file fails, controlling the trusted protection software to stop running and sending prompt information, wherein the prompt information is used for informing the target client to activate the authorization certificate file;
and if the authorization certificate file passes the verification, controlling the timer to count again.
7. An authorization control device, comprising:
the system comprises an acquisition unit, a processing unit and a processing unit, wherein the acquisition unit is used for acquiring a hardware code file of a target client and generating an authorization certificate file based on the hardware code file, the authorization certificate file is used for indicating that the target client is authorized to run trusted protection software, and the trusted protection software is used for performing active security protection on the target client;
and the uploading unit is used for uploading the authorization certificate file to a trusted management center, wherein the trusted management center is used for sending the authorization certificate file to the target client, and the target client is used for performing authorization permission verification when the trusted protection software is started or operated after receiving the authorization certificate file.
8. The apparatus of claim 7, wherein the obtaining unit comprises:
the system comprises a receiving module, a sending module and a processing module, wherein the receiving module is used for receiving a hardware code generating instruction, the hardware code generating instruction comprises an identifier of a target client, and the hardware code generating instruction is used for requesting to generate a hardware code file of the target client;
and the generation module is used for generating a hardware code file of the target client based on the identifier of the target client if the identifier of the target client passes the verification.
9. A trusted computing terminal, comprising:
a memory, a processor coupled with the memory, the memory and the processor communicating over a bus system;
the memory is used for storing a program, wherein the program when executed by the processor controls the device in which the memory is located to execute the authorization control method according to any one of claims 1 to 6,
the processor is configured to execute a program, wherein the program executes the authorization control method according to any one of claims 1 to 6.
10. A processor, characterized in that the processor is configured to run a program, wherein the program is configured to execute the authorization control method according to any one of claims 1 to 6 when running.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910937159.9A CN110674475B (en) | 2019-09-29 | 2019-09-29 | Authorization control method and device and trusted computing terminal |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910937159.9A CN110674475B (en) | 2019-09-29 | 2019-09-29 | Authorization control method and device and trusted computing terminal |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN110674475A true CN110674475A (en) | 2020-01-10 |
| CN110674475B CN110674475B (en) | 2022-04-22 |
Family
ID=69080434
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910937159.9A Active CN110674475B (en) | 2019-09-29 | 2019-09-29 | Authorization control method and device and trusted computing terminal |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN110674475B (en) |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111259347A (en) * | 2020-01-19 | 2020-06-09 | 苏州浪潮智能科技有限公司 | Authorization method and device for judging machine uniqueness |
| CN113378119A (en) * | 2021-06-25 | 2021-09-10 | 成都卫士通信息产业股份有限公司 | Software authorization method, device, equipment and storage medium |
| CN113536238A (en) * | 2021-06-29 | 2021-10-22 | 上海浩霖汇信息科技有限公司 | Software use authorization authentication method and system based on cryptographic technology and related products |
| CN113704700A (en) * | 2020-05-22 | 2021-11-26 | 网神信息技术(北京)股份有限公司 | Method, device, system, electronic equipment and medium for software authorization |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103632071A (en) * | 2012-08-28 | 2014-03-12 | 北京超图软件股份有限公司 | Copyright protection method and system for geospatial data products |
| CN104317626A (en) * | 2014-11-13 | 2015-01-28 | 北京奇虎科技有限公司 | Application software permission control method, device and system for terminal equipment |
| US20170303075A1 (en) * | 2016-04-14 | 2017-10-19 | Buildwin International (Zhuhai) Limited | System and method for playing licensed music based on bluetooth communication cross-reference to related application |
| CN108073792A (en) * | 2016-11-10 | 2018-05-25 | 中标软件有限公司 | A kind of version authorization control system and method under (SuSE) Linux OS |
-
2019
- 2019-09-29 CN CN201910937159.9A patent/CN110674475B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103632071A (en) * | 2012-08-28 | 2014-03-12 | 北京超图软件股份有限公司 | Copyright protection method and system for geospatial data products |
| CN104317626A (en) * | 2014-11-13 | 2015-01-28 | 北京奇虎科技有限公司 | Application software permission control method, device and system for terminal equipment |
| US20170303075A1 (en) * | 2016-04-14 | 2017-10-19 | Buildwin International (Zhuhai) Limited | System and method for playing licensed music based on bluetooth communication cross-reference to related application |
| CN108073792A (en) * | 2016-11-10 | 2018-05-25 | 中标软件有限公司 | A kind of version authorization control system and method under (SuSE) Linux OS |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111259347A (en) * | 2020-01-19 | 2020-06-09 | 苏州浪潮智能科技有限公司 | Authorization method and device for judging machine uniqueness |
| CN113704700A (en) * | 2020-05-22 | 2021-11-26 | 网神信息技术(北京)股份有限公司 | Method, device, system, electronic equipment and medium for software authorization |
| CN113378119A (en) * | 2021-06-25 | 2021-09-10 | 成都卫士通信息产业股份有限公司 | Software authorization method, device, equipment and storage medium |
| CN113378119B (en) * | 2021-06-25 | 2023-04-07 | 成都卫士通信息产业股份有限公司 | Software authorization method, device, equipment and storage medium |
| CN113536238A (en) * | 2021-06-29 | 2021-10-22 | 上海浩霖汇信息科技有限公司 | Software use authorization authentication method and system based on cryptographic technology and related products |
Also Published As
| Publication number | Publication date |
|---|---|
| CN110674475B (en) | 2022-04-22 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110674475B (en) | Authorization control method and device and trusted computing terminal | |
| CN109510849B (en) | Cloud-storage account authentication method and device | |
| CN108734028B (en) | Data management method based on block chain, block chain link point and storage medium | |
| US11051162B2 (en) | Method for anonymously identifying a security module | |
| WO2016014120A1 (en) | Device authentication agent | |
| CN108965331B (en) | Login verification method, device and system | |
| CN111478967A (en) | Request processing method and device | |
| WO2015024261A1 (en) | Internet account number management method, manager, server and system | |
| CN106357694B (en) | Access request processing method and device | |
| US20190205539A1 (en) | Method and device for verifying upgrade of diagnosis connector of diagnostic equipment, and diagnosis connector | |
| CN110688653A (en) | Client security protection method and device and terminal equipment | |
| CN110276193B (en) | Risk feature output method, application operation control method, system and device | |
| CN111770087A (en) | Service node verification method and related equipment | |
| CN110011796B (en) | Certificate updating method and device, computer equipment and storage medium | |
| CN104753864A (en) | Permission validation system and permission validation method | |
| US20190138707A1 (en) | System and method for facilitating authentication via a short-range wireless token | |
| CN103841081A (en) | Capability scheduling method and system | |
| CN112466053A (en) | Control system of household appliance and execution method and device of target operation | |
| CN109710692B (en) | User information processing method and device in block chain network and storage medium | |
| CN109818915B (en) | Information processing method and device, server and readable storage medium | |
| CN113538777B (en) | Authorization method, intelligent container, server and computer storage medium | |
| CN108574658B (en) | Application login method and device | |
| CN110704849B (en) | Client information processing method and device | |
| CN110677483B (en) | Information processing system and trusted security management system | |
| CN111310130A (en) | Authorization authentication processing method, device, storage medium and electronic device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |