CN112784243A - Authorization management method and device, electronic equipment and storage medium - Google Patents


Publication number
CN112784243A
Authority
CN
China
Prior art keywords
fingerprint
authorization
target
cluster
local
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110241348.XA
Other languages
Chinese (zh)
Inventor
闫海成
周明骏
周桓
梁延鹏
胡二洋
吴军甫
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Sensetime Technology Development Co Ltd
Original Assignee
Beijing Sensetime Technology Development Co Ltd
Application filed by Beijing Sensetime Technology Development Co Ltd
Priority to CN202110241348.XA
Publication of CN112784243A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The present disclosure relates to an authorization management method and apparatus, an electronic device, and a storage medium. The method includes: when target software in a target device cluster is in an authorized state, acquiring a local fingerprint of the target device cluster at a preset time interval; matching the local fingerprint with an authorized original fingerprint of the target device cluster; and maintaining an authorizable state of the target software in the target device cluster if the local fingerprint matches the original fingerprint.

Description

Authorization management method and device, electronic equipment and storage medium
Technical Field
The present disclosure relates to the field of information security technologies, and in particular, to an authorization management method and apparatus, an electronic device, and a storage medium based on machine fingerprints.
Background
For commercial software, a given user may be permitted to use the software by means of authorization. When software is provided to a user, the software and its authorization identifier are generally kept separate, and installation and use of the software are restricted by the authorization identifier; a common example is authorization management of software through an authorization code.
However, existing software authorization management methods cannot meet the security requirements of software that runs in a designated cluster.
Disclosure of Invention
The present disclosure provides a technical scheme for authorization management based on machine fingerprints.
According to an aspect of the present disclosure, there is provided a machine fingerprint-based authorization management method applied to a service node in a plurality of local devices of a target device cluster, including:
when target software in a target device cluster is in an authorized state, acquiring a local fingerprint of the target device cluster at a preset time interval; matching the local fingerprint with an authorized original fingerprint of the target device cluster; and maintaining an authorizable state of the target software in the target device cluster if the local fingerprint matches the original fingerprint.
In one or more possible implementations, acquiring the local fingerprint of the target device cluster includes: determining, based on the original fingerprint, at least one information item for information collection on the target device cluster; collecting information of the target device cluster according to the at least one information item to obtain current collected information of the target device cluster; and generating the local fingerprint of the target device cluster according to the current collected information.
In one or more possible implementations, the method further includes: in an offline condition, acquiring the authorized original fingerprint of the target device cluster from a locally stored authorization file. The authorization file is generated by an authorization device, which decrypts an imported fingerprint file and writes the decrypted machine fingerprint into the authorization file as the authorized original fingerprint of the target device cluster, yielding an authorization file in ciphertext form. The fingerprint file is generated from original collected information obtained by collecting information of the target device cluster.
In one or more possible implementations, the method further includes: in the event that the local fingerprint is confirmed to not match the original fingerprint, ceasing an authorizable state of the target software.
In one or more possible implementations, the method further includes: sending registration information to an authorization device, wherein the registration information includes an authorization identifier and a local fingerprint, and the authorization device is configured to return activation information to the target device cluster when it is determined that the local fingerprint matches an original fingerprint to which an authorization file indicated by the authorization identifier is bound based on the registration information; the matching the local fingerprint with an authorized original fingerprint of the target device cluster comprises: and matching the local fingerprint with an original fingerprint obtained by analysis in the activation information.
In one or more possible implementations, the method further includes: parsing the activation information to obtain the validity period of the activation information; and maintaining the authorizable state of the target software in the target device cluster if the local fingerprint matches the original fingerprint includes: maintaining the authorizable state of the target software in the target device cluster if the local fingerprint matches the original fingerprint and the validity period has not expired.
In one or more possible implementations, the method further includes: stopping the target software's authorizable state if the local fingerprint does not match the original fingerprint or the validity period has expired.
In one or more possible implementations, the method further includes: receiving authentication failure information sent by the authorization device, wherein the authorization device returns the authentication failure information, based on the registration information, when it confirms that the number of clusters bound to the authorization file has reached a preset number and the local fingerprint does not match the original fingerprint bound to the authorization file; and, in response to the authentication failure information, setting the authorization state of the target software to a stop authorization state.
In one or more possible implementations, the registration information further includes a local fingerprint of the target cluster; sending the registration information to the authorization device includes: sending the registration information to the authorization device at a preset time interval while the target software is in an authorized state, wherein the authorization device confirms that the target software is in an abnormal operation state when the receiving frequency of the registration information is greater than a preset value.
According to an aspect of the present disclosure, there is provided an authorization management method based on machine fingerprint, applied to an authorization device, including: receiving registration information sent by a service node of a target equipment cluster, wherein the registration information comprises an authorization identifier and a local fingerprint of the target equipment cluster; judging whether the local fingerprint is matched with an original fingerprint bound by the authorization file indicated by the authorization identifier; under the condition that the local fingerprint is confirmed to be matched with the original fingerprint bound by the authorization file, returning activation information to the service node; the service node of the target device cluster is configured to match a local fingerprint of the target device cluster with an original fingerprint in the activation information at a preset time interval when target software in the target device cluster is in an authorized state, and maintain the authorized state of the target software in the target device cluster when the local fingerprint is matched with the original fingerprint.
In one or more possible implementations, the method further includes: judging whether the number of the clusters bound by the authorization file reaches a preset number or not; and under the condition that the local fingerprint is not matched with the original fingerprint bound by the authorization file and the number of the clusters bound by the authorization file does not reach the preset number, binding the authorization file with the local fingerprint carried in the registration information.
In one or more possible implementations, the method further includes: and sending authentication failure information to a service node when the number of the clusters bound by the authorization file reaches the preset number and the local fingerprint is not matched with the original fingerprint bound by the authorization file.
In one or more possible implementations, the method further includes: determining the receiving frequency of the registration information; judging whether the receiving frequency of the registration information is smaller than a preset value; and under the condition that the receiving frequency is greater than the preset value, confirming that the target software is in an abnormal operation state.
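The authorization-device behaviour described above (match against bound fingerprints, bind while the preset number of clusters is not reached, return authentication failure otherwise, and flag an excessive receiving frequency) can be sketched as follows. This is an added example, not code from the patent; the class and field names, the dictionary response format, the sliding-window frequency measure, and returning activation information immediately after a new binding are all assumptions.

```python
import hmac
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class AuthorizationFile:
    """Server-side record for one authorization identifier (constructed model)."""
    max_clusters: int                          # the "preset number" of clusters
    bound: list = field(default_factory=list)  # original fingerprints already bound


class AuthorizationDevice:
    def __init__(self, files, validity_s, window_s, max_per_window):
        self.files = files                    # authorization identifier -> AuthorizationFile
        self.validity_s = validity_s          # validity period put into activation information
        self.window_s = window_s              # window used to measure receiving frequency
        self.max_per_window = max_per_window  # the "preset value" for that frequency
        self._received = defaultdict(deque)   # identifier -> registration timestamps

    def _abnormal(self, auth_id, now):
        """True when registrations for auth_id arrive more often than the preset value."""
        stamps = self._received[auth_id]
        stamps.append(now)
        while stamps and stamps[0] <= now - self.window_s:
            stamps.popleft()
        return len(stamps) > self.max_per_window

    def register(self, auth_id, local_fp, now):
        """Handle registration information (authorization identifier + local fingerprint)."""
        lic = self.files.get(auth_id)
        if lic is None:
            return {"status": "auth_failed", "reason": "unknown authorization identifier"}
        abnormal = self._abnormal(auth_id, now)
        # Constant-time comparison against every fingerprint bound to this file.
        matched = any(hmac.compare_digest(local_fp, fp) for fp in lic.bound)
        if not matched:
            if len(lic.bound) >= lic.max_clusters:
                # Preset number reached and no match: authentication failure.
                return {"status": "auth_failed", "reason": "cluster limit reached",
                        "abnormal": abnormal}
            lic.bound.append(local_fp)  # limit not reached: bind this cluster
        return {"status": "activated", "original_fingerprint": local_fp,
                "not_after": now + self.validity_s, "abnormal": abnormal}


def demo():
    """Constructed scenario: one licence that allows a single cluster."""
    fp_a, fp_b = "aa" * 32, "bb" * 32  # constructed fingerprints (hex digests)
    dev = AuthorizationDevice({"LIC-1": AuthorizationFile(max_clusters=1)},
                              validity_s=86_400, window_s=3_600, max_per_window=2)
    return [
        dev.register("LIC-1", fp_a, now=0),       # first cluster: bound and activated
        dev.register("LIC-1", fp_b, now=10),      # second cluster: limit reached
        dev.register("LIC-1", fp_a, now=20),      # third message within the window
        dev.register("LIC-1", fp_a, now=10_000),  # back to a normal rate
    ]


if __name__ == "__main__":
    for response in demo():
        print(response)
```
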
According to an aspect of the present disclosure, there is provided a machine fingerprint-based authorization management apparatus, applied to a service node in a plurality of local devices of a target device cluster, including:
an obtaining module, configured to acquire the local fingerprint of the target device cluster at a preset time interval when the target software in the target device cluster is in an authorized state;
a matching module, configured to match the local fingerprint with an authorized original fingerprint of the target device cluster;
a setting module, configured to maintain an authorizable state of the target software in the target device cluster if the local fingerprint matches the original fingerprint.
In one or more possible implementations, the obtaining module is configured to: determine, based on the original fingerprint, at least one information item for information collection on the target device cluster; collect information of the target device cluster according to the at least one information item to obtain current collected information of the target device cluster; and generate a local fingerprint of the target device cluster according to the current collected information.
In one or more possible implementations, the obtaining module is further configured to acquire, in an offline condition, the authorized original fingerprint of the target device cluster from a locally stored authorization file. The authorization file is generated by an authorization device, which decrypts an imported fingerprint file and writes the decrypted machine fingerprint into the authorization file as the authorized original fingerprint of the target device cluster, yielding an authorization file in ciphertext form. The fingerprint file is generated from original collected information obtained by collecting information of the target device cluster.
In one or more possible implementations, the setting module is further configured to stop the authorized state of the target software if it is confirmed that the local fingerprint does not match the original fingerprint.
In one or more possible implementations, the apparatus further includes: a sending module, configured to send registration information to an authorization device, wherein the registration information includes an authorization identifier and a local fingerprint, and the authorization device is configured to return activation information to the target device cluster when the local fingerprint matches the original fingerprint bound to the authorization file indicated by the authorization identifier; and the matching module is configured to match the local fingerprint with the original fingerprint parsed from the activation information.
In one or more possible implementations, the apparatus further includes: the analysis module is used for analyzing the activation information to obtain the validity period of the activation information; the setting module is used for keeping the authorized state of the target software in the target equipment cluster under the condition that the local fingerprint is matched with the original fingerprint and the validity period is not expired.
In one or more possible implementations, the setting module is further configured to stop the authorized state of the target software if the local fingerprint does not match the original fingerprint or the validity period has expired.
In one or more possible implementations, the apparatus further includes: a receiving module, configured to receive authentication failure information sent by the authorization device, where the authorization device is configured to return the authentication failure information based on the registration information when it is determined that the number of clusters to which the authorization file is bound reaches a preset number and the local fingerprint does not match the original fingerprint to which the authorization file is bound; the setting module is used for responding to the authentication failure information and setting the authorization state of the target software to be a stop authorization state.
In one or more possible implementations, the registration information further includes a local fingerprint of the target cluster; the sending module is configured to send the registration information to the authorization device at a preset time interval when the target software is in an authorized state, where the authorization device is configured to confirm that the target software is in an abnormal operation state when the receiving frequency of the registration information is greater than a preset value.
According to an aspect of the present disclosure, there is provided an authorization management apparatus based on machine fingerprint, applied to an authorization device, including:
a receiving module, configured to receive registration information sent by a service node of a target device cluster, wherein the registration information includes an authorization identifier and a local fingerprint of the target device cluster;
the judging module is used for judging whether the local fingerprint is matched with an original fingerprint bound by the authorization file indicated by the authorization identifier;
the sending module is used for returning activation information to the service node under the condition that the local fingerprint is matched with the original fingerprint bound by the authorization file; the service node of the target device cluster is configured to match a local fingerprint of the target device cluster with an original fingerprint in the activation information at a preset time interval when target software in the target device cluster is in an authorized state, and maintain the authorized state of the target software in the target device cluster when the local fingerprint is matched with the original fingerprint.
In one or more possible implementation manners, the determining module is further configured to determine whether the number of clusters to which the authorization file is bound reaches a preset number; and under the condition that the local fingerprint is not matched with the original fingerprint bound by the authorization file and the number of the clusters bound by the authorization file does not reach the preset number, binding the authorization file with the local fingerprint carried in the registration information.
In one or more possible implementation manners, the sending module is further configured to send authentication failure information to a service node when the number of clusters to which the authorization file is bound reaches the preset number and the local fingerprint does not match the original fingerprint to which the authorization file is bound.
In one or more possible implementations, the apparatus further includes: the confirming module is used for determining the receiving frequency of the registration information; judging whether the receiving frequency of the registration information is smaller than a preset value; and under the condition that the receiving frequency is greater than the preset value, confirming that the target software is in an abnormal operation state.
According to an aspect of the present disclosure, there is provided an electronic device including: a processor; a memory for storing processor-executable instructions; wherein the processor is configured to invoke the memory-stored instructions to perform the above-described method.
According to an aspect of the present disclosure, there is provided a computer readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the above-described method.
In the embodiments of the present disclosure, when target software in a target device cluster is in an authorized state, a local fingerprint of the target device cluster may be acquired at a preset time interval and matched with an authorized original fingerprint of the target device cluster. If the local fingerprint matches the original fingerprint, the authorizable state of the target software in the target device cluster is maintained. The running environment of the target software can thus be restricted by the fingerprint of the target device cluster, and the local fingerprint is verified repeatedly at intervals, which reduces the chance that the configuration of the target device cluster is changed while the target software is in an authorized state. The target software therefore runs in the specified device cluster, and the reliability of its authorization is improved. The machine-fingerprint-based authorization management scheme is also suitable for device clusters in both networked and non-networked environments, meeting the authorization requirements of software in different network environments.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure. Other features and aspects of the present disclosure will become apparent from the following detailed description of exemplary embodiments, which proceeds with reference to the accompanying drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and, together with the description, serve to explain the principles of the disclosure.
Fig. 1 shows a flow diagram of a method of machine fingerprint based authorization management according to an embodiment of the present disclosure.
Fig. 2 shows a flowchart of an example of a method for machine fingerprint-based authorization management according to an embodiment of the present disclosure.
Fig. 3 shows a flowchart of an example of a method for machine fingerprint-based authorization management according to an embodiment of the present disclosure.
Fig. 4 shows a flowchart of an example of a method for machine fingerprint-based authorization management according to an embodiment of the present disclosure.
Fig. 5 illustrates a block diagram of a machine fingerprint-based authorization management device, according to an embodiment of the present disclosure.
Fig. 6 illustrates a block diagram of a machine fingerprint-based authorization management device, according to an embodiment of the present disclosure.
FIG. 7 shows a block diagram of an example of an electronic device in accordance with an embodiment of the present disclosure.
FIG. 8 shows a block diagram of an example of an electronic device in accordance with an embodiment of the present disclosure.
Detailed Description
Various exemplary embodiments, features and aspects of the present disclosure will be described in detail below with reference to the accompanying drawings. In the drawings, like reference numbers can indicate functionally identical or similar elements. While the various aspects of the embodiments are presented in drawings, the drawings are not necessarily drawn to scale unless specifically indicated.
The word "exemplary" is used exclusively herein to mean "serving as an example, embodiment, or illustration." Any embodiment described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments.
The term "and/or" herein merely describes an association between associated objects and indicates that three relationships may exist; for example, A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone. In addition, the term "at least one" herein means any one of a plurality or any combination of at least two of a plurality; for example, including at least one of A, B, and C may mean including any one or more elements selected from the group consisting of A, B, and C.
Furthermore, in the following detailed description, numerous specific details are set forth in order to provide a better understanding of the present disclosure. It will be understood by those skilled in the art that the present disclosure may be practiced without some of these specific details. In some instances, methods, means, elements and circuits that are well known to those skilled in the art have not been described in detail so as not to obscure the present disclosure.
The machine-fingerprint-based authorization management scheme provided by the embodiments of the present disclosure can be applied to scenarios such as software authorization and software authentication on devices. For example, for a non-networked or networked target device cluster, the local fingerprint is matched with the authorized original fingerprint, and the service of the target software is provided only if the local fingerprint is the same as the original fingerprint. The target software is thereby restricted to running in a specified environment, which reduces the chance of the target software being arbitrarily copied to other devices for use and improves the security and reliability of its operation.
The authorization management method based on machine fingerprint provided by the embodiment of the present disclosure may be executed by a terminal device, a server, or other types of electronic devices, where the terminal device may be a User Equipment (UE), a mobile device, a User terminal, a cellular phone, a cordless phone, a Personal Digital Assistant (PDA), a handheld device, a computing device, an in-vehicle device, a wearable device, or the like. In some possible implementations, the data processing method may be implemented by a processor calling computer readable instructions stored in a memory. Alternatively, the method may be performed by a server.
Fig. 1 is a flowchart illustrating a machine fingerprint-based authorization management method according to an embodiment of the present disclosure, where as shown in fig. 1, the machine fingerprint-based authorization management method is applied to a service node in a plurality of local devices of a target device cluster, and the machine fingerprint-based authorization management method includes:
Step S11, when the target software in the target device cluster is in an authorized state, the local fingerprint of the target device cluster is obtained at preset time intervals.
In an embodiment of the present disclosure, the target device cluster may include a plurality of local devices, and the service node may be at least one of the plurality of local devices. In some implementations, to improve the reliability of the target device cluster, one local device may be selected as a primary device and another as a standby device; the primary device serves as the service node while it is operating normally, and the standby device serves as the service node if the primary device fails. The service node can acquire the local fingerprint of the target device cluster at preset time intervals when the target software is in an authorized state. The local fingerprint may be a machine fingerprint of the local device. The local fingerprint of the target device cluster may include one or more of motherboard information, Central Processing Unit (CPU) information, graphics card information, hard disk information, memory information, and network card information; in some implementations, where the local device is a cloud device, it may further include a unique identifier of the cloud host. For example, a collection function of a Local Authorization Service (LAS) may be called through a management port of the service node to collect information of the target device cluster, such as one or more of the motherboard, CPU, graphics card, hard disk, memory, and network card information, so as to obtain the current collected information of the target device cluster.
In some implementations, when the local device is a cloud device, the unique cloud host identifier of the target device cluster may be collected to obtain the current collected information of the target device cluster. The information to be collected can be set according to the actual application scenario or requirement, for example through collection parameters passed in via the management port, which improves the flexibility and compatibility of fingerprint information collection. Further, a local fingerprint of the target device cluster may be generated from the current collected information. For example, the current collected information may be used directly as the local fingerprint. In some implementations, to reduce the data size of the local fingerprint, a hash value of the current collected information may be calculated with a hash algorithm, for example one with a security strength not lower than SHA-256, and used as the local fingerprint of the target device cluster.
Here, the preset time interval may be set according to the actual application scenario or requirement; for example, it may be set to 3 days, 5 days, and the like. The intervals between successive acquisitions of the local fingerprint may be the same or different, and the present disclosure does not limit the specific preset time interval. For example, the preset time interval may be set according to how long the target device cluster has been in the authorizable state and may be positively correlated with that duration: the longer the target device cluster has been in the authorizable state, the more this indicates that the cluster provides a safe environment for running the target software, so the time until the next acquisition of the local fingerprint may be extended, saving processing resources of the service node.
Here, when information is collected for the target device cluster, information may be collected for a service node in the target device cluster, and a local fingerprint may be generated based on current collection information of the service node. In some implementations, information may also be collected for a plurality of local devices in the target device cluster, and a local fingerprint may be generated based on current collection information of the plurality of local devices. The present disclosure is not so limited.
Step S12, matching the local fingerprint with an authorized original fingerprint of the target device cluster.
In the embodiment of the present disclosure, the service node may obtain the original fingerprint for which the target device cluster has obtained authorization from the authorization device, and then match the local fingerprint with the original fingerprint to obtain a matching result. The authorization device may be a device that provides authorization rights for the target software. The authorization device may bind the original fingerprint of the target device cluster to an authorization file issued to the target device cluster, thereby authorizing the original fingerprint of the target device cluster. The original fingerprint of the target device cluster may be generated from original collected information of the target device cluster, which may be obtained the first time information is collected for the target device cluster. Here, the service node may pre-store the authorized original fingerprint of the target device cluster. In some implementations, the service node may send registration information to the authorization device, and the authorization device may return the authorized original fingerprint of the target device cluster to the service node based on the registration information.
Here, when the local fingerprint is matched with the original fingerprint, the hash value of the current collected information may be compared with the hash value of the original collected information. If the two hash values are the same, the local fingerprint of the target device cluster may be considered to match the authorized original fingerprint. If they differ, the local fingerprint of the target device cluster may be considered not to match the authorized original fingerprint.
Step S13, maintaining an authorizable state of the target software in the cluster of target devices if the local fingerprint matches the original fingerprint.
In the embodiment of the present disclosure, the target device cluster may be installed with target software, the authorization device may issue an authorization file of the target software for the target device cluster, and the service node may match the local fingerprint with the authorized original fingerprint of the target device cluster at a preset time interval. When the service node confirms for the first time that the local fingerprint matches the authorized original fingerprint, the target software installed in the target device cluster can be considered to have the operation authority, and the target software in the target device cluster is determined to be in an authorized state. Further, the service node may set the target software in the target device cluster to an authorizable state. When the service node again confirms that the local fingerprint matches the authorized original fingerprint, the authorizable state of the target software in the target device cluster may be maintained. In an authorized state, the service node can authorize the client when it receives an authorization request sent by a client of the target software, so that the client can provide the service of the target software. Here, the functions of the target software available in the authorizable state are determined by the authorization file issued by the authorization device; that is, they may not be all functions of the target software. Some functions may be available and others not, depending on the authorization file issued by the authorization device for the target device cluster.
Accordingly, in the case that the local fingerprint does not match the original fingerprint, it may be considered that the target software installed in the target device cluster does not have the operation authority, and the authorization state of the target software in the target device cluster may be set to the authorization-disabled state. In the authorization stop state, the service node rejects all authorization requests of the target software in the target device cluster.
Here, while the target software is in an authorized state, the local fingerprint of the target device cluster is acquired at preset time intervals, so that the service node can verify the local fingerprint at those intervals, that is, match the local fingerprint with the authorized original fingerprint of the target device cluster. If the local fingerprint is confirmed to match the original fingerprint, the target software in the target device cluster is determined to be in an authorizable state, and the authorizable state of the target software can be maintained. If the local fingerprint is confirmed not to match the original fingerprint, the authorized state of the target software can be stopped, that is, changed from the authorized state to the authorization stop state. Because the local fingerprint of the target device cluster is acquired at preset time intervals, whether the target device cluster has the operation authority for the target software can be checked regularly. In scenarios where the configuration of the target device cluster is changed, or the target software is copied to another environment to run, the authorization authentication of the target software fails and the service of the target software is stopped. This effectively restricts the operating environment of the target software and improves its operation security.
The authorization management scheme based on the machine fingerprint provided by the embodiment of the disclosure can be applied to a target device cluster with a plurality of local devices, and the target device cluster can be a traditional physical machine cluster and also can be a cloud device cluster. By verifying the local fingerprint of the target device cluster, the possibility that the target software is randomly copied to other devices or clusters for use can be reduced, and the reliability of the target software authorization is improved.
The authorization management scheme based on the machine fingerprint can be applied to networked target equipment clusters and non-networked target equipment clusters, so that the requirements of the equipment clusters on various authorization scenes are met. The machine fingerprint based authorization management scheme provided by the present disclosure is described below in one or more implementations.
In some implementations, in an offline situation, that is, where the target device cluster cannot communicate with the authorization device over the network, the service node may obtain the authorized original fingerprint of the target device cluster from a locally stored authorization file. The authorization file may be issued by the authorization device for the target device cluster. For example, the authorization device may import an encrypted fingerprint file of the target device cluster according to a user operation, where the fingerprint file is generated based on original acquisition information obtained by collecting information from the target device cluster. The authorization device decrypts the encrypted fingerprint file and, after successful decryption, obtains the machine fingerprint, which it may write into the authorization file as the original fingerprint of the target device cluster. In some implementations, the authorization file may also be encrypted, for example with a private key of the authorization device, to obtain a ciphertext authorization file. The service node can import the authorization file according to a user operation and then obtain the authorized original fingerprint of the target device cluster from the locally stored authorization file. If the authorization file is a ciphertext authorization file, it is decrypted first, for example with the pre-stored public key of the authorization device, and the authorized original fingerprint of the target device cluster is then obtained from the decrypted authorization file.
In this way, the authorized original fingerprint of the target device cluster can be acquired in the offline condition, so that the target software can be safely authorized in the offline condition.
In step S11, the local fingerprint of the target device cluster may be obtained, so that the authorization status of the target software may be determined from it. In order to improve the accuracy of the local fingerprint, at least one information item to be collected from the target device cluster may be determined based on the original fingerprint, and information may then be collected from the target device cluster according to the determined at least one information item to obtain the current acquisition information of the target device cluster. The local fingerprint of the target device cluster is then generated from the current acquisition information.
Here, the original fingerprint of the target device cluster may be stored in the service node in advance, and when the local fingerprint of the target device cluster is acquired, the service node may determine, according to the original fingerprint, the at least one information item included in the original collected information. In some implementations, the original fingerprint may be generated based on a hash value of the original collected information and an information collection list, where the information collection list may indicate the at least one information item to be collected. For example, the service node may concatenate the hash value of the original collected information with the field names of the information items in the information collection list, and then encrypt the concatenated information with an authorization public key of the authorization device to generate the original fingerprint. The authorization public key of the authorization device can be obtained from the authorization file, or can be agreed between the service node and the authorization device in advance. Based on this, the service node may parse the original fingerprint, for example by decrypting it with an authorization private key extracted from the authorization file, to obtain the hash value of the original collected information and the field names in the information collection list. It then determines the at least one information item to collect from the field names, and collects the information indicated by those items from the target device cluster to obtain the current acquisition information. The hash value of the current acquisition information can then be calculated to obtain the local fingerprint of the target device cluster.
In this way, information can be collected from the target device cluster based on the at least one information item included in the original acquisition information, so that the current acquisition information contains the same information items as the original acquisition information and the local fingerprint has higher accuracy.
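The fingerprint construction and periodic matching described above can be sketched as follows. This is an added example, not code from the patent: the item names, sample values, `|` separator and the choice of SHA-256 are assumptions, and the public-key encryption of the concatenated value is left out so the block runs with the standard library only.

```python
import hashlib
import hmac
import json

# Constructed sample: items collected when the cluster was first authorized.
ORIGINAL_INFO = {
    "node_count": 3,
    "cpu_model": "example-cpu-x",
    "mac_addresses": ["02:00:00:00:00:01", "02:00:00:00:00:02"],
    "disk_serial": "EXAMPLE-SN-0001",
}


def _normalize(value):
    """Sort list values so enumeration order (e.g. of NICs) does not change the hash."""
    return sorted(value) if isinstance(value, list) else value


def hash_collected(info, items):
    """SHA-256 over a canonical encoding of only the listed information items."""
    selected = {name: _normalize(info[name]) for name in items}
    canonical = json.dumps(selected, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def make_original_fingerprint(info, items):
    """Concatenate the hash with the field names of the information collection list."""
    for name in items:
        if "|" in name or "," in name:
            raise ValueError("field name contains a separator: %r" % name)
    return hash_collected(info, items) + "|" + ",".join(sorted(items))


def parse_original_fingerprint(fingerprint):
    """Recover (hash, item names) so re-collection uses exactly the original items."""
    digest, sep, names = fingerprint.partition("|")
    if not sep or len(digest) != 64 or not names:
        raise ValueError("malformed fingerprint")
    return digest, names.split(",")


def check_cluster(original_fingerprint, collect):
    """One periodic check: returns 'authorizable' on a match, otherwise 'stopped'.

    `collect` is a hypothetical callable returning the currently collected items.
    """
    digest, items = parse_original_fingerprint(original_fingerprint)
    current = collect()
    if any(name not in current for name in items):
        return "stopped"  # an item from the original list can no longer be collected
    local = hash_collected(current, items)
    # Constant-time comparison of the two hex digests.
    return "authorizable" if hmac.compare_digest(local, digest) else "stopped"
```

Because the item list travels with the original fingerprint, extra items present at re-collection time are ignored, while a changed or missing listed item stops authorization.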
It should be noted that a local authorization service for authorization management of the target software may be run in the target device cluster, and the local authorization service may perform the above steps S101 to S103, that is, the local authorization service may be used to implement an authorization management scheme executed by the service node. The authorization device may operate a public network authorization center service, and the public network authorization center service may be used to implement an authorization management scheme executed by the authorization device.
The machine fingerprint-based authorization management scheme provided by the present disclosure is illustrated by way of an example below. Fig. 2 is a flowchart illustrating an example of a machine fingerprint-based authorization management method according to an embodiment of the present disclosure, which may be applied to software authorization in an offline scenario, and the machine fingerprint-based authorization management method may include the following steps:
Step S201, the service node collects information from the target device cluster to obtain original collected information.
Step S202, the service node generates a machine fingerprint of the target device cluster based on the original acquisition information.
Step S203, the service node encrypts the machine fingerprint by using the authorization public key of the authorization device to obtain a fingerprint file.
Step S204, the fingerprint file of the target device cluster is imported into the authorization device, and the fingerprint file is decrypted.
The authorization device may decrypt the encrypted fingerprint file using the authorization private key.
In step S205, it is determined whether the decryption is successful.
In the case where the decryption is successful, step S206 is executed; in the case where the decryption fails, step S09 is executed.
In step S206, the authorization device writes the machine fingerprint in the fingerprint file into the authorization file as the original fingerprint authorized by the target device.
Step S207, the service node imports the authorization file generated by the authorization device, and acquires the original fingerprint in the authorization file.
In step S208, the service node determines whether the local fingerprint is the same as the original fingerprint.
In the case where the local fingerprint and the original fingerprint are identical, step S209 is performed. In the case where the local fingerprint and the original fingerprint are different, the process returns to step S201.
In step S209, the authorization status of the target software is set to an authorizeable status.
Step S210, an error message is presented.
When the target software is in an authorized state, the service node may execute step S208 at preset time intervals to determine whether the resource configuration of the target device cluster changes, and when detecting that the local fingerprint is different from the original fingerprint, the service node sets the target software to an authorized stop state, thereby improving the operation security of the target software.
In some implementations, in a networking scenario, that is, where the target device cluster can communicate with the authorization device, the service node may send registration information to the authorization device. The registration information may include a local fingerprint and an authorization identifier of the authorization file issued by the authorization device to the target device cluster. The authorization identifier indicates the authorization file issued for the target device cluster; for example, it may be the authorization serial number of the authorization file. After receiving the registration information, the authorization device may determine, based on the registration information, whether the local fingerprint matches the original fingerprint bound to the authorization file indicated by the authorization identifier. If it does, the authorization device may consider that the original fingerprint of the target device cluster is bound to the authorization file, and return activation information, which may be an activation code, to the target device cluster. The original fingerprint of the target device cluster may be carried in the activation information. The service node then receives the activation information, obtains the original fingerprint of the target device cluster from it, and matches the currently generated local fingerprint with the original fingerprint parsed from the activation information. If the local fingerprint matches the original fingerprint, the service node determines that the target software in the target device cluster is in an authorized state; otherwise it determines that the target software is in an authorization stop state.
In this way, in a networking scenario the service node can acquire the authorized original fingerprint of the target device cluster from the activation information returned by the authorization device, and use it to verify the local fingerprint of the target device cluster, which improves the safety of the running environment of the target software.
In some implementations, the service node may also carry the local fingerprint it has generated in the registration information. If the authorization device confirms that no original fingerprint of the target device cluster is bound to the authorization file indicated by the authorization identifier, it can bind the local fingerprint in the registration information to the authorization file, and the bound local fingerprint then serves as the authorized original fingerprint of the target device cluster, which realizes dynamic binding of the original fingerprint. In some implementations, the authorization device can unbind the authorization file from the original fingerprint according to a user instruction, thereby terminating authorization of the original fingerprint.
In some implementations, to further reduce the likelihood that the service node repeatedly sends registration information to the authorization node, the activation information returned by the authorization device to the service node may also carry a validity period of the activation information. After receiving the activation information, the service node may parse it to obtain the validity period, which may be set according to the actual application scenario or requirement. The service node may determine whether the current time is within the validity period, and may determine that the target software in the target device cluster is in an authorized state if the local fingerprint matches the original fingerprint and the validity period has not expired. In this way, during the validity period of the activation information, the service node can authenticate the running environment of the target software using the original fingerprint in the activation information, thereby reducing the number of times the service node sends the registration information.
Correspondingly, when the service node confirms that the local fingerprint is not matched with the original fingerprint or the validity period of the registration information is expired, the authorized state of the target software can be stopped, so that the validity period of the registration information can also be used as a verification condition of authorization authentication, and the security of software authorization is further improved.
In some implementations, the registration information sent by the service node to the authorization device may also carry a validity period of the registration information. The authorization device may determine whether the registration information is valid according to this validity period, and returns the activation information to the service node when the validity period of the registration information has not expired. If the validity period of the registration information has expired, the authorization device does not respond to the registration information.
In some implementations, the authorization file may bind the original fingerprints of multiple device clusters, i.e., multiple device clusters may share the same authorization file. Each authorization file may be provided with a preset number of bindable device clusters, which may be the maximum number of device clusters to which the authorization file may be bound. The preset number can be set according to the actual application scenario or requirement. After receiving the registration information sent by the service node, the authorization device may further determine, based on the authorization information, whether the number of clusters bound to the authorization file indicated by the authorization identifier has reached the preset number. If the number of bound clusters has reached the preset number and the local fingerprint carried in the registration information does not match any of the at least one original fingerprint bound to the authorization file, the target device cluster is considered to have no authorization to use the target software service, and the authorization device can return authentication failure information to the service node of the target device cluster. On receiving the authentication failure information, the service node sets the authorization state of the target software to the authorization stop state, so that the target device cluster cannot run the target software. Thus, where an authorization file can bind multiple device clusters, checking whether the number of bound clusters has reached the preset number places a further authorization limit on the target software in the target device cluster and improves the operation security of the target software.
In some implementations, when the target software is in an authorized state, the service node may send registration information to the authorization device at preset time intervals, so that the service node may match the original fingerprint returned by the authorization device with the local fingerprint at regular time to authenticate whether the running environment of the current target software is safe.
Further, the authorization device may also determine the receiving frequency of the registration information sent by the service node, for example by counting the number of times registration information is received within a preset time period. When the receiving frequency is greater than the preset value, the target software can be considered to be in an abnormal operation state, and abnormal alarm information can be generated, or an authorization service stop indication can be sent to the service node. The service node can then set the authorization state of the target software to the authorization stop state according to the authorization service stop indication, so that the target device cluster cannot use the service of the target software.
In some implementations, the authorization file issued by the authorization device to the target device cluster may be bound to multiple device clusters, that is, multiple device clusters may share the same authorization file. The preset number of clusters to which the authorization file can be bound can be set according to the actual application scenario or requirement, and may be the maximum number of clusters that the authorization file can bind. After receiving the registration information sent by the service node, the authorization device may determine the authorization file indicated by the authorization identifier carried in the registration information, and then check whether the number of clusters bound to the authorization file has reached the preset number. If the number of bound clusters has reached the preset number and the original fingerprint bound to the authorization file does not match the local fingerprint carried in the registration information, the target software can be confirmed to be in an abnormal operation state, and authentication failure information can be returned to the service node. The service node may set the authorization state of the target software to the authorization stop state according to the authentication failure information. If the number of clusters bound to the authorization file has not reached the preset number and the original fingerprint bound to the authorization file matches the local fingerprint carried in the registration information, the registration information carrying the original fingerprint of the target device cluster can be returned to the service node.
Therefore, the safety authorization of the target software can be further realized, and the service of the target software can be stopped in time under the condition that the running environment of the target software is changed.
Fig. 3 is a flowchart illustrating an example of a machine fingerprint-based authorization management method according to an embodiment of the present disclosure, which is applied to an authorization device, and the machine fingerprint-based authorization management method may include the following steps:
Step S31, receiving registration information sent by a service node of a target device cluster, wherein the registration information comprises an authorization identifier and a local fingerprint of the target device cluster;
Step S32, judging whether the local fingerprint matches the original fingerprint bound by the authorization file indicated by the authorization identifier;
Step S33, returning activation information to the service node under the condition that the local fingerprint is matched with the original fingerprint bound by the authorization file.
In the embodiment of the present disclosure, in a case that the target device cluster may communicate with the authorization device, the authorization device may receive registration information sent by a service node of the target device cluster. The registration information may include an authorization identifier and a local fingerprint of the target device cluster. After receiving the registration information, the authorization device can determine the authorization file indicated by the authorization identifier according to the authorization identifier, and then determine the original fingerprint to which the authorization file is bound. Here, the original fingerprint to which the authorization file is bound may be recorded by means of an authorization list. Further, the authorization device may compare the local fingerprint carried in the activation information with at least one original fingerprint bound to the authorization file, and determine whether the local fingerprint matches the original fingerprint bound to the authorization file. Under the condition that the local fingerprint in the activation information is the same as the original fingerprint bound by the authorization file, the authorization file can be confirmed to be bound with the original fingerprint of the target device cluster, and further the activation information can be returned to the service node. The original fingerprint of the target device cluster may be carried in the activation information.
The service node of the target device cluster may receive the activation information and parse it to obtain the original fingerprint of the target device cluster. The service node then matches the local fingerprint of the target device cluster with the original fingerprint in the activation information, and determines that the target software in the target device cluster is in an authorized state if the local fingerprint matches the original fingerprint.
In some implementations, after receiving the registration information sent by the service node, the authorization device may further determine whether the number of clusters bound to the authorization file indicated by the authorization identifier has reached a preset number. One authorization file may bind the original fingerprints of a plurality of device clusters, and one device cluster corresponds to one original fingerprint, so the number of bound clusters may be determined from the number of original fingerprints bound to the authorization file. When the local fingerprint in the activation information does not match the at least one original fingerprint bound to the authorization file, and the number of clusters bound to the authorization file has not reached the preset number, it can be considered that the authorization file is not yet bound to the target device cluster and that the number of bound clusters has not reached the maximum. The authorization file can then be bound to the local fingerprint carried in the registration information, and the bound local fingerprint can be used as the authorized original fingerprint of the target device cluster. In this way, as long as the number of clusters bound to the authorization file has not reached the maximum, the target device cluster can be authorized on the basis of the dynamically bound local fingerprint, so that the target software runs in a specified environment and the authorization steps are simplified.
For example, when the authorization device issues an authorization file, the preset number corresponding to the authorization file is set to 1. Under the condition that the target software and the authorization file are deployed to the target device cluster, the service node of the first target device cluster can acquire the authorization of the target software in a mode of sending registration information to the authorization device, the authorization device binds the first target device cluster to the authorization file according to the registration information, and the target software in the first target device cluster is in an authorized state. When the target software and the authorization file are deployed to the second target device cluster, the second device cluster cannot acquire the authorization of the target software because the authorization file is bound to the first target device cluster.
In some implementations, when the number of clusters to which the authorization file is bound reaches a preset number and the local fingerprint in the activation information does not match the original fingerprint to which the authorization file is bound, it may be considered that the number of clusters to which the authorization file is bound reaches a maximum value and the target device cluster does not bind the authorization file, in which case it may be considered that the target device cluster does not have the authorization condition, and the authorization device may send authentication failure information to the service node. The service node receives the authentication failure information, and in response to the authentication failure information, the authorization state of the target software in the target device cluster may be set to a stop authorization state. In this way, the target software can be operated in a specified environment, and the authorization of the target software in the device cluster is limited by the maximum number of the device clusters which can be bound by the authorization file.
In some implementations, to further improve the reliability of software authorization, the authorization device may further determine the receiving frequency of the registration information, for example by counting the number of times registration information is received within a preset time period, and then judge whether the receiving frequency is less than a preset value. If the receiving frequency of the registration information is greater than the preset value, the target software can be confirmed to be in an abnormal operation state. Abnormal alarm information may then be generated, or an authorization service stop instruction may be sent to the service node, and the service node may set the authorization state of the target software to an authorization stop state according to that instruction, so that the target device cluster cannot use the service of the target software. In this way, abnormal operation behavior of the target software in the target device cluster can be analyzed, further improving the reliability of software authorization.
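The authorization-device behaviour described in the preceding paragraphs (dynamic binding up to a preset number of clusters, authentication failure once the limit is reached, the registration-frequency check, and a validity period on the activation information) can be modelled as follows. This is an added example, not code from the patent: the class and field names, the per-serial-number sliding window, the thresholds and the handling of an unknown serial number are assumptions.

```python
import hmac
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class AuthorizationFile:
    serial: str
    max_clusters: int                           # the "preset number" of bindable clusters
    bound: list = field(default_factory=list)   # original fingerprints, one per cluster


class AuthorizationDevice:
    def __init__(self, window_s=3600, max_per_window=5, validity_s=86400):
        self.files = {}
        self.window_s = window_s              # preset time period for frequency counting
        self.max_per_window = max_per_window  # preset value for the receiving frequency
        self.validity_s = validity_s          # validity period of activation information
        self.seen = defaultdict(deque)        # serial -> timestamps of registrations
        self.alerts = []                      # abnormal alarm information

    def issue(self, serial, max_clusters):
        self.files[serial] = AuthorizationFile(serial, max_clusters)

    def register(self, serial, local_fp, now=None):
        """Handle one registration message (authorization identifier + local fingerprint)."""
        now = time.time() if now is None else now
        lic = self.files.get(serial)
        if lic is None:  # assumption: unknown identifiers are rejected outright
            return {"status": "auth_failed", "reason": "unknown_serial"}

        # Receiving-frequency check over a sliding window.
        stamps = self.seen[serial]
        stamps.append(now)
        while stamps and stamps[0] <= now - self.window_s:
            stamps.popleft()
        if len(stamps) > self.max_per_window:
            self.alerts.append((serial, now, len(stamps)))
            return {"status": "stop_authorization", "reason": "registration_frequency"}

        matched = any(hmac.compare_digest(local_fp, fp) for fp in lic.bound)
        if not matched:
            if len(lic.bound) >= lic.max_clusters:
                return {"status": "auth_failed", "reason": "binding_limit"}
            lic.bound.append(local_fp)  # dynamic binding: becomes the original fingerprint
        return {
            "status": "activated",
            "original_fingerprint": local_fp,
            "valid_until": now + self.validity_s,
        }


def service_node_state(response, local_fp, now):
    """Service-node side: authorizable only if activated, unexpired and still matching."""
    if response.get("status") != "activated":
        return "stopped"
    if now >= response["valid_until"]:
        return "stopped"
    same = hmac.compare_digest(local_fp, response["original_fingerprint"])
    return "authorizable" if same else "stopped"
```

With several clusters sharing one authorization file, a frequency threshold keyed on the serial number alone has to allow for the legitimate registrations of every bound cluster.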
The following describes, by way of an example, a method for authorization management based on machine fingerprints according to an embodiment of the present disclosure. The present example may be applicable to a networking scenario. Fig. 4 shows a flowchart of an example of a machine fingerprint-based authorization management method according to an embodiment of the present disclosure, which may include the following steps:
Step S401, the authorization device issues an authorization file.
The authorization device may issue the authorization file according to a user operation, and may set a maximum number of device clusters to which the authorization file may be bound, that is, may set a number corresponding to the authorization file. The authorization device can also encrypt the issued authorization file to obtain an authorization file of the ciphertext.
Step S402, the service node of the target device cluster imports the authorization file.
The service node sends the activation information to the authorization device to activate authorization of the target software, and the target software is in a stop authorization state.
Step S403, the service node obtains the local fingerprint of the target device cluster and the authorization serial number of the authorization file.
Step S404, the service node encrypts the local fingerprint and the authorization serial number using the authorization public key of the authorization device, and generates registration information.
Step S405, the service node sends the registration information to the authorization device.
Step S406, the authorization device receives the registration information and decrypts the registration information.
Step S407, the authorization device determines whether the decryption is successful.
If the decryption is successful, the local fingerprint and the authorization serial number carried by the registration information are obtained; step S408 is executed if the authorization file indicated by the authorization serial number is not bound to the target device cluster, and step S409 is executed if the authorization file indicated by the authorization serial number is bound to the target device cluster. If the decryption fails, step S415 is executed.
Step S408, the authorization device determines whether the number of clusters to which the authorization file indicated by the authorization serial number is bound has reached a preset number.
If the number of clusters to which the authorization file has been bound does not reach the preset number, the authorization device binds the authorization file with a local fingerprint carried in the registration information, and the local fingerprint can be used as an authorized original fingerprint of the target device cluster, and then step S409 is executed. If the number of clusters to which the authorization file is bound reaches the preset number, and the local fingerprint to which the authorization file is bound does not include the local fingerprint carried by the registration information, step S415 is executed.
Step S409, the authorization device generates an activation code according to the original fingerprint, the authorization serial number and a preset validity period.
Step S410, the authorization device encrypts the activation code using the authorization public key and returns the encrypted activation code to the service node.
Step S411, the service node extracts the authorization private key from the local authorization file to decrypt the activation code.
Step S412, the service node determines whether the activation code is valid according to the validity period, and determines whether the original fingerprint in the activation code is consistent with the local fingerprint.
In case the activation code is valid and the original fingerprint in the activation code coincides with the local fingerprint, step S413 is performed. In case the activation code has expired or the original fingerprint does not correspond to the local fingerprint, step S414 is performed.
Step S413, the service node sets the authorization status of the target software to an authorizable status.
Step S414, the service node sets the authorization status of the target software to an unauthorized status.
Step S415, the service node prompts an error message.
It should be noted that, in order to ensure that the target software runs only in the specified device cluster, the service node may further send a registration request to the authorization device at regular time intervals, that is, the foregoing steps S405 to S414 are executed in a loop, so as to determine whether the device cluster environment where the target software is located has changed.
Here, the authorization device may further determine, according to the receiving frequency of the registration request, whether the target software may have been copied and run elsewhere, and may generate abnormal warning information when the receiving frequency of the registration information is greater than a preset value. The machine fingerprint bound to a given authorization file may also be unbound through manual intervention, so that the target software can be migrated and run in another environment.
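The decision logic of steps S406 to S415, together with the registration-frequency check and manual unbinding described above, sketched as an added example that is not code from the patent. Encryption and decryption (steps S404 to S411) are left out and each registration is treated as already decrypted; the class and function names, the sliding-window counter, the treatment of an unknown serial number as a failure, and the sample serial number and fingerprints are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AuthorizationFile:
    serial: str
    max_clusters: int                         # the "preset number" set at S401
    bound: set = field(default_factory=set)   # original fingerprints bound so far


@dataclass(frozen=True)
class ActivationCode:                         # S409: fingerprint + serial + validity
    serial: str
    original_fingerprint: str
    expires_at: float


class AuthorizationDevice:
    def __init__(self, validity_s: float, window_s: float, max_per_window: int):
        self.validity_s = validity_s
        self.window_s = window_s              # preset time period for counting
        self.max_per_window = max_per_window  # preset value for the frequency
        self.files = {}
        self.received = defaultdict(deque)    # serial -> recent arrival times
        self.alerts = []

    def issue(self, serial: str, max_clusters: int) -> None:          # S401
        self.files[serial] = AuthorizationFile(serial, max_clusters)

    def register(self, serial: str, local_fp: str,
                 now: float) -> Optional[ActivationCode]:
        """S406-S410 on an already-decrypted registration; None means S415."""
        auth = self.files.get(serial)
        if auth is None:                      # assumption: unknown serial fails
            return None
        self.count_registration(serial, now)
        if local_fp not in auth.bound:        # S408: not yet bound to this cluster
            if len(auth.bound) >= auth.max_clusters:
                return None                   # cap reached: authentication failure
            auth.bound.add(local_fp)          # becomes the original fingerprint
        return ActivationCode(serial, local_fp, now + self.validity_s)

    def count_registration(self, serial: str, now: float) -> None:
        """Sliding-window count; too many arrivals records an abnormal alert."""
        times = self.received[serial]
        times.append(now)
        while times and times[0] <= now - self.window_s:
            times.popleft()
        if len(times) > self.max_per_window:
            self.alerts.append((serial, now, len(times)))

    def unbind(self, serial: str, fingerprint: str) -> None:
        """Manual intervention that frees a binding so the software can migrate."""
        self.files[serial].bound.discard(fingerprint)


def service_node_state(code: Optional[ActivationCode], local_fp: str,
                       now: float) -> str:
    """S412-S415 on the service node, after the activation code is decrypted."""
    if code is None:
        return "error"                        # S415
    if now < code.expires_at and code.original_fingerprint == local_fp:
        return "authorizable"                 # S413
    return "unauthorized"                     # S414


def demo() -> dict:
    dev = AuthorizationDevice(validity_s=3600, window_s=600, max_per_window=2)
    dev.issue("SERIAL-DEMO", max_clusters=1)  # constructed serial and fingerprints
    t0 = 1_000_000.0
    code_a = dev.register("SERIAL-DEMO", "fp-cluster-a", t0)
    code_b = dev.register("SERIAL-DEMO", "fp-cluster-b", t0 + 300)
    dev.register("SERIAL-DEMO", "fp-cluster-a", t0 + 400)   # third arrival in 600 s
    return {
        "bound_cluster": service_node_state(code_a, "fp-cluster-a", t0 + 10),
        "second_cluster": service_node_state(code_b, "fp-cluster-b", t0 + 310),
        "fingerprint_changed": service_node_state(code_a, "fp-other", t0 + 10),
        "expired": service_node_state(code_a, "fp-cluster-a", t0 + 3600),
        "alerts": list(dev.alerts),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Registrations are counted before the binding check, so rejected attempts against a fully bound authorization file also contribute to the frequency alert.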
It is understood that the above-mentioned method embodiments of the present disclosure can be combined with each other to form combined embodiments without departing from the underlying principles and logic; owing to space limitations, the details are not repeated in the present disclosure. Those skilled in the art will appreciate that in the above methods of the specific embodiments, the specific order of execution of the steps should be determined by their function and possibly their inherent logic.
In addition, the present disclosure also provides an authorization management device based on a machine fingerprint, an electronic device, a computer-readable storage medium, and a program, all of which can be used to implement any one of the authorization management methods based on a machine fingerprint provided by the present disclosure; for the corresponding technical solutions and descriptions, refer to the corresponding descriptions in the method section, which are not repeated here.
Fig. 5 is a block diagram illustrating an authorization management apparatus based on machine fingerprint, which is applied to a service node in a plurality of local devices of a target device cluster, according to an embodiment of the present disclosure, and as shown in fig. 5, the apparatus includes:
an obtaining module 51, configured to obtain a local fingerprint of a target device cluster at a preset time interval when target software in the target device cluster is in an authorized state;
a matching module 52, configured to match the local fingerprint with an authorized original fingerprint of the target device cluster;
a setting module 53, configured to maintain an authorizeable state of the target software in the target device cluster if the local fingerprint matches the original fingerprint.
In one or more possible implementations, the obtaining module 51 is configured to determine, based on the original fingerprint, at least one information item for performing information acquisition on the target device cluster; acquire information of the target device cluster according to the at least one information item to obtain current acquisition information of the target device cluster; and generate a local fingerprint of the target device cluster according to the current acquisition information.
In one or more possible implementation manners, the obtaining module 51 is further configured to obtain, in an offline situation, an original fingerprint authorized by the target device cluster from an authorization file stored locally, where the authorization file is generated by an authorization device, the authorization device is configured to decrypt an imported fingerprint file, write a machine fingerprint obtained by decryption into the authorization file as the original fingerprint authorized by the target device cluster, and obtain the authorization file of a ciphertext, where the fingerprint file is generated based on original acquisition information obtained by acquiring information of the target device cluster.
In one or more possible implementations, the setting module 53 is further configured to stop the authorized state of the target software if it is determined that the local fingerprint does not match the original fingerprint.
In one or more possible implementations, the apparatus further includes:
a sending module, configured to send registration information to an authorization device, where the registration information includes an authorization identifier and a local fingerprint, and the authorization device is configured to return activation information to the target device cluster when the local fingerprint matches an original fingerprint bound to the authorization file indicated by the authorization identifier;
the matching module 52 is configured to match the local fingerprint with an original fingerprint obtained by parsing in the activation information.
In one or more possible implementations, the apparatus further includes:
an analysis module, configured to parse the activation information to obtain the validity period of the activation information;
the setting module 52 is configured to maintain an authorized status of the target software in the target device cluster if the local fingerprint matches the original fingerprint and the validity period does not expire.
In one or more possible implementations, the setting module 53 is further configured to stop the authorized state of the target software if the local fingerprint does not match the original fingerprint or the validity period has expired.
In one or more possible implementations, the apparatus further includes:
a receiving module, configured to receive authentication failure information sent by the authorization device, where the authorization device is configured to return the authentication failure information based on the registration information when it is determined that the number of clusters to which the authorization file is bound reaches a preset number and the local fingerprint does not match the original fingerprint to which the authorization file is bound;
the setting module 53 is configured to set the authorization status of the target software to a stop authorization status in response to the authentication failure information.
In one or more possible implementations, the registration information further includes a local fingerprint of the target cluster; the sending module is configured to send the registration information to the authorization device at a preset time interval when the target software is in an authorized state, where the authorization device is configured to confirm that the target software is in an abnormal operation state when the receiving frequency of the registration information is greater than a preset value.
Fig. 6 shows a block diagram of an authorization management apparatus based on machine fingerprint, which is applied to an authorization device according to an embodiment of the present disclosure, and as shown in fig. 6, the apparatus includes:
a receiving module 61, configured to receive registration information sent by a service node of a target device cluster, where the registration information includes an authorization identifier and a local fingerprint of the target device cluster;
a judging module 62, configured to judge whether the local fingerprint matches an original fingerprint bound to the authorization file indicated by the authorization identifier;
a sending module 63, configured to return activation information to the service node when it is determined that the local fingerprint matches the original fingerprint to which the authorization file is bound; the service node of the target device cluster is configured to match a local fingerprint of the target device cluster with an original fingerprint in the activation information at a preset time interval when target software in the target device cluster is in an authorized state, and maintain the authorized state of the target software in the target device cluster when the local fingerprint is matched with the original fingerprint.
In one or more possible implementation manners, the determining module 62 is further configured to determine whether the number of clusters to which the authorization file is bound reaches a preset number; and under the condition that the local fingerprint is not matched with the original fingerprint bound by the authorization file and the number of the clusters bound by the authorization file does not reach the preset number, binding the authorization file with the local fingerprint carried in the registration information.
In one or more possible implementation manners, the sending module 61 is further configured to send authentication failure information to a service node when the number of clusters to which the authorization file is bound reaches the preset number and the local fingerprint does not match the original fingerprint to which the authorization file is bound.
In one or more possible implementations, the apparatus further includes:
a confirming module, configured to determine the receiving frequency of the registration information; judge whether the receiving frequency of the registration information is smaller than a preset value; and, when the receiving frequency is greater than the preset value, confirm that the target software is in an abnormal operation state.
In some embodiments, functions of or modules included in the apparatus provided in the embodiments of the present disclosure may be used to execute the method described in the above method embodiments, and specific implementation thereof may refer to the description of the above method embodiments, and for brevity, will not be described again here.
Embodiments of the present disclosure also provide a computer-readable storage medium having stored thereon computer program instructions, which when executed by a processor, implement the above-mentioned method. The computer readable storage medium may be a non-volatile computer readable storage medium.
An embodiment of the present disclosure further provides an electronic device, including: a processor; a memory for storing processor-executable instructions; wherein the processor is configured to invoke the memory-stored instructions to perform the above-described method.
The disclosed embodiments also provide a computer program product comprising computer readable code, which when run on a device, a processor in the device executes instructions for implementing the machine fingerprint based authorization management method provided in any of the above embodiments.
The disclosed embodiments also provide another computer program product for storing computer readable instructions, which when executed cause a computer to perform the operations of the machine fingerprint-based authorization management method provided in any of the above embodiments.
The electronic device may be provided as a terminal, server, or other form of device.
Fig. 7 illustrates a block diagram of an electronic device 800 in accordance with an embodiment of the disclosure. For example, the electronic device 800 may be a mobile phone, a computer, a digital broadcast terminal, a messaging device, a game console, a tablet device, a medical device, a fitness device, a personal digital assistant, or the like terminal.
Referring to fig. 7, electronic device 800 may include one or more of the following components: processing component 802, memory 804, power component 806, multimedia component 808, audio component 810, input/output (I/O) interface 812, sensor component 814, and communication component 816.
The processing component 802 generally controls overall operation of the electronic device 800, such as operations associated with display, telephone calls, data communications, camera operations, and recording operations. The processing components 802 may include one or more processors 820 to execute instructions to perform all or a portion of the steps of the methods described above. Further, the processing component 802 can include one or more modules that facilitate interaction between the processing component 802 and other components. For example, the processing component 802 can include a multimedia module to facilitate interaction between the multimedia component 808 and the processing component 802.
The memory 804 is configured to store various types of data to support operations at the electronic device 800. Examples of such data include instructions for any application or method operating on the electronic device 800, contact data, phonebook data, messages, pictures, videos, and so forth. The memory 804 may be implemented by any type or combination of volatile or non-volatile memory devices such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disks.
The power supply component 806 provides power to the various components of the electronic device 800. The power components 806 may include a power management system, one or more power supplies, and other components associated with generating, managing, and distributing power for the electronic device 800.
The multimedia component 808 includes a screen that provides an output interface between the electronic device 800 and a user. In some embodiments, the screen may include a Liquid Crystal Display (LCD) and a Touch Panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive an input signal from a user. The touch panel includes one or more touch sensors to sense touch, slide, and gestures on the touch panel. The touch sensor may not only sense the boundary of a touch or slide action, but also detect the duration and pressure associated with the touch or slide operation. In some embodiments, the multimedia component 808 includes a front facing camera and/or a rear facing camera. The front camera and/or the rear camera may receive external multimedia data when the electronic device 800 is in an operation mode, such as a shooting mode or a video mode. Each front camera and rear camera may be a fixed optical lens system or have a focal length and optical zoom capability.
The audio component 810 is configured to output and/or input audio signals. For example, the audio component 810 includes a Microphone (MIC) configured to receive external audio signals when the electronic device 800 is in an operational mode, such as a call mode, a recording mode, and a voice recognition mode. The received audio signals may further be stored in the memory 804 or transmitted via the communication component 816. In some embodiments, audio component 810 also includes a speaker for outputting audio signals.
The I/O interface 812 provides an interface between the processing component 802 and peripheral interface modules, which may be keyboards, click wheels, buttons, etc. These buttons may include, but are not limited to: a home button, a volume button, a start button, and a lock button.
The sensor assembly 814 includes one or more sensors for providing various aspects of state assessment for the electronic device 800. For example, the sensor assembly 814 may detect an open/closed state of the electronic device 800, the relative positioning of components, such as a display and keypad of the electronic device 800, the sensor assembly 814 may also detect a change in the position of the electronic device 800 or a component of the electronic device 800, the presence or absence of user contact with the electronic device 800, orientation or acceleration/deceleration of the electronic device 800, and a change in the temperature of the electronic device 800. Sensor assembly 814 may include a proximity sensor configured to detect the presence of a nearby object without any physical contact. The sensor assembly 814 may also include a light sensor, such as a Complementary Metal Oxide Semiconductor (CMOS) or Charge Coupled Device (CCD) image sensor, for use in imaging applications. In some embodiments, the sensor assembly 814 may also include an acceleration sensor, a gyroscope sensor, a magnetic sensor, a pressure sensor, or a temperature sensor.
The communication component 816 is configured to facilitate wired or wireless communication between the electronic device 800 and other devices. The electronic device 800 may access a wireless network based on a communication standard, such as a wireless network (WiFi), a second generation mobile communication technology (2G) or a third generation mobile communication technology (3G), or a combination thereof. In an exemplary embodiment, the communication component 816 receives a broadcast signal or broadcast related information from an external broadcast management system via a broadcast channel. In an exemplary embodiment, the communication component 816 further includes a Near Field Communication (NFC) module to facilitate short-range communications. For example, the NFC module may be implemented based on Radio Frequency Identification (RFID) technology, infrared data association (IrDA) technology, Ultra Wideband (UWB) technology, Bluetooth (BT) technology, and other technologies.
In an exemplary embodiment, the electronic device 800 may be implemented by one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), controllers, micro-controllers, microprocessors or other electronic components for performing the above-described methods.
In an exemplary embodiment, a non-transitory computer-readable storage medium, such as the memory 804, is also provided that includes computer program instructions executable by the processor 820 of the electronic device 800 to perform the above-described methods.
Fig. 8 illustrates a block diagram of an electronic device 1900 in accordance with an embodiment of the disclosure. For example, the electronic device 1900 may be provided as a server. Referring to fig. 8, electronic device 1900 includes a processing component 1922 further including one or more processors and memory resources, represented by memory 1932, for storing instructions, e.g., applications, executable by processing component 1922. The application programs stored in memory 1932 may include one or more modules that each correspond to a set of instructions. Further, the processing component 1922 is configured to execute instructions to perform the above-described method.
The electronic device 1900 may also include a power component 1926 configured to perform power management of the electronic device 1900, a wired or wireless network interface 1950 configured to connect the electronic device 1900 to a network, and an input/output (I/O) interface 1958. The electronic device 1900 may operate based on an operating system stored in the memory 1932, such as the Microsoft server operating system (Windows Server™), the graphical user interface based operating system from Apple Inc. (Mac OS X™), the multi-user, multi-process computer operating system (Unix™), the free and open-source Unix-like operating system (Linux™), the open-source Unix-like operating system (FreeBSD™), or the like.
In an exemplary embodiment, a non-transitory computer readable storage medium, such as the memory 1932, is also provided that includes computer program instructions executable by the processing component 1922 of the electronic device 1900 to perform the above-described methods.
The present disclosure may be systems, methods, and/or computer program products. The computer program product may include a computer-readable storage medium having computer-readable program instructions embodied thereon for causing a processor to implement various aspects of the present disclosure.
The computer readable storage medium may be a tangible device that can hold and store the instructions for use by the instruction execution device. The computer readable storage medium may be, for example, but not limited to, an electronic memory device, a magnetic memory device, an optical memory device, an electromagnetic memory device, a semiconductor memory device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a Static Random Access Memory (SRAM), a portable compact disc read-only memory (CD-ROM), a Digital Versatile Disc (DVD), a memory stick, a floppy disk, a mechanical coding device, such as punch cards or in-groove projection structures having instructions stored thereon, and any suitable combination of the foregoing. Computer-readable storage media as used herein is not to be construed as transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission medium (e.g., optical pulses through a fiber optic cable), or electrical signals transmitted through electrical wires.
The computer-readable program instructions described herein may be downloaded from a computer-readable storage medium to a respective computing/processing device, or to an external computer or external storage device via a network, such as the internet, a local area network, a wide area network, and/or a wireless network. The network may include copper transmission cables, fiber optic transmission, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. The network adapter card or network interface in each computing/processing device receives computer-readable program instructions from the network and forwards the computer-readable program instructions for storage in a computer-readable storage medium in the respective computing/processing device.
The computer program instructions for carrying out operations of the present disclosure may be assembler instructions, Instruction Set Architecture (ISA) instructions, machine-related instructions, microcode, firmware instructions, state setting data, or source or object code written in any combination of one or more programming languages, including an object oriented programming language such as Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The computer-readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider). In some embodiments, the electronic circuitry that can execute the computer-readable program instructions implements aspects of the present disclosure by utilizing the state information of the computer-readable program instructions to personalize the electronic circuitry, such as a programmable logic circuit, a Field Programmable Gate Array (FPGA), or a Programmable Logic Array (PLA).
Various aspects of the present disclosure are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the disclosure. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer-readable program instructions.
These computer-readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer-readable program instructions may also be stored in a computer-readable storage medium that can direct a computer, programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer-readable medium storing the instructions comprises an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer, other programmable apparatus or other devices implement the functions/acts specified in the flowchart and/or block diagram block or blocks.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The computer program product may be embodied in hardware, software or a combination thereof. In an alternative embodiment, the computer program product is embodied in a computer storage medium, and in another alternative embodiment, the computer program product is embodied in a Software product, such as a Software Development Kit (SDK), or the like.
Having described embodiments of the present disclosure, the foregoing description is intended to be exemplary, not exhaustive, and not limited to the disclosed embodiments. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein is chosen in order to best explain the principles of the embodiments, the practical application, or improvements made to the technology in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

Claims (17)

1. A method for authorization management based on machine fingerprints, applied to a service node in a plurality of local devices of a target device cluster, the method comprising:
when target software in the target device cluster is in an authorized state, acquiring a local fingerprint of the target device cluster at a preset time interval;
matching the local fingerprint with an authorized original fingerprint of the target device cluster;
maintaining an authorizable state of the target software in the cluster of target devices if the local fingerprint matches the original fingerprint.
2. The method of claim 1, wherein the obtaining the local fingerprint of the target device cluster comprises:
determining at least one information item for information acquisition of the target device cluster based on the original fingerprint;
acquiring information of the target device cluster according to the at least one information item to obtain current acquisition information of the target device cluster;
and generating a local fingerprint of the target device cluster according to the current acquisition information.
3. The method according to claim 1 or 2, characterized in that the method further comprises:
under an offline condition, acquiring the authorized original fingerprint of the target device cluster from a locally stored authorization file, wherein the authorization file is generated by an authorization device, the authorization device is configured to decrypt an imported fingerprint file and write the machine fingerprint obtained by decryption into the authorization file as the authorized original fingerprint of the target device cluster, thereby obtaining the authorization file in ciphertext form, and the fingerprint file is generated based on original acquisition information obtained by acquiring information of the target device cluster.
4. A method according to any one of claims 1 to 3, characterized in that the method further comprises:
in the event that the local fingerprint is confirmed to not match the original fingerprint, ceasing an authorizable state of the target software.
5. The method of claim 1, further comprising:
sending registration information to an authorization device, wherein the registration information includes an authorization identifier and a local fingerprint, and the authorization device is configured to return activation information to the target device cluster when it is determined that the local fingerprint matches an original fingerprint to which an authorization file indicated by the authorization identifier is bound based on the registration information;
the matching the local fingerprint with an authorized original fingerprint of the target device cluster comprises:
and matching the local fingerprint with an original fingerprint obtained by analysis in the activation information.
6. The method of claim 5, further comprising:
analyzing the activation information to obtain the validity period of the activation information;
said maintaining an authorizable state of the target software in the cluster of target devices if the local fingerprint matches the original fingerprint, comprising:
maintaining an authorizable state of the target software in the cluster of target devices if the local fingerprint matches the original fingerprint and the validity period has not expired.
7. The method of claim 6, further comprising:
stopping the target software's authorizable state if the local fingerprint does not match the original fingerprint or the validity period has expired.
8. The method according to any one of claims 5 to 7, further comprising:
receiving authentication failure information sent by the authorization device, wherein the authorization device is used for returning the authentication failure information based on the registration information under the condition that the number of the clusters bound by the authorization file is confirmed to reach a preset number and the local fingerprint is not matched with the original fingerprint bound by the authorization file;
and setting the authorization state of the target software to be a stop authorization state in response to the authentication failure information.
9. The method according to any of claims 5 to 8, wherein the registration information further comprises a local fingerprint of the target cluster; the sending registration information to the authorization device includes:
and sending the registration information to the authorization device at a preset time interval when the target software is in an authorized state, wherein the authorization device is used for confirming that the target software is in an abnormal operation state when the receiving frequency of the registration information is greater than a preset value.
10. A method for authorization management based on machine fingerprints, applied to an authorization device, the method comprising:
receiving registration information sent by a service node of a target device cluster, wherein the registration information comprises an authorization identifier and a local fingerprint of the target device cluster;
judging whether the local fingerprint is matched with an original fingerprint bound by the authorization file indicated by the authorization identifier;
under the condition that the local fingerprint is confirmed to be matched with the original fingerprint bound by the authorization file, returning activation information to the service node; the service node of the target device cluster is configured to match a local fingerprint of the target device cluster with an original fingerprint in the activation information at a preset time interval when target software in the target device cluster is in an authorized state, and maintain the authorized state of the target software in the target device cluster when the local fingerprint is matched with the original fingerprint.
11. The method of claim 10, further comprising:
judging whether the number of the clusters bound by the authorization file reaches a preset number or not;
and under the condition that the local fingerprint is not matched with the original fingerprint bound by the authorization file and the number of the clusters bound by the authorization file does not reach the preset number, binding the authorization file with the local fingerprint carried in the registration information.
12. The method of claim 11, further comprising:
and sending authentication failure information to a service node when the number of the clusters bound by the authorization file reaches the preset number and the local fingerprint is not matched with the original fingerprint bound by the authorization file.
13. The method according to any one of claims 10 to 12, further comprising:
determining the receiving frequency of the registration information;
judging whether the receiving frequency of the registration information is smaller than a preset value;
and under the condition that the receiving frequency is greater than the preset value, confirming that the target software is in an abnormal operation state.
14. An authorization management device based on machine fingerprint, applied to a service node in a plurality of local devices of a target device cluster, comprising:
an acquisition module for acquiring the local fingerprint of the target device cluster at a preset time interval when the target software in the target device cluster is in an authorized state;
a matching module for matching the local fingerprint with an authorized original fingerprint of the cluster of target devices;
a setting module for maintaining an authorizable state of the target software in the cluster of target devices if the local fingerprint matches the original fingerprint.
15. An authorization management device based on machine fingerprint, applied to an authorization device, comprising:
a receiving module for receiving registration information sent by a service node of a target device cluster, wherein the registration information comprises an authorization identifier and a local fingerprint of the target device cluster;
a judging module for judging whether the local fingerprint is matched with an original fingerprint bound by the authorization file indicated by the authorization identifier;
a sending module for returning activation information to the service node under the condition that the local fingerprint is matched with the original fingerprint bound by the authorization file; the service node of the target device cluster is configured to match a local fingerprint of the target device cluster with an original fingerprint in the activation information at a preset time interval when target software in the target device cluster is in an authorized state, and maintain the authorized state of the target software in the target device cluster when the local fingerprint is matched with the original fingerprint.
16. An electronic device, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to invoke the memory-stored instructions to perform the method of any of claims 1 to 9 or to perform the method of any of claims 10 to 13.
17. A computer readable storage medium having computer program instructions stored thereon, which when executed by a processor implement the method of any one of claims 1 to 9 or the method of any one of claims 10 to 13.
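The decision logic of claims 10 to 13 (authorization device) together with the periodic check of claims 1, 4, 6 and 7 (service node), as an added sketch that is not code from the patent or the applicant. All names (`AuthorizationDevice`, `register`, `node_check`), the SHA-256 fingerprint derivation, the dict message format, the sliding-window frequency count and the handling of an unknown authorization identifier are assumptions of this example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

def make_fingerprint(items: dict) -> str:
    # Claim 2: fingerprint generated from collected information items.
    # SHA-256 over sorted key=value lines is an assumption of this sketch.
    canon = "\n".join(f"{k}={items[k]}" for k in sorted(items))
    return hashlib.sha256(canon.encode()).hexdigest()

@dataclass
class AuthorizationFile:
    max_clusters: int                          # the "preset number" of clusters
    bound: set = field(default_factory=set)    # fingerprints bound so far

class AuthorizationDevice:
    def __init__(self, files, max_per_window, window_s, validity_s):
        self.files = files                     # authorization identifier -> file
        self.max_per_window = max_per_window   # the "preset value" for frequency
        self.window_s = window_s
        self.validity_s = validity_s
        self.seen = {}                         # identifier -> recent timestamps
        self.abnormal = set()                  # identifiers flagged per claim 13

    def register(self, auth_id, local_fp, now):
        lic = self.files.get(auth_id)
        if lic is None:                        # unknown identifier: assumed to fail
            return {"status": "auth_failed"}
        recent = [t for t in self.seen.get(auth_id, []) if now - t < self.window_s]
        recent.append(now)
        self.seen[auth_id] = recent
        if len(recent) > self.max_per_window:  # claim 13: too-frequent registration
            self.abnormal.add(auth_id)
        if local_fp not in lic.bound:
            if len(lic.bound) >= lic.max_clusters:
                return {"status": "auth_failed"}   # claim 12: quota reached
            lic.bound.add(local_fp)                # claim 11: bind new cluster
        return {"status": "activated", "original_fp": local_fp,
                "expires": now + self.validity_s}  # claim 10 (+ claim 6 validity)

def node_check(activation, local_fp, now):
    # Claims 1, 4, 6, 7: keep the software authorized only while the freshly
    # collected fingerprint matches and the activation has not expired.
    return (activation.get("status") == "activated"
            and hmac.compare_digest(activation["original_fp"], local_fp)
            and now < activation["expires"])
```

The activation message is an unprotected dict here; a deployment would need to authenticate it (for example with a signature) so that a node cannot forge its own `original_fp` or `expires` values.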
CN202110241348.XA 2021-03-04 2021-03-04 Authorization management method and device, electronic equipment and storage medium Pending CN112784243A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110241348.XA CN112784243A (en) 2021-03-04 2021-03-04 Authorization management method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110241348.XA CN112784243A (en) 2021-03-04 2021-03-04 Authorization management method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN112784243A true CN112784243A (en) 2021-05-11

Family

ID=75762384

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110241348.XA Pending CN112784243A (en) 2021-03-04 2021-03-04 Authorization management method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN112784243A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113837828A (en) * 2021-09-07 2021-12-24 芜湖雄狮汽车科技有限公司 Vehicle-mounted software selling method and device, vehicle and storage medium
CN114640531B (en) * 2022-03-25 2024-03-15 北京奇艺世纪科技有限公司 Device fingerprint generation method and device, electronic device and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3522055A1 (en) * 2018-01-31 2019-08-07 EMC IP Holding Company LLC System and method to enable component inventory and compliance in the platform
CN112069471A (en) * 2020-09-21 2020-12-11 浪潮云信息技术股份公司 Application system authorization method, device and medium based on domestic CPU
CN112417379A (en) * 2020-11-10 2021-02-26 迈普通信技术股份有限公司 Cluster license management method and device, authorization server and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210511