CN113626787A - Equipment fingerprint generation method and related equipment - Google Patents
- Publication number
- CN113626787A (CN202110995607.8A)
- Authority
- CN
- China
- Prior art keywords
- fingerprint
- equipment
- information
- terminal
- server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/32—User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
-
- G—PHYSICS
- G16—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
- G16Y—INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
- G16Y20/00—Information sensed or collected by the things
- G16Y20/40—Information sensed or collected by the things relating to personal data, e.g. biometric data, records or preferences
-
- G—PHYSICS
- G16—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
- G16Y—INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
- G16Y40/00—IoT characterised by the purpose of the information processing
- G16Y40/50—Safety; Security of things, users, data or systems
Abstract
The disclosure provides a device fingerprint generation method and a related device. The method is applied to the terminal equipment and comprises the following steps: collecting equipment information of the terminal equipment on a native layer of the terminal equipment in response to the terminal equipment being started; generating the equipment fingerprint of the terminal equipment according to the equipment information on the native layer according to a preset fingerprint generation algorithm; and providing the device fingerprint for the application layer to be called based on the interface calling mechanism of the native layer and the application layer of the terminal device.
Description
Technical Field
The disclosure relates to the technical field of internet of things, and in particular relates to a device fingerprint generation method and related devices.
Background
In recent years, the use of the intelligent terminal of the internet of things is more and more widespread. Some internet of things terminal products are widely used in our lives, such as screen painting.
In order to provide better services, the intelligent terminal device also needs to rely on the server side to provide better support, such as business member services. The member service can bring more convenient and faster service to the user. Generally, the server needs to record the identity information of each device for verifying whether to provide member services for the device.
A device fingerprint is a device feature or unique device identification that uniquely identifies the device and can be used for device identity verification. With the improvement of technology, some users may tamper with device-specific information by technical means, so that after one device completes registration, multiple devices use that registration to enjoy the services.
Disclosure of Invention
The embodiment of the disclosure provides an equipment fingerprint generation method and related equipment.
In a first aspect of the embodiments of the present disclosure, a method for generating a device fingerprint is provided, which is applied to a terminal device, and includes:
collecting equipment information of the terminal equipment on a native layer of the terminal equipment in response to the terminal equipment being started;
generating the equipment fingerprint of the terminal equipment according to the equipment information on the native layer according to a preset fingerprint generation algorithm; and
providing the device fingerprint for the application layer to be called based on an interface calling mechanism of the native layer and the application layer of the terminal device.
In a second aspect of the disclosed embodiments, there is provided a terminal device, comprising one or more processors, a memory; and one or more programs, wherein the one or more programs are stored in the memory and executed by the one or more processors, the programs comprising instructions for performing the method of the first aspect.
In a third aspect of the embodiments of the present disclosure, an internet of things system is provided, including:
the terminal device of the second aspect, configured to: receiving a service request sent by a user and sending the service request to a server; responding to a received equipment information acquisition request of a server, and sending corresponding equipment information to the server according to the equipment information acquisition request; and
a server connected to the terminal device via a network and configured to:
receiving the service request sent by the terminal equipment;
determining whether fingerprint verification needs to be carried out on the terminal equipment or not according to the service request;
responding to the requirement of fingerprint verification on the terminal equipment, and sending an equipment information acquisition request to the terminal equipment;
receiving equipment information sent by the terminal equipment based on the equipment information acquisition request;
generating a first device fingerprint of the terminal device according to the device information according to a preset fingerprint generation algorithm;
determining whether the first device fingerprint corresponds to a second device fingerprint of the terminal device stored by the server; and
in response to the first device fingerprint being consistent with the second device fingerprint, outputting fingerprint verification passing information of the terminal device.
In a fourth aspect of the embodiments of the present disclosure, there is provided a non-transitory computer-readable storage medium containing a computer program which, when executed by one or more processors, causes the processors to perform the method of the first aspect.
In a fifth aspect of the embodiments of the present disclosure, there is provided a computer program product comprising computer program instructions which, when run on a computer, cause the computer to perform the method of the first aspect.
According to the device fingerprint generation method and the related device provided by the embodiment of the disclosure, the device fingerprint is generated through the preset fingerprint generation algorithm by reading the device information at the native layer of the terminal device, so that the device fingerprint can be prevented from being illegally tampered by a user to a certain extent, and the security is improved.
Drawings
In order to more clearly illustrate the technical solutions in the present disclosure or related technologies, the drawings needed to be used in the description of the embodiments or related technologies are briefly introduced below, and it is obvious that the drawings in the following description are only embodiments of the present disclosure, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 shows a schematic diagram of an internet of things system provided by an embodiment of the present disclosure.
FIG. 2 shows an exemplary architecture diagram of an android system in accordance with an embodiment of the present disclosure.
Fig. 3 shows a schematic diagram of a terminal device interacting with a server according to an embodiment of the present disclosure.
Fig. 4 shows an exemplary hardware structure diagram of a more specific computer device provided by the embodiment of the present disclosure.
Fig. 5 shows a flow diagram of an exemplary method provided by an embodiment of the present disclosure.
Detailed Description
For the purpose of promoting a better understanding of the objects, aspects and advantages of the present disclosure, reference is made to the following detailed description taken in conjunction with the accompanying drawings.
It is to be noted that technical terms or scientific terms used in the embodiments of the present disclosure should have a general meaning as understood by those having ordinary skill in the art to which the present disclosure belongs, unless otherwise defined. The use of "first," "second," and similar terms in the embodiments of the disclosure is not intended to indicate any order, quantity, or importance, but rather to distinguish one element from another. The word "comprising" or "comprises", and the like, means that the element or item listed before the word covers the element or item listed after the word and its equivalents, but does not exclude other elements or items. The terms "connected" or "coupled" and the like are not restricted to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "upper", "lower", "left", "right", and the like are used merely to indicate relative positional relationships, and when the absolute position of the object being described is changed, the relative positional relationships may also be changed accordingly.
Most of the existing device fingerprint technologies collect intrinsic characteristic values of terminal devices at an application end (i.e., an application program), and then generate device fingerprints through calculation. However, this approach has at least the following drawbacks: 1. some inherent device information, for example, the International Mobile Equipment Identity number (IMEI number for short), the Media Access Control Address (MAC address for short), etc., may be modified by technical means, which can easily cause a plurality of devices to share one device fingerprint; 2. the process of generating a device fingerprint is strongly dependent on the client application (i.e., the application is used to generate the device fingerprint), and it is easy to find out which device feature values the client application uses through a decompilation technique.
In view of this, the embodiments of the present disclosure provide an apparatus fingerprint generation method and related apparatus, which can effectively improve the security and uniqueness of an apparatus fingerprint and protect the benefits of enterprises.
Fig. 1 shows a schematic diagram of an internet of things system 100 provided by an embodiment of the present disclosure.
As shown in fig. 1, the internet of things system 100 may include a server 300 and a plurality of terminal devices 200a to 200n. The server 300 may be implemented using one or more servers and, when implemented using multiple servers, may be a distributed architecture. The terminal devices 200a to 200n and the server 300 may be connected to each other via a network, which may be a wired network or a wireless network, and transmit requests, instructions, and the like to the server 300. The terminal devices 200a to 200n may be any internet of things terminals, such as a mobile phone (terminal 200a), a television (terminal 200b), an air conditioner (terminal 200n), and the like. The user 400 may cause the terminal devices 200a to 200n to transmit requests or instructions to the server 300 by operating the terminal devices 200a to 200n.
In some embodiments, android system 500 can run on terminal devices 200a to 200n.
FIG. 2 shows an exemplary architecture diagram of android system 500, in accordance with an embodiment of the present disclosure.
As shown in fig. 2, the system architecture of the Android system 500 includes a five-layer architecture, which may include a Linux kernel 502, a Hardware Abstraction Layer (HAL) 504, a Native layer (Native C/C++ Libraries) 506, an Android runtime environment (runtime) 508, a Java framework layer 510, and an application layer 512 in sequence from the bottom layer to the application layer. Each layer of the architecture may include a large number of sub-modules or subsystems.
The bottom kernel space of the Android system 500 is built on the Linux kernel 502, and the upper user space may be composed of the Native C/C++ Libraries 506, the Android runtime environment (runtime) 508 and the Java framework layer 510; the kernel space and the user space of the system communicate through system calls (Syscall). User-space code may be written in C++ (running at the Native layer 506) or in Java (running at the application layer 512), and JNI (Java Native Interface, the interface between Java and native code) technology may be used to connect the Native layer 506 and the application layer 512 of the user space.
Application layer 512 can include all applications in android system 500, and can be further divided into a core application that is self-contained in the system and an application that is developed by the user. For example, the core application may be, for example, a browser, contacts, phone, calendar, camera, etc. application. The Android applications developed by the user may be, for example, microblogs, WeChats, and the like.
In view of the problem that existing device fingerprints are easily tampered with, the terminal devices 200a to 200n of the embodiments of the present disclosure adopt a device fingerprint generation method that is not easily tampered with. The following description will be given taking the terminal device 200a as an example.
Before the terminal device 200a leaves the factory, code written in the C/C++ language may be written into the terminal device 200a to run at the time of system initialization. In this way, after the terminal device 200a is powered on and started, by running the code, the terminal device 200a collects its device information in the native layer 506 of the android system 500 and generates its device fingerprint from the device information in the native layer 506 according to the preset fingerprint generation algorithm. After the device fingerprint is generated, it may be provided to the application layer 512 for invocation based on the interface invocation mechanism (e.g., the JNI invocation mechanism) of the native layer 506 and the application layer 512. In some embodiments, the terminal 200a may be powered on by the user 400 pressing a power key; after power-on, the power module of the terminal 200a supplies power to a processor (e.g., a CPU) of the terminal 200a to start the processor, and at this time the terminal may be considered to be started. When the processor is powered on and started, a system initialization process begins, and during this process the terminal device 200a may run the code written in the C/C++ language for device information collection and device fingerprint calculation, so that the device information collection and the device fingerprint calculation are completed in the native layer 506 of the android system 500.
In the embodiment of the present disclosure, the acquisition and calculation code for the device fingerprint of the terminal device is written in the C/C++ language in the native layer 506 of the android system 500, and is compiled with the android source code and burned into the terminal device. C/C++ code is harder to decompile than Java code. Moreover, because the acquisition and calculation code is burned into the terminal device in advance, fingerprint generation is a system function of the terminal device and does not need to be performed by a client application program, so that decompilation is more difficult and it is hard to determine from the outside which device information the device fingerprint is calculated from.
In some embodiments, the device information may be selected from the following: processor information (e.g., CPU information), memory information, media access control address (MAC address), chip vendor information, product serial number (SN code), international mobile equipment identification number (IMEI number). It is to be understood that the foregoing hardware information is only exemplary, and other hardware information may be selected as the device information for generating the device fingerprint, and is not particularly limited herein. Hardware information of the device belongs to static attribute information, and is generally written on a system disk of the device when the device leaves a factory, so that the hardware information can be directly read from the device. The device information can be found at fixed storage locations; for example, CPU information may be read from /proc/cpuinfo, the MAC address may be read from /sys/class/net/eth0/address, etc.
Since there are various device information available for selection, in some embodiments, the terminal device 200a may randomly collect at least two device information therefrom to generate a device fingerprint. Therefore, the equipment information for generating the equipment fingerprint is randomly selected, so that the cracking difficulty can be increased, and the safety is further improved. To ensure security of the device fingerprint while ensuring computational efficiency, in some embodiments, three device information may be selected to generate the device fingerprint.
In some embodiments, the number of items of device information used to generate a device fingerprint may be at least two, e.g., three. The terminal device 200a may perform an exclusive-or (XOR) operation on the at least two items of device information to obtain the first data. Since the lengths of the device information may not be consistent, the length of the first data may also vary, so the terminal device 200a further performs a hash operation (e.g., an MD5 operation) on the first data to obtain a device fingerprint with a preset data length (set according to actual needs). Taking C++ as an example, the XOR operation can be implemented with the xor operator, and the specific operation rule is not described here again.
In order to ensure the security of the device fingerprint, a salt value (salt) can be introduced when the device fingerprint is generated by using the hash operation. Therefore, in some embodiments, the terminal device 200a may determine the salt value, and then perform MD5 operation on the first data based on the salt value to obtain the device fingerprint with the preset data length. The salt value (salt) may be an extra random number added in the hash operation process, which may increase the difficulty of deciphering. In some embodiments, the salt value may be a fixed value that is set in advance for ease of calculation. It will be appreciated that different ways of determining the salt value may be chosen depending on the actual requirements.
In some embodiments, the terminal device 200a may store the generated device fingerprint in its memory, and provide a call interface to an application in the application layer 512 through a daemon process. In this way, since the data calculation is generally performed in a system process, and the generated device fingerprint is kept in memory (i.e., the calculation result is not stored on the disk), the security is well guaranteed. The device fingerprint is generated and stored in the memory only after the terminal device 200a is started up, and when it is generated again after the device has been powered off, its address in the memory changes; it is therefore difficult to obtain the device fingerprint from the outside by looking it up at a known storage address.
In some embodiments, an access interface may be provided to the application layer 512 through a JNI call, and then the device fingerprint is uploaded to the Java framework layer 510, and the upper layer application program may obtain the device fingerprint and related information thereof by calling a service defined by the Java framework layer 510 through a get method.
Fig. 3 shows a schematic diagram of a terminal device 200a interacting with a server 300 according to an embodiment of the disclosure.
The user 400 may transmit a registration request (e.g., a request for registering a member account on the server 300) or a service request (e.g., a request for acquiring a video service from the server 300) to the server 300 using the device 200a by means of a key, a touch screen, a remote controller, or the like.
In the initial state, the user 400 may first transmit a registration request 602 to the server 300 using the terminal device 200a to complete registration (e.g., registration of a membership identity) on the server 300.
When sending the registration request 602, the terminal device 200a may invoke the device fingerprint 202 of the terminal device 200a after power-on start-up according to the registration request 602 and obtain the name of the device information 204 used for generating the device fingerprint 202 and the identification information of the terminal device 200 a. In some embodiments, the device fingerprint 202 generated by the native layer 506 may be invoked at the application layer 512 through a JNI mechanism. In some embodiments, the device information 204 used by the terminal device 200a to generate the device fingerprint 202 may be randomly selected to improve the difficulty of cracking and increase the security. In some embodiments, the identification information may be information capable of characterizing a unique identity of the terminal device 200a, and the identification information may be given to the terminal device 200a according to a certain encoding rule, or may be characteristic information inherent and unique to the terminal device 200a, for example, a MAC address of the terminal device 200 a.
The terminal device 200a, when sending the registration request 602 to the server 300, may send to the server 300 the device fingerprint 202 and the name 206 of the device information 204 used to generate the device fingerprint 202. In some embodiments, if a randomly generated salt value (salt) was introduced when generating the device fingerprint 202, the salt value 208 may also be sent to the server 300 with the registration request 602. In some embodiments, the terminal device 200a may request a registration interface of the server 300, and the interface parameters include the device fingerprint 202, the device information name 206, and identification information (e.g., MAC address).
After receiving the registration request 602, the device fingerprint 202, the device information name 206, and the identification information, the server 300 may first determine whether the terminal device 200a has completed registration with the server 300 based on the identification information. In some embodiments, as shown in fig. 3, the identification information of the terminal device that has completed registration may be stored in a database of the server 300, and the server 300 may determine whether the terminal device 200a has completed registration by looking up the stored identification information of the terminal device 200a in the database. If the identification information of the terminal equipment can be found, the registration is finished.
If the terminal device 200a does not complete registration with the server 300, the server 300 may store the device fingerprint 202 and the device information name 206 (e.g., store interface parameters sent by the terminal device), and return corresponding information 604, e.g., registration success information, to the terminal device 200a based on the registration request 602. In some embodiments, the server 300 may further return a corresponding token (token) to the terminal device 200a after the registration is completed, and the terminal device 200a may subsequently carry the token when sending the service request to the server 300 to complete the authentication. The token has a pre-set validity period (e.g., 24 hours, a week, etc.) and the server 300 may not perform further identity verification for the terminal device 200a when the token is within the validity period.
If the terminal device 200a has completed registration with the server 300, the server 300 may return registration failure information to the terminal device 200a or may not need to register information again.
After completion of the registration, the user 400 can transmit a service request 606 (for example, a request for obtaining a member service) to the server 300 by using the terminal device 200a at any time.
After receiving the service request 606 transmitted by the terminal device 200a, the server 300 may determine whether the fingerprint verification needs to be performed on the terminal device 200a according to the service request 606. For example, if the service request 606 of the terminal device 200a carries a token and the token does not exceed its validity period, it is not necessary to perform fingerprint verification on the terminal device 200a, and otherwise, it is necessary to perform fingerprint verification on the terminal device 200 a.
If the fingerprint of the terminal device 200a needs to be verified, the server 300 may send a device information collecting request 608 to the terminal device 200a, where the request 608 may include information related to the device information that needs to be collected. In some embodiments, the server 300 may determine the name 206 of the device information 204 used to generate the device fingerprint 202 of the terminal device 200a according to the service request 606, and then generate the device information collection request 608 according to the device information name 206, wherein the name 206 of the device information 204 required to be collected by the server 300 is included in the device information collection request 608. For example, the name 206 may be determined from the device information name 206 of the terminal device 200a that the memory 302 has stored.
After receiving the device information collection request 608 of the server 300, the terminal device 200a may transmit the corresponding device information 204 to the server 300 according to the device information collection request 608. For example, if the device information 204 selected by the terminal device 200a for generating the device fingerprint 202 at the time of registration is CPU information, MAC information, and SN code, the names of the CPU information, MAC information, and SN code (i.e., the names of the information, not the information itself) need to be sent to the server 300 at the time of registration, so that the server 300 sends a request for collecting device information corresponding to the names to the terminal device 200a according to the stored names when the fingerprint of the terminal device 200a needs to be verified, so that the terminal device 200a sends the device information corresponding to the names to the server 300. In some embodiments, the operation of collecting device information may be implemented by a Software Development Kit (SDK) encapsulated in an application program that sends the service request, and the collected device information may be reported to the server 300 based on the SDK.
After receiving the device information 204 collected and transmitted by the terminal device 200a based on the device information collection request 608, the server 300 may generate the device fingerprint 304 of the terminal device 200a from the device information 204 according to a preset fingerprint generation algorithm. The preset fingerprint generation algorithm is the same as the preset fingerprint generation algorithm that generates the device fingerprint 202 when the terminal device 200a is registered.
In some embodiments, if the number of items of device information 204 is at least two, the server 300 may perform an XOR operation on the at least two items of device information to obtain first data, and then perform a hash operation on the first data to obtain the device fingerprint 304 with a preset data length. In some embodiments, if the device fingerprint 202 was generated with a salt value, the server further needs to obtain the salt value 208 of the terminal device 200a stored in the server 300, and then perform an MD5 operation on the first data based on the salt value 208 to obtain the device fingerprint 304 with a preset data length. The salt value 208 may be a pre-agreed fixed value. In some embodiments, if the device fingerprint 202 of the terminal device 200a was generated based on a randomly generated salt value, the terminal device 200a may send the salt value to the server 300 for storage at registration, so that the server 300 can use the salt value 208 when computing the device fingerprint 304 of the terminal device 200a.
After computing the device fingerprint 304, the server 300 may determine whether the device fingerprint 304 corresponds to the device fingerprint 202 of the terminal device 200a stored in the memory 302 of the server 300. If the device fingerprint 304 is consistent with the device fingerprint 202, the fingerprint verification of the terminal device 200a is passed, and the fingerprint verification passing information 610 of the terminal device 200a can be output; otherwise, the verification fails, and verification failure information may be returned to the terminal device 200 a. In some embodiments, after the verification passes, the server 300 may further generate a new token (token) and send the token to the terminal device 200a, so that the terminal device 200a does not need to perform fingerprint verification any more when requesting a service from the server 300 with the token in the validity period of the new token. After the verification is completed, the server 300 may provide a corresponding service, for example, a member service, to the terminal device 200a based on the service request 606.
As can be seen, in the present embodiment, the server 300 does not directly acquire the device fingerprint from the terminal device 200a for verification when verifying the device fingerprint of the terminal device 200a, but generates the device fingerprint 304 by the server 300 after acquiring the device information for generating the device fingerprint thereof from the terminal device 200a according to the information provided by the terminal device 200a at the time of registration, and then compares the device fingerprint 304 with the locally stored device fingerprint 202, and if the comparison is consistent, the verification passes. Therefore, specific equipment fingerprints are not transmitted in the verification process, so that the condition that the equipment fingerprints are intercepted by the outside in the modes of packet grabbing and the like during equipment fingerprint verification is avoided, and the safety is further improved.
According to the device fingerprint generation method and the related device, the device parameters are read from the system native layer of the terminal device, the device fingerprint is generated through the preset fingerprint generation algorithm, and then the device fingerprint is stored in the memory, so that illegal tampering of a user is prevented. When the server performs fingerprint verification, the server firstly collects the device information corresponding to the device name provided during registration to the terminal device, generates a device fingerprint in the server according to a preset fingerprint generation algorithm, compares the device fingerprint with the device fingerprint provided during registration of the terminal device, and verifies that the device fingerprint passes the comparison if the device fingerprint is consistent with the device fingerprint provided during registration of the terminal device. The equipment fingerprint generation method and the related equipment effectively improve the safety and uniqueness of the equipment fingerprint, and also provide a new idea for the implementation mode of the equipment fingerprint.
The present disclosure also provides a computer device for implementing the terminal devices 200a to 200n or the server 300. The device may comprise a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the method implemented by the terminal devices 200a to 200n or the server 300 of the foregoing embodiments when executing the program, and accordingly having the technical effects of the foregoing embodiments.
Fig. 4 shows an exemplary hardware structure diagram of a more specific computer device 700 provided by the embodiment of the present disclosure. The device 700 may include: a processor 702, a memory 704, an input/output interface 706, a communication interface 708, and a bus 710. The processor 702, the memory 704, the input/output interface 706 and the communication interface 708 are communicatively coupled to each other within the device via the bus 710.
The processor 702 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits, and is configured to execute related programs to implement the technical solutions provided in the embodiments of the present specification.
The Memory 704 may be implemented in the form of a ROM (Read Only Memory), a RAM (Random Access Memory), a static storage device, a dynamic storage device, or the like. The memory 704 may store an operating system and other application programs, and when the technical solution provided by the embodiments of the present specification is implemented by software or firmware, the relevant program codes are stored in the memory 704 and called by the processor 702 for execution.
The input/output interface 706 is used for connecting an input/output module to realize information input and output. The input/output module may be configured as a component in the device (not shown) or may be external to the device to provide a corresponding function. The input devices may include a keyboard, a mouse, a touch screen, a microphone, various sensors, etc., and the output devices may include a display, a speaker, a vibrator, an indicator light, etc.
The communication interface 708 is used for connecting a communication module (not shown in the figure) to implement communication interaction between the present device and other devices. The communication module can realize communication in a wired mode (such as USB, network cable and the like) and also can realize communication in a wireless mode (such as mobile network, WIFI, Bluetooth and the like).
It should be noted that although the above-described device only shows the processor 702, the memory 704, the input/output interface 706, the communication interface 708, and the bus 710, in a specific implementation, the device may also include other components necessary for normal operation. In addition, those skilled in the art will appreciate that the above-described apparatus may also include only those components necessary to implement the embodiments of the present description, and not necessarily all of the components shown in the figures.
The embodiment of the disclosure also provides a device fingerprint generation method, which can improve the security of the device fingerprint.
Fig. 5 illustrates a flow diagram of an exemplary method 800 provided by an embodiment of the present disclosure. The method 800 may be applied to the aforementioned terminal devices 200a to 200n and implemented by the terminal devices 200a to 200n. As shown in fig. 5, the method may include the following steps.
At step 802, in response to a terminal device (e.g., terminal device 200a of fig. 3) having been powered on, terminal device 200a may collect device information (e.g., device information 204 of fig. 3) of the terminal device at its native layer (e.g., native layer 506 of fig. 2).
In some embodiments, in order to further increase the difficulty of cracking, collecting the device information of the terminal device at a native layer of the terminal device may include: randomly collecting at least two pieces of device information of the terminal device.
In some embodiments, the device information is selected from the following: processor information, memory information, media access control address, chip manufacturer information, product serial number, and international mobile equipment identity.
At step 804, the terminal device 200a may generate, at its native layer, a device fingerprint (e.g., the device fingerprint 202 of fig. 3) of the terminal device from the device information according to a preset fingerprint generation algorithm.
In some embodiments, the number of pieces of device information is at least two, and generating the device fingerprint of the terminal device from the device information according to the preset fingerprint generation algorithm includes: performing an XOR operation on the at least two pieces of device information to obtain first data; and performing a hash operation on the first data to obtain the device fingerprint with a preset data length, thereby ensuring that device fingerprints have a consistent length.
In some embodiments, performing a hash operation on the first data to obtain the device fingerprint having a preset data length may further include: determining a salt value; and performing MD5 operation on the first data based on the salt value to obtain the device fingerprint with preset data length.
In step 806, the terminal device 200a may provide the device fingerprint to its application layer (e.g., application layer 512 of fig. 2) for invocation based on an interface invocation mechanism (e.g., JNI mechanism) of the native layer and the application layer.
In some embodiments, to improve security, the method 800 may further comprise: storing the device fingerprint in a memory of the terminal device.
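The terminal-side generation in steps 802 to 806 and the server-side recomputation performed by the server 300 during verification, as an added Python example that is not code from the patent. The zero-padding of unequal-length values, the salt being prepended before MD5, and the names `Terminal`, `Server`, `xor_combine`, `make_fingerprint` and `run_exchange` are assumptions; the device values are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample attributes, not values from any real device.
SAMPLE_DEVICE = {
    "cpu": "ARMv8-A Cortex-A55 rev4",
    "mac": "02:00:5e:10:00:01",
    "sn": "SN-EXAMPLE-0001",
    "imei": "000000000000000",
}


def xor_combine(values):
    """XOR the UTF-8 bytes of each value into one buffer (the "first data").

    Assumption: shorter values are zero-padded on the right to the longest
    length; the patent does not say how unequal lengths are handled.
    XOR is commutative, so the order of the values does not affect the result.
    """
    if len(values) < 2:
        raise ValueError("at least two pieces of device information are required")
    encoded = [v.encode("utf-8") for v in values]
    acc = bytearray(max(len(b) for b in encoded))
    for b in encoded:
        for i, byte in enumerate(b):
            acc[i] ^= byte
    return bytes(acc)


def make_fingerprint(values, salt):
    """Salted MD5 over the first data: always 32 hex characters.

    Assumption: the salt is prepended to the first data before hashing.
    """
    return hashlib.md5(salt + xor_combine(values)).hexdigest()


class Terminal:
    """Terminal side: random attribute selection, fingerprint kept locally."""

    def __init__(self, device_id, info, count=3):
        self.device_id = device_id
        self.info = dict(info)
        self.names = secrets.SystemRandom().sample(sorted(self.info), count)
        self.salt = secrets.token_bytes(16)
        self.fingerprint = make_fingerprint(
            [self.info[n] for n in self.names], self.salt)

    def registration_payload(self):
        # Registration carries the attribute names, not the attribute values.
        return {"device_id": self.device_id, "fingerprint": self.fingerprint,
                "names": list(self.names), "salt": self.salt}

    def collect(self, names):
        # Answer to the server's device information collection request.
        return {n: self.info[n] for n in names}


class Server:
    """Server side: stores the registration record and recomputes on verify."""

    def __init__(self):
        self.records = {}

    def register(self, payload):
        if payload["device_id"] in self.records:
            return False  # already registered
        self.records[payload["device_id"]] = {
            "fingerprint": payload["fingerprint"],
            "names": list(payload["names"]),
            "salt": payload["salt"],
        }
        return True

    def collection_request(self, device_id):
        return list(self.records[device_id]["names"])

    def verify(self, device_id, reported):
        rec = self.records.get(device_id)
        if rec is None or any(n not in reported for n in rec["names"]):
            return False
        candidate = make_fingerprint(
            [reported[n] for n in rec["names"]], rec["salt"])
        # Constant-time comparison of the recomputed and stored fingerprints.
        return hmac.compare_digest(candidate, rec["fingerprint"])


def run_exchange():
    """Register once, verify a genuine report, then verify an altered one."""
    terminal = Terminal("dev-001", SAMPLE_DEVICE)
    server = Server()
    registered = server.register(terminal.registration_payload())
    names = server.collection_request("dev-001")
    genuine = server.verify("dev-001", terminal.collect(names))
    altered = terminal.collect(names)
    altered[names[0]] += "-changed"
    return registered, genuine, server.verify("dev-001", altered)


if __name__ == "__main__":
    print(run_exchange())
```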
It should be noted that the above describes some embodiments of the disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments described above and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
Based on the same inventive concept, the present disclosure also provides a non-transitory computer-readable storage medium storing computer instructions for causing a computer to perform the method 800 according to any of the above embodiments, corresponding to any of the above embodiments of the method 800.
Computer-readable media of the present embodiments, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device.
The computer instructions stored in the storage medium of the foregoing embodiment are used to enable the computer to execute the method 800 according to any one of the foregoing embodiments, and have the beneficial effects of the corresponding method embodiment, which are not described herein again.
Based on the same inventive concept, and corresponding to the method 800 of any of the above embodiments, the present disclosure also provides a computer program product comprising a computer program. In some embodiments, the computer program is executable by one or more processors to cause the processors to perform the method 800. For each step in the embodiments of the method 800, the processor executing that step may belong to the execution subject corresponding to that step.
The computer program product of the foregoing embodiment is used for enabling a processor to execute the method 800 according to any of the foregoing embodiments, and has the advantages of corresponding method embodiments, which are not described herein again.
Those of ordinary skill in the art will understand that: the discussion of any embodiment above is meant to be exemplary only, and is not intended to intimate that the scope of the disclosure, including the claims, is limited to these examples; within the idea of the present disclosure, also technical features in the above embodiments or in different embodiments may be combined, steps may be implemented in any order, and there are many other variations of the different aspects of the embodiments of the present disclosure as described above, which are not provided in detail for the sake of brevity.
In addition, well-known power/ground connections to Integrated Circuit (IC) chips and other components may or may not be shown in the provided figures for simplicity of illustration and discussion, and so as not to obscure the embodiments of the disclosure. Furthermore, devices may be shown in block diagram form in order to avoid obscuring embodiments of the present disclosure, and this also takes into account the fact that specifics with respect to implementation of such block diagram devices are highly dependent upon the platform within which the embodiments of the present disclosure are to be implemented (i.e., specifics should be well within purview of one skilled in the art). Where specific details (e.g., circuits) are set forth in order to describe example embodiments of the disclosure, it should be apparent to one skilled in the art that the embodiments of the disclosure can be practiced without, or with variation of, these specific details. Accordingly, the description is to be regarded as illustrative instead of restrictive.
While the present disclosure has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations of these embodiments will be apparent to those of ordinary skill in the art in light of the foregoing description. For example, other memory architectures (e.g., dynamic RAM (DRAM)) may use the discussed embodiments.
The disclosed embodiments are intended to embrace all such alternatives, modifications and variances which fall within the broad scope of the appended claims. Therefore, any omissions, modifications, equivalents, improvements, and the like that may be made within the spirit and principles of the embodiments of the disclosure are intended to be included within the scope of the disclosure.
Claims (15)
1. A device fingerprint generation method, applied to a terminal device, comprising:
collecting device information of the terminal device at a native layer of the terminal device in response to the terminal device being started;
generating, at the native layer, a device fingerprint of the terminal device from the device information according to a preset fingerprint generation algorithm; and
providing the device fingerprint to an application layer of the terminal device for calling, based on an interface calling mechanism of the native layer and the application layer.
2. The method of claim 1, wherein the number of pieces of the device information is at least two;
the generating the device fingerprint of the terminal device from the device information according to the preset fingerprint generation algorithm comprises:
performing an XOR operation on the at least two pieces of device information to obtain first data; and
performing a hash operation on the first data to obtain the device fingerprint having a preset data length.
3. The method of claim 2, wherein hashing the first data to obtain the device fingerprint having a preset data length comprises:
determining a salt value; and
performing an MD5 operation on the first data based on the salt value to obtain the device fingerprint having the preset data length.
4. The method of claim 2, wherein the device information is selected from the following: processor information, memory information, media access control address, chip manufacturer information, product serial number, and international mobile equipment identity.
5. The method of claim 2, wherein collecting device information of the terminal device at a native layer of the terminal device comprises:
randomly collecting at least two pieces of device information of the terminal device.
6. The method of any of claims 1-5, further comprising:
storing the device fingerprint in a memory of the terminal device.
7. A terminal device comprising one or more processors, a memory, and one or more programs, wherein the one or more programs are stored in the memory and executed by the one or more processors, the programs comprising instructions for performing the method of any of claims 1-6.
8. An internet of things system, comprising:
a terminal device configured to:
collect device information of the terminal device at a native layer of the terminal device in response to the terminal device being started;
generate, at the native layer, a device fingerprint of the terminal device from the device information according to a preset fingerprint generation algorithm;
provide the device fingerprint to an application layer of the terminal device for calling, based on an interface calling mechanism of the native layer and the application layer;
receive a service request sent by a user and send the service request to a server; and
in response to receiving a device information collection request from the server, send corresponding device information to the server according to the device information collection request; and
a server connected to the terminal device via a network and configured to:
receive the service request sent by the terminal device;
determine, according to the service request, whether fingerprint verification needs to be performed on the terminal device;
in response to fingerprint verification needing to be performed on the terminal device, send a device information collection request to the terminal device;
receive the device information sent by the terminal device based on the device information collection request;
generate a first device fingerprint of the terminal device from the device information according to a preset fingerprint generation algorithm;
determine whether the first device fingerprint corresponds to a second device fingerprint of the terminal device stored by the server; and
in response to the first device fingerprint being consistent with the second device fingerprint, output fingerprint verification passing information of the terminal device.
9. The internet of things system of claim 8, wherein the number of pieces of device information is at least two;
the server is configured to:
perform an XOR operation on the at least two pieces of device information to obtain first data; and
perform a hash operation on the first data to obtain the first device fingerprint having a preset data length.
10. The internet of things system of claim 9, wherein the server is further configured to:
acquire a salt value of the terminal device stored by the server; and
perform an MD5 operation on the first data based on the salt value to obtain the first device fingerprint having the preset data length.
11. The internet of things system of claim 8, wherein the terminal device is configured to:
receive a registration request sent by a user;
retrieve, according to the registration request, a second device fingerprint generated by the terminal device, a name of the device information used for generating the second device fingerprint, and identification information of the terminal device; and
send the registration request to a server along with the second device fingerprint and the name of the device information used for generating the second device fingerprint;
the server is configured to:
receive the registration request, the second device fingerprint, the name of the device information used for generating the second device fingerprint, and the identification information of the terminal device;
determine, according to the identification information, whether the terminal device is registered in the server; and
in response to the terminal device not being registered in the server, store the second device fingerprint and the name of the device information used for generating the second device fingerprint, and return registration success information to the terminal device based on the registration request.
12. The internet of things system of claim 11, wherein the server is configured to:
determine, according to the service request, the name of the device information used for generating the second device fingerprint of the terminal device; and
generate the device information collection request according to the name of the device information used for generating the second device fingerprint of the terminal device, wherein the device information collection request comprises the name of the device information that the server needs to collect.
13. The internet of things system of claim 11, wherein the server is configured to:
in response to successful registration of the terminal device, return a corresponding token to the terminal device, wherein the token has a preset validity period; and
in response to receiving the service request sent by the terminal device, determine whether fingerprint verification needs to be performed on the terminal device according to whether the token of the terminal device has exceeded the preset validity period.
14. A non-transitory computer-readable storage medium containing a computer program which, when executed by one or more processors, causes the processors to perform the method of any one of claims 1-6.
15. A computer program product comprising computer program instructions which, when run on a computer, cause the computer to perform the method of any one of claims 1-6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110995607.8A CN113626787B (en) | 2021-08-27 | 2021-08-27 | Equipment fingerprint generation method and related equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113626787A (en) | 2021-11-09 |
CN113626787B (en) | 2024-01-30 |
Family ID=78388074
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110995607.8A Active CN113626787B (en) | 2021-08-27 | 2021-08-27 | Equipment fingerprint generation method and related equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113626787B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||