CN110996319A - System and method for performing activation authorization management on software service

Publication number
CN110996319A
Authority
CN
China
Prior art keywords
authorization
license
activation
product
key
Legal status
Pending
Application number
CN201911058213.9A
Other languages
Chinese (zh)
Inventor
贾建明
Current Assignee
Beijing WatchSmart Technologies Co Ltd
Original Assignee
Beijing WatchSmart Technologies Co Ltd
Application filed by Beijing WatchSmart Technologies Co Ltd
Priority to CN201911058213.9A
Publication of CN110996319A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/08 Access security

Abstract

The invention discloses a system and a method for performing activation authorization management on software services. The system comprises a product to be activated, an activation authorization service program and a unified authorization license management system, wherein the product to be activated is preset in a terminal with a trusted execution environment when it leaves the factory. The unified authorization license management system manages license files centrally and can delegate the right to activate or authorize the product to be activated to an authorization agent layer, namely the activation authorization service program. This effectively decouples the control functions, reduces upgrade and maintenance costs, and makes it easy to extend support to the authorization of new products. TEE technology and cryptographic encryption and decryption technology protect the authorization license file and the product activation process, which greatly improves the security of the product activation process.

Description

System and method for performing activation authorization management on software service
Technical Field
The invention relates to the field of software service activation authorization, in particular to a system and a method for performing activation authorization management on software service.
Background
With the wide application of TEE technology, more and more security products based on the TEE architecture have appeared. One security product on the current market built on this architecture, called the mobile phone shield, implements identity authentication, secure transmission of data messages, data encryption and decryption, data signatures and similar functions on a mobile phone. It thereby secures the transactions of mobile phone users, reduces the risk of users' sensitive data being stolen or attacked, and prevents property loss.
Mobile phone shield products currently on the market have been adopted by the police service communication project of the third institute of public security: custom development is carried out for mobile phone models with a TEE architecture, the mobile phone shield application is preset at the factory, and the application is used to protect data and information security. A mobile phone shield in its preset factory state cannot be used directly; it can be used normally only after it has been activated and authorized.
Since each provincial unit under the jurisdiction of the third ministry of public security has its own requirements for the mobile phone shield and needs to use and manage it independently, an activation server and a shield-opening server must be deployed in each provincial unit to perform classified management of that province's mobile phone shield products and services.
Meanwhile, because the terminal (including the mobile phone) on which the mobile phone shield depends is not an associated product, and its end user is not known until after the terminal is sold, the binding relationship with the user cannot be established before the mobile phone shield product leaves the factory. Dynamic binding at a later stage is therefore used to bind the user, terminal, mobile phone shield product, province and other information for authorization.
Different provinces have their own activation authorization servers, and other later projects or products customize their activation authorization service programs as required, so the modes and types of activation authorization are numerous. Maintaining the mobile phone shield application's activation authorization across so many activation authorization servers is inconvenient, later maintenance and upgrade management are difficult, and the maintenance cost is high. A unified activation authorization management system covering the activation services of different products is therefore urgently needed, one that is convenient to manage and maintain, reduces cost, and at the same time ensures the security of sensitive data during authorization management.
Disclosure of Invention
Aiming at the defects in the prior art, the invention aims to provide a system and a method for performing activation authorization management on software service, which realize the unified management of activation authorization license on the software service and use the cryptography encryption and decryption technology and the TEE security architecture technology to safely store and use keys.
In order to achieve the purpose, the technical scheme adopted by the invention is as follows:
a system for activation authorization management of a software service, the system comprising: the system comprises a product to be activated, an activation authorization service program and a unified authorization license management system, wherein the product to be activated leaves a factory and is preset in a terminal with a trusted execution environment;
the activation authorization service program is used for sending a license authorization request order to the unified authorization license management system and receiving a fed-back authorization license ciphertext file;
the unified authorization license management system is used for auditing the received license authorization request order, and generating an authorization license ciphertext file after the approval is passed and feeding the authorization license ciphertext file back to the activation authorization service program;
the product to be activated is used for sending an identity authentication request to the activation authorization service program and receiving feedback identity authentication response information, and after passing the identity authentication, the product to be activated sends an activation or authorization request to the activation authorization service program and receives the feedback activation or authorization response information to determine the success of activation or authorization;
the activation authorization service program is also used for carrying out identity authentication validity verification on the received identity authentication request, generating the identity authentication response information and feeding back the identity authentication response information to the product to be activated, and is also used for generating the activation or authorization response information according to the received activation or authorization request and the authorization license ciphertext file and feeding back the activation or authorization response information to the product to be activated.
Further, according to the system for performing activation authorization management on software services, when the product to be activated leaves a factory, product information of the product to be activated is stored in a TA layer or an SE layer of the terminal, and the product information includes a product number, an activation policy, an activation algorithm, and an activation key.
Further, the system for performing activation authorization management on software services as described above, the unified authorization license management system is configured to configure a license signature key pair, the product information of the product to be activated, the authorization ID of the activation authorization service program, and a license protection sub-key of the activation authorization service program, where the license signature key pair includes a license signature public key and a license signature private key.
Further, in the system for performing activation authorization management on software services as described above, the activation authorization service program is further configured to set an authorization ID and a license protection sub-key that are distributed and issued by the unified authorization license management system, and a license signature public key.
Further, the system for performing activation authorization management on software service as described above, where the activation authorization service program is specifically configured to:
encrypting the license authorization request order through its own license signature public key, and sending the encrypted license authorization request order to the unified authorization license management system.
Further, the system for performing activation authorization management on software services as described above, where the unified authorization license management system is specifically configured to:
decrypting the received license authorization request order through the license signature private key, verifying the decrypted license authorization request order, generating authorization license data after the verification is passed, performing a data signature on the authorization license data through the license signature private key and then encrypting it through the license protection sub-key corresponding to the activation authorization service program to obtain an authorization license ciphertext, obfuscating the authorization license ciphertext through an obfuscation algorithm, performing MAC calculation on the obfuscated authorization license ciphertext through the license protection sub-key corresponding to the activation authorization service program to obtain a MAC result, and combining the obfuscated authorization license ciphertext and the MAC result into an authorization license ciphertext file that is sent to the activation authorization service program.
Further, the system for performing activation authorization management on software service as described above, where the activation authorization service program is specifically configured to:
performing data signature verification on the received authorization license ciphertext file through its own license signature public key, decrypting the file through its own license protection sub-key after the verification is passed, obtaining the authorization license data corresponding to the license authorization request order, and storing the authorization license data in a database or an encryption machine.
Further, a system for performing activation authorization management on a software service as described above, the product to be activated is further configured to:
sensitive data in the activation or authorization request is encrypted and integrity protected by the activation key.
Further, the system for performing activation authorization management on software service as described above, where the activation authorization service program is specifically configured to:
searching product authorization information corresponding to the activation or authorization request in authorized license data, verifying the product authorization information through an activation key in the authorized license data after the product authorization information is found, generating an activation code after the product authorization information is verified, encrypting the activation code through the activation key in the authorized license data, generating activation or authorization response information and sending the activation or authorization response information to the product to be activated, and recording and dynamically binding the product to be activated, the terminal and the user information;
the product to be activated is specifically configured to:
verify the received activation or authorization response information through the activation key, determine that the activation or authorization is successful after the verification is passed, and change its state from the initial state to the authorized enabled state.
The embodiment of the invention also provides a method for performing activation authorization management on software service, which comprises the following steps:
(1) products to be activated leave a factory and are preset in a terminal with a trusted execution environment, product information of the products to be activated is stored in a TA layer or an SE layer of the terminal, and the product information comprises a product number, an activation strategy, an activation algorithm and an activation key;
(2) the unified license management system configures a license signature key pair, the product information of the product to be activated, the authorization ID of the activation authorization service program and a license protection sub-key of the activation authorization service program through a license protection root key, wherein the license signature key pair comprises a license signature public key and a license signature private key;
(3) the activation authorization service program is configured and set with an authorization ID, a license protection sub-key and a license signature public key distributed and issued by the unified authorization license management system;
(4) the activating authorization service program encrypts a license authorization request order through a license signature public key of the activating authorization service program, and sends the encrypted license authorization request order to the unified authorization license management system;
(5) the unified authorization license management system decrypts the received license authorization request order through the license signature private key, verifies the decrypted license authorization request order, and generates authorization license data after the verification is passed; it performs a data signature on the authorization license data through the license signature private key and then encrypts the data through the license protection sub-key corresponding to the activation authorization service program to obtain an authorization license ciphertext; it obfuscates the authorization license ciphertext through an obfuscation algorithm, performs MAC calculation on the obfuscated authorization license ciphertext through the license protection sub-key corresponding to the activation authorization service program to obtain a MAC result, combines the obfuscated authorization license ciphertext and the MAC result into an authorization license ciphertext file, and sends the authorization license ciphertext file to the activation authorization service program;
(6) the activation authorization service program carries out data signature verification on the received authorization license ciphertext file through a license signature public key of the activation authorization service program, decrypts through a license protection key of the activation authorization service program after the verification is passed, obtains authorization license data corresponding to the license authorization request order, and stores the authorization license data in a database or an encryption machine;
(7) the product to be activated sends an identity authentication request to the activation authorization service program;
(8) the activation authorization service program carries out identity authentication validity verification on the received identity authentication request, generates the identity authentication response information after passing the verification and sends the identity authentication response information to the product to be activated;
(9) after the product to be activated determines that the identity authentication passes according to the identity authentication response information, an activation or authorization request is sent to the activation authorization service program;
(10) the activation authorization service program searches product authorization information corresponding to the activation or authorization request in authorized license data, verifies the product authorization information through an activation key in the authorized license data after the product authorization information is found, generates an activation code after the product authorization information is verified, encrypts the activation code through the activation key in the authorized license data, generates activation or authorization response information and sends the activation or authorization response information to the product to be activated, and records and dynamically binds the product to be activated, the terminal and the user information;
(11) the product to be activated verifies the received activation or authorization response information through the activation key, determines that the activation or authorization is successful after the verification is passed, and changes its state from the initial state to the authorized enabled state.
The invention has the following beneficial effects: the unified authorization license management system manages license files centrally and can delegate the right to activate or authorize the product to be activated to an authorization agent layer, namely the activation authorization service program, which effectively decouples the control functions, reduces upgrade and maintenance costs, and makes it easy to extend support to the authorization of new products; and TEE technology and cryptographic encryption and decryption technology protect the authorization license file and the product activation process, which greatly improves the security of the product activation process.
Drawings
FIG. 1 is a diagram illustrating a relationship model of a system for performing activation authorization management on a software service according to an embodiment of the present invention;
FIG. 2 is a block diagram illustrating an architectural model of a system for performing activation authorization management on a software service according to an embodiment of the present invention;
FIG. 3 is a diagram of a TEE basic partition architecture provided in an embodiment of the present invention;
FIG. 4 is a schematic diagram of a process for generating an authorized License ciphertext file according to an embodiment of the present invention;
FIG. 5 is a flowchart illustrating a method for performing activation authorization management on a software service according to an embodiment of the present invention.
Detailed Description
The invention is described in further detail below with reference to the drawings and the detailed description.
The invention combines TEE (Trusted Execution Environment) technology and cryptography encryption and decryption technology to establish a set of uniform and safe system for activating, authorizing and managing software services. Through the system, the unified management of the license for activating the mobile phone shield software service is realized, the cryptographic encryption and decryption technology and the TEE security architecture technology are used for realizing the secure storage and use of the secret key, and the terminal can realize the dynamic activation and binding of the product and the user information after the terminal is in the hands of the user.
The invention mainly provides a set of uniform and safe system for activating license management for a mobile phone shield product which can be used only after activation and authorization. The system provides license authorization files of mobile phone shield products in each activation authorization service program, and guarantees the security of the license authorization files and the activation process by using TEE technology and cryptography encryption and decryption technology.
The system mainly comprises a product to be activated, an activation authorization service program and a unified authorization license management system. The relationship model between the three is shown in figure 1.
The product to be activated: a software or hardware product or service program that can be used only after being activated or authorized. It runs in a trusted execution environment (TEE) and is preset in a terminal with a trusted execution environment when it leaves the factory; the terminal can be a Woofer mobile phone with the TEE function.
The activation authorization service program: a service program that provides the activation or authorization function for the product to be activated. The product authorization license information it uses is distributed and issued by the unified authorization license management system. Its functions mainly include product activation or authorization, import and parsing of product authorization license files, secure storage of sensitive information, and management and statistics of product activation or authorization records. The service program ensures data security by using cryptographic encryption and decryption technology combined with secure storage in a database or an encryption machine.
The unified authorization license management system: a service program that manages authorization license files centrally. Its core functions mainly include license order management, license order auditing, generation and management of authorization license files, configuration management of product authorization information, configuration management of activation authorization service programs, and statistics management of license orders and authorization license files. The service program ensures data security by using cryptographic encryption and decryption technology combined with secure storage in a database or an encryption machine.
Example one
As shown in fig. 2, a system for activation authorization management of a software service includes: the system comprises a product to be activated, an activation authorization service program and a unified authorization license management system, wherein the product to be activated leaves a factory and is preset in a terminal with a trusted execution environment;
the activation authorization service program is used for sending a license authorization request order to the unified authorization license management system and receiving a fed-back authorization license ciphertext file;
the unified authorization license management system is used for auditing the received license authorization request order, generating an authorization license ciphertext file after the auditing is passed and feeding the authorization license ciphertext file back to the activation authorization service program;
the product to be activated is used for sending an identity authentication request to the activation authorization service program and receiving the fed back identity authentication response information, and after passing the identity authentication, the product to be activated sends an activation or authorization request to the activation authorization service program and receives the fed back activation or authorization response information to determine the success of activation or authorization;
the activation authorization service program is also used for carrying out identity authentication validity verification on the received identity authentication request, generating identity authentication response information and feeding back the identity authentication response information to the product to be activated, and is also used for generating activation or authorization response information according to the received activation or authorization request and the authorization license ciphertext file and feeding back the activation or authorization response information to the product to be activated.
When the product to be activated leaves a factory, product information of the product to be activated is stored in a TA layer or an SE layer of the terminal, and the product information comprises a product number, an activation strategy, an activation algorithm and an activation key.
The unified license management system is also used for configuring a license signature key pair, the product information of the product to be activated, the authorization ID of the activation authorization service program, and a license protection sub-key for configuring the activation authorization service program through a license protection root key, wherein the license signature key pair comprises a license signature public key and a license signature private key.
The activation authorization service program is also used for configuring and setting an authorization ID, a license protection sub-key and a license signature public key distributed and issued by the unified authorization license management system.
The activation authorization service is specifically configured to:
encrypting the license authorization request order through its own license signature public key, and sending the encrypted license authorization request order to the unified authorization license management system.
The unified license management system is specifically used for:
decrypting the received license authorization request order through the license signature private key, verifying the decrypted license authorization request order, generating authorization license data after the verification is passed, encrypting the authorization license data through a license protection sub-key corresponding to an activation authorization service program after the data signature is performed on the authorization license data through the license signature private key, obtaining an authorization license ciphertext, obfuscating the authorization license ciphertext through an obfuscation algorithm, performing MAC calculation on the obfuscated authorization license ciphertext through the license protection sub-key corresponding to the activation authorization service program, obtaining an MAC result, generating an authorization license ciphertext file by combining the obfuscated authorization license ciphertext and the MAC result, and transmitting the authorization license ciphertext file to the activation authorization service program.
The activation authorization service is specifically configured to:
verifying the data signature of the received authorization license ciphertext file through its own license signature public key, decrypting the file through its own license protection sub-key after the verification is passed to obtain the authorization license data corresponding to the license authorization request order, and storing the authorization license data in a database or an encryption machine.
The product to be activated is further configured such that:
sensitive data in the activation or authorization request is encrypted and integrity protected by the activation key.
The activation authorization service is specifically configured to:
searching product authorization information corresponding to the activation or authorization request in authorized license data, verifying the product authorization information through an activation key in the authorized license data after the product authorization information is found, generating an activation code after the product authorization information is verified, encrypting the activation code through the activation key in the authorized license data, generating activation or authorization response information, sending the activation or authorization response information to a product to be activated, recording and dynamically binding the product to be activated, a terminal and user information;
the product to be activated is specifically configured to:
verify the received activation or authorization response information through the activation key, determine that the activation or authorization is successful after the verification is passed, and change its state from the initial state to the authorized enabled state.
The system is mainly used to activate and authorize the enabling and use of applications preinstalled in a terminal with a secure environment such as a TEE. The product's activation key can be preset at the factory in the secure environment of the TA and SE layers of the TEE framework, which ensures the security of the key. The TEE employs hardware-based isolation to ensure that the execution environment is secure and trusted. The basic partition architecture is shown in FIG. 3.
The product to be activated in the present invention will involve the non-secure and secure areas of the TEE, but the sensitive data storage and operation of the product must be within the secure area.
The product to be activated in the present invention should have not-enabled and enabled states, which may include, but are not limited to, derived states such as an initial state (not enabled), an authorized state (enabled) and a disabled state (cannot continue to be used). The product can be preset in the factory settings of terminals such as mobile phones and activated through the activation service when needed; according to actual business needs, the address of the activation authorization service can be set dynamically or silently at activation time.
In the invention, the product to be activated carries only the necessary product number, activation key, activation algorithm, activation policy, service functions and the like in its factory state, and is not associated with or bound to the environment in which it resides (such as a mobile phone terminal). This decouples the product from its terminal at the factory; the relationship between the product and the terminal is bound dynamically during product activation, which removes steps from factory preparation, improves the efficiency of the factory delivery flow and reduces cost. A product of this type is general and flexible: the final owner of the terminal does not need to be considered when the product leaves the factory, and dynamic binding and setup can be carried out when the product is activated in the end user's hands.
The environment where the product to be activated is located in the invention is called a terminal, the terminal includes but is not limited to a mobile phone, a PC and the like, and the use of the terminal with the TEE function is recommended.
The license data in the invention mainly includes but is not limited to the following: order number, order date, authorization ID for activating an authorization service program, number of product authorization licenses, product authorization information (product number, activation policy, activation key, activation algorithm, etc.), and the like. Of course, the method can be expanded to support other contents or customize authorized contents according to different products.
The authorization license ciphertext file transmitted by the invention adopts algorithms such as data encryption, data signature, data confusion and the like to carry out security protection, thereby preventing the authorization license ciphertext file from being illegally intercepted or tampered or forged.
The process of generating the authorized License ciphertext file is shown in fig. 4. Authorized License plaintext contents (authorized License data) are signed by a unified authorized License management system by using a License signature private key, encrypted by activating a License protection sub-key of an authorized service program to obtain a License ciphertext, obfuscated by an obfuscation algorithm, and then MAC calculation is performed on the obfuscated License ciphertext by using the License protection sub-key to obtain an MAC result. And finally writing the confused license ciphertext and the MAC result into an authorized license ciphertext file.
The license protection key system is designed as follows:
License signature key pair: an asymmetric key pair generated with an asymmetric algorithm and stored securely by the unified authorization license management system. The private key can be used only by the unified authorization license management system and must not be leaked; the public key is provided to each activation authorization service program so that it can verify the validity of the content of the authorization license ciphertext file.
License protection root key: a symmetric key generated with a symmetric algorithm and stored securely by the unified authorization license management system. It can be used only by the unified authorization license management system and must not be leaked, and it is used to derive (diversify) the license protection sub-key of each activation authorization service program.
License protection sub-key: a symmetric key for a symmetric algorithm, stored securely in both the unified authorization license management system and the activation authorization service program. Each activation authorization service program has its own license protection sub-key. The sub-key is obtained by diversifying the license protection root key of the unified authorization license management system with the number of the activation authorization service program; other rules can of course be agreed on and configured in the system.
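The Fig. 4 file-generation flow and the key hierarchy above, carried through end to end as an added Go example that is not part of the patent or of any vendor code. The patent names no algorithms, so Ed25519 (signature), AES-256-CTR (encryption), HMAC-SHA256 (MAC and key diversification), the XOR mask standing in for the obfuscation step, the file layout, the service number `AUTH-SVC-0001` and all function names are assumptions; the example also derives separate encryption and MAC keys from the license protection sub-key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

var errRejected = errors.New("authorization license file rejected")

// diversify derives a 32-byte key from a parent key and a label (assumed
// HMAC-SHA256; the patent does not name the dispersion algorithm).
func diversify(parent []byte, label string) []byte {
	m := hmac.New(sha256.New, parent)
	m.Write([]byte(label))
	return m.Sum(nil)
}

// obfuscate is a placeholder XOR mask (its own inverse); it adds no secrecy.
func obfuscate(in []byte) []byte {
	out := make([]byte, len(in))
	for i := range in {
		out[i] = in[i] ^ byte(0xA5+i)
	}
	return out
}

// aesCTR encrypts or decrypts (the same operation) with AES-256-CTR.
func aesCTR(key, iv, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// macOf computes the MAC with a key derived from the sub-key for MAC use only.
func macOf(subKey, data []byte) []byte {
	m := hmac.New(sha256.New, diversify(subKey, "mac"))
	m.Write(data)
	return m.Sum(nil)
}

// buildLicenseFile follows Fig. 4; layout (assumed): obfuscate(iv || ct) || mac.
func buildLicenseFile(priv ed25519.PrivateKey, subKey, license []byte) ([]byte, error) {
	signed := append(ed25519.Sign(priv, license), license...) // signature || data
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct, err := aesCTR(diversify(subKey, "enc"), iv, signed)
	if err != nil {
		return nil, err
	}
	obf := obfuscate(append(iv, ct...))
	return append(obf, macOf(subKey, obf)...), nil
}

// openLicenseFile reverses the steps, rejecting on the first failed check.
func openLicenseFile(pub ed25519.PublicKey, subKey, file []byte) ([]byte, error) {
	if len(file) < aes.BlockSize+ed25519.SignatureSize+sha256.Size {
		return nil, errRejected
	}
	obf, tag := file[:len(file)-sha256.Size], file[len(file)-sha256.Size:]
	if !hmac.Equal(macOf(subKey, obf), tag) { // constant-time comparison
		return nil, errRejected
	}
	raw := obfuscate(obf)
	signed, err := aesCTR(diversify(subKey, "enc"), raw[:aes.BlockSize], raw[aes.BlockSize:])
	if err != nil {
		return nil, err
	}
	sig, license := signed[:ed25519.SignatureSize], signed[ed25519.SignatureSize:]
	if !ed25519.Verify(pub, license, sig) {
		return nil, errRejected
	}
	return license, nil
}

// newSigningKeyPair builds the license signature key pair from a 32-byte seed.
func newSigningKeyPair(seed []byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

func main() { // constructed demo keys and license data
	pub, priv := newSigningKeyPair(make([]byte, ed25519.SeedSize))
	sub := diversify([]byte("constructed-root-key-demo-only!!"), "AUTH-SVC-0001")
	file, _ := buildLicenseFile(priv, sub, []byte(`{"order":"CONSTRUCTED-001","licenses":50}`))
	lic, err := openLicenseFile(pub, sub, file)
	fmt.Println(string(lic), err)
}
```

Because the signature sits inside the ciphertext, the receiver checks the MAC first, then de-obfuscates and decrypts, and only then verifies the signature; a file built under another service program's sub-key or altered in transit is rejected at the MAC check.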
All sensitive data in the invention is stored securely. Storage media include, without limitation, hardware or software resources such as an encryption machine, a cryptographic card, a smart cryptographic key, a secure database, a secure dynamic library, and a TEE.
Example two
A method of activation authorization management for a software service, the method comprising:
(1) the product to be activated is preset at the factory in a terminal with a trusted execution environment, and the product information of the product to be activated is stored in the TA layer or SE layer of the terminal, the product information comprising a product number, an activation policy, an activation algorithm and an activation key;
(2) the unified authorization license management system configures a license signature key pair, the product information of the product to be activated, the authorization ID of the activation authorization service program and, through a license protection root key, a license protection sub-key of the activation authorization service program, wherein the license signature key pair comprises a license signature public key and a license signature private key;
(3) the activation authorization service program is configured with the authorization ID, license protection sub-key and license signature public key distributed and issued by the unified authorization license management system;
(4) the activation authorization service program encrypts a license authorization request order with its license signature public key and sends the encrypted license authorization request order to the unified authorization license management system;
(5) the unified authorization license management system decrypts the received license authorization request order with the license signature private key and verifies the decrypted order; after the verification passes, it generates authorization license data, signs the data with the license signature private key, and then encrypts it with the license protection sub-key corresponding to the activation authorization service program to obtain an authorization license ciphertext; it obfuscates the authorization license ciphertext with an obfuscation algorithm, performs a MAC calculation over the obfuscated authorization license ciphertext with the license protection sub-key corresponding to the activation authorization service program to obtain a MAC result, generates an authorization license ciphertext file from the obfuscated authorization license ciphertext and the MAC result, and sends the file to the activation authorization service program;
(6) the activation authorization service program verifies the data signature of the received authorization license ciphertext file with its license signature public key; after the verification passes, it decrypts with its license protection key to obtain the authorization license data corresponding to the license authorization request order, and stores the authorization license data in a database or an encryption machine;
(7) the product to be activated sends an identity authentication request to the activation authorization service program;
(8) the activation authorization service program verifies the validity of the received identity authentication request and, after the verification passes, generates identity authentication response information and sends it to the product to be activated;
(9) after the product to be activated determines from the identity authentication response information that the identity authentication has passed, it sends an activation or authorization request to the activation authorization service program;
(10) the activation authorization service program searches the authorization license data for the product authorization information corresponding to the activation or authorization request; after finding it, verifies the product authorization information with the activation key in the authorization license data; after the verification passes, generates an activation code, encrypts the activation code with the activation key in the authorization license data, generates activation or authorization response information and sends it to the product to be activated; and records and dynamically binds the product to be activated, the terminal and the user information;
(11) the product to be activated verifies the received activation or authorization response information with the activation key, determines that the activation or authorization is successful after the verification passes, and converts its state from the initial state to the authorized enabled state.
As shown in Fig. 5, the activation authorization management process flow is as follows:
1. The product to be activated is preset in the terminal at the factory. The terminal should have a TEE architecture, and information such as the activation key, activation algorithm, activation policy and product number is stored securely in a secure area of the terminal (the TA layer or the SE layer) to protect this sensitive data. When the product leaves the factory it is in the initial state (not authorized or activated), and it is not bound to the terminal or to user information in the back end.
2. The unified authorization license management system configures the license signature key pair, product number, product activation policy, product activation key and other information, and configures the authorization ID and license protection key of the activation authorization service.
3. The activation authorization service program is configured with the authorization ID, authorization license protection key, license signature public key and other data distributed by the unified authorization license management system, and stores this data securely in a database or an encryption machine.
4. The activation authorization service program prepares a license authorization request order and submits it to the unified authorization license management system; the order information must be encrypted with the license signature public key.
5. The unified authorization license management system receives the request order and decrypts it with the license signature private key. After successful decryption it verifies the order and, once the verification passes, assembles the authorization license data and generates the authorization license ciphertext file. The authorization license data is encrypted with the license protection key corresponding to the activation authorization service and signed with the license signature private key, which ensures the confidentiality and integrity of the file and also allows the legitimacy of the file's origin to be verified.
6. The unified authorization license management system issues the authorization license ciphertext file to the activation authorization service program.
7. After receiving the authorization license ciphertext file, the activation authorization service program parses it and verifies its legitimacy (signature verification with the license signature public key and decryption with the license protection key). If the verification passes, it parses the authorized content and stores it securely; if the verification fails, the file is not processed.
8. The product to be activated submits an identity authentication request to the activation authorization service program.
9. After receiving the identity authentication request, the activation authorization service program checks the validity of the identity authentication.
10. The activation authorization service program returns the identity authentication response information to the product to be activated.
11. After identity authentication between the product to be activated and the activation authorization service program passes, the product submits an activation or authorization request (containing product data, terminal data and the like) to the activation authorization service program. Sensitive data in the request (product number, activation algorithm type, activation policy and the like) must be encrypted and integrity protected with the activation key, and the activation key must be obtained and used inside the TEE secure area and must not leave it.
12. After receiving the activation or authorization request, the activation authorization service program records the request data and searches the authorization license for the corresponding product authorization information. If it is found, the program verifies the data with the activation key. If the verification passes, it generates an activation code, protects it with encryption and integrity protection under the product activation key, and generates the authorization response information; the activation succeeds, and the program records and dynamically binds the product, the terminal and the user information.
13. The activation authorization service program returns the activation or authorization response information to the product to be activated.
14. After receiving the activation or authorization response information, the product to be activated verifies it with the activation key. If the verification passes, the activation or authorization is successful, the product is enabled, and its state is converted from the initial state to the authorized enabled state.
The technical scheme of the invention has the following beneficial effects:
(1) The license authorization files are managed uniformly by the unified authorization license management system, and the right to activate or authorize products to be activated can be distributed in a controlled manner to the authorization agent layer (the activation authorization service program). This achieves effective functional decoupling and control, reduces upgrade and maintenance cost, and makes it easy to extend support to new product authorizations. The license file and the product activation process are protected with TEE technology and cryptographic encryption and decryption, which greatly improves the security of the product activation process.
(2) For products to be activated that are in the initial state, the license management system does not need to be concerned with the environment in which the product resides; this reduces factory preparation work before the product is activated and used, speeds up product release, and reduces related cost.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is intended to include such modifications and variations.

Claims (10)

1. A system for activation authorization management for a software service, the system comprising: a product to be activated, an activation authorization service program and a unified authorization license management system, wherein the product to be activated is preset at the factory in a terminal with a trusted execution environment;
the activation authorization service program is used for sending a license authorization request order to the unified authorization license management system and receiving a fed-back authorization license ciphertext file;
the unified authorization license management system is used for auditing the received license authorization request order, and generating an authorization license ciphertext file after the approval is passed and feeding the authorization license ciphertext file back to the activation authorization service program;
the product to be activated is used for sending an identity authentication request to the activation authorization service program and receiving feedback identity authentication response information, and after passing the identity authentication, the product to be activated sends an activation or authorization request to the activation authorization service program and receives the feedback activation or authorization response information to determine the success of activation or authorization;
the activation authorization service program is also used for carrying out identity authentication validity verification on the received identity authentication request, generating the identity authentication response information and feeding back the identity authentication response information to the product to be activated, and is also used for generating the activation or authorization response information according to the received activation or authorization request and the authorization license ciphertext file and feeding back the activation or authorization response information to the product to be activated.
2. The system according to claim 1, wherein product information of the product to be activated is stored in a TA layer or a SE layer of the terminal when the product to be activated leaves a factory, and the product information includes a product number, an activation policy, an activation algorithm, and an activation key.
3. The system for performing activation authorization management on software services according to claim 2, wherein the unified authorization license management system is configured to configure a license signature key pair, the product information of the product to be activated, the authorization ID of the activation authorization service program, and a license protection sub-key of the activation authorization service program through a license protection root key, and the license signature key pair includes a license signature public key and a license signature private key.
4. The system for performing activation authorization management on software services according to claim 3, wherein the activation authorization service program is further configured to configure and set an authorization ID, a license protection sub-key and a license signature public key that are distributed and issued by the unified authorization license management system.
5. The system for activation authorization management of software services according to claim 4, wherein the activation authorization service program is specifically configured to:
encrypting the license authorization request order with its license signature public key, and sending the encrypted license authorization request order to the unified authorization license management system.
6. The system for activation authorization management of software services according to claim 5, wherein the unified authorization license management system is specifically configured to:
decrypting the received license authorization request order with the license signature private key, verifying the decrypted license authorization request order, generating authorization license data after the verification passes, signing the authorization license data with the license signature private key and then encrypting it with the license protection sub-key corresponding to the activation authorization service program to obtain an authorization license ciphertext, obfuscating the authorization license ciphertext with an obfuscation algorithm, performing a MAC calculation over the obfuscated authorization license ciphertext with the license protection sub-key corresponding to the activation authorization service program to obtain a MAC result, generating an authorization license ciphertext file from the MAC result together with the obfuscated authorization license ciphertext, and sending the file to the activation authorization service program.
7. The system for activation authorization management of software services according to claim 6, wherein the activation authorization service program is specifically configured to:
performing data signature verification on the received authorization license ciphertext file with its license signature public key, decrypting the file with its license protection sub-key after the verification passes to obtain the authorization license data corresponding to the license authorization request order, and storing the authorization license data in a database or an encryption machine.
8. The system for activation authorization management for software services according to claim 7, wherein the product to be activated is further configured to:
sensitive data in the activation or authorization request is encrypted and integrity protected by the activation key.
9. The system for activation authorization management of software services according to claim 8, wherein the activation authorization service program is specifically configured to:
searching product authorization information corresponding to the activation or authorization request in authorized license data, verifying the product authorization information through an activation key in the authorized license data after the product authorization information is found, generating an activation code after the product authorization information is verified, encrypting the activation code through the activation key in the authorized license data, generating activation or authorization response information and sending the activation or authorization response information to the product to be activated, and recording and dynamically binding the product to be activated, the terminal and the user information;
the product to be activated is specifically configured to:
verify the received activation or authorization response information with the activation key, determine that the activation or authorization is successful after the verification passes, and convert the state from the initial state to the authorized enabled state.
10. A method for activation authorization management for a software service, the method comprising:
(1) products to be activated leave a factory and are preset in a terminal with a trusted execution environment, product information of the products to be activated is stored in a TA layer or an SE layer of the terminal, and the product information comprises a product number, an activation strategy, an activation algorithm and an activation key;
(2) the unified license management system configures a license signature key pair, the product information of the product to be activated, the authorization ID of the activation authorization service program and a license protection sub-key of the activation authorization service program through a license protection root key, wherein the license signature key pair comprises a license signature public key and a license signature private key;
(3) the activation authorization service program is configured and set with an authorization ID, a license protection sub-key and a license signature public key distributed and issued by the unified authorization license management system;
(4) the activation authorization service program encrypts a license authorization request order with its license signature public key, and sends the encrypted license authorization request order to the unified authorization license management system;
(5) the unified authorization license management system decrypts the received license authorization request order with the license signature private key, verifies the decrypted license authorization request order, generates authorization license data after the verification passes, signs the authorization license data with the license signature private key and then encrypts it with the license protection sub-key corresponding to the activation authorization service program to obtain an authorization license ciphertext, obfuscates the authorization license ciphertext with an obfuscation algorithm, performs a MAC calculation over the obfuscated authorization license ciphertext with the license protection sub-key corresponding to the activation authorization service program to obtain a MAC result, generates an authorization license ciphertext file from the MAC result together with the obfuscated authorization license ciphertext, and sends the file to the activation authorization service program;
(6) the activation authorization service program carries out data signature verification on the received authorization license ciphertext file through a license signature public key of the activation authorization service program, decrypts through a license protection key of the activation authorization service program after the verification is passed, obtains authorization license data corresponding to the license authorization request order, and stores the authorization license data in a database or an encryption machine;
(7) the product to be activated sends an identity authentication request to the activation authorization service program;
(8) the activation authorization service program carries out identity authentication validity verification on the received identity authentication request, generates the identity authentication response information after passing the verification and sends the identity authentication response information to the product to be activated;
(9) after the product to be activated determines that the identity authentication passes according to the identity authentication response information, an activation or authorization request is sent to the activation authorization service program;
(10) the activation authorization service program searches product authorization information corresponding to the activation or authorization request in authorized license data, verifies the product authorization information through an activation key in the authorized license data after the product authorization information is found, generates an activation code after the product authorization information is verified, encrypts the activation code through the activation key in the authorized license data, generates activation or authorization response information and sends the activation or authorization response information to the product to be activated, and records and dynamically binds the product to be activated, the terminal and the user information;
(11) the product to be activated verifies the received activation or authorization response information with the activation key, determines that the activation or authorization is successful after the verification passes, and converts the state from the initial state to the authorized enabled state.
CN201911058213.9A 2019-11-01 2019-11-01 System and method for performing activation authorization management on software service Pending CN110996319A (en)


Publications (1)

Publication Number Publication Date
CN110996319A true CN110996319A (en) 2020-04-10

Family

ID=70082873


Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112966226A (en) * 2021-03-05 2021-06-15 山东英信计算机技术有限公司 License authorization method, device, equipment and readable medium for application software
CN114448986A (en) * 2022-01-04 2022-05-06 上海弘积信息科技有限公司 License control method based on MC centralized management system
CN115567314A (en) * 2022-10-14 2023-01-03 中电云数智科技有限公司 License security agent method and platform based on hardware trusted trust chain
CN116318982A (en) * 2023-03-10 2023-06-23 深圳市银拓科技有限公司 License-based method for activating software of product to be authorized and electronic equipment
CN116415222A (en) * 2023-05-09 2023-07-11 南京中图数码科技有限公司 Authorization management method and system for cloud design platform of process industrial digital factory

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020174356A1 (en) * 2001-03-27 2002-11-21 Microsoft Corporation Method and system for licensing a software product
US7752140B1 (en) * 2006-10-24 2010-07-06 Adobe Systems Inc. Software license distribution and bypassing
US20110197077A1 (en) * 2010-02-05 2011-08-11 General Instrument Corporation Software feature authorization through delegated agents
CN103258151A (en) * 2012-10-30 2013-08-21 中国科学院沈阳自动化研究所 Real-time authorization software License control method
CN105224832A (en) * 2015-10-16 2016-01-06 浪潮电子信息产业股份有限公司 A kind of method of License authorization set management
CN106503492A (en) * 2016-10-27 2017-03-15 厦门中控生物识别信息技术有限公司 A kind of authorization management method, server, customer equipment and system
CN106778084A (en) * 2016-11-18 2017-05-31 畅捷通信息技术股份有限公司 Software activation method and device and software activation system
CN108848153A (en) * 2018-06-08 2018-11-20 山东超越数控电子股份有限公司 A kind of high-availability cluster software License registration, Activiation method and system
CN109388915A (en) * 2017-08-02 2019-02-26 东软集团股份有限公司 A kind of software authorization method, apparatus and system

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020174356A1 (en) * 2001-03-27 2002-11-21 Microsoft Corporation Method and system for licensing a software product
US7752140B1 (en) * 2006-10-24 2010-07-06 Adobe Systems Inc. Software license distribution and bypassing
US20110197077A1 (en) * 2010-02-05 2011-08-11 General Instrument Corporation Software feature authorization through delegated agents
CN103258151A (en) * 2012-10-30 2013-08-21 中国科学院沈阳自动化研究所 Real-time authorization software License control method
CN105224832A (en) * 2015-10-16 2016-01-06 浪潮电子信息产业股份有限公司 A kind of method of License authorization set management
CN106503492A (en) * 2016-10-27 2017-03-15 厦门中控生物识别信息技术有限公司 A kind of authorization management method, server, customer equipment and system
CN106778084A (en) * 2016-11-18 2017-05-31 畅捷通信息技术股份有限公司 Software activation method and device and software activation system
CN109388915A (en) * 2017-08-02 2019-02-26 东软集团股份有限公司 A kind of software authorization method, apparatus and system
CN108848153A (en) * 2018-06-08 2018-11-20 山东超越数控电子股份有限公司 A kind of high-availability cluster software License registration, Activiation method and system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
SOMCHART FUGKEAW et al.: "Multi-Application Authentication based on Multi-Agent System", IAENG INTERNATIONAL JOURNAL OF COMPUTER SCIENCE, vol. 33, no. 2, 24 May 2007 (2007-05-24) *
卿昱: "Design of an Authorization Management Model Based on PKI/PMI", 《信息安全与通信保密》, no. 08, 10 August 2008 (2008-08-10) *

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112966226A (en) * 2021-03-05 2021-06-15 山东英信计算机技术有限公司 License authorization method, device, equipment and readable medium for application software
CN114448986A (en) * 2022-01-04 2022-05-06 上海弘积信息科技有限公司 License control method based on MC centralized management system
CN114448986B (en) * 2022-01-04 2024-03-01 上海弘积信息科技有限公司 License control method based on MC centralized management system
CN115567314A (en) * 2022-10-14 2023-01-03 中电云数智科技有限公司 License security agent method and platform based on hardware trusted trust chain
CN115567314B (en) * 2022-10-14 2024-01-30 中电云计算技术有限公司 License security agent method and platform based on hardware trusted trust chain
CN116318982A (en) * 2023-03-10 2023-06-23 深圳市银拓科技有限公司 License-based method for activating software of product to be authorized and electronic equipment
CN116318982B (en) * 2023-03-10 2023-11-17 深圳市银拓科技有限公司 License-based method for activating software of product to be authorized and electronic equipment
CN116415222A (en) * 2023-05-09 2023-07-11 南京中图数码科技有限公司 Authorization management method and system for cloud design platform of process industrial digital factory
CN116415222B (en) * 2023-05-09 2023-10-20 南京中图数码科技有限公司 Authorization management method and system for cloud design platform of process industrial digital factory

Similar Documents

Publication Publication Date Title
US10595201B2 (en) Secure short message service (SMS) communications
JP4366037B2 (en) System and method for controlling and exercising access rights to encrypted media
US7051211B1 (en) Secure software distribution and installation
CN102271037B (en) Based on the key protectors of online key
EP1349034B1 (en) Service providing system in which services are provided from service provider apparatus to service user apparatus via network
CN110996319A (en) System and method for performing activation authorization management on software service
RU2584500C2 (en) Cryptographic authentication and identification method with real-time encryption
US20080123843A1 (en) Method for binding a security element to a mobile device
US8806206B2 (en) Cooperation method and system of hardware secure units, and application device
EP1714459A1 (en) Accessing protected data on network storage from multiple devices
CN103248479A (en) Cloud storage safety system, data protection method and data sharing method
JP2004509398A (en) System for establishing an audit trail for the protection of objects distributed over a network
CN101243438A (en) Distributed single sign-on service
WO1998045975A2 (en) Bilateral authentication and information encryption token system and method
JP2004509399A (en) System for protecting objects distributed over a network
CN111815814B (en) Electronic lock security system and binding authentication method thereof
CN102271124A (en) Data processing equipment and data processing method
KR20080065661A (en) A method for controlling access to file systems, related system, sim card and computer program product for use therein
CN101335754B (en) Method for information verification using remote server
CN111815812B (en) Third-party unlocking control method and system for electronic lock
JPH07325785A (en) Network user identifying method, ciphering communication method, application client and server
US20020021804A1 (en) System and method for data encryption
CN101305542A (en) Method for downloading digital certificate and cryptographic key
CN103177225A (en) Method and system of data management
CN106992978A (en) Network safety managing method and server

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination