CN114938299A - Device authorization method and device based on application service interface - Google Patents


Info

Publication number: CN114938299A
Application number: CN202210531860.2A
Authority: CN (China)
Prior art keywords: authorization, service, interface, application, file
Legal status: Granted (Active)
Other languages: Chinese (zh)
Other versions: CN114938299B (en)
Inventor: 陈翼宇
Current Assignee: Jiangsu Xinzhi Information Technology Co ltd
Original Assignee: Jiangsu Xinzhi Information Technology Co ltd
Application filed by Jiangsu Xinzhi Information Technology Co ltd
Priority to CN202210531860.2A
Publication of CN114938299A
Application granted
Publication of CN114938299B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H04L67/141 Setup of application sessions
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

The method calculates a device characteristic value through the application service interface and determines the current business requirement from the interface actually called. If the interface called is one in the application service interface directory, a first processing flow is entered: a hash of the generated device characteristic value is computed to obtain a first hash value, the obtained authorization file is signature-verified with the authorization public key, and if the signature is legal the first hash value is compared with the second hash value in the authorization file; if the two are the same, the service call confirmation stage is entered. If the interface called is the authorization application interface, a second processing flow is entered: the current time and the client code of the device are obtained, the current time, the client code and the device characteristic value are encrypted with the authorization public key to generate an authorization application file, and authorization management is performed on that file to generate the authorization file. The invention reduces the operating load on the server, simplifies the service processing flow and strongly resists reuse of the authorization.

Description

Equipment authorization method and device based on application service interface
Technical Field
The invention relates to the technical field of encryption, in particular to an equipment authorization method and device based on an application service interface.
Background
Currently, when a device vendor sells a device, it generally authorizes only part of the device's functions, or authorizes a time limit on the functions' service, in order to protect the core technology and intellectual property embodied in the device's privileged services.
With the spread of the cloud service concept and market pressure, device providers have gradually become service providers: devices are hosted in a private or public cloud, their functional services are offered externally and scaled on demand, and the users become cloud tenants.
In this setting, however, the unpredictability of cloud tenants exposes two significant drawbacks in the original scheme of restricting a single device: first, different cloud tenants have different requirements, so per-function authorization control of a single device no longer applies; second, cloud tenants with high turnover need lease management, so the original service-deadline authorization of a single device no longer applies either. How to perform device authorization and authentication in a cloud service setting is therefore a technical problem that urgently needs solving.
Disclosure of Invention
Therefore, the invention provides a device authorization method and device based on an application service interface. On the one hand it solves the problem of managing the authorization service deadline for services requested by temporary users; on the other hand it cuts off unauthorized service calls at the application client, so that the server device can expose all of its functions without having to handle copyright protection itself.
To this end, the invention provides the following technical scheme. The device authorization method based on the application service interface comprises the following steps:
when the application system calls an application service interface to establish a connection with a business processing server, the application service interface calculates the device characteristic value and determines the current business requirement from the interface actually called:
if the interface called is one in the application service interface directory, a first processing flow is entered;
in the first processing flow: a hash of the generated device characteristic value is computed to obtain a first hash value, the obtained authorization file is signature-verified with the authorization public key, and if the signature is legal the first hash value is compared with the second hash value in the authorization file; if the two are the same, the service call confirmation stage is entered;
if the interface called is the authorization application interface, a second processing flow is entered;
in the second processing flow: the current time and the client code of the device are obtained, the current time, the client code and the device characteristic value are encrypted with the authorization public key to generate an authorization application file, and authorization management is performed on that file to generate the authorization file.
As a preferred scheme of the device authorization method based on the application service interface, in the first processing flow: if the signature verification fails, the authorization authentication fails and the processing flow ends;
if the first hash value differs from the second hash value, the authorization authentication fails and the processing flow ends.
As a preferred scheme of the device authorization method based on the application service interface, the service call confirmation stage comprises:
a validity period and time anti-rollback check: the time information ciphertext of the last access is read and decrypted with the characteristic key, the decrypted time is compared with the current time to judge whether the current time is later than the last access time, and the current time is compared with the permission period to judge whether it falls within the validity period;
if the current time is later than the last access time and within the validity period, the current time value is encrypted with the characteristic key and overwrites the last access time record.
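The following Go program is a worked example added here; it is not code from the patent or its assignee. It implements the validity period and time anti-rollback check just described: the last access time is kept only as a ciphertext under the characteristic key, and the record is overwritten only after both checks pass. The patent does not name the cipher, so AES-256-GCM under a SHA-256 derivation of the characteristic key is an assumption, as are the Unix-second timestamp encoding and the constructed key and licence dates in the code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"time"
)

// TimeRecord is the last-access-time ciphertext kept by the client library;
// the first record holds the authorization import time.
type TimeRecord struct {
	Nonce, Ciphertext []byte
}

// aeadFromFeatureKey derives an AES-256-GCM key from the characteristic key
// (cipher choice assumed; the patent only says the key encrypts the time).
func aeadFromFeatureKey(featureKey []byte) (cipher.AEAD, error) {
	k := sha256.Sum256(featureKey)
	block, err := aes.NewCipher(k[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealTime encrypts a Unix timestamp under a fresh random nonce.
func sealTime(featureKey []byte, t time.Time) (*TimeRecord, error) {
	g, err := aeadFromFeatureKey(featureKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], uint64(t.Unix()))
	return &TimeRecord{Nonce: nonce, Ciphertext: g.Seal(nil, nonce, buf[:], nil)}, nil
}

// openTime decrypts the stored record; an edited record fails authentication.
func openTime(featureKey []byte, r *TimeRecord) (time.Time, error) {
	g, err := aeadFromFeatureKey(featureKey)
	if err != nil {
		return time.Time{}, err
	}
	pt, err := g.Open(nil, r.Nonce, r.Ciphertext, nil)
	if err != nil || len(pt) != 8 {
		return time.Time{}, errors.New("last access record is not authentic")
	}
	return time.Unix(int64(binary.BigEndian.Uint64(pt)), 0), nil
}

// checkValidity is step S113: the current time must be later than the last
// recorded access (anti-rollback) and inside the licence period; only when both
// hold is the record overwritten with the current time.
func checkValidity(featureKey []byte, last *TimeRecord, now, start, end time.Time) (*TimeRecord, error) {
	lastAccess, err := openTime(featureKey, last)
	if err != nil {
		return last, err
	}
	if !now.After(lastAccess) {
		return last, errors.New("time rollback detected: authorization authentication fails")
	}
	if now.Before(start) || now.After(end) {
		return last, errors.New("outside the licence period: authorization authentication fails")
	}
	return sealTime(featureKey, now)
}

// runTimeChecks walks through import, a normal call, a rolled-back clock and an
// expired licence, using a constructed key and constructed dates.
func runTimeChecks() (normalOK, rollbackRejected, expiredRejected bool, err error) {
	key := []byte("constructed-characteristic-key")
	start := time.Date(2022, 5, 1, 0, 0, 0, 0, time.UTC)
	end := start.AddDate(1, 0, 0)
	rec, err := sealTime(key, start) // first record: authorization import time
	if err != nil {
		return
	}
	rec, err = checkValidity(key, rec, start.Add(48*time.Hour), start, end)
	if err != nil {
		return
	}
	normalOK = true
	_, e := checkValidity(key, rec, start.Add(24*time.Hour), start, end) // clock set back
	rollbackRejected = e != nil
	_, e = checkValidity(key, rec, end.AddDate(0, 1, 0), start, end) // after licence end
	expiredRejected = e != nil
	return
}

func main() {
	n, r, x, err := runTimeChecks()
	fmt.Println("normal:", n, "rollback rejected:", r, "expired rejected:", x, "err:", err)
}
```

Because the record is an authenticated ciphertext, an edited or forged last-access record fails to decrypt and the check fails closed; that is what makes the anti-rollback comparison meaningful, since a tenant cannot simply write an earlier timestamp into the record.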
As a preferred scheme of the device authorization method based on the application service interface, the device characteristic value is encrypted with the authorization public key and a session application is created from the ciphertext of the device characteristic value. The session creation process is:
the temporary elliptic curve point in the ciphertext of the device characteristic value is read and checked against the set of points stored for the window period; if the point is repeated, the current message is judged to be a reuse (replay) attack and service is refused; if not, the new point is recorded in the point set; the decrypted characteristic value is then verified against the white list, and the session is created successfully.
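Added example (Go; not the patent's or the assignee's code) of the session creation step described above, with the window-period check on the temporary elliptic curve point. The page does not specify how the device characteristic value is encrypted with the authorization public key, so the example assumes an ECIES-style construction: a fresh ephemeral P-256 key agreed with the authorization public key through ECDH, and the shared secret hashed into an AES-256-GCM key that protects the characteristic value. The ephemeral public point travels with the ciphertext and is the value the server records for the window period. It uses Go's crypto/ecdh and errors.Join, both available from Go 1.20; the white list entry and the unregistered device value are constructed, and the in-memory point set stands in for the window-period store without the time-based eviction a deployment would add.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// FeatureCiphertext is what S114 sends to S221 (ECIES-style layout, assumed).
type FeatureCiphertext struct {
	EphemeralPoint, Box []byte // temporary curve point (uncompressed) and AES-GCM box
}

// sessionAEAD derives AES-256-GCM from the ECDH shared secret of priv and pub.
func sessionAEAD(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared)
	block, err := aes.NewCipher(k[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptFeature is the client side of S114; the temporary key is single-use, so a fixed zero nonce is safe.
func encryptFeature(authPub *ecdh.PublicKey, deviceFeature []byte) (*FeatureCiphertext, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	g, err := sessionAEAD(eph, authPub)
	if err != nil {
		return nil, err
	}
	box := g.Seal(nil, make([]byte, g.NonceSize()), deviceFeature, nil)
	return &FeatureCiphertext{EphemeralPoint: eph.PublicKey().Bytes(), Box: box}, nil
}

// SessionServer is the S221 side: authorization private key, white list of
// registered characteristic values, and the temporary points seen in the window.
type SessionServer struct {
	priv      *ecdh.PrivateKey
	whitelist map[string]struct{}
	seen      map[string]struct{}
}

// createSession refuses a repeated point before any decryption, then checks the white list.
func (s *SessionServer) createSession(c *FeatureCiphertext) error {
	if _, dup := s.seen[string(c.EphemeralPoint)]; dup {
		return errors.New("temporary point repeated in window: reuse attack, service refused")
	}
	s.seen[string(c.EphemeralPoint)] = struct{}{} // record the new point in the set
	pub, err := ecdh.P256().NewPublicKey(c.EphemeralPoint)
	if err != nil {
		return err
	}
	g, err := sessionAEAD(s.priv, pub)
	if err != nil {
		return err
	}
	feature, err := g.Open(nil, make([]byte, g.NonceSize()), c.Box, nil)
	if err != nil {
		return errors.New("ciphertext does not open under the authorization private key")
	}
	if _, ok := s.whitelist[string(feature)]; !ok {
		return errors.New("device characteristic value not in white list")
	}
	return nil // session created
}

// runSessionChecks: a first session, the same ciphertext resent, an unregistered device.
func runSessionChecks() (firstOK, replayRejected, unknownRejected bool, err error) {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	registered := "constructed-device-characteristic-value"
	srv := &SessionServer{priv: priv, whitelist: map[string]struct{}{registered: {}}, seen: map[string]struct{}{}}
	c1, err1 := encryptFeature(priv.PublicKey(), []byte(registered))
	c2, err2 := encryptFeature(priv.PublicKey(), []byte("unregistered-device-value"))
	if err = errors.Join(err1, err2); err != nil {
		return
	}
	firstOK = srv.createSession(c1) == nil
	replayRejected = srv.createSession(c1) != nil
	unknownRejected = srv.createSession(c2) != nil
	return
}

func main() {
	ok, replay, unknown, err := runSessionChecks()
	fmt.Println("first session:", ok, "replay refused:", replay, "unknown device refused:", unknown, "err:", err)
}
```

Resending a captured ciphertext fails at the point check before any private-key operation runs, so a reuse attempt costs the server only a map lookup; a ciphertext from an unregistered device decrypts correctly but is refused at the white list.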
As a preferred scheme of the device authorization method based on the application service interface, the service call request of the application system is confirmed and matched against the authorized service list in the authorization file; permitted services are forwarded to the service processing server for processing, and unauthorized services are interrupted.
As a preferred scheme of the device authorization method based on the application service interface, in the second processing flow:
the user information, a licensed service list and a licence period are entered in advance according to the contract constraints, and a client code is generated by hashing the user information, the licensed service list and the licence period; the client code is provided to the client to be used as an input parameter;
the authorization application file is decrypted with the authorization private key, the user information is extracted from the decrypted data and looked up to verify that it is in the pre-configured user list, and for users in the list the decrypted device characteristic value is extracted to generate a white list that binds the device;
the service list and permission period corresponding to the user information are formed into the authorization information, and a hash operation over the authorization information and the device characteristic information yields the second hash value.
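The following Go program is an added worked example, not code from the patent or its assignee, covering the second processing flow's server side (client code from the contract data, user list lookup, white list binding, signed authorization file) and the first processing flow's client check (signature verification with the authorization public key, then comparison of the first hash with the second hash in the file). The patent fixes neither the algorithms nor the file layout; SHA-256 for the hashes and the client code, HMAC-SHA256 for the device characteristic value, ECDSA over P-256 for the signature, the AuthFile struct, and the constructed hardware strings, characteristic key and contract data are all assumptions. Following step S214, the second hash is taken as the hash of the device characteristic value and the signature covers that hash together with the authorization information; the encryption of the authorization application file in transit is left out, and the device characteristic value is handed to the issuing function directly.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// AuthFile is the authorization file returned by the server (layout assumed by the example).
type AuthFile struct {
	AuthInfo   []byte // user info, licensed service list and licence period
	SecondHash []byte // SHA-256 of the device characteristic value registered
	Signature  []byte // ECDSA over (AuthInfo, SecondHash); algorithm assumed
}

// devhmacCalc plays the role of the page's devhmac_calc: HMAC of the hardware info under the characteristic key.
func devhmacCalc(featureKey, hardwareInfo []byte) []byte {
	m := hmac.New(sha256.New, featureKey)
	m.Write(hardwareInfo)
	return m.Sum(nil)
}

// clientCode hashes user information, licensed service list and licence period (S211).
func clientCode(userInfo, serviceList, period string) string {
	h := sha256.Sum256([]byte(userInfo + "\x00" + serviceList + "\x00" + period))
	return hex.EncodeToString(h[:])
}

// signedMessage length-prefixes the authorization information before the second hash so the fields cannot shift.
func signedMessage(authInfo, secondHash []byte) []byte {
	msg := make([]byte, 4, 4+len(authInfo)+len(secondHash))
	binary.BigEndian.PutUint32(msg, uint32(len(authInfo)))
	msg = append(msg, authInfo...)
	msg = append(msg, secondHash...)
	sum := sha256.Sum256(msg)
	return sum[:]
}

// issueAuthFile is the server side (S212-S214): look the client code up, bind the
// device value into the white list, sign authorization info plus hash(device value).
func issueAuthFile(priv *ecdsa.PrivateKey, users map[string]string,
	whitelist map[string][]byte, code string, deviceFeature []byte) (*AuthFile, error) {
	authInfo, ok := users[code]
	if !ok {
		return nil, errors.New("client code not in the pre-configured user list")
	}
	whitelist[code] = deviceFeature
	second := sha256.Sum256(deviceFeature)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage([]byte(authInfo), second[:]))
	if err != nil {
		return nil, err
	}
	return &AuthFile{AuthInfo: []byte(authInfo), SecondHash: second[:], Signature: sig}, nil
}

// checkAuthFile is the client side (S111-S112): verify the issuer with the public
// key, then verify the issued object by comparing the first and second hashes.
func checkAuthFile(pub *ecdsa.PublicKey, f *AuthFile, deviceFeature []byte) bool {
	if !ecdsa.VerifyASN1(pub, signedMessage(f.AuthInfo, f.SecondHash), f.Signature) {
		return false // not issued by the server, or modified after issue
	}
	first := sha256.Sum256(deviceFeature)
	return bytes.Equal(first[:], f.SecondHash) // one machine, one authorization
}

// runScenario issues a file for one device and checks it there, on other hardware, and after editing.
func runScenario() (sameDevice, otherDevice, tampered bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	featureKey := []byte("constructed-characteristic-key")
	code := clientCode("tenant-42", "query,export", "2022-05-01..2023-05-01")
	users := map[string]string{code: "tenant-42;query,export;2022-05-01..2023-05-01"}
	whitelist := map[string][]byte{}
	devA := devhmacCalc(featureKey, []byte("cpu=0x1234;disk=SN-A;mac=00:11:22:33:44:55"))
	devB := devhmacCalc(featureKey, []byte("cpu=0x1234;disk=SN-B;mac=00:11:22:33:44:66"))
	f, err := issueAuthFile(priv, users, whitelist, code, devA)
	if err != nil {
		return
	}
	sameDevice = checkAuthFile(&priv.PublicKey, f, devA)
	otherDevice = checkAuthFile(&priv.PublicKey, f, devB)
	edited := *f
	edited.AuthInfo = []byte("tenant-42;query,export;2022-05-01..2033-05-01")
	tampered = checkAuthFile(&priv.PublicKey, &edited, devA)
	return
}

func main() {
	same, other, tampered, err := runScenario()
	fmt.Println("same device:", same, "other device:", other, "edited file:", tampered, "err:", err)
}
```

The scenario shows the one-machine-one-authorization property: the same file verifies on the device whose hardware produced it, fails the hash comparison on a second device with different hardware, and fails signature verification once its licence period field is edited.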
The invention also provides a device authorization device based on the application service interface, which comprises:
a service calling module, which provides the server manufacturer's external application service interface to the application system;
a device information acquisition module, which calculates the device characteristic value through the application service interface and determines the current service requirement from the interface actually called;
an authorization verification module, which, if the interface called is one in the application service interface directory, hashes the generated device characteristic value to obtain a first hash value, verifies the signature of the obtained authorization file with the authorization public key, compares the first hash value with the second hash value in the authorization file if the signature is legal, and enters the service call confirmation stage if the two are identical;
an authorization registration module, which, if the interface called is the authorization application interface, acquires the current time and the client code of the device and encrypts the current time, the client code and the device characteristic value with the authorization public key to generate an authorization application file;
and an authorization management module, which performs authorization management on the authorization application file to generate the authorization file.
As a preferred scheme of the device authorization device based on the application service interface, the authorization verification module also performs the validity period and time anti-rollback check: it reads the time information ciphertext of the last access, decrypts it with the characteristic key, compares the decrypted time with the current time to judge whether the current time is later than the last access time, and compares the current time with the permission period to judge whether it falls within the validity period;
if the current time is later than the last access time and within the validity period, it encrypts the current time value with the characteristic key and overwrites the last access time record.
As a preferred scheme of the device authorization device based on the application service interface, the device further comprises a service processing module configured to read the temporary elliptic curve point in the ciphertext of the device characteristic value, check it against the set of points stored for the window period and, if the point is repeated, judge the current message to be a reuse (replay) attack and deny service; if not, record the new point in the point set; verify the decrypted characteristic value against the white list and create the session; and confirm the service call request of the application system, match it against the authorized service list in the authorization file, forward permitted services to the service processing server for processing, and interrupt requests for unauthorized services.
The device authorization device based on the application service interface preferably further comprises an authorization registration authentication module, which enters the user information, licensed service list and licence period in advance according to the contract constraints, generates a client code by hashing the user information, the licensed service list and the licence period, and provides the client code to the client as an input parameter.
As a preferred scheme of the device authorization device based on the application service interface, in the authorization management module the authorization private key decrypts the authorization application file, the user information is extracted from the decrypted data and looked up to verify that it is in the pre-configured user list, and a white list is generated to bind the device characteristic value decrypted and extracted for users in the list; the service list and permission period corresponding to the user information are formed into the authorization information, and a hash operation over the authorization information and the device characteristic information yields the second hash value.
The invention has the following advantages. When the application system calls an application service interface to establish a connection with the business processing server, the application service interface calculates the device characteristic value and determines the current business requirement from the interface actually called: if the interface called is one in the application service interface directory, the first processing flow is entered, in which the generated device characteristic value is hashed to obtain a first hash value, the obtained authorization file is signature-verified with the authorization public key, and if the signature is legal the first hash value is compared with the second hash value in the authorization file, the service call confirmation stage being entered if they are the same; if the interface called is the authorization application interface, the second processing flow is entered, in which the current time and client code of the device are obtained, the current time, the client code and the device characteristic value are encrypted with the authorization public key to generate an authorization application file, and authorization management is performed on that file to generate the authorization file.
Because the authorization check is completed by the client-side application service interface, the server's operating load is reduced and part of its management resources are freed to handle more business operations. The client checks the licensed service list and licence time against the authorization file, so the server does not need to check, on each client service request, whether the called service is in the licensed list or whether the licence time is still valid; this simplifies the service processing flow and improves its efficiency. Because the licensed service list and licence time are enforced at the client, the client only calls service interfaces licensed by the server within the licence time, which reduces invalid call connections and network overhead and lowers the demands on the network environment, especially in big data and cloud service scenarios. The client's authorization file is signed with the server private key, which effectively protects the integrity and authenticity of the data; the file contains a device characteristic value computed from the characteristic key, so authorization follows a one-machine-one-authorization model: the authorization cannot be substituted and it strongly resists reuse.
Drawings
To illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below. The drawings in the following description are merely exemplary, and those of ordinary skill in the art can derive other embodiments from them without inventive effort.
The structures, ratios, sizes and the like shown in this specification serve only to match the contents disclosed in the specification so that those skilled in the art can understand and read the present invention, and they do not limit the conditions under which the present invention can be implemented; any structural modification, change of ratio or adjustment of size that has no technical significance and does not affect the functions and purposes of the present invention still falls within the scope of the present invention.
Fig. 1 is a schematic flowchart of the device authorization method based on an application service interface according to embodiment 1 of the present invention;
fig. 2 is a flowchart showing where authentication and authorization sit in the service invocation process according to embodiment 1 of the present invention;
fig. 3 is a schematic diagram of the architecture of the device authorization device based on an application service interface according to embodiment 2 of the present invention.
Detailed Description
The present invention is described in terms of particular embodiments; other advantages and features of the invention will become apparent to those skilled in the art from the following disclosure. The described embodiments are merely exemplary and are not intended to limit the invention to the particular embodiments disclosed. All other embodiments that a person skilled in the art can obtain from the embodiments of the present invention without creative effort belong to the protection scope of the present invention.
Because of the unpredictability of cloud tenants, the original method of restricting a single device has obvious defects: first, different cloud tenants have different requirements, so per-function authorization control of a single device no longer applies; second, cloud tenants with high turnover need lease management, so the original service-deadline authorization of a single device no longer applies either.
In view of this, the present invention provides a device authorization method and device based on an application service interface, which complete the authorization and authentication work by deploying an application service interface library at the user's or cloud tenant's client. On the one hand this solves, at the client, the problem of managing the authorization service deadline of services requested by temporary users; on the other hand, intercepting unauthorized service calls at the application client allows the server device to expose all of its functions without handling copyright protection itself. A specific embodiment of the present invention follows.
Example 1
Referring to fig. 1 and fig. 2, embodiment 1 of the present invention provides a device authorization method based on an application service interface. The specific processing flow is as follows:
S101: when an application system calls an application service interface to establish a connection with a business processing server, the application service interface first calculates the device characteristic value and determines the current business requirement from the interface actually called: if the interface is one in the application service interface directory, go to S111; if the authorization application interface is called, go to S121.
S111: compute a first hash value from the device characteristic value generated in S101, then go to S112;
S112: verify the signature of the authorization file acquired in S122 with the authorization public key. If the signature does not verify, the authorization authentication fails and the processing flow ends; if the signature is legal, compare the first hash value generated in S111 with the second hash value in the authorization file. If the first hash value differs from the second hash value, the authorization authentication fails and the processing flow ends; if they are the same, go to S113;
S113: perform the validity period and time anti-rollback check: read the time information ciphertext of the last access and decrypt it with the characteristic key (the time recorded initially is the authorization import time), compare the decrypted data with the current time to judge whether the current time is later than the last access time, and compare the current time with the authorization time limit to judge whether it is within the validity period. If either condition is not met, the authorization authentication fails and the processing flow ends; if both are met, encrypt the current time value with the characteristic key, overwrite the last access time record, and go to S114;
S114: encrypt the device characteristic value with the authorization public key and send the device characteristic value ciphertext to S221 to apply for session creation; if session creation fails, the processing flow ends; if it succeeds, go to S115;
S115: confirm all service call requests of the application system against the authorized service list in the S122 authorization file, forward permitted services to the service processing server for processing, and interrupt requests for non-permitted services.
S121: acquire the current time and the client code of the device, encrypt the current time, the client code and the device characteristic value generated in S101 with the authorization public key, send the ciphertext to S211 for processing, and go to S122;
S122: accept the authorization file returned by S214, and the processing flow ends.
S211: enter the user information, licensed service list and licence period in advance according to the contract constraints, and generate from this information, by hash calculation, a client code that is provided to the client and used as the input parameter in S121;
S212: decrypt the authorization application file from S121 with the authorization private key, and go to S213;
S213: extract the user information from the data decrypted in S212 and look it up to verify that it is in the user list configured in advance in S211; for users in the list, extract the decrypted characteristic value information, generate a white list for binding, and go to S214;
S214: find the service list and permission period corresponding to the user information to form the authorization information, sign the authorization information together with the second hash value of the device characteristic information, send the result back to S122, and end the processing.
S221: receive the device characteristic value ciphertext sent by S114 and perform the anti-reuse check: read the temporary elliptic curve point in the ciphertext and check it against the set of points stored for the window period; if the point is repeated, judge the current ciphertext to be a reuse (replay) attack and refuse service; if not, enter the new point into the point set. Then verify the decrypted characteristic value against the white list: if verification succeeds, establish the session; if it fails, end the processing.
S222: perform service request processing, receiving the permitted services forwarded from S115 while requests for non-permitted services are interrupted.
The technical scheme of the invention can be widely applied to application server equipment or system software for providing services through an external application service interface. A server provides various types of business services and management interfaces for client system applications through an application service interface deployed at a client, and the service authorization scheme is as follows:
The server-side vendor enters the user information, the licensed service list and the license period into the authorization management module according to the contract, generates a client code from them, and exports and delivers the code to the client. Before the system application calls a service in the application service interface, it must obtain authorization. With the client code as a parameter, the application starts the registration and authorization process through auth_reg. During registration the device characteristic value is obtained by calling the devhmac_calc interface: this interface reads the hardware information of the device, converts it into a byte string, performs an HMAC operation on it under the characteristic key, and returns the computed device characteristic value through an output parameter;
the auth_reg interface then reads the current time of the device and converts it into a byte string, encrypts the time, the device characteristic value and the client code together with the authorization public key, and sends the ciphertext to the server as an authorization request; the server's authorization management software receives and decrypts the authorization request;
the server reads the client code and verifies that it belongs to a user entered in the authorization management module; it extracts the device characteristic value and records it in the user's white list; it assembles the service license catalogue, the authorization period and the other data corresponding to the user information into the authorization information; it computes the hash of the device characteristic value, signs that hash together with the authorization information with the authorization private key, and returns the signed result to the client. auth_reg waits for the server's response and, if the server reports success, reads and stores the returned authorization file.
The system application calls an application service of the server through the client service interface. It first registers an access token with the server through the openDevice interface. During that registration openDevice first calls auth_chk for authorization verification, and the first step of verification obtains the device characteristic value through devhmac_calc and computes its hash. auth_chk verifies the source and integrity of the local authorization file with the authorization public key, that is, it verifies the identity of the issuer; after that check passes it extracts the hash value from the file and compares it with the locally computed hash to verify the object to which the file was issued. auth_chk then performs time anti-rollback verification: it decrypts the ciphertext of the last recorded access time and compares it with the current time to detect a rollback, re-encrypts the current time with the characteristic key as the new time mark, and at the same time checks the validity period. auth_chk returns the authorization information and the authorized service directory; openDevice then encrypts the device characteristic value with the authorization public key and registers the token. The server performs the ciphertext window-period anti-reuse check, creates the token and associates it with the subsequent service requests; the system application can then call the services in the authorized directory through the application service interface.
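The registration and verification flow above, worked in code. This is an added example written for this page, not code from the patent or its applicant. It uses Go's standard library in place of the Chinese national algorithms the patent names: HMAC-SHA256 for the SM3-based HMAC, SHA-256 for SM3, and ECDSA over P-256 for SM2 signing. The function names (DeviceFeature, IssueAuthFile, VerifyAuthFile, ServicePermitted), the JSON layout of the authorization file, the characteristic key and the sample hardware fields are assumptions made for the example. The hash bound into the file is the hash of the device characteristic value alone, matching the auth_chk comparison described above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// featureKey is the client-side characteristic key (assumed value for the demo).
var featureKey = sha256.Sum256([]byte("demo characteristic key (assumed)"))

// DeviceFeature plays the part of devhmac_calc: an HMAC over the collected hardware
// fields under the characteristic key (HMAC-SHA256 in place of the SM3-based HMAC).
func DeviceFeature(hardware []string) []byte {
	mac := hmac.New(sha256.New, featureKey[:])
	for _, field := range hardware {
		mac.Write([]byte(field))
		mac.Write([]byte{0}) // field separator, so "ab","c" and "a","bc" differ
	}
	return mac.Sum(nil)
}

// AuthInfo is the authorization information the server signs: the licensed service
// list, the license period and the hash of the device feature value (second hash value).
type AuthInfo struct {
	Services   []string `json:"services"`
	NotBefore  int64    `json:"not_before"`
	NotAfter   int64    `json:"not_after"`
	DeviceHash []byte   `json:"device_hash"`
}

// AuthFile is what auth_reg stores locally after a successful registration.
type AuthFile struct {
	Info      []byte `json:"info"` // serialized AuthInfo, the signed message
	Signature []byte `json:"sig"`  // ECDSA P-256 signature in place of SM2
}

// IssueAuthFile is the server side: one signature covers both the authorization
// information and the device hash, so neither can be swapped independently.
func IssueAuthFile(priv *ecdsa.PrivateKey, feature []byte, services []string, notBefore, notAfter int64) (AuthFile, error) {
	dh := sha256.Sum256(feature)
	raw, err := json.Marshal(AuthInfo{Services: services, NotBefore: notBefore, NotAfter: notAfter, DeviceHash: dh[:]})
	if err != nil {
		return AuthFile{}, err
	}
	digest := sha256.Sum256(raw)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return AuthFile{}, err
	}
	return AuthFile{Info: raw, Signature: sig}, nil
}

// VerifyAuthFile is the client side (auth_chk): issuer check with the authorization
// public key first, then the issued-object check comparing the locally computed
// first hash value with the second hash value carried in the file.
func VerifyAuthFile(pub *ecdsa.PublicKey, f AuthFile, feature []byte) (*AuthInfo, error) {
	digest := sha256.Sum256(f.Info)
	if !ecdsa.VerifyASN1(pub, digest[:], f.Signature) {
		return nil, errors.New("authorization file: invalid signature, issuer check failed")
	}
	var info AuthInfo
	if err := json.Unmarshal(f.Info, &info); err != nil {
		return nil, err
	}
	first := sha256.Sum256(feature)
	if !hmac.Equal(first[:], info.DeviceHash) { // constant-time compare
		return nil, errors.New("authorization file: device hash mismatch, issued to another device")
	}
	return &info, nil
}

// ServicePermitted is the client-side gate applied before a call is forwarded.
func ServicePermitted(info *AuthInfo, service string, now int64) bool {
	if now < info.NotBefore || now > info.NotAfter {
		return false
	}
	for _, s := range info.Services {
		if s == service {
			return true
		}
	}
	return false
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // authorization key pair
	devA := DeviceFeature([]string{"cpu:SN-A", "disk:WD-1", "mac:00:11:22:33:44:55"}) // constructed
	devB := DeviceFeature([]string{"cpu:SN-B", "disk:WD-1", "mac:00:11:22:33:44:55"})
	file, _ := IssueAuthFile(priv, devA, []string{"svc.query", "svc.export"}, 1_700_000_000, 1_731_536_000)
	info, err := VerifyAuthFile(&priv.PublicKey, file, devA)
	fmt.Println("device A verified:", err == nil, "svc.query permitted:", err == nil && ServicePermitted(info, "svc.query", 1_710_000_000))
	_, err = VerifyAuthFile(&priv.PublicKey, file, devB)
	fmt.Println("device B:", err)
}
```

Two points worth noting. The signature covers the serialized authorization information including the device hash, so a valid file for device A cannot have its service list spliced onto device B's hash, and the hash comparison is constant-time. The other side of the design is that the characteristic key, the verification and the ServicePermitted gate all live inside the client library: the signed file prevents forgery of the file, but the license-list enforcement that the server chooses to skip is only as strong as the integrity of the client code that performs it.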
In summary, when the application system calls the application service interface to establish a connection with the business processing server, the present invention computes the device characteristic value through the application service interface and determines the current business requirement from the interface actually called. If the interface actually called is an interface in the application service interface directory, the method proceeds to a first processing flow. In the first processing flow, a hash operation is performed on the generated device characteristic value to obtain a first hash value, the signature of the obtained authorization file is verified with the authorization public key, and, if the signature is valid, the first hash value is compared with the second hash value in the authorization file; if the two are equal, the service invocation confirmation stage is entered. If the interface actually called is the authorization application interface, the method proceeds to a second processing flow. In the second processing flow, the current time of the device and the client code are obtained, the current time, the client code and the device characteristic value are encrypted with the authorization public key to generate an authorization application file, and authorization management is performed according to the authorization application file to generate the authorization file. In the first processing flow, if the signature is invalid, authorization authentication fails and the processing flow ends; if the first hash value differs from the second hash value, authorization authentication likewise fails and the processing flow ends.
The service invocation confirmation stage comprises the following steps. Validity-period and time anti-rollback checks: the ciphertext of the last access time is read and decrypted with the characteristic key, the decrypted time is compared with the current time to judge whether the current time is later than the last access time, and the current time is compared with the license period to judge whether it lies within the validity period; if the current time is later than the last access time and within the validity period, the current time is encrypted with the characteristic key and overwrites the last access time record. Session creation: the device characteristic value is encrypted with the authorization public key and a session creation request is made with the resulting ciphertext. The server reads the temporary elliptic curve point in the ciphertext of the device characteristic value and checks it against the point set stored for the window period; if the point is already present, the current message is judged to be a reuse (replay) attack and service is refused; otherwise the new point is recorded in the point set. The decrypted characteristic value is then verified against the white list, and the session is created on success. Finally the service call request of the application system is confirmed against the licensed service list in the authorization file: calls to licensed services are forwarded to the business processing server for processing, and requests for unlicensed services are interrupted.
In the second processing flow: the user information, the licensed service list and the license period are entered in advance according to the contract, and the client code is generated by a hash computation over the user information, the licensed service list and the license period and is provided to the client as an input parameter; the authorization application file is decrypted with the authorization private key, the user information is extracted from the decrypted data and looked up to verify that it is in the pre-configured user list, and, for a user in the list, the decrypted device characteristic value is extracted and bound into a white list; the service list and license period corresponding to the user information are assembled into the authorization information, and a hash operation over the authorization information and the device characteristic information yields the second hash value.
Authorization protection normally relies on security algorithms for computationally expensive operations such as hashing, identity authentication and data encryption and decryption. In the present invention the authorization check is performed by the application service interface deployed at the client, which relieves the server of that load, frees part of its management processing resources and lets it handle more business operations. The client checks the licensed service list and the license period against the authorization file, so the server need not check, on each service request, whether the called service is in the licensed list or whether the license period is still valid, which simplifies the business processing flow and raises its efficiency. Because the licensed service list and license period are enforced at the client, the client only forwards to the server calls to services that are licensed within the license period; invalid call connections and network overhead are reduced, which lowers the network requirements in scenarios such as big data and cloud services. The client's authorization file is signed with the server's private key, which protects the integrity and authenticity of the data; the file contains a device characteristic value computed under the characteristic key, so authorization follows a one-machine-one-license model and a file cannot be transferred to another machine.
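The validity-period and time anti-rollback part of the confirmation stage, as an added example written for this page and not the patent's own code. AES-256-GCM under the characteristic key stands in for the SM4 encryption of the time record. The record layout (a random nonce followed by the ciphertext of a big-endian 64-bit timestamp), the function names CheckAndAdvance, sealTime and openTime, and the assumed characteristic key are choices made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// featureKey is the client-side characteristic key (assumed value for the demo).
var featureKey = sha256.Sum256([]byte("demo characteristic key (assumed)"))

// gcm builds an AES-256-GCM AEAD under the characteristic key; AES-GCM stands in
// for the SM4 encryption of the time record.
func gcm() cipher.AEAD {
	block, err := aes.NewCipher(featureKey[:])
	if err != nil {
		panic(err) // unreachable for a 32-byte key
	}
	g, _ := cipher.NewGCM(block) // only fails for non-standard block sizes
	return g
}

// sealTime stores a timestamp as nonce||ciphertext with a fresh random nonce.
func sealTime(t int64) []byte {
	g := gcm()
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], uint64(t))
	return g.Seal(nonce, nonce, buf[:], nil)
}

// openTime decrypts and authenticates a stored record; any edit to it fails here.
func openTime(record []byte) (int64, error) {
	g := gcm()
	if len(record) < g.NonceSize()+8 {
		return 0, errors.New("last-access record too short")
	}
	pt, err := g.Open(nil, record[:g.NonceSize()], record[g.NonceSize():], nil)
	if err != nil || len(pt) != 8 {
		return 0, errors.New("last-access record tampered or unreadable")
	}
	return int64(binary.BigEndian.Uint64(pt)), nil
}

// CheckAndAdvance is the client-side validity-period and anti-rollback check.
// lastRecord is the ciphertext written at the previous access (nil on first use);
// on success the returned ciphertext of now replaces it.
func CheckAndAdvance(lastRecord []byte, now, notBefore, notAfter int64) ([]byte, error) {
	if lastRecord != nil {
		last, err := openTime(lastRecord)
		if err != nil {
			return nil, err
		}
		if now <= last {
			return nil, errors.New("time rollback: current time is not later than the last access")
		}
	}
	if now < notBefore || now > notAfter {
		return nil, errors.New("outside the license period")
	}
	return sealTime(now), nil
}

func main() {
	var record []byte
	for _, now := range []int64{1000, 1100, 1050, 1200} { // 1050 is a rolled-back clock
		next, err := CheckAndAdvance(record, now, 900, 2000)
		if err != nil {
			fmt.Println(now, "refused:", err)
			continue
		}
		record = next
		fmt.Println(now, "accepted, record advanced")
	}
}
```

Because the record is authenticated encryption, a record that has been edited, or replaced with an older copy taken from backup, fails to open and is treated like a rollback rather than silently accepted. What the check cannot see is a clock that was already set back before the first access was recorded, and a clock that was once set far ahead locks the device out until real time catches up with the stored record; the check bounds a rolled-back clock to the interval between two accesses, nothing more.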
It should be noted that the method of the embodiments of the present disclosure may be executed by a single device, such as a computer or a server. The method of the embodiment can also be applied to a distributed scene and completed by the mutual cooperation of a plurality of devices. In such a distributed scenario, one of the devices may only perform one or more steps of the method of the embodiments of the present disclosure, and the devices may interact with each other to complete the method.
It should be noted that the above describes some embodiments of the disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments described above and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
Example 2
Referring to fig. 3, embodiment 2 of the present invention provides a device authorization apparatus based on an application service interface, comprising:
a service calling module 1, configured to provide the application system with the external application service interface of the server vendor;
a device information acquisition module 2, configured to compute the device characteristic value through the application service interface and determine the current business requirement from the interface actually called;
an authorization checking module 3, configured, if the interface actually called is an interface in the application service interface directory, to perform a hash operation on the generated device characteristic value to obtain a first hash value, verify the signature of the obtained authorization file with the authorization public key, compare, if the signature is valid, the first hash value with the second hash value in the authorization file, and enter the service invocation confirmation stage if the two are equal;
an authorization registration module 4, configured, if the interface actually called is the authorization application interface, to obtain the current time of the device and the client code, and to encrypt the current time, the client code and the device characteristic value with the authorization public key to generate an authorization application file;
and an authorization management module 5, configured to perform authorization management according to the authorization application file to generate the authorization file.
In this embodiment, the authorization checking module 3 performs the validity-period and time anti-rollback checks: it reads the ciphertext of the last access time, decrypts it with the characteristic key, compares the decrypted time with the current time to judge whether the current time is later than the last access time, and compares the current time with the license period to judge whether it is within the validity period; if the current time is later than the last access time and within the validity period, it encrypts the current time with the characteristic key and overwrites the last access time record.
In this embodiment, the apparatus further includes a service processing module 6, configured to read the temporary elliptic curve point in the ciphertext of the device characteristic value and check it against the point set stored for the window period; if the point is already present, the current message is judged to be a reuse (replay) attack and service is refused; otherwise the new point is recorded in the point set. The module then verifies the decrypted characteristic value against the white list and creates the session on success; it confirms the service call request of the application system against the licensed service list in the authorization file, forwards licensed services to the business processing server for processing, and interrupts requests for unlicensed services.
In this embodiment, the apparatus further includes an authorization registration authentication module 7, into which the user information, the licensed service list and the license period are entered in advance according to the contract; the module generates the client code by a hash computation over the user information, the licensed service list and the license period, and the client code is provided to the client as an input parameter.
In this embodiment, the authorization management module 5 decrypts the authorization application file with the authorization private key, extracts the user information from the decrypted data and looks it up to verify that it is in the pre-configured user list; for a user in the list it extracts the decrypted device characteristic value and binds it into a white list; it assembles the service list and license period corresponding to the user information into the authorization information and performs a hash operation over the authorization information and the device characteristic information to obtain the second hash value.
Specifically, the device authorization apparatus based on the application service interface of the present invention implements the service calling module 1, the device information acquisition module 2, the authorization checking module 3 and the authorization registration module 4 inside the application service interface, where they perform service calling, acquisition and processing of device information, authorization checking and authorization registration respectively, and implements the corresponding service processing module 6, authorization registration authentication module 7 and authorization management module 5 in the business processing server, where they perform service processing, authorization registration authentication and authorization management respectively.
Service calling module 1: provides the application system with the external application service interface of the server vendor. By calling this near-end interface the application system can use the operational services offered by the server vendor without concerning itself with the specific communication mechanism. The application service interface generally comprises an access token registration interface, an access closing interface, and the individual service interfaces through which the various service calls are made with the token. The token registration process encrypts the device characteristic value with the SM2 authorization public key and sends it to the server for identity confirmation during link creation.
Device information acquisition module 2: collects the various items of hardware information of the device and computes an HMAC over them with the SM3 algorithm under the characteristic key; the resulting hash-based message authentication code is used as the device characteristic value. Unlike a plain digest, the keyed computation hardens the process by adding data-origin authentication, which prevents an illegitimate party from generating the characteristic value by other means.
Authorization checking module 3: verifies the signature of the authorization file with the authorization public key using the SM2 algorithm, thereby verifying the identity of the issuer; computes an SM3 hash of the device characteristic value and compares it with the hash value in the authorization file, thereby confirming the object to which the file was issued; records the ciphertext of the current time, encrypted with the characteristic key using SM4, as the device time rollback check, and decrypts the previously recorded ciphertext to compare the times and determine whether a rollback has occurred; and compares the current time with the registration time to determine whether it falls within the license period of the authorization file.
Authorization registration module 4: reads the device time to form the registration time information, encrypts the registration time, the device characteristic value and the client code provided offline together with the authorization public key to generate the authorization application file, sends the authorization application file to the server, and receives the authorization file returned by the server.
Authorization management module 5: takes the entered user information, callable service list and license period and computes a hash over them to generate the client code; obtains the device characteristic value and binds it into the white list; verifies the user information and generates the authorization information file from the corresponding device characteristic value hash, the service list and the license period.
Service processing module 6: receives the token registration information, extracts the device characteristic value ciphertext from it and performs the window-period anti-reuse check on the ciphertext. The reuse check exploits the fact that the random elliptic curve point chosen in each SM2 encryption makes the ciphertext differ on every encryption, so a ciphertext whose point has already been seen within the window is a replay; this effectively resists interception-and-replay attacks. The module then associates the token with the connection to the client, receives and processes the service requests of that token's connection, and returns the results to the application client.
Authorization registration authentication module 7: receives the authorization application file sent by the application client and decrypts the device characteristic value data and the client code with the authorization private key using the SM2 algorithm; computes an SM3 hash of the device characteristic value data, signs the hash together with the authorization information associated with the client code with the authorization private key, base64-encodes the signed data and the original data, and returns them to the application client.
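The window-period anti-reuse check of the service processing module 6, as an added example written for this page and not code from the patent or its applicant. SM2 public-key encryption is replaced by an ECDH P-256 ephemeral key exchange with AES-256-GCM; the ephemeral public key sent alongside the ciphertext plays the part of the random curve point that makes every SM2 ciphertext of the same plaintext differ, which is the property the check relies on. The Server type and its fields, the 60-second window in the demo and the constructed feature value are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// gcm builds an AES-256-GCM AEAD from a 32-byte key (always a SHA-256 output here).
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // unreachable for a 32-byte key
	}
	g, _ := cipher.NewGCM(block) // only fails for non-standard block sizes
	return g
}

// Envelope is the token-registration message: the device feature value encrypted to
// the authorization public key. Point is the ephemeral public key and stands in for
// the random C1 point of an SM2 ciphertext.
type Envelope struct{ Point, Ciphertext []byte }

// EncryptToServer picks a fresh ephemeral key per message (ECDH P-256 + AES-GCM in
// place of SM2), so two encryptions of the same feature value never share a point.
func EncryptToServer(serverPub *ecdh.PublicKey, feature []byte) (Envelope, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return Envelope{}, err
	}
	shared, err := eph.ECDH(serverPub)
	if err != nil {
		return Envelope{}, err
	}
	k := sha256.Sum256(shared)
	g := gcm(k[:])
	// a zero nonce is safe only because this derived key encrypts exactly one message
	return Envelope{Point: eph.PublicKey().Bytes(), Ciphertext: g.Seal(nil, make([]byte, g.NonceSize()), feature, nil)}, nil
}

// Server is the business processing side: the authorization private key, the white
// list built during registration, and the points seen inside the window period.
type Server struct {
	Priv      *ecdh.PrivateKey
	Window    int64            // seconds a point stays in the set
	Whitelist map[string]bool  // registered device feature values
	seen      map[string]int64 // point -> time first seen
}

// OpenSession runs the window-period anti-reuse check, decrypts the feature value,
// checks it against the white list and returns a session token bound to the request.
func (s *Server) OpenSession(env Envelope, now int64) ([]byte, error) {
	if s.seen == nil {
		s.seen = map[string]int64{}
	}
	for p, t := range s.seen { // forget points older than the window
		if now-t > s.Window {
			delete(s.seen, p)
		}
	}
	if _, dup := s.seen[string(env.Point)]; dup {
		return nil, errors.New("reuse attack: ephemeral point already seen inside the window period")
	}
	s.seen[string(env.Point)] = now
	pub, err := ecdh.P256().NewPublicKey(env.Point) // rejects points not on the curve
	if err != nil {
		return nil, err
	}
	shared, err := s.Priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared)
	g := gcm(k[:])
	feature, err := g.Open(nil, make([]byte, g.NonceSize()), env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext does not open under the authorization private key")
	}
	if !s.Whitelist[string(feature)] {
		return nil, errors.New("device feature value is not in the white list")
	}
	token := sha256.Sum256(append(append([]byte{}, env.Point...), feature...))
	return token[:], nil
}

func main() {
	priv, _ := ecdh.P256().GenerateKey(rand.Reader)
	feature := []byte("feature value of device A (constructed)")
	srv := &Server{Priv: priv, Window: 60, Whitelist: map[string]bool{string(feature): true}}
	env, _ := EncryptToServer(priv.PublicKey(), feature)
	_, err := srv.OpenSession(env, 1000)
	fmt.Println("first use accepted:", err == nil)
	_, err = srv.OpenSession(env, 1010)
	fmt.Println("replay inside window:", err)
}
```

Remembering points only for the window keeps the server's memory bounded, but it also bounds the protection: the message carries nothing but the feature value, so a captured token-registration message passes the point check again once the window has elapsed. The window must therefore be at least as long as the interval during which a captured message could still be useful, and the token created from the session should be short-lived or bound to the transport.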
It should be noted that, because the contents of information interaction, execution process, and the like between the modules/units of the apparatus are based on the same concept as the method embodiment in embodiment 1 of the present application, the technical effect brought by the contents is the same as the method embodiment of the present application, and specific contents may refer to the description in the foregoing method embodiment of the present application, and are not described herein again.
Example 3
Embodiment 3 of the present invention provides a non-transitory computer-readable storage medium, where a program code of an application service interface-based device authorization method is stored in the computer-readable storage medium, where the program code includes instructions for executing the application service interface-based device authorization method of embodiment 1 or any possible implementation manner of the embodiment.
The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device, such as a server, a data center, etc., that incorporates one or more of the available media. The usable medium may be a magnetic medium (e.g., floppy Disk, hard Disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
Example 4
An embodiment 4 of the present invention provides an electronic device, including: a memory and a processor;
the processor and the memory are communicated with each other through a bus; the memory stores program instructions executable by the processor to invoke the application service interface based device authorization method of embodiment 1 or any possible implementation thereof.
Specifically, the processor may be implemented by hardware or software, and when implemented by hardware, the processor may be a logic circuit, an integrated circuit, or the like; when implemented in software, the processor may be a general-purpose processor implemented by reading software code stored in a memory, which may be integrated in the processor, located external to the processor, or stand-alone.
In the above embodiments, the implementation may be realized in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, it may be realized in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions; when these instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the invention are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another; for example, they may be transmitted from one website, computer, server, or data center to another by wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave) means.
It will be apparent to those skilled in the art that the modules or steps of the present invention described above may be implemented by a general purpose computing device, they may be centralized on a single computing device or distributed across a network of multiple computing devices, and alternatively, they may be implemented by program code executable by a computing device, such that they may be stored in a storage device and executed by a computing device, and in some cases, the steps shown or described may be performed in an order different than that described herein, or they may be separately fabricated into individual integrated circuit modules, or multiple ones of them may be fabricated into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
Although the invention has been described in detail above with reference to a general description and specific examples, it will be apparent to one skilled in the art that modifications or improvements may be made thereto based on the invention. Accordingly, it is intended that all such modifications and alterations be included within the scope of this invention as defined in the appended claims.

Claims (10)

1. A device authorization method based on an application service interface, characterized by comprising the following steps:
when an application system calls the application service interface to establish a connection with a business processing server, computing a device characteristic value through the application service interface and determining the current business requirement from the interface actually called:
if the interface actually called is an interface in the application service interface directory, proceeding to a first processing flow;
in the first processing flow: performing a hash operation on the generated device characteristic value to obtain a first hash value, verifying the signature of the obtained authorization file with the authorization public key, comparing, if the signature is valid, the first hash value with a second hash value in the authorization file, and entering a service invocation confirmation stage if the first hash value equals the second hash value;
if the interface actually called is the authorization application interface, proceeding to a second processing flow;
in the second processing flow: obtaining the current time of the device and the client code, encrypting the current time, the client code and the device characteristic value with the authorization public key to generate an authorization application file, and performing authorization management according to the authorization application file to generate the authorization file.
2. The device authorization method based on an application service interface according to claim 1, characterized in that in the first processing flow: if the signature is invalid, authorization authentication fails and the processing flow ends;
and if the first hash value differs from the second hash value, authorization authentication fails and the processing flow ends.
3. The device authorization method based on an application service interface according to claim 2, characterized in that the service invocation confirmation stage comprises:
checking the validity period and guarding against time rollback: reading the ciphertext of the last access time, decrypting it with the characteristic key, comparing the decrypted time with the current time to judge whether the current time is later than the last access time, and comparing the current time with the license period to judge whether the current time lies within the validity period;
and if the current time is later than the last access time and within the validity period, encrypting the current time with the characteristic key and overwriting the last access time record.
4. The device authorization method based on an application service interface according to claim 3, characterized in that the device characteristic value is encrypted with the authorization public key and a session creation request is made with the ciphertext of the device characteristic value, the session creation process being as follows:
reading the temporary elliptic curve point in the ciphertext of the device characteristic value and checking it against the point set stored for the window period; if the point is already present, judging the current message to be a reuse (replay) attack and refusing service; otherwise recording the new point in the point set; and verifying the decrypted characteristic value against the white list, and creating the session when verification succeeds.
5. The device authorization method based on an application service interface according to claim 4, characterized in that the service call request of the application system is confirmed against the licensed service list in the authorization file; calls to licensed services are forwarded to the business processing server for processing, and requests for unlicensed services are interrupted.
6. The device authorization method based on an application service interface according to claim 1, characterized in that in the second processing flow:
entering the user information, the licensed service list and the license period in advance according to the contract, and generating the client code by a hash computation over the user information, the licensed service list and the license period, the client code being provided to the client as an input parameter;
decrypting the authorization application file with the authorization private key, extracting the user information from the decrypted data and looking it up to verify that it is in the pre-configured user list, and, for a user in the list, extracting the decrypted device characteristic value and binding it into a white list;
and assembling the service list and license period corresponding to the user information into the authorization information, and performing a hash operation over the authorization information and the device characteristic information to obtain the second hash value.
7. A device authorization apparatus based on an application service interface, characterized by comprising:
a service calling module, configured to provide the application system with the external application service interface of the server vendor;
a device information acquisition module, configured to compute the device characteristic value through the application service interface and determine the current business requirement from the interface actually called;
an authorization checking module, configured, if the interface actually called is an interface in the application service interface directory, to perform a hash operation on the generated device characteristic value to obtain a first hash value, verify the signature of the obtained authorization file with the authorization public key, compare, if the signature is valid, the first hash value with a second hash value in the authorization file, and enter a service invocation confirmation stage if the first hash value equals the second hash value;
an authorization registration module, configured, if the interface actually called is the authorization application interface, to obtain the current time of the device and the client code, and to encrypt the current time, the client code and the device characteristic value with the authorization public key to generate an authorization application file;
and an authorization management module, configured to perform authorization management according to the authorization application file to generate the authorization file.
8. The device authorization apparatus based on an application service interface according to claim 7, characterized in that the authorization checking module is configured to check the validity period and guard against time rollback: it reads the ciphertext of the last access time, decrypts it with the characteristic key, compares the decrypted time with the current time to judge whether the current time is later than the last access time, and compares the current time with the license period to judge whether the current time lies within the validity period;
and if the current time is later than the last access time and within the validity period, it encrypts the current time with the characteristic key and overwrites the last access time record.
9. The device authorization apparatus based on an application service interface according to claim 8, further comprising a service processing module, configured to read the temporary elliptic curve point in the ciphertext of the device characteristic value and check it against the point set stored for the window period; if the point is already present, to judge the current message to be a reuse (replay) attack and refuse service; otherwise to record the new point in the point set; to verify the decrypted characteristic value against the white list and create the session on success; and to confirm the service call request of the application system against the licensed service list in the authorization file, forward licensed services to the business processing server for processing, and interrupt requests for unlicensed services.
10. The device authorization apparatus based on an application service interface according to claim 9, further comprising an authorization registration authentication module, into which the user information, the licensed service list and the license period are entered in advance according to the contract, and which generates the client code by a hash computation over the user information, the licensed service list and the license period and provides the client code to the client as an input parameter;
wherein the authorization management module decrypts the authorization application file with the authorization private key, extracts the user information from the decrypted data and looks it up to verify that it is in the pre-configured user list, and, for a user in the list, extracts the decrypted device characteristic value and binds it into a white list; and assembles the service list and license period corresponding to the user information into the authorization information and performs a hash operation over the authorization information and the device characteristic information to obtain the second hash value.
CN202210531860.2A 2022-05-16 2022-05-16 Device authorization method and device based on application service interface Active CN114938299B (en)

Publications (2)

Publication Number Publication Date
CN114938299A true CN114938299A (en) 2022-08-23
CN114938299B CN114938299B (en) 2024-03-12

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104901809A (en) * 2015-04-23 2015-09-09 北京航空航天大学 Remote authentication protocol method based on password and intelligent card
US20170099148A1 (en) * 2015-10-01 2017-04-06 Cisco Technology, Inc. Securely authorizing client applications on devices to hosted services
US20200151366A1 (en) * 2018-11-13 2020-05-14 Samsung Electronics Co., Ltd. System and method for anti-rollback
CN111708991A (en) * 2020-06-17 2020-09-25 腾讯科技(深圳)有限公司 Service authorization method, service authorization device, computer equipment and storage medium
CN114186199A (en) * 2022-02-15 2022-03-15 北京安帝科技有限公司 License authorization method and device

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant