CN113536334A - Authorization checking method, module and system - Google Patents
Authorization checking method, module and system Download PDFInfo
- Publication number
- CN113536334A CN113536334A CN202110643895.0A CN202110643895A CN113536334A CN 113536334 A CN113536334 A CN 113536334A CN 202110643895 A CN202110643895 A CN 202110643895A CN 113536334 A CN113536334 A CN 113536334A
- Authority
- CN
- China
- Prior art keywords
- information
- authorization
- application
- module
- file
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000013475 authorization Methods 0.000 title claims abstract description 295
- 238000000034 method Methods 0.000 title claims abstract description 32
- 238000012795 verification Methods 0.000 claims abstract description 22
- 238000012545 processing Methods 0.000 claims description 11
- 238000005538 encapsulation Methods 0.000 description 8
- 238000010586 diagram Methods 0.000 description 5
- 230000006872 improvement Effects 0.000 description 5
- 230000008569 process Effects 0.000 description 5
- 101100166829 Mus musculus Cenpk gene Proteins 0.000 description 3
- 230000005540 biological transmission Effects 0.000 description 3
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000008676 import Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000002093 peripheral effect Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
Abstract
The invention discloses an authorization verification method, which comprises the following steps: the application module acquires application information; the application module generates an application file according to the application information so that a user can send the application file to a terminal corresponding to the authorization module from the terminal corresponding to the application module, and the encrypted application information is recorded in the application file; the authorization module acquires the application file and authorization information of the target service module; the authorization module generates an authorization file according to the application file and the authorization information, so that an administrator can send the authorization file to a terminal corresponding to the application module from the terminal corresponding to the authorization module and a user can place the authorization file under a root directory of the target service module, and the encrypted application information and the encrypted authorization information are recorded in the authorization file. The invention also discloses an application module, an authorization module, a target service module and an authorization verification method system. The invention can finish the accurate authorization of the target service through the application file and the authorization file, and has high safety.
Description
Technical Field
The present invention relates to the field of communication security technologies, and in particular, to an authorization checking method, an application module, an authorization module, a target service module, and an authorization checking system.
Background
Because of the reproducibility and repeatable execution of software or services, software or service developers and programmers are increasingly vulnerable to illegal copying and use of software or services and to pirated software products. Currently, designs for software or service authorization verification are numerous, for example:
firstly, sending a verification code to the mobile phone, and verifying and authorizing through the verification code.
Secondly, a user-defined key is adopted, certain contents are encrypted by the key, and a receiver decrypts, verifies and authorizes by using the same key, namely, the method is symmetric encryption.
Thirdly, encrypting the data by using the public key and the private key, and then decrypting the data by using the corresponding private key; or encrypted with a private key and decrypted with a public key, which is asymmetric encryption.
However, in whatever manner, the ultimate goal is to verify and authorize the data. However, the above authorization check uses a set of encryption algorithm and key for different customers or different products, and when a certain key is revealed, a new authorization file cannot be generated quickly; meanwhile, the authorization check does not need to carry out integrity check on the encrypted content, so that whether the content is tampered or not can not be quickly judged, and the safety is not high.
Disclosure of Invention
The invention aims to provide an authorization verification method, an application module, an authorization module, a target service module and an authorization verification system, which can finish accurate authorization of target service and have high safety.
In order to solve the above technical problem, the present invention provides an authorization verification method, including: the application module acquires application information; the application module generates an application file according to the application information so that a user can send the application file to a terminal corresponding to an authorization module from the terminal corresponding to the application module, wherein the encrypted application information is recorded in the application file; the authorization module acquires the application file and authorization information of the target service module; the authorization module generates an authorization file according to the application file and the authorization information so that an administrator can send the authorization file to a terminal corresponding to the application module from the terminal corresponding to the authorization module and a user can place the authorization file under a root directory of the target service module to complete authorization, wherein the encrypted application information and the encrypted authorization information are recorded in the authorization file.
As an improvement of the above scheme, the application file and the authorization file both include a plaintext region and a ciphertext region; the plaintext area comprises mark information, an encryption type and a key index, the ciphertext area of the application file is formed by encrypting the application information according to the encryption type and the key index, and the ciphertext area of the authorization file is formed by encrypting the application information and the authorization information according to the encryption type and the key index; the ciphertext area comprises check information, random information and a data set, and the check information is calculated according to the random information and the data set.
As an improvement of the above solution, the data set includes at least one set of data information, and one set of the data information records one item of the application information or the authorization information so that the data information and the application information or the authorization information correspond to each other one by one; each set of the data information comprises a data mark, a data length and data content.
As an improvement of the above scheme, the step of acquiring the application file and the authorization information of the target service module by the authorization module includes: the authorization module acquires the application file; the authorization module decrypts the application file to obtain the application information so that an administrator can upload authorization information according to the application information; the authorization module obtains authorization information.
As an improvement of the above scheme, the authorization checking method further includes: the target service module acquires system information of a terminal corresponding to the target service module; the target service module reads the application information and the authorization information in the authorization file at regular time; the target service module compares the system information with the application information and the authorization information, judges whether the system information is consistent with the application information and the authorization information, and if so, the target service module is in an authorization state, and if not, the target service module is in a failure state.
As an improvement of the scheme, the application information comprises a target service module name, a company name, a CPUID of the CPU and a UUID of the mainboard, and the authorization information comprises the CPUID of the CPU, the UUID of the mainboard, an authorized product and an authorization time range interval.
Correspondingly, the invention also provides an application module, which comprises: the application acquisition unit is used for acquiring application information, wherein the application information comprises a target service module name, a company name, a CPUID (compact peripheral device identifier) of a CPU (central processing unit) and a UUID (user identifier) of a mainboard; the application generation unit is used for generating an application file according to the application information so that a user can send the application file to a terminal corresponding to an authorization module from the terminal corresponding to the application module, wherein the application file records encrypted application information and comprises a plaintext area and a ciphertext area, the plaintext area comprises mark information, an encryption type and a key index, the ciphertext area of the application file is formed by encrypting the application information according to the encryption type and the key index, the ciphertext area comprises verification information, random information and a data set, and the verification information is calculated according to the random information and the data set;
correspondingly, the invention also provides an authorization module, comprising: the authorization acquisition unit is used for acquiring an application file of an application module and authorization information of a target service module, wherein the authorization information comprises an effective date range; and the authorization generation unit is used for generating an authorization file according to the application file and the authorization information so that an administrator can send the authorization file to a terminal corresponding to the application module from the terminal corresponding to the authorization module and place the authorization file under a root directory of the target service module to complete authorization, wherein the encrypted application information and the encrypted authorization information are recorded in the authorization file, the authorization file comprises a plaintext area and a ciphertext area, the plaintext area comprises mark information, an encryption type and a key index, the ciphertext area of the authorization file is formed by encrypting the application information and the authorization information according to the encryption type and the key index, the ciphertext area comprises verification information, random information and a data set, and the verification information is calculated according to the random information and the data set.
Correspondingly, the invention also provides a target service module, which comprises: the system acquisition unit is used for acquiring system information of a terminal corresponding to the target service module, wherein the system information comprises a CPUID (central processing unit) of a CPU (central processing unit), a UUID (user identifier) of a mainboard and time information; the authorization file comprises a plaintext area and a ciphertext area, the plaintext area comprises mark information, an encryption type and a key index, the ciphertext area of the authorization file is formed by encrypting the application information and the authorization information according to the encryption type and the key index, the ciphertext area comprises verification information, random information and a data set, the verification information is calculated according to the random information and the data set, the application information comprises a target service module name, a company name, a CPUID (public key identification) of a CPU (central processing unit) and a UUID (user identifier) of a mainboard, and the authorization information comprises an effective date range; and the information comparison unit is used for comparing the system information with the application information and the authorization information, judging whether the system information is consistent with the application information and the authorization information, if so, indicating that the target service module is in an authorization state, and if not, indicating that the target service module is in a failure state.
Correspondingly, the invention also provides an authorization verification system, which comprises the application module, the authorization module and the target service module.
The implementation of the invention has the following beneficial effects:
the invention introduces the application file and the authorization file with unique structures to accurately authorize the target service, has high safety, and particularly comprises the following steps: the plain text areas of the application files and the authorization files are provided with encryption type fields and key index fields, and different encryption algorithms and keys can be adopted for different users or target services to encrypt, so that even if a certain key is leaked, new application files and authorization files can be quickly generated by changing the key index. The flexibility is strong; meanwhile, the ciphertext areas of the application file and the authorization file are provided with check information fields, and the check information is a check sum calculated by random information and a data group, so that the encrypted content can be effectively checked for completeness through the check information, the content is prevented from being tampered, and the security is high.
In addition, the system information is compared with the application information and the authorization information in the verification process, so that whether the target service module is authorized or not can be effectively detected, and the accuracy is high.
Drawings
FIG. 1 is a flow chart of a first embodiment of an authorization checking method of the present invention;
FIG. 2 is a diagram illustrating the data structure of an application document and an authorization document according to the present invention;
FIG. 3 is a flow chart of a second embodiment of the authorization checking method of the present invention;
FIG. 4 is a schematic diagram of the authorization verification system of the present invention;
FIG. 5 is a schematic structural diagram of an application module in the authorization check system according to the present invention;
FIG. 6 is a schematic structural diagram of a receiving module in the authorization verification system according to the present invention;
FIG. 7 is a schematic structural diagram of a target service module in the authorization check system according to the present invention;
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the accompanying drawings.
Referring to fig. 1, fig. 1 shows a flowchart of a first embodiment of the authorization checking method of the present invention, which includes:
s101, the application module acquires application information.
It should be noted that the application information is used to record the relevant information of the terminal corresponding to the target service module that needs to be authorized. Specifically, the application information includes a name of the target service module, a company name, a CPUID of the CPU, and a UUID of the motherboard. The name of the target service module and the name of the company can be input into the application module by a user according to actual conditions, and the CPUID of the CPU and the UUID of the mainboard can be acquired by the application module by automatically reading a terminal corresponding to the application module.
And S102, the application module generates an application file according to the application information.
It should be noted that, the application module performs encryption and encapsulation processing on the application information according to a preset encapsulation method to generate an application file, that is, the application file records the encrypted application information.
As shown in fig. 2, the application file includes a plaintext region and a ciphertext region. Specifically, the method comprises the following steps:
the plaintext area of the application file is used for storing the content which does not need to be encrypted, and the plaintext area comprises flag information (flag field), an encryption type (ver field) and a key index (key _ solt field). In the invention, the plaintext zone contains 8 bytes of content, and 4 bytes of marking information, 2 bytes of encryption type and 2 bytes of key index are respectively used as examples, and the byte size of each part can be set at will; wherein, the marking information is used for marking the application document; the encryption type is used for recording the type of the encryption algorithm; the key index is used to describe key information.
And the ciphertext area of the application file is formed by encrypting the application information according to the encryption type and the key index and is used for storing the content to be encrypted. In the encryption process, corresponding key keys and vector keys can be calculated according to the key indexes, and then the application information can be encrypted by combining the encryption type (namely, an encryption algorithm).
In the invention, the ciphertext area comprises check information (crc field), random information (random field) and a data group; the check information is 2 bytes and is calculated according to the random information and the data group, namely, the check information is a check sum calculated by the random information and the data group; the random information is 2 bytes and is used for recording random numbers; the data group comprises at least one group of data information, and the group of data information records application information so that the data information corresponds to the application information one by one.
For example, if the application module acquires 4 items of application information, namely the name of the target service module, the name of a company, the CPUID of the CPU, and the UUID of the motherboard, the application module should deal with 4 sets of data information, wherein the 1 st set of data information is used for recording the related content of the name of the service module, the 2 nd set of data information is used for recording the related content of the name of the company, the 3 rd set of data information is used for recording the related content of the CPUID of the CPU, and the 4 th set of data information is used for recording the related content of the UUID of the motherboard.
Further, each set of data information includes a data flag (data _ tag field), a data length (data _ len field), and a data content (e.g., value field/CPUID field/data field). Wherein, the data mark is 2 bytes, it is used for marking the correspondent data information; the data length is 2 bytes, and the data length is used for recording the length of corresponding data information; the byte length of the data content is consistent with the recorded length of the data length, and the data length is used for recording real data of corresponding data information.
Accordingly, after the application module generates the application file, the user can send the application file from the terminal corresponding to the application module to the terminal corresponding to the authorization module. Specific sending methods include e-mail sending, mobile hard disk transmission and the like, but are not limited thereto as long as the application file can be transmitted.
S103, the authorization module acquires the application file and the authorization information of the target service module.
Specifically, the step of acquiring the application file and the authorization information of the target service module by the authorization module includes:
(1) the authorization module obtains an application document.
It should be noted that the application file is generated by the application module, the terminal corresponding to the application module sends the application file to the terminal corresponding to the authorization module, and then the administrator imports the application file into the authorization module to obtain the application file.
(2) And the authorization module decrypts the application file to acquire application information so that an administrator can upload authorization information according to the application information.
After the authorization module obtains the application file, the application file can be decrypted according to the encryption type field and the key index field recorded in the plain text area of the application file so that an administrator can check corresponding application information, and then the administrator distributes authorization information for the target service module according to the application information.
The authorization information is used for recording the effective condition of the target service module. Preferably, the authorization information includes a valid date range, but is not limited thereto as long as valid conditions can be defined.
(3) The authorization module obtains authorization information.
The authorization module acquires authorization information uploaded/input by an administrator.
And S104, the authorization module generates an authorization file according to the application file and the authorization information.
It should be noted that, the authorization module performs encryption and encapsulation processing on the authorization information and the application information in the application file according to a preset encapsulation method to generate an authorization file, that is, the authorization file records the encrypted application information and the encrypted authorization information.
As shown in fig. 2, the authorization file includes a plain text region and a cipher text region. Specifically, the method comprises the following steps:
the plaintext area of the authorization file is used for storing content that does not need to be encrypted, and the plaintext area includes flag information (flag field), an encryption type (ver field), and a key index (key _ solt field). In the invention, a plaintext area contains 8 bytes of content, and 4 bytes of marking information, 2 bytes of encryption type and 2 bytes of key index are respectively contained; wherein, the marking information is used for identifying the authorization file; the encryption type is used for recording the type of the encryption algorithm; the key index is used to describe key information.
The cipher text area of the authorization file is formed by encrypting the application information and the authorization information according to the encryption type and the key index and is used for storing the content to be encrypted. In the encryption process, corresponding key keys and vector keys can be calculated according to the key indexes, and then the application information and the authorization information can be encrypted by combining the encryption type (namely, an encryption algorithm).
In the invention, the ciphertext area comprises check information (crc field), random information (random field) and a data group; the check information is 2 bytes and is calculated according to the random information and the data group, namely, the check information is a check sum calculated by the random information and the data group; the random information is 2 bytes and is used for recording random numbers; the data group comprises at least one group of data information, and the group of data information records an application message or an authorization message so that the data information and the application message or the authorization message are in one-to-one correspondence.
For example, if the authorization module obtains 4 items of application information and 1 item of authorization information as the name of the target service module (i.e., application information), the name of the company (i.e., application information), the CPUID of the CPU (i.e., application information), the UUID of the motherboard (i.e., application information), and the valid date range (i.e., authorization information), 5 sets of data information should be associated, the 1 st set of data information is used to describe the relevant content of the name of the service module, the 2 nd set of data information is used to describe the relevant content of the company name, the 3 rd set of data information is used to describe the relevant content of the CPUID of the CPU, the 4 th set of data information is used to describe the relevant content of the UUID of the motherboard, and the 5 th set of data information is used to describe the relevant content of the valid date range.
Further, each set of data information includes a data flag (data _ tag field), a data length (data _ len field), and a data content (e.g., value field/StartTime field/EndTime field/CPUID field/data field). Wherein, the data mark is 2 bytes, it is used for marking the correspondent data information; the data length is 2 bytes, and the data length is used for recording the length of corresponding data information; the byte length of the data content is consistent with the recorded length of the data length, and the data length is used for recording real data of corresponding data information.
Correspondingly, after the authorization module generates the authorization file, the administrator sends the authorization file from the terminal corresponding to the authorization module to the terminal corresponding to the application module, and then the user places the authorization file under the root directory of the target service module to complete authorization.
Different from the prior art, the invention introduces an application document and an authorization document with unique structures; the plain text areas of the application files and the authorization files are provided with encryption type fields and key index fields, and different encryption algorithms and keys can be used for encrypting different users or target services, so that even if a certain key is leaked, new application files and authorization files can be quickly generated by changing the key index. The flexibility is strong; meanwhile, the ciphertext areas of the application file and the authorization file are provided with check information fields, and the check information is a check sum calculated by random information and a data group, so that the encrypted content can be effectively checked for completeness through the check information, the content is prevented from being tampered, and the security is high.
Referring to fig. 3, fig. 3 shows a flowchart of a second embodiment of the authorization checking method of the present invention, which includes:
s201, the application module acquires application information.
And S202, the application module generates an application file according to the application information.
Accordingly, after the application module generates the application file, the user can send the application file from the terminal corresponding to the application module to the terminal corresponding to the authorization module.
S203, the authorization module acquires the application file and the authorization information of the target service module.
And S204, the authorization module generates an authorization file according to the application file and the authorization information.
Correspondingly, after the authorization module generates the authorization file, the administrator sends the authorization file from the terminal corresponding to the authorization module to the terminal corresponding to the application module, and then the user places the authorization file under the root directory of the target service module to complete authorization.
And S205, the target service module acquires the system information of the terminal corresponding to the target service module.
When the target service module needs to be started, the target service module acquires system information of a corresponding terminal, wherein the system information comprises a CPUID of a CPU, a UUID of a mainboard and time information (namely current system time).
S206, the target service module reads the application information and the authorization information in the authorization file at regular time.
The target service module can decrypt the authorization file according to the encryption type field and the key index field recorded in the plaintext area of the authorization file to extract application information and authorization information, wherein the application information comprises the name of the target service module, the name of a company, the CPUID of the CPU and the UUID of the mainboard, and the authorization information comprises an effective date range.
S207, the target service module compares the system information with the application information and the authorization information and judges whether the system information is consistent with the application information and the authorization information.
Comparing the CPUID of the CPU acquired by the target service module with the CPUID of the CPU in the application information, comparing the UUID of the mainboard acquired by the target service module with the UUID of the mainboard in the application information, and comparing the time information acquired by the target service module with the effective date range in the application information.
And S208, when the judgment result is yes, the target service module is in an authorized state.
When the CPUID of the CPU is consistent, the UUID of the mainboard is consistent, and the time information is in the valid date range, the target service module is in an authorized state, and the target service module can be started to operate normally.
S209, when the judgment is no, the target service module is in a failure state.
When the CPUID of the CPU is inconsistent, the UUID of the mainboard is inconsistent or the time information is not in the valid date range, the target service module is in a failure state and cannot be used.
Therefore, the invention can effectively detect whether the target service module is authorized or not by comparing the system information with the application information and the authorization information, and has high accuracy.
Referring to fig. 4, fig. 4 shows a specific structure of the authorization checking system 100 of the present invention, which includes an application module 1, an authorization module 2, and a target service module 3.
In general, the application module 1 and the target service module 4 are operated and used by a user and can be installed in the same terminal at the same time; and the authorization module 2 is operated by an administrator and can be installed in another terminal.
For example, an application module a, a target service module a1 and a target service module a2 are installed in the terminal a, an application module B, a target service module B1 and a target service module B2 are installed in the terminal B, and an authorization module C is installed in the terminal C; when authorization needs to be performed on the target service module B1 in the terminal B, a user firstly processes through the application module B in the terminal B to generate an application file, then sends the application file to the terminal C, then an administrator generates an authorization file according to the application file through the authorization module C in the terminal C, sends the authorization file to the terminal B, and finally the user places the authorization file under the root directory of the target service module B1 to complete authorization. When the user starts the target service module B1 in the terminal B, the target service module B1 reads the authorization file under the root directory, thereby detecting whether authorization is obtained, and performing the next operation.
As shown in fig. 5, the application module 1 includes:
and an application acquiring unit 11, configured to acquire application information. It should be noted that the application information is used to record the relevant information of the terminal corresponding to the target service module that needs to be authorized. Specifically, the application information includes a name of the target service module, a company name, a CPUID of the CPU, and a UUID of the motherboard. The name of the target service module and the name of the company can be input into the application module by a user according to actual conditions, and the CPUID of the CPU and the UUID of the mainboard can be acquired by the application module by automatically reading a terminal corresponding to the application module.
And an application generating unit 12, configured to generate an application file according to the application information. It should be noted that, the application module performs encryption and encapsulation processing on the application information according to a preset encapsulation method to generate an application file, that is, the application file records the encrypted application information.
Accordingly, after the application generating unit 12 generates the application file, the user can send the application file from the terminal corresponding to the application module 1 to the terminal corresponding to the authorization module 2. Specific sending modes include e-mail sending, mobile hard disk transmission and the like, but are not limited to this, as long as the transmission of the application file can be realized.
As shown in fig. 6, the authorization module 2 includes:
and an authorization obtaining unit 21, configured to obtain the application file of the application module 1 and the authorization information of the target service module 3. It should be noted that the application file is generated by the application module 1, the terminal corresponding to the application module 1 sends the application file to the terminal corresponding to the authorization module 2, and the administrator introduces the application file into the authorization module 2, so that the authorization obtaining unit 21 obtains the application file. Meanwhile, after the authorization obtaining unit 21 obtains the application file, the application file may be decrypted according to the encryption type field and the key index field recorded in the plain text area of the application file, so that the administrator may view corresponding application information, and then the administrator may distribute authorization information for the target service module 3 according to the application information, where the authorization information is used to record valid conditions of the target service module 3, and preferably, the authorization information includes a valid date range, but is not limited thereto, as long as the valid conditions can be defined. Finally, the authorization acquisition unit 21 acquires authorization information uploaded/input by the administrator.
And the authorization generating unit 22 is configured to generate an authorization file according to the application file and the authorization information, so that an administrator sends the authorization file from the terminal corresponding to the authorization module 2 to the terminal corresponding to the application module 1, and a user places the authorization file under the root directory of the target service module 3 to complete authorization. It should be noted that the authorization generating unit 22 performs encryption and encapsulation processing on the authorization information and the application information in the application file according to a preset encapsulation method to generate the authorization file, that is, the encrypted application information and the encrypted authorization information are recorded in the authorization file.
As shown in fig. 2, both the application file and the authorization file include a plaintext region and a ciphertext region. Specifically, the method comprises the following steps:
the plaintext areas of the application file and the authorization file are used for storing contents which do not need to be encrypted, and the plaintext areas comprise flag information (flag field), encryption types (ver field) and key indexes (key _ solt field). In the invention, a plaintext area contains 8 bytes of content, and 4 bytes of marking information, 2 bytes of encryption type and 2 bytes of key index are respectively contained; wherein, the marking information is used for marking the application document and the authorization document; the encryption type is used for recording the type of the encryption algorithm; the key index is used to describe key information.
The cipher text areas of the application file and the authorization file are formed by encrypting the application information and the authorization information according to the encryption type and the key index and are used for storing the contents to be encrypted. In the encryption process, corresponding key keys and vector keys can be calculated according to the key indexes, and then the application information and the authorization information can be encrypted by combining the encryption type (namely, an encryption algorithm).
In the invention, the ciphertext area comprises check information (crc field), random information (random field) and a data group; the check information is 2 bytes and is calculated according to the random information and the data group, namely, the check information is a check sum calculated by the random information and the data group; the random information is 2 bytes and is used for recording random numbers; the data group comprises at least one group of data information, and the group of data information records an application message or an authorization message so that the data information and the application message or the authorization message are in one-to-one correspondence.
Further, each set of data information includes a data flag (data _ tag field), a data length (data _ len field), and a data content (e.g., value field/StartTime field/EndTime field/CPUID field/data field). Wherein, the data mark is 2 bytes, it is used for marking the correspondent data information; the data length is 2 bytes, and the data length is used for recording the length of corresponding data information; the byte length of the data content is consistent with the recorded length of the data length, and the data length is used for recording real data of corresponding data information.
From the above, the invention introduces the application document and the authorization document with unique structure; the plain text areas of the application files and the authorization files are provided with encryption type fields and key index fields, and different encryption algorithms and keys can be used for encrypting different users or target services, so that even if a certain key is leaked, new application files and authorization files can be quickly generated by changing the key index. The flexibility is strong; meanwhile, the ciphertext areas of the application file and the authorization file are provided with check information fields, and the check information is a check sum calculated by random information and a data group, so that the encrypted content can be effectively checked for completeness through the check information, the content is prevented from being tampered, and the security is high.
As shown in fig. 7, the target service module 3 includes:
the system obtaining unit 31 is configured to obtain system information of a terminal corresponding to the target service module 3. When the target service module 3 needs to be started, the target service module 3 acquires system information of a corresponding terminal, wherein the system information includes the CPUID of the CPU, the UUID of the motherboard, and time information (i.e., current system time).
And the timing reading unit 32 is used for regularly reading the application information and the authorization information in the authorization file. It should be noted that the timing reading unit 32 can decrypt the authorization file according to the encryption type field and the key index field recorded in the plaintext region of the authorization file to extract the application information and the authorization information. The application information comprises a target service module name, a company name, a CPUID of the CPU and a UUID of the mainboard, and the authorization information comprises an effective date range.
And an information comparing unit 33, configured to compare the system information with the application information and the authorization information, determine whether the system information is consistent with the application information and the authorization information, if yes, indicate that the target service module is in an authorized state, and if not, indicate that the target service module is in a failed state.
Therefore, the CPUID of the CPU in the target system information is compared with the CPUID of the CPU in the application information, the UUID of the mainboard in the system information is compared with the UUID of the mainboard in the application information, and the time information in the system information is compared with the effective date range in the application information. When the CPUID of the CPU is consistent, the UUID of the mainboard is consistent, and the time information is in the valid date range, the target service module 3 is in an authorized state, and the target service module 3 can be started to operate normally. When the CPUID of the CPU is inconsistent, the UUID of the motherboard is inconsistent, or the time information is not within the valid date range, it indicates that the target service module 3 is in a disabled state, and the target service module 3 is not available.
Therefore, the invention can effectively detect whether the target service module is authorized or not by comparing the system information with the application information and the authorization information, and has high accuracy.
While the foregoing is directed to the preferred embodiment of the present invention, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention.
Claims (10)
1. An authorization verification method, comprising:
the application module acquires application information;
the application module generates an application file according to the application information so that a user can send the application file to a terminal corresponding to an authorization module from the terminal corresponding to the application module, wherein the encrypted application information is recorded in the application file;
the authorization module acquires the application file and authorization information of the target service module;
the authorization module generates an authorization file according to the application file and the authorization information so that an administrator can send the authorization file to a terminal corresponding to the application module from the terminal corresponding to the authorization module and a user can place the authorization file under a root directory of the target service module to complete authorization, wherein the encrypted application information and the encrypted authorization information are recorded in the authorization file.
2. The authorization checking method according to claim 1, wherein the application file and the authorization file both include a plaintext region and a ciphertext region;
the plaintext area comprises mark information, an encryption type and a key index, the ciphertext area of the application file is formed by encrypting the application information according to the encryption type and the key index, and the ciphertext area of the authorization file is formed by encrypting the application information and the authorization information according to the encryption type and the key index;
the ciphertext area comprises check information, random information and a data set, and the check information is calculated according to the random information and the data set.
3. The authorization checking method according to claim 2, wherein the data set includes at least one set of data information, and one set of the data information records one item of the application information or the authorization information so that the data information corresponds to the application information or the authorization information one to one;
each set of the data information comprises a data mark, a data length and data content.
4. The authorization checking method according to claim 1, wherein the step of the authorization module obtaining the application document and the authorization information of the target service module comprises:
the authorization module acquires the application file;
the authorization module decrypts the application file to obtain the application information so that an administrator can upload authorization information according to the application information;
the authorization module obtains authorization information.
5. The authorization checking method of claim 1, further comprising:
the target service module acquires system information of a terminal corresponding to the target service module;
the target service module reads the application information and the authorization information in the authorization file at regular time;
the target service module compares the system information with the application information and the authorization information to judge whether the system information is consistent with the application information and the authorization information,
if yes, the target service module is in an authorization state,
and if not, the target service module is in a failure state.
6. The authorization checking method according to claim 1, wherein the application information includes a name of the target service module, a company name, a CPUID of the CPU, and a UUID of the motherboard, and the authorization information includes the CPUID of the CPU, the UUID of the motherboard, an authorized product, and an authorization time range interval.
7. An application module, comprising:
the application acquisition unit is used for acquiring application information, wherein the application information comprises a target service module name, a company name, a CPUID of a CPU and a UUID of a mainboard;
the application generation unit is used for generating an application file according to the application information, so that a user can send the application file to a terminal corresponding to the authorization module from the terminal corresponding to the application module, wherein the application file is recorded with the application information after encryption and comprises a plaintext area and a ciphertext area, the plaintext area comprises mark information, an encryption type and a key index, the ciphertext area of the application file is encrypted according to the encryption type and the key index to form the application information, and the ciphertext area comprises check information, random information and a data set and the check information is calculated according to the random information and the data set.
8. An authorization module, comprising:
the authorization acquisition unit is used for acquiring an application file of an application module and authorization information of a target service module, wherein the authorization information comprises an effective date range;
and the authorization generation unit is used for generating an authorization file according to the application file and the authorization information so that an administrator can send the authorization file to a terminal corresponding to the application module from the terminal corresponding to the authorization module and place the authorization file under a root directory of the target service module to complete authorization, wherein the encrypted application information and the encrypted authorization information are recorded in the authorization file, the authorization file comprises a plaintext area and a ciphertext area, the plaintext area comprises mark information, an encryption type and a key index, the ciphertext area of the authorization file is formed by encrypting the application information and the authorization information according to the encryption type and the key index, the ciphertext area comprises verification information, random information and a data set, and the verification information is calculated according to the random information and the data set.
9. A target service module, comprising:
the system acquisition unit is used for acquiring system information of a terminal corresponding to the target service module, wherein the system information comprises a CPUID (central processing unit) of a CPU (central processing unit), a UUID (user identifier) of a mainboard and time information;
a timing reading unit for reading the application information and the authorization information in the authorization file at a timing,
the authorization file comprises a plaintext area and a ciphertext area, the plaintext area comprises mark information, an encryption type and a key index, the ciphertext area of the authorization file is formed by encrypting application information and authorization information according to the encryption type and the key index, the ciphertext area comprises check information, random information and a data set, the check information is calculated according to the random information and the data set, the application information comprises a target service module name, a company name, a CPU (Central processing Unit) CPUID (public user interface device) and a mainboard UUID (user identifier), and the authorization information comprises a CPU CPUID, a mainboard UUID, an authorization product and an authorization time range interval;
and the information comparison unit is used for comparing the system information with the application information and the authorization information, judging whether the system information is consistent with the application information and the authorization information, if so, indicating that the target service module is in an authorization state, and if not, indicating that the target service module is in a failure state.
10. An authorization verification system, comprising:
an application module as claimed in claim 7;
an authorization module as claimed in claim 8;
the target service module of claim 9.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110643895.0A CN113536334A (en) | 2021-06-09 | 2021-06-09 | Authorization checking method, module and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110643895.0A CN113536334A (en) | 2021-06-09 | 2021-06-09 | Authorization checking method, module and system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN113536334A true CN113536334A (en) | 2021-10-22 |
Family
ID=78124751
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110643895.0A Pending CN113536334A (en) | 2021-06-09 | 2021-06-09 | Authorization checking method, module and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113536334A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114706857A (en) * | 2022-04-22 | 2022-07-05 | 北京友友天宇系统技术有限公司 | Unified authentication/authorization method, equipment and storage medium for cross-multi-source heterogeneous storage system |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110213276A (en) * | 2019-06-05 | 2019-09-06 | 宁波深擎信息科技有限公司 | Authority checking method, server, terminal and medium under a kind of micro services framework |
| CN110348181A (en) * | 2019-07-15 | 2019-10-18 | 广东名阳信息科技有限公司 | A kind of method of verification software right to use legitimacy |
| CN110659457A (en) * | 2019-09-20 | 2020-01-07 | 安徽听见科技有限公司 | Application authorization verification method and device and client |
| CN111625783A (en) * | 2020-05-26 | 2020-09-04 | 郑州轻工业大学 | Software authorization management system based on multi-stage encryption |
| WO2020192773A1 (en) * | 2019-03-27 | 2020-10-01 | 深圳市网心科技有限公司 | Digital identity authentication method, device, apparatus and system, and storage medium |
| CN112699342A (en) * | 2021-03-24 | 2021-04-23 | 统信软件技术有限公司 | Authorization control method, authorization device and computing equipment |
-
2021
- 2021-06-09 CN CN202110643895.0A patent/CN113536334A/en active Pending
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2020192773A1 (en) * | 2019-03-27 | 2020-10-01 | 深圳市网心科技有限公司 | Digital identity authentication method, device, apparatus and system, and storage medium |
| CN110213276A (en) * | 2019-06-05 | 2019-09-06 | 宁波深擎信息科技有限公司 | Authority checking method, server, terminal and medium under a kind of micro services framework |
| CN110348181A (en) * | 2019-07-15 | 2019-10-18 | 广东名阳信息科技有限公司 | A kind of method of verification software right to use legitimacy |
| CN110659457A (en) * | 2019-09-20 | 2020-01-07 | 安徽听见科技有限公司 | Application authorization verification method and device and client |
| CN111625783A (en) * | 2020-05-26 | 2020-09-04 | 郑州轻工业大学 | Software authorization management system based on multi-stage encryption |
| CN112699342A (en) * | 2021-03-24 | 2021-04-23 | 统信软件技术有限公司 | Authorization control method, authorization device and computing equipment |
Non-Patent Citations (1)
| Title |
|---|
| 展召磊;赵华伟;褚东升;施鹏;: "安全OA模型的研究与设计", 计算机工程与设计, no. 14 * |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114706857A (en) * | 2022-04-22 | 2022-07-05 | 北京友友天宇系统技术有限公司 | Unified authentication/authorization method, equipment and storage medium for cross-multi-source heterogeneous storage system |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110493197B (en) | Login processing method and related equipment | |
| CN110519309B (en) | Data transmission method, device, terminal, server and storage medium | |
| US5701343A (en) | Method and system for digital information protection | |
| CN101444063B (en) | Secure time functionality for a wireless device | |
| CN1985466B (en) | Method of delivering direct proof private keys in signed groups to devices using a distribution CD | |
| CN110798315B (en) | Data processing method and device based on block chain and terminal | |
| US20200106775A1 (en) | Method, device, system for authenticating an accessing terminal by server, server and computer readable storage medium | |
| KR101754308B1 (en) | Method for management sensitive data of mobile and escrow server for performing the method | |
| CN109274644B (en) | Data processing method, terminal and watermark server | |
| CN113472793A (en) | Personal data protection system based on hardware password equipment | |
| WO2010025318A2 (en) | Encrypting a unique cryptographic entity | |
| CN113553572A (en) | Resource information acquisition method and device, computer equipment and storage medium | |
| US20040143741A1 (en) | Multi-stage authorisation system | |
| CN112765626A (en) | Authorization signature method, device and system based on escrow key and storage medium | |
| CN110598377A (en) | Software serial number management method and device based on block chain | |
| CN111583482A (en) | Access control system based on two-dimensional code and control method thereof | |
| CN115499844A (en) | Mobile terminal information safety protection system and method | |
| CN107548542B (en) | User authentication method with enhanced integrity and security | |
| CN113536334A (en) | Authorization checking method, module and system | |
| CN101399663B (en) | Method, system and device for digital content authentication | |
| CN103336918B (en) | Electronic hard disk system authorization method and device | |
| CN112383577A (en) | Authorization method, device, system, equipment and storage medium | |
| CN105809494A (en) | method and system for invoice generation and invoice verification | |
| CN109639688B (en) | Internet of things safety protection system and protection method thereof | |
| CN113127818A (en) | Block chain-based data authorization method and device and readable storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |