CN114785514B - Method and system for application license authorization of industrial Internet of things terminal - Google Patents

Method and system for application license authorization of industrial Internet of things terminal Download PDF

Info

Publication number
CN114785514B
CN114785514B CN202210291358.9A CN202210291358A CN114785514B CN 114785514 B CN114785514 B CN 114785514B CN 202210291358 A CN202210291358 A CN 202210291358A CN 114785514 B CN114785514 B CN 114785514B
Authority
CN
China
Prior art keywords
public key
terminal
application app
certificate
digital certificate
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210291358.9A
Other languages
Chinese (zh)
Other versions
CN114785514A (en
Inventor
李玉凌
李二霞
杨红磊
刘海涛
吕广宪
亢超群
朱克琪
王利
许保平
樊勇华
韩子龙
孙智涛
刘芸杉
吴殿亮
杜金陵
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Online Shanghai Energy Internet Research Institute Co ltd
Original Assignee
China Online Shanghai Energy Internet Research Institute Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Online Shanghai Energy Internet Research Institute Co ltd filed Critical China Online Shanghai Energy Internet Research Institute Co ltd
Priority to CN202210291358.9A priority Critical patent/CN114785514B/en
Publication of CN114785514A publication Critical patent/CN114785514A/en
Application granted granted Critical
Publication of CN114785514B publication Critical patent/CN114785514B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/12Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/108Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03Protecting confidentiality, e.g. by encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/068Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/069Authentication using certificates or pre-shared keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/30Security of mobile devices; Security of mobile applications
    • H04W12/37Managing security policies for mobile devices or for controlling mobile applications

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Storage Device Security (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a method and a system for application license authorization of an industrial Internet of things terminal, wherein the method comprises the following steps: s11, configuring a security module for a terminal to be authorized, wherein the security module comprises a unique public key and a private key which are associated with the terminal; s12, collecting a public key associated with a terminal to be authorized through an application APP management mechanism, and sending the public key to a certificate digital certificate issuing mechanism; s13, issuing a public key digital certificate C for the terminal to be authorized based on the public key through a certificate digital certificate issuing mechanism T Public key digital certificate C T Comprising a public key associated with the terminal, characteristic information of the application APP and a public key digital certificate C T A validity period; s14, based on symmetric key K 1 For CA certificate C 1 After encryption, an encrypted CA certificate C 'is obtained' 1 Will encrypt CA certificate C' 1 Solidifying in the program code of the application APP, the symmetric key K is passed through 1 Solidifying the encrypted characteristic information of the application APP in the program code of the application APP, and enabling the symmetric key K to be 1 Bit-wise inverting to obtain the antisymmetric key K' 1 Curing in the program code of the application APP.

Description

Method and system for application license authorization of industrial Internet of things terminal
Technical Field
The invention relates to the technical field of industrial Internet of things terminals, in particular to a method and a system for application license authorization of an industrial Internet of things terminal.
Background
With the development of the internet of things and the continuous expansion of industrial application, industrial internet of things terminals (including power distribution terminal equipment such as intelligent fusion terminals in a transformer area, intelligent station terminals, intelligent feeder terminals and the like, transformer substation measurement and control protection devices, oilfield remote terminal equipment and the like) have gradually been provided with technical characteristics such as hardware platform, software containerization and APP so as to meet the application requirements of edge calculation and everything interconnection. The design of the terminal equipment adopts the technical concept of a software defined terminal, realizes software and hardware decoupling through a standard platform architecture, and supports the installation and operation of third-party FDV application software (namely APP). The traditional terminal equipment has large application program copying difficulty due to large software and hardware architecture differences, and standardized data interaction interfaces are adopted between the APP and the operating system component in the terminal of the Internet of things, so that the APP in the terminal is illegally copied to other terminals for running.
At present, an APP in an industrial Internet of things terminal mainly adopts two installation modes, namely a remote installation mode and a field installation mode, and an APP software package is attached with signature information of an APP management center and is used for verifying the validity of the APP by the terminal. However, this signature does not have the function of preventing the APP from being illegally copied. The APP in the existing terminal mainly realizes the purpose of preventing illegal copying by binding a unique identifier (such as an equipment ID, an MAC address and the like) of the terminal, and because the information of the equipment ID, the MAC address and the like is easy to forge and falsify, a new mode is needed to realize the permission and authorization management of the APP.
Therefore, a technology is needed to realize the authorization of the application license of the industrial internet of things terminal.
Disclosure of Invention
The technical scheme of the invention provides a method and a system for license authorization of industrial Internet of things terminal application, which are used for solving the problem of how to license and authorize the industrial Internet of things terminal application.
In order to solve the above problems, the present invention provides a method for license authorization of industrial internet of things terminal applications, the method comprising:
s11, configuring a security module for a terminal to be authorized, wherein the security module comprises a unique public key and a private key which are associated with the terminal;
s12, collecting a public key associated with the terminal to be authorized through an application APP management mechanism, and sending the public key to a certificate digital certificate issuing mechanism;
s13, issuing a public key digital certificate C for the terminal to be authorized based on the public key through the certificate digital certificate issuing mechanism T The public key digital certificate C T Comprising a public key associated with the terminal, characteristic information of an application APP and a public key digital certificate C T A validity period;
s14, based on symmetric key K 1 For CA certificate C 1 After encryption, an encrypted CA certificate C 'is obtained' 1 Will encrypt CA certificate C' 1 Cured in the program code of the application APP to be passed through said symmetric key K 1 Solidifying the characteristic information of the encrypted application APP in the program code of the application APP, and setting the symmetric key K 1 Bit-wise inversion of the obtained antisymmetric key K' 1 Curing in the program code of the application APP.
Preferably, the method further comprises:
s21, starting the application APP, and searching the public key digital certificate C of the terminal T
S22, when the public key digital certificate C of the terminal is found T Reading the anti-symmetric key K 'in the program code of the application APP' 1 By taking the anti-symmetric key K 'for the said' 1 Obtaining symmetric key K by bit-wise inversion 1 By means of the symmetric key K 1 Decrypting the characteristic information of the encrypted application APP in the program code of the application APP to obtain the characteristic information of the application APP;
s23, analyzing the public key digital certificate C through the application APP T Feature information of application APP in (a) and public key digital certificate C T A validity period;
s24, comparing the characteristic information of the application APP obtained in the steps S22 and S23, and judging the public key digital certificate C when the characteristic information comparison results of the application APP in the steps S22 and S23 are consistent T Whether the validity period is within the validity period;
s25, reading an encrypted CA certificate C 'in a program code of an application APP' 1 Based on the symmetric key K 1 For the encrypted CA certificate C' 1 Decrypting to obtain CA certificate C 1
S26, based on the CA certificate C 1 For public key digital certificate C T Performing signature verification to obtain a signature verification result;
s27, when the signature verification result is successful, generating a random number R through the application APP, sending the random number R to the security module, and obtaining a signature random number S through the security module signature R
S28, based on the public key digital certificate C T For the signature random number S R Verifying and obtaining a random number verification result;
s29, when the verification result is passed, and the application APP runs normally.
Preferably, the public key of the terminal includes: SM2 public key, RSA public key, ECC public key.
Preferably, the collecting, by the APP authority, a public key associated with the terminal to be authorized, the collecting mode includes:
acquiring from a terminal certificate request file; or (b)
And acquiring the digital certificate of the terminal which is issued and used for the identity authentication of the terminal and the master station.
Preferably, the terminal issues a public key digital certificate C T Comprising the following steps: national secret SM2, RSA, ECC public key certificates.
Preferably, the feature information of the application APP includes: application APP name, application APP vendor, version number, unique identification.
Preferably, the public key digital certificate C T The validity period is the period during which the application APP license grants the use of the terminal.
Based on another aspect of the present invention, the present invention provides a system for industrial internet of things terminal application license authorization, the system comprising:
an initial unit for configuring a security module for a terminal to be authorized, the security module comprising a unique public key and a private key associated with the terminal;
the acquisition unit is used for acquiring a public key associated with the terminal to be authorized through the application APP management mechanism and sending the public key to the certificate digital certificate issuing mechanism;
an issuing unit, configured to issue, by the certificate digital certificate issuing mechanism, a public key digital certificate C for the terminal to be authorized based on the public key T The public key digital certificate C T Comprising a public key associated with the terminal, characteristic information of an application APP and a public key digital certificate C T A validity period;
a processing unit for based on the symmetric key K 1 For CA certificate C 1 After encryption, an encrypted CA certificate C 'is obtained' 1 Will encrypt CA certificate C' 1 Cured in the program code of the application APP to be passed through said symmetric key K 1 Solidifying the characteristic information of the encrypted application APP in the program code of the application APP, and setting the symmetric key K 1 Bit-wise inversion of the obtained antisymmetric key K' 1 Curing in the program code of the application APP.
Preferably, the method further comprises:
the searching unit is used for starting the application APP and searching the public key digital certificate C of the terminal T
A first obtaining unit, configured to, when searching for the public key digital certificate C of the terminal T Reading the anti-symmetric key K 'in the program code of the application APP' 1 By taking the anti-symmetric key K 'for the said' 1 Obtaining symmetric key K by bit-wise inversion 1 By means of the symmetric key K 1 Decrypting the characteristic information of the encrypted application APP in the program code of the application APP to obtain the characteristic information of the application APP;
a parsing unit, configured to parse the public key digital certificate C through the application APP T Feature information of application APP in (a) and public key digital certificate C T A validity period;
the comparison unit is used for comparing the characteristic information of the application APP acquired in the acquisition unit with the characteristic information of the application APP acquired in the analysis unit, and judging the public key digital certificate when the comparison result of the characteristic information of the application APP acquired in the acquisition unit is consistent with that of the characteristic information of the application APP acquired in the analysis unitBook C T Whether the validity period is within the validity period;
decryption unit for reading an encrypted CA certificate C 'in the program code of an application APP' 1 Based on the symmetric key K 1 For the encrypted CA certificate C' 1 Decrypting to obtain CA certificate C 1
A first verification unit for based on the CA certificate C 1 For public key digital certificate C T Performing signature verification to obtain a signature verification result;
the second obtaining unit is used for generating a random number R through the application APP when the signature verification result is successful, sending the random number R to the security module, and obtaining a signature random number S through the security module signature R
A second verification unit for verifying the public key digital certificate C T For the signature random number S R Verifying and obtaining a random number verification result;
and the result unit is used for enabling the application APP to normally operate when the verification result is passed.
Preferably, the public key of the terminal includes: SM2 public key, RSA public key, ECC public key.
Preferably, the collecting, by the APP authority, a public key associated with the terminal to be authorized, the collecting mode includes:
acquiring from a terminal certificate request file; or (b)
And acquiring the digital certificate of the terminal which is issued and used for the identity authentication of the terminal and the master station.
Preferably, the terminal issues a public key digital certificate C T Comprising the following steps: national secret SM2, RSA, ECC public key certificates.
Preferably, the feature information of the application APP includes: application APP name, application APP vendor, version number, unique identification.
Preferably, the public key digital certificate C T The validity period is the period during which the application APP license grants the use of the terminal.
The technical scheme of the invention provides a terminal for industrial Internet of thingsA method and system for licensing authorization, wherein the method comprises: s11, configuring a security module for a terminal to be authorized, wherein the security module comprises a unique public key and a private key which are associated with the terminal; s12, collecting a public key associated with a terminal to be authorized through an application APP management mechanism, and sending the public key to a certificate digital certificate issuing mechanism; s13, issuing a public key digital certificate C for the terminal to be authorized based on the public key through a certificate digital certificate issuing mechanism T Public key digital certificate C T Comprising a public key associated with the terminal, characteristic information of the application APP and a public key digital certificate C T A validity period; s14, based on symmetric key K 1 For CA certificate C 1 After encryption, an encrypted CA certificate C 'is obtained' 1 Will encrypt CA certificate C' 1 Solidifying in the program code of the application APP, the symmetric key K is passed through 1 Solidifying the encrypted characteristic information of the application APP in the program code of the application APP, and enabling the symmetric key K to be 1 Bit-wise inversion of the obtained antisymmetric key K' 1 Curing in the program code of the application APP. The technical scheme of the invention solves the problems that the existing industrial Internet of things terminal APP cannot effectively prevent illegal copying, application and the like, and is based on the security module, the APP and the hardware information of the terminal equipment are bound by utilizing a cryptographic algorithm and an identity authentication technology, the APP can identify the terminal, the terminal identity information can be prevented from being maliciously tampered or forged, and the permission and authorization management level of the terminal APP is effectively improved.
Drawings
Exemplary embodiments of the present invention may be more completely understood in consideration of the following drawings:
FIG. 1 is a flow chart of a method for industrial Internet of things terminal application license authorization in accordance with a preferred embodiment of the present invention; and
fig. 2 is a system configuration diagram for license authorization of an industrial internet of things terminal application according to a preferred embodiment of the present invention.
Detailed Description
The exemplary embodiments of the present invention will now be described with reference to the accompanying drawings, however, the present invention may be embodied in many different forms and is not limited to the examples described herein, which are provided to fully and completely disclose the present invention and fully convey the scope of the invention to those skilled in the art. The terminology used in the exemplary embodiments illustrated in the accompanying drawings is not intended to be limiting of the invention. In the drawings, like elements/components are referred to by like reference numerals.
Unless otherwise indicated, terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art. In addition, it will be understood that terms defined in commonly used dictionaries should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense.
Fig. 1 is a flowchart of a method for industrial internet of things terminal application license authorization according to a preferred embodiment of the present invention. Aiming at the problems that the existing industrial internet of things terminal APP cannot effectively prevent illegal copying, application and the like, the invention is based on the security module, and the APP and the hardware information of the terminal equipment are bound by utilizing a cryptographic algorithm and an identity authentication technology, so that the APP can identify the terminal, thereby preventing the terminal identity information from being tampered or forged maliciously and effectively improving the permission and authorization management level of the terminal APP. The invention provides an industrial Internet of things terminal application license authorization method based on a security module, which comprises a binding method of APP and a terminal security module and an authentication method of APP to a terminal identity.
As shown in fig. 1, the present invention provides a method for license authorization of industrial internet of things terminal applications, the method comprising:
s11, configuring a security module for a terminal to be authorized, wherein the security module comprises a unique public key and a private key which are associated with the terminal; preferably, the public key of the terminal includes: SM2 public key, RSA public key, ECC public key.
The invention provides a binding method of APP and a terminal security module.
S12, collecting a public key associated with a terminal to be authorized through an application APP management mechanism, and sending the public key to a certificate digital certificate issuing mechanism;
preferably, the public key associated with the terminal to be authorized is collected by the application APP authority in a manner comprising:
acquiring from a terminal certificate request file; or (b)
And acquiring the digital certificate of the terminal which is issued and used for the identity authentication of the terminal and the master station.
The APP management mechanism acquires public key information of a terminal security module to be authorized.
S13, issuing a public key digital certificate C for the terminal to be authorized based on the public key through a certificate digital certificate issuing mechanism T Public key digital certificate C T Comprising a public key associated with the terminal, characteristic information of the application APP and a public key digital certificate C T A validity period; preferably, the terminal issues a public key digital certificate C T Comprising the following steps: national secret SM2, RSA, ECC public key certificates. Preferably, the feature information of the application APP includes: application APP name, application APP vendor, version number, unique identification. Preferably, public key digital certificate C T The validity period is the period during which the application APP license grants the use of the terminal.
The certificate issuing mechanism (CA system) of the invention issues a public key digital certificate C for a terminal to be authorized T . Wherein the digital certificate C T The public key in the terminal is the public key of the terminal security module; digital certificate C T The feature information of the APP is bound in the theme (or extension) and comprises but is not limited to an APP name, an APP manufacturer, a version number and a unique identifier, and when the APP name or the APP manufacturer is different, the unique identifier is different; digital certificate C T Is the period during which the APP license grants the terminal for use.
S14, based on symmetric key K 1 For CA certificate C 1 After encryption, an encrypted CA certificate C 'is obtained' 1 Will encrypt CA certificate C' 1 Solidifying in the program code of the application APP, the symmetric key K is passed through 1 Solidifying the encrypted characteristic information of the application APP in the program code of the application APP, and enabling the symmetric key K to be 1 Bit-wise inverting to obtain the antisymmetric key K' 1 Curing at the proper positionIn program code with APP.
In the APP development process, the symmetric key K is used 1 For CA certificate C 1 Encryption to obtain C' 1 C 'is carried out' 1 Solidifying in the program code of the APP; information such as APP name, APP manufacturer, version number and unique identifier is used as key K 1 After encryption, solidifying in APP program codes; to key K 1 The K 'is obtained by taking the inverse according to the position' 1 Will K' 1 Cured in the program code of the APP.
The invention uses APP and digital certificate C T Packaged together and installed in authorized terminals.
Preferably, the method further comprises:
s21, starting an application APP, and searching a public key digital certificate C of a terminal T
After APP of the invention is started, digital certificate C is searched first T The method comprises the steps of carrying out a first treatment on the surface of the If find C under the specified directory T And S22, if not, exiting the operation.
S22, when the public key digital certificate C of the terminal is found T Reading the anti-symmetric key K 'in the program code of the application APP' 1 By taking the antisymmetric key K' 1 Obtaining symmetric key K by bit-wise inversion 1 By means of a symmetric key K 1 Decrypting the characteristic information of the encrypted application APP in the program code of the application APP to obtain the characteristic information of the application APP;
APP of the invention reads K 'from the code' 1 It is bit-wise inverted to obtain the key K 1 The method comprises the steps of carrying out a first treatment on the surface of the Then reading APP name, APP manufacturer, version number, unique identification ciphertext from the code, using key K 1 And decrypting to obtain a plaintext.
S23, analyzing public key digital certificate C through application APP T Feature information of application APP in (a) and public key digital certificate C T A validity period;
s24, comparing the characteristic information of the application APP obtained in the steps S22 and S23, and judging the public key digital certificate C when the characteristic information comparison results of the application APP in the steps S22 and S23 are consistent T Whether the validity period is within the validity period;
APP resolution digital certificate C of the invention T C is carried out by T Comparing the APP name, the APP manufacturer, the version number, the unique identifier and other information with the decrypted information read from the code, if the comparison result is consistent, performing S24 steps, otherwise, exiting the operation of the APP;
the APP acquires the system time, if the current time is in the digital certificate C T In the validity period, S25 is carried out, otherwise, the operation is stopped;
s25, reading an encrypted CA certificate C 'in a program code of an application APP' 1 Based on symmetric key K 1 For encrypted CA certificate C' 1 Decrypting to obtain CA certificate C 1
S26, based on CA certificate C 1 For public key digital certificate C T Performing signature verification to obtain a signature verification result;
the APP of the present invention reads C 'from the code' 1 Using key K 1 Decrypting it to obtain CA certificate plaintext C 1 And use C 1 For digital certificate C T And (3) signature verification is carried out, if the verification is successful, S27 is carried out, and otherwise, the APP is withdrawn from operation.
S27, when the signature verification result is successful, generating a random number R by applying the APP, sending the random number R to the security module, and obtaining a signature random number S by the security module through signature R
The APP of the invention generates a random number R and sends the random number R to the security module for signature to obtain S R
S28, digital certificate C based on public key T For signature random number S R Verifying and obtaining a random number verification result;
and S29, when the verification result is that the verification result is passed, the application APP normally operates.
The APP uses the digital certificate C T Verifying signature S of security module to R R The method comprises the steps of carrying out a first treatment on the surface of the If the verification is passed, the APP operates normally, otherwise the APP exits operation.
According to the invention, the security module is configured in the industrial Internet of things terminal, and the identity authentication capability of the APP to the terminal is enhanced by combining the cryptographic algorithm, so that the APP can be effectively prevented from being illegally copied and applied, and the legal intellectual property of an APP provider is ensured.
According to the method, APP information and terminal hardware information are bound, so that the installation quantity of the APP can be effectively controlled, and APP authorization management is facilitated.
The invention can effectively prevent the APP and the terminal information from being tampered, and can promote the development of the industrial Internet of things terminal to the intelligent APP direction.
The invention provides an industrial Internet of things terminal application license authorization method based on a security module, which comprises a binding method of APP and a terminal security module and an authentication method of APP to a terminal identity.
Examples of specific applications of the invention are as follows:
(1) Binding method of APP and terminal security module
1) The terminal to be authorized should be provided with a security module having a unique public key and private key.
2) The APP management mechanism collects public key information of a terminal security module to be authorized; the public key of the security module may be a national secret SM2 public key, an RSA public key, an ECC public key, etc. Acquisition means include, but are not limited to: acquiring from a terminal certificate request file (P10 format); or from the issued terminal digital certificate for terminal and master station identity authentication.
3) Certificate issuing authority (CA system) issues public key digital certificate C for terminal to be authorized T ;C T The X509V 3 digital certificate format can be SM2, RSA, ECC public key certificate and the like. Digital certificate C T The public key of the terminal security module. Digital certificate C T The subject matter of (2) is as follows:
cn=distribution terminal
SERIALNUMBER=0114234801001C09
APPNAME=IEC104
APPVENDOR=ABC Co.,Ltd
APPVERSION=1.23.07.69
APPID=61309F2359B803721A2C8D042383EAD1
OU=CEPRI
O=SGCC
C=CN
Wherein, SERIALNUMBER is the serial number of the security module; APPNAME is the APP name, APPVENDOR is the APP manufacturer, and APPVERSION is the APP version number; APPID is the unique identification of APP, and when APP name or APP producer are different, unique identification should be different.
Digital certificate C T The validity period of 2021, 12 months, 20 days, 12:00:00 to 2031, 12 months, 20 days, 12:00:00, i.e. the period of authorizing the terminal to use the APP is 10 years.
4) In APP development, symmetric key K is used 1 For CA certificate C 1 Encryption to obtain C' 1 C 'is carried out' 1 Solidifying in the program code of the APP; information such as APP name, APP manufacturer, version number and unique identifier is used as key K 1 After encryption, solidifying in APP program codes; to key K 1 The K 'is obtained by taking the inverse according to the position' 1 Will K' 1 Cured in the program code of the APP. Key K 1 The key may be 16 byte national cipher SM4, national cipher SM7, AES, 3DES, etc.
5) APP executable, configuration file and digital certificate C T Together compressed into tar packets for installation in authorized terminals.
(2) APP terminal identity authentication method
1) After APP is started, digital certificate C is first found in a specified directory (e.g./data/APP/IEC 104/cer) T The method comprises the steps of carrying out a first treatment on the surface of the If find C under the specified directory T Step 2) is carried out, otherwise, the operation is exited;
2) APP reads K 'from code' 1 It is bit-wise inverted to obtain the key K 1 The method comprises the steps of carrying out a first treatment on the surface of the Then reading APP name, APP manufacturer, version number, unique identification ciphertext from the code, using key K 1 Decrypting to obtain a plaintext;
3) APP resolution digital certificate C T C is carried out by T Comparing APPNAME, APPVENDOR, APPVERSION, APPID field values (namely APP name, APP manufacturer, version number and unique identifier) in the theme with decrypted information read in the code, if the comparison results are consistent, carrying out the step 4), otherwise, exiting the operation of the APP;
4)APP obtains the system time if the current time (e.g. 2021, 12, 20, 15: 00) is in digital certificate C T In the effective period, the step 5) is carried out, otherwise, the operation is stopped;
5) APP reads C 'from code' 1 Using key K 1 Decrypting it to obtain CA certificate plaintext C 1 And use C 1 For digital certificate C T Performing signature verification, if the verification is successful, performing step 6), otherwise, exiting the APP;
6) APP generates random number R and sends the random number R to a security module for signature to obtain S R The method comprises the steps of carrying out a first treatment on the surface of the Wherein, the length of the random number R can be 8 bytes, 16 bytes and the like (the length is not suitable to be less than 8 bytes);
7) APP uses digital certificate C T Verifying signature S of security module to R R The method comprises the steps of carrying out a first treatment on the surface of the If the verification is passed (i.e. the APP is licensed and authorized for legal use by the terminal), the APP operates normally, otherwise the APP exits operation.
Fig. 2 is a system configuration diagram for license authorization of an industrial internet of things terminal application according to a preferred embodiment of the present invention.
As shown in fig. 2, the present invention provides a system for license authorization of industrial internet of things terminal applications, the system comprising:
an initial unit 201, configured to configure a security module for a terminal to be authorized, the security module including a unique public key and a private key associated with the terminal; preferably, the public key of the terminal includes: SM2 public key, RSA public key, ECC public key.
The acquisition unit 202 is configured to acquire a public key associated with a terminal to be authorized through an application APP management mechanism, and send the public key to a certificate digital certificate issuing mechanism;
preferably, the public key associated with the terminal to be authorized is collected by the application APP authority in a manner comprising:
acquiring from a terminal certificate request file; or (b)
And acquiring the digital certificate of the terminal which is issued and used for the identity authentication of the terminal and the master station.
Preferably, the terminal issues a public key digital certificate C T Comprising the following steps: national landSecret SM2, RSA, ECC public key certificates.
An issuing unit 203 for issuing a public key digital certificate C for a terminal to be authorized based on the public key through a certificate digital certificate issuing mechanism T Public key digital certificate C T Comprising a public key associated with the terminal, characteristic information of the application APP and a public key digital certificate C T A validity period;
a processing unit 204 for generating a symmetric key K 1 For CA certificate C 1 After encryption, an encrypted CA certificate C 'is obtained' 1 Will encrypt CA certificate C' 1 Solidifying in the program code of the application APP, the symmetric key K is passed through 1 Solidifying the encrypted characteristic information of the application APP in the program code of the application APP, and enabling the symmetric key K to be 1 Bit-wise inverting to obtain the antisymmetric key K' 1 Curing in the program code of the application APP.
Preferably, the feature information of the application APP includes: application APP name, application APP vendor, version number, unique identification.
Preferably, the system further comprises:
the searching unit is used for starting the application APP and searching the public key digital certificate C of the terminal T
A first obtaining unit, configured to, when the public key digital certificate C of the terminal is found T Reading the anti-symmetric key K 'in the program code of the application APP' 1 By taking the antisymmetric key K' 1 Obtaining symmetric key K by bit-wise inversion 1 By means of a symmetric key K 1 Decrypting the characteristic information of the encrypted application APP in the program code of the application APP to obtain the characteristic information of the application APP;
a parsing unit for parsing the public key digital certificate C by applying APP T Feature information of application APP in (a) and public key digital certificate C T A validity period;
the comparison unit is used for comparing the characteristic information of the application APP acquired in the acquisition unit and the analysis unit, and judging the public key digital certificate C when the comparison result of the characteristic information of the application APP acquired in the acquisition unit and the analysis unit is consistent T Whether the validity period is within the validity period;
decryption unit for reading an encrypted CA certificate C 'in the program code of an application APP' 1 Based on symmetric key K 1 For encrypted CA certificate C' 1 Decrypting to obtain CA certificate C 1
A first verification unit for based on CA certificate C 1 For public key digital certificate C T Performing signature verification to obtain a signature verification result;
the second obtaining unit is used for generating a random number R by applying the APP when the signature verification result is successful, sending the random number R to the security module, and obtaining the signature random number S by the security module signature R
A second verification unit for digital certificate C based on public key T For signature random number S R Verifying and obtaining a random number verification result;
and the result unit is used for normally operating the application APP when the verification result is passed.
Preferably, public key digital certificate C T The validity period is the period during which the application APP license grants the use of the terminal.
A system 200 for industrial internet of things terminal application license authorization according to a preferred embodiment of the present invention corresponds to a method 100 for industrial internet of things terminal application license authorization according to a preferred embodiment of the present invention, and will not be described herein.
The invention has been described with reference to a few embodiments. However, as is well known to those skilled in the art, other embodiments than the above disclosed invention are equally possible within the scope of the invention, as defined by the appended patent claims.
Generally, all terms used in the claims are to be interpreted according to their ordinary meaning in the technical field, unless explicitly defined otherwise therein. All references to "a// the [ means, component, etc ]" are to be interpreted openly as referring to at least one instance of means, component, etc., unless explicitly stated otherwise. The steps of any method disclosed herein do not have to be performed in the exact order disclosed, unless explicitly stated.

Claims (12)

1. A method for industrial internet of things terminal application license authorization, the method comprising:
s11, configuring a security module for a terminal to be authorized, wherein the security module comprises a unique public key and a private key which are associated with the terminal;
s12, collecting a public key associated with the terminal to be authorized through an application APP management mechanism, and sending the public key to a certificate digital certificate issuing mechanism;
s13, issuing a public key digital certificate C for the terminal to be authorized based on the public key through the certificate digital certificate issuing mechanism T The public key digital certificate C T Comprising a public key associated with the terminal, characteristic information of an application APP and a public key digital certificate C T A validity period;
s14, based on symmetric key K 1 For CA certificate C 1 Encryption to obtain encrypted CA certificate C' 1 Will encrypt the CA certificate C 1 Cured in the program code of the application APP to be passed through said symmetric key K 1 Solidifying the characteristic information of the encrypted application APP in the program code of the application APP, and setting the symmetric key K 1 Bit-wise inversion of the resulting antisymmetric key K' 1 Solidifying in program codes of application APP;
s21, starting the application APP, and searching the public key digital certificate C of the terminal T
S22, when the public key digital certificate C of the terminal is found T Reading the anti-symmetric key K' from the program code of the application APP 1 By taking the antisymmetric key K', for the said 1 Obtaining symmetric key K by bit-wise inversion 1 By means of the symmetric key K 1 Decrypting the characteristic information of the encrypted application APP in the program code of the application APP to obtain the characteristic information of the application APP;
s23, analyzing the public key digital certificate C through the application APP T Feature information of application APP in (a) and public key digital certificate C T A validity period;
s24, comparing the characteristic information of the application APP obtained in the steps S22 and S23, and judging the public key digital certificate C when the characteristic information comparison results of the application APP in the steps S22 and S23 are consistent T Whether the validity period is within the validity period;
s25, reading an encrypted CA certificate C' in a program code of an application APP 1 Based on the symmetric key K 1 For said encrypted CA certificate C 1 Decrypting to obtain CA certificate C 1
S26, based on the CA certificate C 1 For public key digital certificate C T Performing signature verification to obtain a signature verification result;
s27, when the signature verification result is successful, generating a random number R through the application APP, sending the random number R to the security module, and obtaining a signature random number S through the security module signature R
S28, based on the public key digital certificate C T For the signature random number S R Verifying and obtaining a random number verification result;
s29, when the verification result is passed, and the application APP runs normally.
2. The method of claim 1, the public key of the terminal comprising: SM2 public key, RSA public key, ECC public key.
3. The method of claim 1, wherein the collecting, by the APP authority, the public key associated with the terminal to be authorized, comprises:
acquiring from a terminal certificate request file; or (b)
And acquiring the digital certificate of the terminal which is issued and used for the identity authentication of the terminal and the master station.
4. The method of claim 1, the terminal issuing a public key digital certificate C T Comprising the following steps: national secret SM2, RSA, ECC public key certificates.
5. The method of claim 1, the application APP feature information comprising: application APP name, application APP vendor, version number, unique identification.
6. The method of claim 1, the public key digital certificate C T The validity period is the period during which the application APP license grants the use of the terminal.
7. A system for industrial internet of things terminal application license authorization, the system comprising:
an initial unit for configuring a security module for a terminal to be authorized, the security module comprising a unique public key and a private key associated with the terminal;
the acquisition unit is used for acquiring a public key associated with the terminal to be authorized through the application APP management mechanism and sending the public key to the certificate digital certificate issuing mechanism;
an issuing unit, configured to issue, by the certificate digital certificate issuing mechanism, a public key digital certificate C for the terminal to be authorized based on the public key T The public key digital certificate C T Comprising a public key associated with the terminal, characteristic information of an application APP and a public key digital certificate C T A validity period;
a processing unit for based on the symmetric key K 1 For CA certificate C 1 Encryption to obtain encrypted CA certificate C' 1 Will encrypt the CA certificate C 1 Cured in the program code of the application APP to be passed through said symmetric key K 1 Solidifying the characteristic information of the encrypted application APP in the program code of the application APP, and setting the symmetric key K 1 Bit-wise inversion of the resulting antisymmetric key K' 1 Solidifying in program codes of application APP;
the searching unit is used for starting the application APP and searching the public key digital certificate C of the terminal T
A first obtaining unit, configured to, when searching for the public key digital certificate C of the terminal T Reading the anti-symmetric key K' from the program code of the application APP 1 By pairing ofSaid taking an antisymmetric key K 1 Obtaining symmetric key K by bit-wise inversion 1 By means of the symmetric key K 1 Decrypting the characteristic information of the encrypted application APP in the program code of the application APP to obtain the characteristic information of the application APP;
a parsing unit, configured to parse the public key digital certificate C through the application APP T Feature information of application APP in (a) and public key digital certificate C T A validity period;
the comparison unit is used for comparing the characteristic information of the application APP acquired in the acquisition unit and the analysis unit, and judging the public key digital certificate C when the comparison result of the characteristic information of the application APP acquired in the acquisition unit and the analysis unit is consistent T Whether the validity period is within the validity period;
decryption unit for reading an encrypted CA certificate C' in a program code of an application APP 1 Based on the symmetric key K 1 For said encrypted CA certificate C 1 Decrypting to obtain CA certificate C 1
A first verification unit for based on the CA certificate C 1 For public key digital certificate C T Performing signature verification to obtain a signature verification result;
the second obtaining unit is used for generating a random number R through the application APP when the signature verification result is successful, sending the random number R to the security module, and obtaining a signature random number S through the security module signature R
A second verification unit for verifying the public key digital certificate C T For the signature random number S R Verifying and obtaining a random number verification result;
and the result unit is used for enabling the application APP to normally operate when the verification result is passed.
8. The system of claim 7, the public key of the terminal comprising: SM2 public key, RSA public key, ECC public key.
9. The system of claim 7, wherein the acquiring, by the APP authority, the public key associated with the terminal to be authorized comprises:
acquiring from a terminal certificate request file; or (b)
And acquiring the digital certificate of the terminal which is issued and used for the identity authentication of the terminal and the master station.
10. The system of claim 7, the terminal issuing a public key digital certificate C T Comprising the following steps: national secret SM2, RSA, ECC public key certificates.
11. The system of claim 7, the application APP feature information comprising: application APP name, application APP vendor, version number, unique identification.
12. The system of claim 7, the public key digital certificate C T The validity period is the period during which the application APP license grants the use of the terminal.
CN202210291358.9A 2022-03-23 2022-03-23 Method and system for application license authorization of industrial Internet of things terminal Active CN114785514B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210291358.9A CN114785514B (en) 2022-03-23 2022-03-23 Method and system for application license authorization of industrial Internet of things terminal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210291358.9A CN114785514B (en) 2022-03-23 2022-03-23 Method and system for application license authorization of industrial Internet of things terminal

Publications (2)

Publication Number Publication Date
CN114785514A CN114785514A (en) 2022-07-22
CN114785514B true CN114785514B (en) 2023-11-14

Family

ID=82425134

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210291358.9A Active CN114785514B (en) 2022-03-23 2022-03-23 Method and system for application license authorization of industrial Internet of things terminal

Country Status (1)

Country Link
CN (1) CN114785514B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115022091B (en) * 2022-08-04 2022-12-16 亿次网联(杭州)科技有限公司 Autonomous authorization method and system based on digital certificate
CN117714214B (en) * 2024-02-05 2024-05-03 国网上海能源互联网研究院有限公司 Data transmission security protection method and device, electronic equipment and medium

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004006075A1 (en) * 2002-07-09 2004-01-15 Fujitsu Limited Open type general-purpose attack-resistant cpu, and application system thereof
CN102065092A (en) * 2010-12-31 2011-05-18 广东九联科技股份有限公司 Method and system for authorizing digital signature of application program of set top box
CN103812871A (en) * 2014-02-24 2014-05-21 北京明朝万达科技有限公司 Development method and system based on mobile terminal application program security application
CN104008351A (en) * 2014-05-06 2014-08-27 武汉天喻信息产业股份有限公司 System, method and device for Windows application program integrity checking
WO2018000886A1 (en) * 2016-07-01 2018-01-04 广州爱九游信息技术有限公司 Application program communication processing system, apparatus, method, and client terminal, and server terminal
CN109560933A (en) * 2018-10-12 2019-04-02 阿里巴巴集团控股有限公司 Authentication method and system, storage medium based on digital certificate, electronic equipment
CN109670828A (en) * 2018-12-06 2019-04-23 福建联迪商用设备有限公司 A kind of application on-line signature method and system
CN112470428A (en) * 2018-06-08 2021-03-09 威睿公司 Unmanaged secure inter-application data communications
CN113378119A (en) * 2021-06-25 2021-09-10 成都卫士通信息产业股份有限公司 Software authorization method, device, equipment and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108768664B (en) * 2018-06-06 2020-11-03 腾讯科技(深圳)有限公司 Key management method, device, system, storage medium and computer equipment

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004006075A1 (en) * 2002-07-09 2004-01-15 Fujitsu Limited Open type general-purpose attack-resistant cpu, and application system thereof
CN102065092A (en) * 2010-12-31 2011-05-18 广东九联科技股份有限公司 Method and system for authorizing digital signature of application program of set top box
CN103812871A (en) * 2014-02-24 2014-05-21 北京明朝万达科技有限公司 Development method and system based on mobile terminal application program security application
CN104008351A (en) * 2014-05-06 2014-08-27 武汉天喻信息产业股份有限公司 System, method and device for Windows application program integrity checking
WO2018000886A1 (en) * 2016-07-01 2018-01-04 广州爱九游信息技术有限公司 Application program communication processing system, apparatus, method, and client terminal, and server terminal
CN112470428A (en) * 2018-06-08 2021-03-09 威睿公司 Unmanaged secure inter-application data communications
CN109560933A (en) * 2018-10-12 2019-04-02 阿里巴巴集团控股有限公司 Authentication method and system, storage medium based on digital certificate, electronic equipment
CN109670828A (en) * 2018-12-06 2019-04-23 福建联迪商用设备有限公司 A kind of application on-line signature method and system
CN113378119A (en) * 2021-06-25 2021-09-10 成都卫士通信息产业股份有限公司 Software authorization method, device, equipment and storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Wei Xiong ; Li Xiong.Data Trading Certification Based on Consortium Blockchain and Smart Contracts.IEEE.2020,全文. *
移动应用开发加密密钥标识校验系统关键技术研究;刘红玲;;江西电力职业技术学院学报(第03期);全文 *

Also Published As

Publication number Publication date
CN114785514A (en) 2022-07-22

Similar Documents

Publication Publication Date Title
CN114785514B (en) Method and system for application license authorization of industrial Internet of things terminal
CN111181928B (en) Vehicle diagnosis method, server, and computer-readable storage medium
US20060282391A1 (en) Method and apparatus for transferring protected content between digital rights management systems
CN106100836B (en) A kind of method and system of industrial user's authentication and encryption
US20120072730A1 (en) Context access management using watermark extraction information
US20070157318A1 (en) Method and apparatus for managing digital rights of secure removable media
KR100945650B1 (en) Digital cable system and method for protection of secure micro program
EP3025235B1 (en) Anti-piracy protection for software
CN110995685B (en) Data encryption and decryption method, device, system and storage medium
CN109598104B (en) Software authorization protection system and method based on timestamp and secret authentication file
CN1925392A (en) Method for identification of equipment validity
KR101314751B1 (en) Apparatus for managing installation of DRM and method thereof
US20100058047A1 (en) Encrypting a unique cryptographic entity
CN101694685A (en) Safety product license management method based on XML encryption and digital certificate
KR101496318B1 (en) Apparatus and method for providing security in remote digital forensics
CN105099705A (en) Safety communication method and system based on USB protocol
KR20150022429A (en) Counterfeiting preventing appratus, user device, method and system for mobile application
JPH09282155A (en) Method for equipping cipher authentication function
KR100973203B1 (en) Integrated software and method for authenticating same
CN104486322A (en) Terminal access authentication authorization method and terminal access authentication authorization system
CN112383577A (en) Authorization method, device, system, equipment and storage medium
CN115457687B (en) Security configuration method and system for intelligent pole
Adelsbach et al. Secure software delivery and installation in embedded systems
KR101711024B1 (en) Method for accessing temper-proof device and apparatus enabling of the method
CN111641873A (en) Method and system for unlocking television developer mode and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant