CN114465803A - Object authorization method, device, system and storage medium - Google Patents

Info

Publication number
CN114465803A
Authority
CN
China
Prior art keywords
authorization
information
equipment
file
ciphertext
Legal status
Granted
Application number
CN202210139278.1A
Other languages
Chinese (zh)
Other versions
CN114465803B (en)
Inventor
吴建伟
Current Assignee
Alibaba China Co Ltd
Original Assignee
Alibaba China Co Ltd
Application events
Application filed by Alibaba China Co Ltd
Priority to CN202210139278.1A
Publication of CN114465803A
Application granted
Publication of CN114465803B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
        • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
        • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
            • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                • H04L 63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
                • H04L 63/0478 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
        • H04L 67/01 Protocols
            • H04L 67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]

Abstract

The invention discloses an object authorization method, device, system and storage medium. The method comprises the following steps: an authorization device obtains device information of a first device and authorization information of a target object, wherein the authorization information is used for verifying the legality of the target object used by a target device; the authorization device generates an authorization file corresponding to the first device based on the device information and the authorization information; the authorization device transmits the authorization file to the first device, wherein the authorization file is used by the first device to verify the target device. The invention solves the technical problem of low software authorization efficiency in the related art.

Description

Object authorization method, device, system and storage medium
Technical Field
The invention relates to the field of product authorization, in particular to an object authorization method, device, system and storage medium.
Background
In soft-and-hard integrated delivery scenarios, some self-developed cloud products or systems need to apply authorization management to a customer: the customer is allowed to use the product for a certain period of validity or within a certain limit (such as a number of instances), and different authorized periods or instance counts are priced differently, so that the software can be charged for and protected from arbitrary copying and abuse. Meanwhile, in a specific customer delivery scenario, the authorization protocol can limit the number of instances under a specific customer hardware specification, so as to protect the stability of the cluster.
Currently, each piece of software needs its own set of authorization processing logic, each authorization protocol needs a specific output version, and if the protocol changes the customer has to upgrade to that specific output version, so the authorization efficiency of the software is low.
In view of the above problems, no effective solution has been proposed.
Disclosure of Invention
The embodiment of the invention provides an object authorization method, device, system and storage medium, which at least solve the technical problem of low software authorization efficiency in the related art.
According to an aspect of an embodiment of the present invention, there is provided an object authorization method, including: the method comprises the steps that an authorization device obtains device information of a first device and authorization information of a target object, wherein the authorization information is used for verifying the legality of the target object used by the target device; the authorization device generates an authorization file corresponding to the first device based on the device information and the authorization information; the authorization device transmits an authorization file to the first device, wherein the authorization file is used to authenticate the target device with the first device.
According to an aspect of an embodiment of the present invention, there is provided another object authorization method, including: the method comprises the steps that first equipment receives an authorization file transmitted by authorization equipment, wherein the authorization file is generated based on equipment information of the first equipment and authorization information of a target object, and the authorization information is used for verifying the legality of the target object used by the target equipment; the first device is used for verifying the target device based on the authorization file.
According to another aspect of the embodiments of the present invention, there is provided an object authorization apparatus disposed in an authorization device, including: the device comprises an acquisition module, a verification module and a verification module, wherein the acquisition module is used for acquiring device information of first equipment and authorization information of a target object, and the authorization information is used for verifying the legality of the target object used by the target equipment; the generating module is used for generating an authorization file corresponding to the first device based on the device information and the authorization information; the transmission module is used for transmitting the authorization file to the first device, wherein the authorization file is used for verifying the target device through the first device.
According to another aspect of the embodiments of the present invention, there is also provided an object authorization apparatus, including: the receiving module is used for receiving an authorization file transmitted by authorization equipment, wherein the authorization file is generated based on the equipment information of the first equipment and the authorization information of the target object, and the authorization information is used for verifying the legality of the target object used by the target equipment; and the verification module is used for verifying the target equipment based on the authorization file.
According to another aspect of the embodiments of the present invention, there is provided an object authorization system, including: the authorization device is used for generating an authorization file corresponding to the first device based on the device information of the first device and the authorization information of the target object, wherein the authorization information is used for verifying the legality of the target object used by the target device; and the authorization service is installed on the first device and used for verifying the target device based on the authorization file.
According to another aspect of the embodiments of the present invention, there is provided a storage medium, where the storage medium includes a stored program, and where the program is executed to control a device in which the storage medium is located to perform the object authorization method in any one of the above embodiments.
According to another aspect of the embodiments of the present invention, there is provided a computer terminal, wherein a processor is configured to execute a program, and the program executes the object authorization method in any one of the above embodiments.
Through the steps, firstly, the authorization device acquires the device information of the first device and the authorization information of the target object, wherein the authorization information is used for verifying the legality of the target object used by the target device; the authorization device generates an authorization file corresponding to the first device based on the device information and the authorization information; the authorization device transmits the authorization file to the first device, wherein the authorization file is used for verifying the target device through the first device, and the purpose of improving the product authorization efficiency is achieved. It is easy to note that the authorization device may generate an authorization file corresponding to the first device according to the device information of the first device and the authorization information of the target object, and transmit the authorization file to the first device, so that the first device may verify the validity of the target object used by the target device through the authorization file, and may authorize the target object on the target device through the authorization file if the verification is successful, where the target object may be software, so as to improve the efficiency of software authorization, and further solve the technical problem in the related art that the efficiency of software authorization is low.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a block diagram of a hardware structure of a computer terminal (or mobile device) for implementing an object authorization method according to an embodiment of the present application;
FIG. 2 is a flow chart of a method of object authorization according to an embodiment of the application;
FIG. 3 is a schematic diagram of a customer environment and a corporate environment according to an embodiment of the present application;
FIG. 4 is a schematic illustration of an authorization service according to an embodiment of the application;
FIG. 5 is a schematic diagram of an authorizing device in accordance with an embodiment of the application;
FIG. 6 is a schematic diagram of an authorization service and cloud product according to an embodiment of the present application;
FIG. 7 is a flow chart of a method of authorizing an object according to an embodiment of the present application;
FIG. 8 is a schematic diagram of an object authorization apparatus according to an embodiment of the present application;
FIG. 9 is a schematic diagram of another object authorization apparatus according to an embodiment of the application;
FIG. 10 is a block diagram of a computer terminal according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
First, some terms or terms appearing in the description of the embodiments of the present application are applicable to the following explanations:
Asymmetric cryptographic algorithm (Rivest Shamir Adleman, RSA for short): one such algorithm uses two keys, a public key and a private key; the public key encrypts and the private key decrypts.
RSA signature and signature verification: because the RSA algorithm is inefficient compared to symmetric encryption algorithms, RSA is usually used to encrypt only small pieces of data, such as the keys used for symmetric encryption. In practice RSA is used more widely for signature operations: the hash value of a message is signed with the private key, so as to prevent tampering with or forgery of the message.
Advanced Encryption Standard (AES) is a block Encryption Standard. The block length of AES is fixed to 128 bits and the key length may be 128, 192 or 256 bits.
Keyless Encryption algorithm (No Key Encryption, NKE for short).
Product Serial Number (SN): the product serial number is a concept introduced for verifying 'legal identity of product', and is used for guaranteeing the copyright interest of users and enjoying legal services.
Currently, product authorization can be achieved by the following scheme:
Scheme I: each piece of software implements its own product authorization protocol and completes authorization control by setting a serial number plus a time limit. For example, if software A authorizes a customer to use it until 1 January 2030, software A must hard-code the control and serial-number algorithms for that specific point in time into the product. Some release versions of legacy software are authorized in this way.
Scheme II: an authorization server is implemented in the cloud, the detailed authorization processing is implemented in the software, and every customer must complete authorization and use the content in a networked environment. Most software on operating systems is handled in this way.
For the first scheme, each piece of software needs its own set of authorization processing logic, each authorization protocol needs a specific output version, and if the protocol changes the customer has to upgrade to that specific output version. For the second scheme, the customer can only use the corresponding authorization in a networked environment and cannot use the content without a network; if the network has a problem, the task will be affected.
According to the method and system of the present application, the authorization services of various cloud products can be combined into a unified authorization service platform, so that each cloud product does not have to handle its own product authorization. A three-layer encryption protocol can be used in the authorization system to achieve higher security, where the three layers are RSA encryption, AES encryption and NKE encryption; the non-updatable authorization service can thereby be turned into an updatable authorization service while security is ensured. Authorization in an environment without external network support can be achieved on the basis of guaranteed authorization security.
Example 1
There is also provided, in accordance with an embodiment of the present invention, an embodiment of an object authorization method, it should be noted that the steps illustrated in the flowchart of the accompanying drawings may be performed in a computer system such as a set of computer-executable instructions, and that, although a logical order is illustrated in the flowchart, in some cases, the steps illustrated or described may be performed in an order different than here.
The method provided by the first embodiment of the present application may be executed in a mobile terminal, a computer terminal, or a similar computing device. FIG. 1 shows a hardware configuration block diagram of a computer terminal (or mobile device) for implementing an object authorization method. As shown in FIG. 1, the computer terminal 10 (or mobile device 10) may include one or more processors (shown as 102a, 102b, …, 102n in the figure), which may include, but are not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA, a memory 104 for storing data, and a transmission module 106 for communication functions. In addition, the computer terminal may also include a display, an input/output interface (I/O interface), a Universal Serial Bus (USB) port (which may be included as one of the ports of the bus), a network interface, a power source, and/or a camera. It will be understood by those skilled in the art that the structure shown in FIG. 1 is only an illustration and is not intended to limit the structure of the electronic device. For example, the computer terminal 10 may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
It should be noted that the one or more processors and/or other data processing circuitry described above may be referred to generally herein as "data processing circuitry". The data processing circuitry may be embodied in whole or in part in software, hardware, firmware, or any combination thereof. Further, the data processing circuit may be a single stand-alone processing module, or incorporated in whole or in part into any of the other elements in the computer terminal 10 (or mobile device). As referred to in the embodiments of the application, the data processing circuit acts as a processor control (e.g. selection of a variable resistance termination path connected to the interface).
The memory 104 may be used to store software programs and modules of application software, such as program instructions/data storage devices corresponding to the object authorization method in the embodiment of the present invention, and the processor executes various functional applications and data processing by executing the software programs and modules stored in the memory 104, that is, implementing the object authorization method. The memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor, which may be connected to the computer terminal 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used for receiving or transmitting data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the computer terminal 10. In one example, the transmission device 106 includes a Network adapter (NIC) that can be connected to other Network devices through a base station so as to communicate with the internet. In one example, the transmission device 106 can be a Radio Frequency (RF) module, which is used to communicate with the internet in a wireless manner.
The display may be, for example, a touch screen type Liquid Crystal Display (LCD) that may enable a user to interact with a user interface of the computer terminal 10 (or mobile device).
It should be noted here that in some alternative embodiments, the computer device (or mobile device) shown in fig. 1 described above may include hardware elements (including circuitry), software elements (including computer code stored on a computer-readable medium), or a combination of both hardware and software elements. It should be noted that fig. 1 is only one example of a particular specific example and is intended to illustrate the types of components that may be present in the computer device (or mobile device) described above.
Under the operating environment, the application provides an object authorization method as shown in FIG. 2. FIG. 2 is a flowchart of an object authorization method according to a first embodiment of the present invention.
In step S202, the authorization device obtains the device information of the first device and the authorization information of the target object.
The authorization information is used for verifying the validity of the target object used by the target device.
The authorization device may be an authorization service platform.
The target object may require software, cloud products, etc. that are authorized for use. The target object may be one or more cloud products, and the target object may also be one or more software.
The authorization information of the target object may be an authorization protocol.
The first device and the target device may be devices of a client, where the target device may include the first device, and the target device may also include other devices of the client. Wherein the first device and the target device may be servers of the client.
The target device may be a device in which the target object is installed in the client device, and the target device may be the first device or another device. In the case that the target device is another device, the target device may access the first device, so that the first device authorizes the target object on the target device through the authorization service, so that the target device can use the target object.
The first device is installed with an authorization service, and the first device may be configured to authorize a target object on the client device. The device information of the first device may be deployment server information.
In an optional embodiment, the authorization device may generate an RSA Key pair and an AES Key sequence for each first device when each first device registers with the authorization device, and may determine the authorization file corresponding to the first device according to the deployment server information of the first device and the authorization protocol of the target object, so that the first device may activate the target object through the authorization file.
In another optional embodiment, the authorization device is connected to the internet, and the first device is disconnected from the internet segment, so that the authorization service in the first device can be activated in an environment without support of an external network, so that the first device can authorize a target object in the target device through an authorization file, thereby ensuring the security of authorization.
In another alternative embodiment, the cloud product SDK in the customer environment is compiled in the Go language into a dynamic link library. The authorization device and the cloud product SDK may also be written in other languages, as long as the result cannot be decompiled.
In another alternative embodiment, both the authorization device and the first device may be in a network environment, the authorization device and the first device may access each other in the network environment, and optionally, the authorization device may activate an authorization service in the first device remotely, so that the first device may authorize the target object on the target device; the authorization device may be in the environment of a network, the first device may not be in the environment of a network, the authorization device may send the authorization file to a mailbox of the client, and the client may activate the authorization service in the first device in the client's private network so that the first device may authorize the target object on the target device. Therefore, the target object can be authorized in a network or non-network environment.
Step S204, the authorization device generates an authorization file corresponding to the first device based on the device information and the authorization information.
The authorization file may consist of a delivery SN, a delivery ciphertext, a client authorization ciphertext and a signature.
In an optional embodiment, the authorization device may generate an authorization file corresponding to the first device according to the device information of the first device and the authorization information of the target object, so that the authorization file can only activate an authorization service in the first device, and it is difficult to authorize other devices except the first device, thereby improving the security of authorization.
In step S206, the authorization device transmits the authorization file to the first device.
Wherein the authorization file is used to authenticate the target device by the first device.
The first device may have an authorization service installed therein. Wherein the authorization service may be installed on the first device in the form of software.
In an alternative embodiment, the authorization service on the first device already holds the client's RSA private key ciphertext and AES key sequence, so after start-up the first device can allow the client to import the contents of the authorization file. The SN in the authorization file can be activated by the user on the customer interface as a product activation code. The corresponding original information is stored in the authorization database, and the validity period is decrypted for use.
In another alternative embodiment, the authorization service is bound to server information (machine SN) of the first device, and the non-specific server is unable to initiate the authorization service. The authorization service allows the cloud product to register an instance of the corresponding cloud product or environmental information to verify whether its authorization is present. The interaction mode is HTTPS, namely the authorization service opens the HTTPS service for the cloud product to call.
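Issuance and verification of such an SN-bound authorization file, as an added example in Go; this is not the patent's or Alibaba's code. The AuthInfo schema, the two-entry AES key sequence with a key version, the machine SNs and the product name are constructed assumptions, the RSA layer is modelled as a signature by the authorization device over the whole file, AES is used in GCM mode with the machine SN as associated data, and the NKE layer is not modelled. The verifier on the first device checks the SN binding first, then the signature, then decrypts and checks expiry, so a file copied to a server with a different SN is refused before any key is touched:

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// AuthInfo is a constructed schema for the authorization protocol of one target object.
type AuthInfo struct {
	Product      string
	MaxInstances int
	ExpiresUnix  int64
}

// AuthFile is what the authorization device delivers to the first device.
type AuthFile struct {
	MachineSN  string // client machine SN the file is bound to
	KeyVersion int    // index into the client's AES key sequence
	Ciphertext []byte // AES-GCM nonce || sealed AuthInfo JSON, machine SN as associated data
	Signature  []byte // RSA-PSS over SHA-256 of the three fields above
}

// digest hashes the signed fields in one fixed encoding so the verifier recomputes the same value.
func (f *AuthFile) digest() []byte {
	body, _ := json.Marshal([]any{f.MachineSN, f.KeyVersion, f.Ciphertext})
	sum := sha256.Sum256(body)
	return sum[:]
}

// gcmFor selects one 256-bit key from the client's key sequence; the length check makes NewCipher infallible.
func gcmFor(keys [][]byte, ver int) (cipher.AEAD, error) {
	if ver < 0 || ver >= len(keys) || len(keys[ver]) != 32 {
		return nil, fmt.Errorf("no usable AES key for version %d", ver)
	}
	block, _ := aes.NewCipher(keys[ver])
	return cipher.NewGCM(block)
}

// Issue (authorization device side): seal the info under the client's AES key, bind it to the SN, sign everything.
func Issue(priv *rsa.PrivateKey, keys [][]byte, ver int, sn string, info AuthInfo) (*AuthFile, error) {
	gcm, err := gcmFor(keys, ver)
	if err != nil {
		return nil, err
	}
	plain, _ := json.Marshal(info)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	f := &AuthFile{MachineSN: sn, KeyVersion: ver, Ciphertext: gcm.Seal(nonce, nonce, plain, []byte(sn))}
	f.Signature, err = rsa.SignPSS(rand.Reader, priv, crypto.SHA256, f.digest(), nil)
	return f, err
}

// Verify (first device side, offline): SN binding, then signature, then decryption, then expiry.
func Verify(pub *rsa.PublicKey, keys [][]byte, localSN string, f *AuthFile, now time.Time) (*AuthInfo, error) {
	if f.MachineSN != localSN {
		return nil, fmt.Errorf("file is bound to machine %q, not this one", f.MachineSN)
	}
	if err := rsa.VerifyPSS(pub, crypto.SHA256, f.digest(), f.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	gcm, err := gcmFor(keys, f.KeyVersion)
	if err != nil || len(f.Ciphertext) < gcm.NonceSize() {
		return nil, fmt.Errorf("unusable key version or truncated ciphertext: %v", err)
	}
	plain, err := gcm.Open(nil, f.Ciphertext[:gcm.NonceSize()], f.Ciphertext[gcm.NonceSize():], []byte(localSN))
	if err != nil {
		return nil, fmt.Errorf("decryption failed: %w", err)
	}
	var info AuthInfo
	if err := json.Unmarshal(plain, &info); err != nil || now.Unix() > info.ExpiresUnix {
		return nil, fmt.Errorf("authorization info unreadable or expired")
	}
	return &info, nil
}

// RunDemo issues one file under constructed key material, then verifies it on the bound machine and on another.
func RunDemo() (onBound *AuthInfo, onOther error, err error) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)        // authorization device key pair (constructed)
	keys := [][]byte{make([]byte, 32), make([]byte, 32)} // client's AES key sequence, N=2 (constructed)
	rand.Read(keys[0])
	rand.Read(keys[1])
	const sn = "SN-CLIENT-0001" // constructed machine SN of the first device
	f, err := Issue(priv, keys, 1, sn, AuthInfo{"cloud-product-A", 8, time.Now().Add(time.Hour).Unix()})
	if err != nil {
		return nil, nil, err
	}
	onBound, err = Verify(&priv.PublicKey, keys, sn, f, time.Now())
	_, onOther = Verify(&priv.PublicKey, keys, "SN-OTHER-0002", f, time.Now())
	return onBound, onOther, err
}

func main() { fmt.Println(RunDemo()) }
```

The signature covers the SN and key version as well as the ciphertext, and the SN is also fed to AES-GCM as associated data, so neither field can be rewritten to retarget the file without the authorization device's private key; an attempt to change only the ciphertext fails at the signature check, and a truncated ciphertext is rejected before slicing.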
In an alternative embodiment, the authorization service in the customer environment may be compiled in the GO language into a binary file for processing.
In another optional embodiment, the cloud product may use the authorization service SDK through an interface to invoke the authorization service; the main interfaces are authorization protocol query, product authorization query, instance registration and destruction, and instance heartbeat detection. The authorization protocol query returns the authorization status of all cloud products of the client, such as authorization date and authorized instance count. The product authorization query returns the authorization status and usage limits of the current cloud product. Instance registration and destruction track the instance registration status of the current cloud product; instances can be of various types, such as product object instances, CPU core counts, GPU instances, task counts and other product-defined types, the default type being the product object instance. Instance heartbeat detection means that while the cloud product runs it must check at certain intervals whether the authorization service is still legal, and execution is interrupted after the authorization service has been illegal for a certain time.
In yet another alternative embodiment, the communication between the cloud product and the authorization service may also be implemented with other protocols, such as sockets; besides HTTPS, interaction processing such as RSA encryption and decryption and AES encryption and decryption may also be performed.
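A minimal model of the instance registration, destruction and heartbeat interfaces just described, as an added Go example that is not the patent's SDK or authorization service: the product and instance-kind names, the error values, the injectable clock and the in-memory bookkeeping are all constructed. It shows how the per-kind limit taken from a verified authorization protocol is enforced, how instances whose heartbeats lapse stop counting against the limit, and how every call is refused once the protocol has expired, which is the condition under which the cloud product is expected to interrupt execution:

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// Sentinel errors handed back to the cloud product through the SDK (names are constructed).
var (
	ErrExpired = errors.New("authorization protocol expired: product must stop")
	ErrQuota   = errors.New("authorized instance count exhausted")
)

type instance struct {
	product, kind string
	lastBeat      time.Time
}

// Service is an in-memory model of the on-site authorization service's instance bookkeeping.
// Limits and expiry come from the already verified authorization file; the clock is injectable.
type Service struct {
	mu        sync.Mutex
	now       func() time.Time
	expiresAt time.Time
	beatTTL   time.Duration             // an instance silent for longer than this no longer counts
	limits    map[string]map[string]int // product -> instance kind -> authorized maximum
	live      map[string]instance       // instance id -> record
	nextID    int
}

func NewService(limits map[string]map[string]int, expiresAt time.Time, beatTTL time.Duration, now func() time.Time) *Service {
	return &Service{now: now, expiresAt: expiresAt, beatTTL: beatTTL, limits: limits, live: map[string]instance{}}
}

// prune drops instances whose heartbeat lapsed and returns how many of product/kind remain.
func (s *Service) prune(product, kind string) (n int) {
	for id, in := range s.live {
		if s.now().Sub(in.lastBeat) > s.beatTTL {
			delete(s.live, id)
		} else if in.product == product && in.kind == kind {
			n++
		}
	}
	return n
}

// Register admits an instance if the protocol is unexpired and the kind's quota has room;
// a product or kind absent from the limits has a quota of zero and is therefore refused.
func (s *Service) Register(product, kind string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if !s.now().Before(s.expiresAt) {
		return "", ErrExpired
	}
	if quota := s.limits[product][kind]; s.prune(product, kind) >= quota {
		return "", fmt.Errorf("%w: %s/%s allows %d", ErrQuota, product, kind, quota)
	}
	s.nextID++
	id := fmt.Sprintf("inst-%d", s.nextID)
	s.live[id] = instance{product, kind, s.now()}
	return id, nil
}

// Heartbeat refreshes liveness and re-checks legality; a product whose heartbeats keep failing stops.
func (s *Service) Heartbeat(id string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	in, ok := s.live[id]
	if !ok {
		return fmt.Errorf("unknown or lapsed instance %q", id)
	}
	if !s.now().Before(s.expiresAt) {
		return ErrExpired
	}
	in.lastBeat = s.now()
	s.live[id] = in
	return nil
}

// Destroy releases the instance's slot immediately.
func (s *Service) Destroy(id string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.live, id)
}

func main() {
	clock := time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC) // constructed fixed clock
	limits := map[string]map[string]int{"cloud-product-A": {"object": 2}}
	svc := NewService(limits, clock.Add(24*time.Hour), time.Minute, func() time.Time { return clock })
	a, _ := svc.Register("cloud-product-A", "object")
	_, _ = svc.Register("cloud-product-A", "object")
	_, err := svc.Register("cloud-product-A", "object")
	fmt.Println(a, err) // third registration refused: quota is 2
	svc.Destroy(a)
	_, err = svc.Register("cloud-product-A", "object")
	fmt.Println(err) // slot freed, registration succeeds
}
```

Counting only instances with a recent heartbeat is what lets the service recover slots from cloud product processes that crashed without calling Destroy, while the expiry check on every call is what turns a lapsed authorization protocol into interrupted execution on the product side.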
The scheme mainly comprises two large scenes, wherein one scene is an authorization system environment for generating an authorization file, namely a group environment, namely the environment where the authorization equipment is located, the other scene is a software use scene, and the other scene is a software use and file verification environment of a C-S framework, and the environment is divided into a cloud product APP and an authorization service, namely a client environment, namely the environment where the first equipment is located. The file may be communicated between the authorisation device and the first device in a non-email manner, for example by transmission to the customer via an instant tool, or by on-site delivery personnel for delivery to the customer for acceptance after introduction into the on-site system.
Fig. 3 is a schematic diagram of a client environment and a group environment. As shown in fig. 3, in the group environment, an authorization device may generate an authorization file according to the authorization information of a target object and send the authorization file to the client's mailbox by e-mail; after obtaining the authorization file from the mailbox, the client may import it into the client environment, which may be an environment without external network access and may include a first device and a target device. The client or project manager activates a console on the client's first device via a remote VPN so that the authorization file is available in the client environment. In the client environment, the client can use the authorization file to verify and authorize a target object on the target device through the console, and the accessed target object can register limit information.
It should be noted that, in the group environment, the authorization device generates an authorization file for the client device and then sends it to the client by e-mail; the client takes the authorization file and imports it into the client's site environment, where the client site may be an environment without external network access.
Fig. 4 is a schematic diagram of an authorization service. As shown in fig. 4, the client authorization file is mainly implemented by RSA encryption, and the certificate contains a binding to the client's deployment device information (client machine SN). Multiple encryption rules can be generated for AES encryption and NKE encryption to produce the authorization file, where AES encryption uses the client's unique AES key sequence, that is, each client randomly generates N 256-bit encryption keys and performs encryption and decryption with a specific key according to the version. The on-site authorization service can provide authorization activation and update capability, authorization resolution and query capability, product information registration capability, service limitation and recovery, information interaction with cloud products (authorization, information and reminders) and information processing for cloud products (registering instances, destroying instances, limit restrictions and the like), and can remind the client at a specific time that the authorization protocol is about to expire. The encryption mode of the client information can be RSA encryption; the delivered client may also be delivered unencrypted, or with only one layer of encryption (not limited to AES).
Through the steps, firstly, the authorization device acquires the device information of the first device and the authorization information of the target object, wherein the authorization information is used for verifying the legality of the target object used by the target device; the authorization device generates an authorization file corresponding to the first device based on the device information and the authorization information; the authorization device transmits the authorization file to the first device, wherein the authorization file is used for verifying the target device through the first device, and the purpose of improving the product authorization efficiency is achieved. It is easy to note that the authorization device may generate an authorization file corresponding to the first device according to the device information of the first device and the authorization information of the target object, and transmit the authorization file to the first device, so that the first device may verify the validity of the target object used by the target device through the authorization file, and may authorize the target object on the target device through the authorization file if the verification is successful, where the target object may be software, so as to improve the efficiency of software authorization, and further solve the technical problem in the related art that the efficiency of software authorization is low.
In the foregoing embodiment of the present application, the generating, by the authorization device, the authorization file corresponding to the first device based on the device information and the authorization information includes: the method comprises the steps that an authorization device obtains a device serial number contained in device information, wherein the device serial number is used for activating an authorization service, the authorization service is installed on a first device, and the authorization service is used for verifying a target device through the activated authorization service; the authorization device generates an authorization file based on the device serial number and the authorization information.
The device serial number may be an AES key sequence of the first device, where AES is encrypted using a unique AES key sequence of the first device.
It should be noted that the first device of each client randomly generates N 256-bit encryption keys, and performs encryption and decryption with a specific key according to the version.
The authorization information may be server information deployed on the first device.
In an optional embodiment, the server information deployed on the first device may be encrypted to generate an authorization ciphertext, and an authorization file may be generated according to the authorization ciphertext and the device serial number, so as to improve security of authorization.
In an optional embodiment, the authorization device may obtain the AES key sequence included in the device information, and the authorization device may generate an authorization file for the first device according to the AES key sequence and the authorization information of the target object, so that the first device may activate the authorization service on the first device according to the authorization file, so that the first device may authorize the target object of the target device through the authorization service.
In the above embodiments of the present application, the generating, by the authorization device, the authorization file based on the device serial number and the authorization information includes: the authorization equipment encrypts the authorization information to obtain an authorization ciphertext; and generating an authorization file based on the authorization ciphertext and the equipment serial number.
The authorization cryptogram may include, but is not limited to, SN, delivery cryptogram, client authorization cryptogram, and signature.
In an alternative embodiment, the authorization device may encrypt with the independent key pair of the first device to obtain an authorization ciphertext, so that the first device may decrypt the authorization ciphertext and activate the authorization service through the decrypted file, so that the first device can use the authorization service.
In another alternative embodiment, the authorization device may perform one-layer encryption on the authorization information to obtain the authorization file, or the authorization device may perform multi-layer encryption on the authorization information to obtain the authorization file. Optionally, the authorization device may perform three-layer encryption processing on the authorization information through RSA encryption, AES dynamic KEY encryption and NKE encryption to obtain the authorization ciphertext.
In the foregoing embodiment of the present application, the encrypting, by the authorization device, the authorization information to obtain the authorization ciphertext includes: the method comprises the steps that an authorization device obtains a first public key corresponding to a first device; the authorization device encrypts the authorization information by using the first public key to obtain an authorization ciphertext.
The first public key may be an RSA public key.
The encryption method may be RSA encryption.
The authorization cryptogram can be a client authorization cryptogram.
In an alternative embodiment, the authorization device may obtain the RSA public key in the client device's independent key pair, and then encrypt the authorization information of at least one cloud product by using the RSA public key to obtain an authorization ciphertext.
In the above embodiments of the present application, generating the authorization file based on the authorization cryptogram and the device serial number further includes: the method comprises the steps that an authorization device obtains a first private key corresponding to a first device; the authorization equipment encrypts the first public key in multiple layers to obtain a public key ciphertext; the authorization device signs the authorization ciphertext by using the first private key to obtain a signature file; and the authorization device generates an authorization file based on the authorization ciphertext, the device serial number, the public key ciphertext and the signature file.
The first private key may be an RSA private key.
The public key cryptograph can be the delivery SN and the delivery cryptograph.
The multi-layer encryption is at least twice encryption, wherein the multi-layer encryption can be AES encryption and then NKE encryption. The multi-layer encryption may also be NKE encryption followed by AES encryption.
In an alternative embodiment, the authorization device may perform AES encryption and NKE encryption on the RSA public key to obtain the delivery SN and the delivery ciphertext. The authorization device can obtain a first private key corresponding to the first device, and perform key signature on the client authorization ciphertext by using the first private key to obtain a signature file, and the authorization device can generate the authorization file according to the authorization ciphertext, the device serial number, the public key ciphertext and the signature file. Optionally, the authorization device may package the authorization ciphertext, the device serial number, the public key ciphertext, and the signature file by using a go language to obtain the authorization file.
In the foregoing embodiment of the present application, the performing, by the authorization device, multi-layer encryption on the first public key to obtain a public key ciphertext includes: the authorization equipment acquires a second key sequence corresponding to the first equipment; the authorization equipment encrypts the first public key by using the second key sequence to obtain a first ciphertext; and the authorization equipment encrypts the first ciphertext without a secret key to obtain a public key ciphertext.
The second Key sequence may be an AES Key sequence.
The above-described keyless encryption may be implemented by a keyless encryption algorithm.
In an optional embodiment, the authorization device may obtain an AES key sequence corresponding to the first device, the authorization device may encrypt the RSA public key by using the AES key sequence to obtain a first ciphertext, and then the authorization device may encrypt the first ciphertext by NKE to obtain a public key ciphertext.
In the above embodiment of the present application, the method further includes: the authorization equipment encrypts the first private key by using the second key sequence to obtain a second ciphertext; the authorization equipment encrypts the second ciphertext without a secret key to obtain a private key ciphertext; the authorization device transmits the second key sequence and the private key ciphertext to the first device.
In an alternative embodiment, the authorization device may perform AES encryption on the RSA private Key through an AES Key sequence to obtain a second ciphertext, the authorization device may perform keyless encryption on the second ciphertext by using NKE to obtain a private Key ciphertext, and the authorization device may transmit the second Key sequence and the RSA private Key ciphertext to the first device in the client device.
In the above embodiments of the present application, the transmitting, by the authorization device, the authorization file to the first device includes one of: the authorization device sends the authorization file to the second device, wherein the authorization file is imported into the first device in a data import mode; and the authorization equipment sends the authorization file to the second equipment, wherein the authorization file is sent to the first equipment by the second equipment in a virtual private network mode.
The second device may be a device of a customer manager.
In an alternative embodiment, the authorization device may send the authorization file to the second device by mail, and the second device may send the authorization file to the first device by one-time import, configuration content or data import through the virtual private network.
Fig. 5 is a schematic diagram of an authorization device according to an embodiment of the application. As shown in fig. 5, when each client registers in the system of the authorization device (group environment), the system generates a unique RSA key pair and AES key sequence for the client (updatable when the client system is upgraded), and generates a client authorization (usage certificate) for the client according to the client's deployment server information and the authorization protocol of each cloud product, that is, it generates authorization information of each cloud product for the client. After the RSA public key and the client authorization are encrypted by AES and NKE, four contents are generated, namely the SN, the delivery ciphertext, the client authorization ciphertext and the signature, and these four contents form the authorization file to be delivered to the client. The RSA private key is encrypted by AES and NKE to generate an RSA private key ciphertext, and the RSA private key ciphertext and the AES key sequence are generated and packaged (go language packaging) into the license service and the cloud product SDK.
Fig. 6 is a schematic diagram of an authorization service and a cloud product according to an embodiment of the present application. As shown in fig. 6, the authorization service (client site) itself already holds the RSA private key ciphertext and AES key sequence of the client, so the system can allow the client to import the authorization file content after starting. The SN in the authorization file is activated by the user on the customer interface as a product activation code. The corresponding original information is stored in the authorization database and decrypted for use during its service life. The authorization service is bound to the client server information (machine SN) and cannot be started on a non-designated server. The authorization service allows the cloud product to register an instance of the corresponding cloud product or its environment information in order to verify whether its authorization exists. The interaction mode is HTTPS, that is, the authorization service opens an HTTPS service for the cloud product to call. The cloud product uses the authorization service SDK to invoke the authorization service, and the main interfaces are four: authorization protocol query, product authorization query, instance registration and destruction, and instance heartbeat detection.
Through the above, the authorization services of various cloud products can be combined into a unified authorization service platform, so that each cloud product does not need to handle its own product authorization. A three-layer encryption protocol can be used in the authorization system to achieve higher security, where the three layers are RSA encryption, AES encryption and NKE encryption; the non-updatable authorization service can be turned into an updatable authorization service while security is ensured. Authorization in an environment without external network support can thus be achieved on the basis of guaranteeing authorization security.
Example 2
According to an embodiment of the present invention, an embodiment of an object authorization method is further provided, and fig. 7 is a flowchart of an object authorization method according to a second embodiment of the present invention.
In step S702, the first device receives an authorization file transmitted by an authorization device.
The authorization file is generated based on the device information of the first device and the authorization information of the target object, and the authorization information is used for verifying the legality of the target object used by the target device.
In step S704, the first device verifies the target device based on the authorization file.
In the foregoing embodiment of the present application, the verifying, by the first device, the target device based on the authorization file includes: analyzing the authorization file in the first equipment to obtain an equipment serial number and authorization information; the method comprises the steps that an authorization service in first equipment is activated based on an equipment serial number in the first equipment, the authorization service is installed on the first equipment, and the authorization service is used for verifying target equipment through the activated authorization service; in response to successful activation of the authorization service, the first device authenticates the target device based on the authorization information.
In the foregoing embodiment of the present application, the authorization file is generated based on an authorization ciphertext and an equipment serial number, the authorization ciphertext is obtained by encrypting authorization information, and the first equipment analyzes the authorization file to obtain the authorization information, where: and the first equipment decrypts the authorization ciphertext contained in the authorization file to obtain the authorization information.
In the foregoing embodiment of the present application, the authorization ciphertext is obtained by encrypting the authorization information using a first public key corresponding to the first device, and the decrypting, by the first device, of the authorization ciphertext included in the authorization file to obtain the authorization information includes: the first device obtains a first private key corresponding to the first device; and the first device decrypts the authorization ciphertext by using the first private key to obtain the authorization information.
In the above embodiments of the present application, the authorization file further includes a public key ciphertext and a signature file, where the public key ciphertext is obtained by performing multi-layer encryption on the first public key, and the signature file is obtained by signing the authorization ciphertext with the first private key, and the method further includes: the first device performs multi-layer decryption on the public key ciphertext to obtain the first public key; the first device verifies the signature of the signature file by using the first public key to obtain a signature verification result; and the first device verifies the target device based on the signature verification result and the authorization information.
Multi-layer decryption refers to at least two decryptions, where the multi-layer decryption can be AES decryption followed by NKE decryption, or NKE decryption followed by AES decryption.
In the foregoing embodiment of the present application, the multi-layer decryption of the public key ciphertext by the first device to obtain the first public key includes: the first equipment acquires a second key sequence corresponding to the first equipment; the first equipment decrypts the public key ciphertext without a secret key to obtain a first ciphertext; and the first equipment decrypts the first ciphertext by using the second key sequence to obtain a first public key.
In the foregoing embodiment of the present application, the obtaining, by the first device, the first private key corresponding to the first device includes: the first device acquires a private key ciphertext corresponding to the first private key, wherein the private key ciphertext and the second key sequence are transmitted to the first device by the authorization device; the first equipment decrypts the private key ciphertext without the secret key to obtain a second ciphertext; and the first equipment decrypts the second ciphertext by using the second key sequence to obtain the first private key.
In the above embodiment of the present application, the method further includes: the method comprises the steps that first equipment receives an inquiry request sent by a target object, wherein the inquiry request is used for inquiring authorization information; the first equipment encrypts the authorization information by using the first public key to obtain an authorization ciphertext; the first equipment encrypts the authorization ciphertext by using the second key sequence to obtain a query result; and the first equipment sends the query result to the target equipment, wherein the private key ciphertext and the second key sequence are transmitted to the first equipment by the authorization equipment.
In an optional embodiment, the first device may receive an inquiry request sent by the cloud product so as to inquire the authorization information of the cloud product through the authorization service, the first device may encrypt the authorization ciphertext by using the second key sequence to obtain an inquiry result so as to inquire the authorization information of the cloud product, and the first device may send the authorization information of the cloud product to a target device where a target object is located so as to authorize the cloud product for use on the target device.
In the above embodiment of the present application, before the first device decrypts the authorization ciphertext by using the first private key to obtain the authorization information, the method further includes: the first device determines a target device corresponding to the first device based on the first private key; the first device determines whether the first device is a target device based on the device information of the first device; and in response to the first device being the target device, the first device decrypts the authorization ciphertext by using the first private key to obtain the authorization information.
In an optional embodiment, the target device and the first device have a binding relationship, and for the processing of the binding relationship between the target device and the authorized device, the binding may be performed by using a hash result of other hardware algorithms of the device.
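The issuing flow of Example 1 (authorization ciphertext under the client's RSA public key, signature with the private key, public key and private key wrapped with the AES key sequence, the four items packaged into the file) together with the activation flow of Example 2 (machine SN binding, unwrapping of the public key, signature verification, recovery of the private key and decryption of the authorization information), as one added Go example. It is not the patent's or Alibaba's code. It assumes RSA-OAEP, RSA-PSS and AES-GCM as the concrete RSA and AES modes, and because NKE (keyless encryption) is not specified on the page, it applies a single AES-GCM layer where the patent applies AES followed by NKE; the SN value and the authorization information are constructed samples.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// AuthFile holds the four items delivered to the client: SN, delivery ciphertext
// (the wrapped RSA public key), client authorization ciphertext and signature.
// NKE is unspecified on the page, so one AES-GCM layer stands in for AES+NKE here.
type AuthFile struct {
	SN         string
	DeliveryCT []byte // AES-GCM(keySeq, RSA public key DER)
	AuthCT     []byte // RSA-OAEP(client public key, authorization info)
	Signature  []byte // RSA-PSS(client private key, SHA-256(AuthCT))
}

// ServiceBundle is what the issuer packages into the on-site authorization service.
type ServiceBundle struct {
	KeySeq    []byte // per-client 256-bit AES key sequence (assumed AES-256)
	PrivKeyCT []byte // AES-GCM(keySeq, RSA private key DER)
}

// must turns unrecoverable setup failures (key generation, RNG) into a panic.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

func gcmFor(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// wrap returns nonce || ciphertext || tag under a fresh random nonce.
func wrap(key, pt []byte) []byte {
	g := gcmFor(key)
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, pt, nil)
}

func unwrap(key, ct []byte) ([]byte, error) {
	g := gcmFor(key)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("truncated ciphertext")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// Issue is the authorization-device side for one client: a fresh RSA pair and AES
// key sequence, the authorization info encrypted under the public key and signed,
// and both keys wrapped. The SN doubles as the OAEP label (an assumption of this
// example), so the authorization ciphertext only opens with the matching SN.
func Issue(sn string, authInfo []byte) (AuthFile, ServiceBundle) {
	priv := must(rsa.GenerateKey(rand.Reader, 2048))
	keySeq := make([]byte, 32)
	must(rand.Read(keySeq))
	authCT := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, authInfo, []byte(sn)))
	digest := sha256.Sum256(authCT)
	sig := must(rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil))
	pubDER := must(x509.MarshalPKIXPublicKey(&priv.PublicKey))
	return AuthFile{SN: sn, DeliveryCT: wrap(keySeq, pubDER), AuthCT: authCT, Signature: sig},
		ServiceBundle{KeySeq: keySeq, PrivKeyCT: wrap(keySeq, x509.MarshalPKCS1PrivateKey(priv))}
}

// Activate is the first-device side: reject a file bound to another machine SN,
// unwrap the public key and check the signature before the private key is used,
// then recover the private key and decrypt the authorization info.
func Activate(localSN string, f AuthFile, b ServiceBundle) ([]byte, error) {
	if f.SN != localSN {
		return nil, fmt.Errorf("authorization file is bound to SN %q, not this machine", f.SN)
	}
	pubDER, err := unwrap(b.KeySeq, f.DeliveryCT)
	if err != nil {
		return nil, fmt.Errorf("delivery ciphertext: %w", err)
	}
	pubAny, err := x509.ParsePKIXPublicKey(pubDER)
	pub, ok := pubAny.(*rsa.PublicKey)
	if err != nil || !ok {
		return nil, errors.New("delivery ciphertext is not an RSA public key")
	}
	digest := sha256.Sum256(f.AuthCT)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], f.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	privDER, err := unwrap(b.KeySeq, b.PrivKeyCT) // issuer-packaged and GCM-authenticated
	if err != nil {
		return nil, fmt.Errorf("private key ciphertext: %w", err)
	}
	return rsa.DecryptOAEP(sha256.New(), nil, must(x509.ParsePKCS1PrivateKey(privDER)), f.AuthCT, []byte(localSN))
}

func main() {
	// Constructed sample SN and authorization information, not taken from the patent.
	f, b := Issue("SN-EXAMPLE-0001", []byte(`{"product":"demo","expires":"2023-02-15","instances":8}`))
	info, err := Activate("SN-EXAMPLE-0001", f, b)
	fmt.Println(string(info), err)
}
```

The order of checks in Activate is the point worth keeping: the SN comparison and the signature verification both happen before the wrapped private key is touched, so a file copied from another machine or an altered authorization ciphertext is rejected without any private-key operation, and the AES-GCM wrapping makes tampering with the delivery or private key ciphertext detectable rather than silently producing garbage keys.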
It should be noted that the above modules may be operated in the computer terminal 10 provided in embodiment 1 as a part of the apparatus.
Example 3
According to an embodiment of the present invention, there is also provided an object authorization apparatus for implementing the object authorization method, fig. 8 is a schematic diagram of an object authorization apparatus, as shown in fig. 8, the apparatus 800 includes: an obtaining module 802, a generating module 804, and a transmitting module 806.
The obtaining module is used for obtaining device information of the first device and authorization information of a target object, where the authorization information is used for verifying the legality of the target object used by the target device; the generating module is used for generating an authorization file corresponding to the first device based on the device information and the authorization information; the transmitting module is used for transmitting the authorization file to the first device, where the authorization file is used for verifying the target device through the first device.
It should be noted here that the obtaining module 802, the generating module 804, and the transmitting module 806 correspond to steps S202 to S206 in embodiment 1, and the three modules are the same as the corresponding steps in the implementation scenario, but are not limited to the disclosure in the first embodiment.
In the above embodiment of the present application, the generating module includes: the device comprises a first acquisition unit and a generation unit.
The first acquisition unit is used for acquiring an equipment serial number contained in the equipment information, wherein the equipment serial number is used for activating an authorization service, the authorization service is installed on the first equipment, and the authorization service is used for verifying target equipment through the activated authorization service; the generation unit is used for generating an authorization file based on the equipment serial number and the authorization information.
In the above embodiments of the present application, the generating unit includes: an encryption subunit and a generation subunit.
The encryption subunit is used for encrypting the authorization information to obtain an authorization ciphertext; the generation subunit is used for generating an authorization file based on the authorization ciphertext and the device serial number.
In the above embodiment of the present application, the encryption subunit is configured to obtain a first public key corresponding to the first device; the encryption subunit is configured to encrypt the authorization information by using the first public key to obtain an authorization ciphertext.
In the above embodiment of the present application, the apparatus further includes: the device comprises an encryption module and a signature module.
The obtaining module is further used for obtaining a first private key corresponding to the first device; the encryption module is also used for carrying out multi-layer encryption on the first public key to obtain a public key ciphertext; the signature module is also used for signing the authorization ciphertext by using the first private key to obtain a signature file; the generation module is also used for generating an authorization file based on the authorization ciphertext, the equipment serial number, the public key ciphertext and the signature file.
In the above embodiments of the present application, the encryption module includes: a second obtaining unit and an encrypting unit.
The second obtaining unit is used for obtaining a second key sequence corresponding to the first device; the encryption unit is used for encrypting the first public key by using the second key sequence to obtain a first ciphertext; the encryption unit is further used for carrying out non-key encryption on the first ciphertext to obtain a public key ciphertext.
In the above embodiment of the present application, the encryption module is further configured to encrypt the first private key by using the second key sequence to obtain a second ciphertext; the encryption module is also used for carrying out non-key encryption on the second ciphertext to obtain a private key ciphertext; the transmission module is further configured to transmit the second key sequence and the private key ciphertext to an authorization service.
In the above embodiment of the present application, the transmission module includes: and a sending unit.
The sending unit is used for sending the authorization file to the second equipment, wherein the authorization file is imported into the authorization service in a data import mode; the sending unit is further configured to send the authorization file to the second device, where the authorization file is sent to the authorization service by the second device through a virtual private network.
In the above embodiments of the present application, the authorization service is compiled into a binary file in a target language for processing, and the target object is processed through a dynamic link library in the target language.
It should be noted that the above modules may be operated in the computer terminal 10 provided in embodiment 1 as a part of the apparatus.
Example 4
According to an embodiment of the present invention, there is also provided an object authorization apparatus for implementing the object authorization method, fig. 9 is a schematic diagram of an object authorization apparatus, as shown in fig. 9, the apparatus 900 includes: a receiving module 902 and an authentication module 904.
The receiving module is used for receiving an authorization file transmitted by authorization equipment, wherein the authorization file is generated based on equipment information of the first equipment and authorization information of a target object, and the authorization information is used for verifying the legality of the target object used by the target equipment; the verification module is used for verifying the target equipment based on the authorization file.
It should be noted here that the receiving module 902 and the verification module 904 correspond to steps S702 to S704 in embodiment 2, and the two modules are the same as the corresponding steps in the implementation example and application scenario, but are not limited to the disclosure in the first embodiment.
It should be noted that the above modules may be operated in the computer terminal 10 provided in embodiment 1 as a part of the apparatus.
Example 5
The embodiment of the invention can provide a computer terminal which can be any computer terminal device in a computer terminal group. Optionally, in this embodiment, the computer terminal may also be replaced with a terminal device such as a mobile terminal.
Optionally, in this embodiment, the computer terminal may be located in at least one network device of a plurality of network devices of a computer network.
In this embodiment, the computer terminal may execute the program code of the following steps in the object authorization method: the method comprises the steps that an authorization device obtains device information of a first device and authorization information of a target object, wherein the authorization information is used for verifying the legality of the target object used by the target device; the authorization device generates an authorization file corresponding to the first device based on the device information and the authorization information; the authorization device transmits an authorization file to the first device, wherein the authorization file is used to authenticate the target device with the first device.
Alternatively, fig. 10 is a block diagram of a computer terminal according to an embodiment of the present invention. As shown in fig. 10, the computer terminal 10 may include: one or more processors (only one shown), memory.
The memory may be configured to store software programs and modules, such as program instructions/modules corresponding to the object authorization method and apparatus in the embodiments of the present invention, and the processor executes various functional applications and data processing by running the software programs and modules stored in the memory, so as to implement the object authorization method. The memory may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory may further include memory located remotely from the processor, and these remote memories may be connected to the terminal through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The processor can call the information and application programs stored in the memory through the transmission device to execute the following steps: an authorization device obtains device information of a first device and authorization information of a target object, where the authorization information is used to verify that a target device is legitimately entitled to use the target object; the authorization device generates an authorization file corresponding to the first device based on the device information and the authorization information; and the authorization device transmits the authorization file to the first device, where the first device uses the authorization file to verify the target device.
Optionally, the processor may further execute program code for the following steps: the authorization device obtains a device serial number contained in the device information, where the device serial number is used to activate an authorization service installed on the first device, and the first device verifies the target device through the activated authorization service; the authorization device generates the authorization file based on the device serial number and the authorization information.
Optionally, the processor may further execute program code for the following steps: the authorization device encrypts the authorization information to obtain an authorization ciphertext; the authorization device generates the authorization file based on the authorization ciphertext and the device serial number.
Optionally, the processor may further execute program code for the following steps: the authorization device obtains a first public key corresponding to the first device; the authorization device encrypts the authorization information with the first public key to obtain the authorization ciphertext.
Optionally, the processor may further execute program code for the following steps: the authorization device obtains a first private key corresponding to the first device; the authorization device applies multi-layer encryption to the first public key to obtain a public key ciphertext; the authorization device signs the authorization ciphertext with the first private key to obtain a signature file; and the authorization device generates the authorization file from the authorization ciphertext, the device serial number, the public key ciphertext and the signature file.
Optionally, the processor may further execute program code for the following steps: the authorization device obtains a second key sequence corresponding to the first device; the authorization device encrypts the first public key with the second key sequence to obtain a first ciphertext; and the authorization device applies keyless encryption to the first ciphertext to obtain the public key ciphertext.
Optionally, the processor may further execute program code for the following steps: the authorization device encrypts the first private key with the second key sequence to obtain a second ciphertext; the authorization device applies keyless encryption to the second ciphertext to obtain a private key ciphertext; and the authorization device transmits the second key sequence and the private key ciphertext to the first device.
Optionally, the processor may further execute program code for the following steps: the authorization device sends the authorization file to a second device, which imports it into the first device by data import; or the authorization device sends the authorization file to the second device, which forwards it to the first device over a virtual private network.
Optionally, the processor may further execute program code for the following steps: the authorization service is compiled into a binary file in a target language, and the target object is handled as a dynamic link library in the same target language.
The processor can also call the information and application programs stored in the memory through the transmission device to execute the following steps: a first device receives an authorization file transmitted by an authorization device, where the authorization file is generated from the device information of the first device and the authorization information of a target object, and the authorization information is used to verify that a target device is legitimately entitled to use the target object; the first device verifies the target device based on the authorization file.
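The step list above (device serial number, encryption of the authorization information under the first public key, signature over the ciphertext with the first private key, multi-layer wrapping of the key pair under the second key sequence, assembly of the authorization file, and verification on the first device) as one worked example in Go. This is an added illustration by the editor, not code from the patent or from Alibaba. The patent names no algorithms, so everything concrete here is an assumption: RSA-OAEP for the authorization ciphertext, RSA-PSS for the signature file, AES-GCM under the second key sequence as the inner wrapping layer with base64 as the "keyless" outer layer, JSON for the authorization information, generation of the first key pair inside Issue, and the constructed values "SN-0001", "dev-001", "libtarget.so" and the 32-byte key sequence.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// AuthInfo is the authorization information; its fields are constructed for this example.
type AuthInfo struct {
	TargetDevice string // the target device entitled to use TargetObject
	TargetObject string
}

// AuthFile holds the four parts the page names for the authorization file.
type AuthFile struct {
	Serial       string // device serial number of the first device
	AuthCipher   []byte // authorization ciphertext: AuthInfo under the first public key
	PubKeyCipher string // public key ciphertext: the wrapped first public key
	Signature    []byte // signature file over AuthCipher
}

// must panics on error; used only where failure means a setup bug, never on untrusted input.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// wrapKey is our reading of "multi-layer encryption": AES-GCM under the second key sequence, then base64 as the keyless outer layer (assumed).
func wrapKey(keySeq, der []byte) string {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(keySeq))))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, der, nil))
}

// unwrapKey reverses wrapKey; malformed or tampered input returns an error, not a panic.
func unwrapKey(keySeq []byte, outer string) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(keySeq))))
	ct, err := base64.StdEncoding.DecodeString(outer)
	if err != nil || len(ct) < gcm.NonceSize() {
		return nil, errors.New("malformed key ciphertext")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

// Issue is the authorization-device side. The private key ciphertext is returned separately because the page transmits it apart from the file, together with keySeq.
func Issue(serial string, info AuthInfo, keySeq []byte) (AuthFile, string) {
	priv := must(rsa.GenerateKey(rand.Reader, 2048)) // first key pair for this device (assumed to be generated here)
	plain := must(json.Marshal(info))
	authCipher := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, plain, nil))
	digest := sha256.Sum256(authCipher)
	sig := must(rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil))
	pubCipher := wrapKey(keySeq, must(x509.MarshalPKIXPublicKey(&priv.PublicKey)))
	return AuthFile{serial, authCipher, pubCipher, sig}, wrapKey(keySeq, x509.MarshalPKCS1PrivateKey(priv))
}

// Verify is the first-device side: serial check, then the signature over the ciphertext before any decryption, then the requesting target device.
func Verify(f AuthFile, mySerial string, keySeq []byte, privCipher, requester string) (AuthInfo, error) {
	var info AuthInfo
	if f.Serial != mySerial {
		return info, errors.New("authorization file was issued for another device")
	}
	pubDER, err := unwrapKey(keySeq, f.PubKeyCipher)
	if err != nil { return info, err }
	pubAny, err := x509.ParsePKIXPublicKey(pubDER)
	pub, ok := pubAny.(*rsa.PublicKey)
	if err != nil || !ok {
		return info, errors.New("first public key is malformed or not RSA")
	}
	digest := sha256.Sum256(f.AuthCipher)
	if rsa.VerifyPSS(pub, crypto.SHA256, digest[:], f.Signature, nil) != nil {
		return info, errors.New("signature check failed")
	}
	privDER, err := unwrapKey(keySeq, privCipher) // the separately delivered private key ciphertext
	if err != nil { return info, err }
	priv, err := x509.ParsePKCS1PrivateKey(privDER)
	if err != nil { return info, err }
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, priv, f.AuthCipher, nil)
	if err != nil { return info, err }
	if err := json.Unmarshal(plain, &info); err != nil || info.TargetDevice != requester {
		return AuthInfo{}, errors.New("authorization does not name the requesting target device")
	}
	return info, nil
}

func main() {
	keySeq := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte second key sequence
	f, privCipher := Issue("SN-0001", AuthInfo{"dev-001", "libtarget.so"}, keySeq)
	fmt.Println(Verify(f, "SN-0001", keySeq, privCipher, "dev-001"))
}
```

Verify rejects, in order, a file issued for another serial number, a file whose signature does not match its ciphertext, a key ciphertext that does not open under the supplied second key sequence, and a request from a target device other than the one named in the authorization information. Two points a practitioner will notice follow from the page's own description rather than from this example: the same first key pair both encrypts the authorization information and signs the ciphertext, and the second key sequence is delivered to the same first device as the private key ciphertext, so the wrapping layer protects the keys only as far as those two deliveries are kept apart.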
With the embodiment of the invention, the authorization device first obtains the device information of the first device and the authorization information of the target object, the authorization information being used to verify that the target device is legitimately entitled to use the target object; the authorization device then generates an authorization file corresponding to the first device from the device information and the authorization information and transmits it to the first device, which uses the authorization file to verify the target device. This improves product authorization efficiency. Note that the authorization device generates an authorization file bound to the first device from that device's information and the target object's authorization information and transmits it to the first device; the first device can then use the authorization file to check whether the target device may use the target object and, if the check succeeds, authorize the target object on the target device. The target object may be software, so software authorization becomes more efficient, which addresses the low efficiency of software authorization in the related art.
Those skilled in the art will understand that the structure shown in fig. 10 is only an illustration; the computer terminal may also be a terminal device such as a smart phone (e.g., an Android phone or an iOS phone), a tablet computer, a palmtop computer, a Mobile Internet Device (MID), a PAD, and the like. Fig. 10 does not limit the structure of the electronic device. For example, the computer terminal 10 may also include more or fewer components (e.g., network interfaces, display devices, etc.) than shown in fig. 10, or have a different configuration from that shown in fig. 10.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a computer-readable storage medium, and the storage medium may include: flash disks, Read-Only memories (ROMs), Random Access Memories (RAMs), magnetic or optical disks, and the like.
Example 6
The embodiment of the invention also provides a storage medium. Optionally, in this embodiment, the storage medium may be configured to store program code for executing the object authorization method provided in the first embodiment.
Optionally, in this embodiment, the storage medium may be located in any one of computer terminals in a computer terminal group in a computer network, or in any one of mobile terminals in a mobile terminal group.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: an authorization device obtains device information of a first device and authorization information of a target object, where the authorization information is used to verify that a target device is legitimately entitled to use the target object; the authorization device generates an authorization file corresponding to the first device based on the device information and the authorization information; and the authorization device transmits the authorization file to the first device, where the first device uses the authorization file to verify the target device.
Optionally, the storage medium is further configured to store program code for performing the following steps: the authorization device obtains a device serial number contained in the device information, where the device serial number is used to activate an authorization service installed on the first device, and the first device verifies the target device through the activated authorization service; the authorization device generates the authorization file based on the device serial number and the authorization information.
Optionally, the storage medium is further configured to store program code for performing the following steps: the authorization device encrypts the authorization information to obtain an authorization ciphertext; the authorization device generates the authorization file based on the authorization ciphertext and the device serial number.
Optionally, the storage medium is further configured to store program code for performing the following steps: the authorization device obtains a first public key corresponding to the first device; the authorization device encrypts the authorization information with the first public key to obtain the authorization ciphertext.
Optionally, the storage medium is further configured to store program code for performing the following steps: the authorization device obtains a first private key corresponding to the first device; the authorization device applies multi-layer encryption to the first public key to obtain a public key ciphertext; the authorization device signs the authorization ciphertext with the first private key to obtain a signature file; and the authorization device generates the authorization file from the authorization ciphertext, the device serial number, the public key ciphertext and the signature file.
Optionally, the storage medium is further configured to store program code for performing the following steps: the authorization device obtains a second key sequence corresponding to the first device; the authorization device encrypts the first public key with the second key sequence to obtain a first ciphertext; and the authorization device applies keyless encryption to the first ciphertext to obtain the public key ciphertext.
Optionally, the storage medium is further configured to store program code for performing the following steps: the authorization device encrypts the first private key with the second key sequence to obtain a second ciphertext; the authorization device applies keyless encryption to the second ciphertext to obtain a private key ciphertext; and the authorization device transmits the second key sequence and the private key ciphertext to the first device.
Optionally, the storage medium is further configured to store program code for performing the following steps: the authorization device sends the authorization file to a second device, which imports it into the first device by data import; or the authorization device sends the authorization file to the second device, which forwards it to the first device over a virtual private network.
Optionally, the storage medium is further configured to store program code for performing the following steps: the authorization service is compiled into a binary file in a target language, and the target object is handled as a dynamic link library in the same target language.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: a first device receives an authorization file transmitted by an authorization device, where the authorization file is generated from the device information of the first device and the authorization information of a target object, and the authorization information is used to verify that a target device is legitimately entitled to use the target object; the first device verifies the target device based on the authorization file.
With the embodiment of the invention, the authorization device first obtains the device information of the first device and the authorization information of the target object, the authorization information being used to verify that the target device is legitimately entitled to use the target object; the authorization device then generates an authorization file corresponding to the first device from the device information and the authorization information and transmits it to the first device, which uses the authorization file to verify the target device. This improves product authorization efficiency. Note that the authorization device generates an authorization file bound to the first device from that device's information and the target object's authorization information and transmits it to the first device; the first device can then use the authorization file to check whether the target device may use the target object and, if the check succeeds, authorize the target object on the target device. The target object may be software, so software authorization becomes more efficient, which addresses the low efficiency of software authorization in the related art.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed technology can be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
The foregoing is only a preferred embodiment of the present invention. Those skilled in the art can make various modifications and variations without departing from the principle of the invention, and such modifications and variations also fall within the protection scope of the invention.

Claims (14)

1. An object authorization method, comprising:
an authorization device obtaining device information of a first device and authorization information of a target object, wherein the authorization information is used to verify that a target device is legitimately entitled to use the target object;
the authorization device generating an authorization file corresponding to the first device based on the device information and the authorization information; and
the authorization device transmitting the authorization file to the first device, wherein the first device uses the authorization file to verify the target device.
2. The method of claim 1, wherein the authorization device generating the authorization file corresponding to the first device based on the device information and the authorization information comprises:
the authorization device obtaining a device serial number contained in the device information, wherein the device serial number is used to activate an authorization service installed on the first device, and the first device verifies the target device through the activated authorization service; and
the authorization device generating the authorization file based on the device serial number and the authorization information.
3. The method of claim 2, wherein the authorization device generating the authorization file based on the device serial number and the authorization information comprises:
the authorization device encrypting the authorization information to obtain an authorization ciphertext; and
the authorization device generating the authorization file based on the authorization ciphertext and the device serial number.
4. The method of claim 3, wherein the authorization device encrypting the authorization information to obtain the authorization ciphertext comprises:
the authorization device obtaining a first public key corresponding to the first device; and
the authorization device encrypting the authorization information with the first public key to obtain the authorization ciphertext.
5. The method of claim 4, wherein generating the authorization file based on the authorization ciphertext and the device serial number further comprises:
the authorization device obtaining a first private key corresponding to the first device;
the authorization device applying multi-layer encryption to the first public key to obtain a public key ciphertext;
the authorization device signing the authorization ciphertext with the first private key to obtain a signature file; and
the authorization device generating the authorization file based on the authorization ciphertext, the device serial number, the public key ciphertext and the signature file.
6. The method of claim 5, wherein the authorization device applying multi-layer encryption to the first public key to obtain the public key ciphertext comprises:
the authorization device obtaining a second key sequence corresponding to the first device;
the authorization device encrypting the first public key with the second key sequence to obtain a first ciphertext; and
the authorization device applying keyless encryption to the first ciphertext to obtain the public key ciphertext.
7. The method of claim 6, further comprising:
the authorization device encrypting the first private key with the second key sequence to obtain a second ciphertext;
the authorization device applying keyless encryption to the second ciphertext to obtain a private key ciphertext; and
the authorization device transmitting the second key sequence and the private key ciphertext to the first device.
8. The method of claim 2, wherein the authorization service is compiled into a binary file in a target language, and the target object is handled as a dynamic link library in the target language.
9. An object authorization method, comprising:
a first device receiving an authorization file transmitted by an authorization device, wherein the authorization file is generated based on device information of the first device and authorization information of a target object, and the authorization information is used to verify that a target device is legitimately entitled to use the target object; and
the first device verifying the target device based on the authorization file.
10. An object authorization apparatus, disposed in an authorization device, comprising:
an acquisition module, configured to acquire device information of a first device and authorization information of a target object, wherein the authorization information is used to verify that a target device is legitimately entitled to use the target object;
a generating module, configured to generate an authorization file corresponding to the first device based on the device information and the authorization information; and
a transmission module, configured to transmit the authorization file to the first device, wherein the first device uses the authorization file to verify the target device.
11. An object authorization apparatus, disposed on a first device, comprising:
a receiving module, configured to receive an authorization file transmitted by an authorization device, wherein the authorization file is generated based on device information of the first device and authorization information of a target object, and the authorization information is used to verify that a target device is legitimately entitled to use the target object; and
a verification module, configured to verify the target device based on the authorization file.
12. An object authorization system, comprising:
an authorization device, configured to generate an authorization file corresponding to a first device based on device information of the first device and authorization information of a target object, wherein the authorization information is used to verify that a target device is legitimately entitled to use the target object; and
an authorization service, installed on the first device, configured to verify the target device based on the authorization file.
13. A storage medium, characterized in that the storage medium comprises a stored program, wherein when the program runs, the device in which the storage medium is located is controlled to execute the object authorization method according to any one of claims 1 to 9.
14. A computer terminal, comprising a processor for executing a program, wherein the program, when executed, performs the object authorization method according to any one of claims 1 to 9.
CN202210139278.1A 2022-02-15 2022-02-15 Object authorization method, device, system and storage medium Active CN114465803B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210139278.1A CN114465803B (en) 2022-02-15 2022-02-15 Object authorization method, device, system and storage medium

Publications (2)

Publication Number Publication Date
CN114465803A true CN114465803A (en) 2022-05-10
CN114465803B CN114465803B (en) 2024-03-01

Family

ID=81413496

Patent Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100005514A1 (en) * 2008-07-01 2010-01-07 Chengdu Huawei Symantec Technologies Co., Ltd. Method, system and server for file rights control
WO2018119644A1 (en) * 2016-12-27 2018-07-05 深圳配天智能技术研究院有限公司 Software authorization method, system and device
CN110855426A (en) * 2019-11-08 2020-02-28 北京握奇智能科技有限公司 Method for software use authorization
CN111106939A (en) * 2019-11-14 2020-05-05 杉数科技(北京)有限公司 Software authorization method, method and device for acquiring software permission
CN113268715A (en) * 2020-02-14 2021-08-17 中移(苏州)软件技术有限公司 Software encryption method, device, equipment and storage medium
WO2021218331A1 (en) * 2020-04-28 2021-11-04 深圳壹账通智能科技有限公司 Offline software licensing method, apparatus and device, and storage medium
CN112202772A (en) * 2020-09-29 2021-01-08 北京海泰方圆科技股份有限公司 Authorization management method and device
CN112800392A (en) * 2021-01-28 2021-05-14 南方电网深圳数字电网研究院有限公司 Authorization method and device based on soft certificate and storage medium
CN113326482A (en) * 2021-03-24 2021-08-31 统信软件技术有限公司 Authorization control method, authorization device and computing equipment
CN112699342A (en) * 2021-03-24 2021-04-23 统信软件技术有限公司 Authorization control method, authorization device and computing equipment
CN113242224A (en) * 2021-04-30 2021-08-10 北京市商汤科技开发有限公司 Authorization method and device, electronic equipment and storage medium
CN113378119A (en) * 2021-06-25 2021-09-10 成都卫士通信息产业股份有限公司 Software authorization method, device, equipment and storage medium
CN113886771A (en) * 2021-09-29 2022-01-04 新开普电子股份有限公司 Software authorization authentication method

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115037547A (en) * 2022-06-22 2022-09-09 北京天拓四方科技有限公司 Software authorization method and system
CN115037547B (en) * 2022-06-22 2024-04-05 北京天拓四方科技有限公司 Software authorization method and system
CN115146252A (en) * 2022-09-05 2022-10-04 深圳高灯计算机科技有限公司 Authorization authentication method, system, computer device and storage medium
CN116186682A (en) * 2023-04-25 2023-05-30 邢台纳科诺尔精轧科技股份有限公司 Unlocking method and device of equipment, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant