CN115001749B - Equipment authorization method, device, equipment and medium - Google Patents

Equipment authorization method, device, equipment and medium Download PDF

Info

Publication number
CN115001749B
CN115001749B CN202210481726.6A CN202210481726A CN115001749B CN 115001749 B CN115001749 B CN 115001749B CN 202210481726 A CN202210481726 A CN 202210481726A CN 115001749 B CN115001749 B CN 115001749B
Authority
CN
China
Prior art keywords
data information
authentication
server
information
authorization
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210481726.6A
Other languages
Chinese (zh)
Other versions
CN115001749A (en
Inventor
李新文
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ThunderSoft Co Ltd
Original Assignee
ThunderSoft Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ThunderSoft Co Ltd filed Critical ThunderSoft Co Ltd
Priority to CN202210481726.6A priority Critical patent/CN115001749B/en
Publication of CN115001749A publication Critical patent/CN115001749A/en
Application granted granted Critical
Publication of CN115001749B publication Critical patent/CN115001749B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44Program or device authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords

Abstract

The application provides a device authorization method, a device and a medium, wherein the method comprises the following steps: reporting first data information comprising a Mac address, a first random number and an encrypted first target value to a server under the condition that server authentication is passed, wherein the first target value is determined based on first authentication times; receiving encrypted second data information fed back by the server, decrypting the encrypted second data information, generating the second data information based on the first authorization information when the server determines that the first authentication times are the same as the second authentication times, detecting whether the second authorization information is the same as the first authorization information according to third data information and the second data information, and generating the third data information based on the second authorization information; and under the condition that the second authorization information is the same as the first authorization information, determining the operation authority of the acquisition algorithm program, updating the first authentication times, and sending an updating instruction for updating the second authentication times to the server. The terminal equipment authorization authentication method and device can accurately conduct authorization authentication on the terminal equipment.

Description

Equipment authorization method, device, equipment and medium
Technical Field
The present disclosure relates to the field of data processing technologies, and in particular, to a device authorization method, apparatus, device, and medium.
Background
In order to protect the rights of algorithm developers when the algorithm program is deployed on a device, to prevent the algorithm program from running on an unauthorized device, it is necessary to perform authorized authentication of the device.
Currently, when performing authorization authentication on a device, the following two methods are mainly included:
1. the device is authorized by means of an identity (Identity document, ID) of the device.
2. The device authorization authentication is carried out by adopting a dongle mode, namely, the dongle similar to a U disk is inserted into the device, the device is authorized and verified by adopting modes such as communication of an algorithm program and the dongle, and the like.
For the first authentication mode, if the device ID cannot be obtained, the situation that the algorithm program is applied to the unauthorized device in a package mirror image mode is easy to occur, and at this time, accurate authorization authentication cannot be performed on the device, so that the rights and interests of algorithm developers are affected.
For the second authentication mode, because new hardware is needed, the cost is greatly increased when the number of devices is large, and the main stream dongle devices in the market can be cracked by means of hardware cloning or copying, so that an algorithm program runs on unauthorized devices, and at the moment, the devices cannot be accurately authorized and authenticated, and the rights and interests of algorithm developers are affected.
Therefore, in the prior art, the method for carrying out the authorization authentication on the equipment has the defects that the authorization authentication cannot be accurately carried out and the authorization authentication cost is increased.
Disclosure of Invention
The embodiment of the application provides a device authorization method, device and medium, which are used for solving the problems that in the prior art, authorization authentication cannot be accurately performed and the authorization authentication cost is increased when the device is subjected to authorization authentication.
In a first aspect, an embodiment of the present application provides a device authorization method, applied to a terminal device deploying an algorithm program, including:
reporting first data information to a server under the condition that server authentication is passed, wherein the first data information comprises a media access control Mac address, a first random number and an encrypted first target value of the terminal equipment, and the first target value is determined based on the Mac address, the first random number and a first authentication number corresponding to the terminal equipment authentication stored by the terminal equipment;
receiving and decrypting the encrypted second data information fed back by the server to acquire the second data information, wherein when the server determines that the first authentication times are the same as the second authentication times, the second data information is generated based on the first authorization information which is stored by the server and is associated with the terminal equipment, the second authentication times are the authentication times which are stored by the server and correspond to the authentication of the terminal equipment, and the server determines whether the first authentication times are the same as the second authentication times based on the first data information;
Detecting whether second authorization information and the first authorization information are the same according to third data information and the second data information, wherein the third data information is generated based on the second authorization information associated with the terminal equipment;
and under the condition that the second authorization information is the same as the first authorization information, determining to acquire the operation authority of the algorithm program, updating the first authentication times, and sending an update instruction for updating the second authentication times to the server.
In a second aspect, an embodiment of the present application provides a device authorization method, applied to a server, including:
receiving first data information reported by terminal equipment under the condition that the terminal equipment authenticates the server and the authentication passes, wherein the first data information comprises a media access control Mac address, a first random number and an encrypted first target value of the terminal equipment, and the first target value is determined based on the Mac address, the first random number and first authentication times which are stored by the terminal equipment and correspond to the authentication of the terminal equipment;
detecting whether the first authentication times are the same as second authentication times stored by the server according to the first data information, wherein the second authentication times are authentication times corresponding to the authentication of the terminal equipment stored by the server;
Generating second data information based on the stored first authorization information associated with the terminal equipment under the condition that the first authentication times are the same as the second authentication times, encrypting the second data information and then sending the second data information to the terminal equipment;
receiving an update instruction of updating the second authentication times sent by the terminal equipment and updating the second authentication times under the condition that the terminal equipment determines that second authorization information is the same as the first authorization information based on third data information and the decrypted second data information;
the third data information is generated based on second authorization information associated with the terminal equipment, and the terminal equipment deployed with the algorithm program acquires the operation authority of the algorithm program under the condition that the second authorization information is identical to the first authorization information.
In a third aspect, an embodiment of the present application provides an apparatus authorization device, which is applied to a terminal apparatus for deploying an algorithm program, including:
the first reporting module is configured to report first data information to a server when server authentication passes, where the first data information includes a Mac address, a first random number, and an encrypted first target value of the terminal device, and the first target value is determined based on the Mac address, the first random number, and a first authentication number stored by the terminal device and corresponding to the terminal device authentication;
The receiving decryption module is used for receiving encrypted second data information fed back by the server and decrypting the encrypted second data information so as to acquire the second data information, wherein when the server determines that the first authentication times are the same as the second authentication times, the second data information is generated based on first authorization information which is stored by the server and is associated with the terminal equipment, the second authentication times are authentication times which are stored by the server and correspond to the terminal equipment authentication, and the server determines whether the first authentication times are the same as the second authentication times based on the first data information;
the first detection module is used for detecting whether second authorization information and the first authorization information are the same according to third data information and the second data information, and the third data information is generated based on the second authorization information associated with the terminal equipment;
and the first processing module is used for determining to acquire the running authority of the algorithm program under the condition that the second authorization information is the same as the first authorization information, updating the first authentication times and sending an updating instruction for updating the second authentication times to the server.
In a fourth aspect, an embodiment of the present application provides an apparatus authorization device, applied to a server, including:
a first receiving module, configured to receive first data information reported by a terminal device when the terminal device authenticates the server and the authentication passes, where the first data information includes a Mac address, a first random number, and an encrypted first target value of the terminal device, where the first target value is determined based on the Mac address, the first random number, and a first authentication number stored by the terminal device and corresponding to authentication of the terminal device;
the second detection module is used for detecting whether the first authentication times are the same as second authentication times stored by the server according to the first data information, wherein the second authentication times are authentication times corresponding to the authentication of the terminal equipment stored by the server;
the generation and transmission module is used for generating second data information based on stored first authorization information associated with the terminal equipment and transmitting the second data information to the terminal equipment after encrypting the second data information under the condition that the first authentication times are the same as the second authentication times;
The receiving updating module is used for receiving an updating instruction for updating the second authentication times sent by the terminal equipment and updating the second authentication times when the terminal equipment determines that the second authorization information is the same as the first authorization information based on third data information and the decrypted second data information;
the third data information is generated based on second authorization information associated with the terminal equipment, and the terminal equipment deployed with the algorithm program acquires the operation authority of the algorithm program under the condition that the second authorization information is identical to the first authorization information.
In a fifth aspect, embodiments of the present application provide a computer device comprising a processor and a memory, the memory storing at least one instruction, at least one program, a set of codes, or a set of instructions, the at least one instruction, the at least one program, the set of codes, or the set of instructions being loaded and executed by the processor to implement the method according to the first aspect or the second aspect.
In a sixth aspect, embodiments of the present application provide a computer readable storage medium having stored therein at least one instruction, at least one program, a set of codes, or a set of instructions, the at least one instruction, the at least one program, the set of codes, or the set of instructions being loaded and executed by a processor to implement a method as described in the first aspect or the second aspect.
In a seventh aspect, embodiments of the present application provide a computer program product for performing the method of the first or second aspect described above when the computer program product is executed.
According to the technical scheme, under the condition that server authentication is passed, first data information is reported to the server, the server determines whether the first authentication times stored by the terminal equipment are identical to the second authentication times stored by the server based on the first data information, generates second data information based on the first authorization information and feeds the second data information back to the terminal equipment after encryption, the terminal equipment detects whether the first authorization information and the second authorization information are identical according to the second data information and third data information generated based on the second authorization information, and under the condition that the first data information and the third data information are identical to the third data information, the terminal equipment determines that the authorization authentication of the terminal equipment is passed, the terminal equipment obtains the operation authority of an algorithm program, updates the first authentication times and sends an update instruction to the server, whether the algorithm program can normally operate on the terminal equipment can be determined based on the authentication times and the authorization information, so that the terminal equipment deploying the algorithm program can be authorized and authenticated accurately.
Furthermore, by encrypting the first target value and the second data information, illegal tampering of the data can be prevented, the security of the data is ensured, normal operation of authorization authentication can be further ensured, and accurate authorization authentication of the terminal equipment can be ensured.
Drawings
Fig. 1 is a schematic diagram of a device authorization method at a terminal device side according to an embodiment of the present application;
fig. 2 is a schematic diagram of a device authorization method on a server side according to an embodiment of the present application;
fig. 3 is a schematic diagram illustrating an interaction flow between a server and a terminal device provided in an embodiment of the present application;
fig. 4 is a schematic diagram of a device authorization apparatus at a terminal device side according to an embodiment of the present application;
fig. 5 shows a schematic diagram of a device authorization apparatus on a server side provided in an embodiment of the present application;
fig. 6 is a block diagram of a computer device according to one embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.
It should be appreciated that reference throughout this specification to "one embodiment" or "an embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present application. Thus, the appearances of the phrases "in one embodiment" or "in an embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
In various embodiments of the present application, it should be understood that the sequence numbers of the following processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation process of the embodiments of the present application.
Aiming at the defects that in the prior art, when the equipment for deploying the algorithm program is subjected to authorization authentication, the authorization authentication cannot be performed accurately and the authorization authentication cost is high, the application provides an equipment authorization method, and whether the algorithm program deployed on the terminal equipment can normally run is determined by comparing the authentication times of the terminal equipment and a server, so that the condition that the algorithm program is run on the unauthorized equipment through clone mirror images is avoided, the rights of algorithm developers are guaranteed, and the authorization authentication cost can be saved.
The following describes a device authorization method provided in the embodiment of the present application, where the method is applied to a terminal device that deploys an algorithm program, as shown in fig. 1, and the method includes:
step 101, reporting first data information to a server when server authentication is passed, where the first data information includes a Mac address, a first random number, and an encrypted first target value of the terminal device, where the first target value is determined based on the Mac address, the first random number, and a first authentication number stored in the terminal device and corresponding to authentication of the terminal device.
According to the device authorization method provided by the embodiment of the application, firstly, the terminal device authenticates the server, and under the condition that the authentication passes, the server authenticates the terminal device so as to realize bidirectional authentication, and the authentication of the server to the terminal device is the authorization authentication of the terminal device running an algorithm program.
The following describes a case where the terminal device authenticates with the server, and the terminal device reports first data information including a media access control (Media Access Control, mac) address, a first random number, and an encrypted first target value of the terminal device to the server based on communication with the server. The first target value is determined based on the Mac address, the first random number and the first authentication times corresponding to the authentication of the terminal equipment, which are stored by the terminal equipment, wherein the first random number is a value randomly selected by the terminal equipment, the terminal equipment encrypts the first target value after determining the first target value, determines first data information according to the Mac address, the first random number and the encrypted first target value, and reports the first data information to the server. Wherein, by carrying out encryption processing on the first target value, the first target value can be prevented from being tampered with, so as to ensure the security of the first target value.
Step 102, receiving and decrypting the encrypted second data information fed back by the server to obtain the second data information, wherein when the server determines that the first authentication times are the same as the second authentication times, the second data information is generated based on the first authorization information stored by the server and associated with the terminal equipment, the second authentication times are the authentication times corresponding to the authentication of the terminal equipment stored by the server, and the server determines whether the first authentication times are the same as the second authentication times based on the first data information.
After reporting the first data information to the server, the terminal device determines, based on the Mac address, the first random number, and the first authentication number, whether the first authentication number is the same as a second authentication number stored by the server and associated with the current terminal device, because the first data information includes the encrypted first target value. For the server, the corresponding authentication times of each terminal device are recorded.
When the first authentication times are the same as the second authentication times, the server generates second data information, and feeds back the second data information after encryption processing to the terminal equipment, wherein the second data information is generated based on first authorization information stored by the server and associated with the terminal equipment (current terminal equipment), and the first authorization information is an authorization character string corresponding to the current terminal equipment stored by the server, and specifically is an equipment authorization code. And the terminal equipment receives the encrypted second data information fed back by the server, decrypts the encrypted second data information and acquires the second data information. By performing encryption processing on the second data information, the second data information can be prevented from being tampered with.
Step 103, detecting whether second authorization information and the first authorization information are the same according to third data information and the second data information, wherein the third data information is generated based on the second authorization information associated with the terminal equipment.
The terminal device may generate third data information based on second authorization information associated with the terminal device, where the second authorization information is an authorization string of the terminal device, specifically a device authorization code. The third data information and the second data information are generated based on the same strategy, the generation parameters corresponding to the second data information comprise first authorization information and target parameters, and the generation parameters corresponding to the third data information comprise second authorization information and target parameters. The third data information may be generated in advance or may be generated after the second data information is acquired.
After the second data information and the third data information are acquired, since the generation parameters corresponding to the second data information include the first authorization information and the target parameters, and the generation parameters corresponding to the third data information include the second authorization information and the target parameters, whether the second authorization information and the first authorization information are the same or not can be detected according to the third data information and the second data information.
Step 104, determining to acquire the operation authority of the algorithm program, updating the first authentication times and sending an update instruction for updating the second authentication times to the server when the second authorization information is the same as the first authorization information.
And under the condition that the second authorization information is the same as the first authorization information, determining that the authorization authentication of the terminal equipment passes, and acquiring the operation authority of the algorithm program by the terminal equipment to execute the algorithm program. And under the condition that the second authorization information is the same as the first authorization information, the terminal equipment completes one-time authentication, and 1 is added on the basis of the first authentication times to update the first authentication times. The terminal device needs to send an update instruction for updating the second authentication number to the server, so that the server can add 1 on the basis of the second authentication number according to the update instruction to update the second authentication number.
According to the implementation process, when the server authentication is passed, the first data information is reported to the server, the server determines whether the first authentication times stored by the terminal equipment are identical to the second authentication times stored by the server based on the first data information, generates the second data information based on the first authorization information and feeds back the second data information to the terminal equipment after encryption, the terminal equipment detects whether the first authorization information and the second authorization information are identical according to the second data information and the third data information generated based on the second authorization information, and under the condition that the first data information and the third data information are identical to the third data information, the terminal equipment determines that the authorization authentication of the terminal equipment is passed, the terminal equipment acquires the operation authority of the algorithm program, updates the first authentication times and sends an update instruction to the server, whether the algorithm program can normally operate on the terminal equipment can be determined based on the authentication times and the authorization information, so that the terminal equipment deploying the algorithm program can be authorized and authenticated accurately.
Furthermore, by encrypting the first target value and the second data information, illegal tampering of the data can be prevented, the security of the data is ensured, normal operation of authorization authentication can be further ensured, and accurate authorization authentication of the terminal equipment can be ensured.
The following describes a procedure of terminal equipment to authenticate a server, and the method further includes: receiving request information encrypted by a first private key sent by the server; decrypting the encrypted request information according to the first public key in the prefabricated certificate; and under the condition that decryption is successful, determining that the server authentication is passed, and feeding back response information carrying authentication passing notification to the server.
The terminal device stores a prefabricated certificate, and the prefabricated certificate at least comprises a first public key, a certificate validity period and a certificate issuer. When the terminal equipment authenticates the server, receiving request information encrypted by the first private key and sent by the server, wherein the request information sent by the server can be an HTTP request or an HTTPS request.
After receiving the request information encrypted by the first private key sent by the server, decrypting the encrypted request information by using the first public key in the prefabricated certificate, and obtaining the request information under the condition that the decryption is successful, determining that the first public key and the first private key are public-private key pairs and that the server authentication is passed, and feeding back response information carrying an authentication passing notification to the server. If the decryption is unsuccessful, it is determined that the server authentication is not passed, and at this time, response information carrying notification that the authentication is not passed may be fed back to the server. The response information may be an HTTP response or an HTTPs response. By sending the notification that the authentication is passed or not passed to the server, the server can conveniently know the authentication condition of the terminal equipment to the server in time.
In the implementation process, the request information which is sent by the server and is encrypted by the first private key is received, the request information is decrypted by the first public key in the prefabricated certificate, the server authentication is determined to pass under the condition that the decryption is successful, response information carrying authentication passing notification is fed back to the server, the server authentication is determined to not pass under the condition that the decryption is unsuccessful, the response information carrying authentication failing notification is fed back to the server, and the server authentication can be carried out based on the decryption condition and corresponding notification is fed back to the server.
Step 101 reports first data information to the server, including:
determining the first target value by adopting a first target calculation strategy based on the Mac address, the first random number and the first authentication times;
encrypting the first target value by adopting a second private key;
and determining the first data information according to the Mac address, the first random number and the encrypted first target value, and reporting the first data information to the server.
When the terminal device reports the first data information to the server, a first target value needs to be determined by adopting a first target calculation policy based on the Mac address, the first random number and the first authentication number, where the first target calculation policy may be a secure hash algorithm (Secure Hash Algorithm, SHA), such as SHA128 algorithm, SHA256 algorithm, SHA512 algorithm, in this embodiment, the SHA256 algorithm is taken as an example to describe, and the Mac address, the first random number and the first authentication number are calculated by the SHA256 algorithm, so that the obtained SHA256 value is the first target value.
After the first target value is obtained, the first target value is encrypted by using the second private key, then first data information is determined according to the Mac address, the first random number and the encrypted first target value, and the first data information is reported to the server. The first authentication number may be protected by encrypting the first target value, so as to prevent unauthorized devices from tampering with the first target value or stealing the first target value.
By generating the first target value based on the first target calculation policy, determining the first data information based on the Mac address, the first random number, and the encrypted first target value after encrypting the first target value, it is possible to facilitate the server to verify whether the first authentication number is the same as the second authentication number stored by the server based on the first data information.
The terminal equipment stores a second private key corresponding to the second public key;
the receiving and decrypting the encrypted second data information fed back by the server to obtain the second data information includes:
and when receiving the second data information encrypted by the second public key, decrypting based on the second private key to obtain the second data information.
The server encrypts the second data information by using the second public key, the terminal device stores a second private key corresponding to the second public key, and when receiving the encrypted second data information fed back by the server and decrypting, the terminal device specifically comprises: and receiving second data information which is fed back by the server and encrypted by the second public key, and then decrypting the encrypted second data information based on the second private key to acquire second data information.
The second public key and the second private key are public-private key pairs, and the second public key is reported to the server by the terminal equipment, specifically: before reporting the first data information to the server, the terminal device further includes:
reporting the MAC address of the terminal equipment and a second public key corresponding to the terminal equipment to the server, wherein the second public key and the second private key are matched to form a public-private key pair;
and the MAC address and the second public key form an association relation, the second public key is used for decryption when the second private key is used for encryption, and the second public key is used for encryption when the second private key is used for decryption.
After the terminal equipment acquires the public-private key pair (the second public key and the second private key), the second private key is reserved, the second public key is reported to the server, the terminal equipment also needs to report the MAC address to the server, and the MAC address reported by the terminal equipment and the second public key form an association relation. The public-private key pair in this embodiment may be an asymmetric encryption algorithm (Rivest Shamir Adleman, RSA) public-private key pair, that is, the second public key is an RSA public key, the second private key is an RSA private key, or may be an ECC elliptic encryption algorithm public-private key pair.
When the server determines that the first authentication times are the same as the second authentication times stored by the server based on the first data information reported by the terminal equipment, generating second data information, determining a corresponding second public key based on the MAC address of the terminal equipment, encrypting the second data information based on the determined second public key, and feeding back the second data information encrypted by the second public key to the terminal equipment. The terminal equipment decrypts the encrypted second data information based on the second private key to obtain the second data information, and at the moment, the second public key is used for encryption and the second private key is used for decryption.
After the first target value is generated, the terminal equipment encrypts the first target value by utilizing the second private key, determines first data information according to the Mac address, the first random number and the encrypted first target value, and reports the first data information to the server. After the server obtains the first data information, a second target value is determined by adopting a first target calculation strategy based on the Mac address, the first random number and the second authentication times stored by the server, the encrypted first target value is decrypted by utilizing a second public key, and the first target value is obtained, wherein at the moment, the second public key is used for decryption, and the second private key is used for encryption. And then comparing the first target value with the second target value, and determining that the first authentication times are the same as the second authentication times when the first target value and the second target value are the same. Since the first target value is determined based on the Mac address, the first random number, and the first authentication number, and the second target value is determined based on the Mac address, the first random number, and the second authentication number in the same manner, the first authentication number is determined to be the same as the second authentication number when the first target value and the second target value are equal. And the server may acquire the first target value based on the first data information, so it may be verified whether the first authentication number and the second authentication number are the same based on the first data information.
In the implementation process, the MAC address and the second public key are reported to the server, and after the first data information including the MAC address, the first random number and the first target value encrypted by the second private key is uploaded, the server decrypts the first target value based on the second public key to protect the first target value; after generating the second data information, the server can encrypt and feed back the second data information to the terminal equipment based on the second public key, and the terminal equipment decrypts the second data information based on the second private key to protect the second data information; by encrypting the data, illegal tampering of the data can be avoided, and the safety of the data is ensured.
Step 103, according to the third data information and the second data information, detects whether the second authorization information and the first authorization information are the same, including:
detecting whether the third data information and the second data information are identical, wherein the second data information is generated according to the Mac address, the first random number and the first authorization information, the third data information is generated according to the Mac address, the first random number and the second authorization information, and the second data information and the third data information both correspond to a second target calculation strategy;
And determining that the second authorization information is identical to the first authorization information in the case that the third data information is identical to the second data information.
After the terminal device obtains the encrypted second data information fed back by the server and decrypts the encrypted second data information to obtain the second data information, whether the second authorization information and the first authorization information are identical needs to be detected based on the third data information and the second data information.
The second data information is generated by the server by adopting a second target calculation strategy based on the Mac address, the first random number and first authorization information which is stored by the server and is associated with the terminal equipment; the third data information is generated by the terminal device based on the Mac address, the first random number and second authorization information associated with the terminal device and stored by the terminal device, and a second target calculation strategy is adopted. The third data information may be generated in advance, or may be generated after the terminal device acquires the second data information. In this embodiment, the SHA256 algorithm is taken as an example to illustrate the SHA256 algorithm, and the obtained SHA256 value is the second data information, and the obtained SHA256 value is the third data information, where the SHA256 algorithm is used to calculate the Mac address, the first random number and the second authorization information.
Since the second data information and the third data information correspond to the same calculation strategy, the generation parameters corresponding to the second data information include the first authorization information and the target parameters (Mac address and first random number), the generation parameters corresponding to the third data information include the second authorization information and the target parameters (Mac address and first random number), and whether the second authorization information and the first authorization information are the same can be detected according to the third data information and the second data information. In the case that the third data information and the second data information are identical, it is determined that the second authorization information and the first authorization information are identical.
In the implementation process, the terminal equipment determines whether the first authorization information is identical to the second authorization information or not by comparing the second data information fed back by the server with the third data information generated by the terminal equipment, and can perform verification of the authorization information in a simple manner.
Optionally, the algorithm program at least comprises a main program file, an encrypted model file and at least one library file; when the algorithm program runs and calls the model file, the method further comprises the following steps: decrypting the encrypted model file based on the GPU so as to obtain a model output result corresponding to the model input information based on the model file; when the algorithm program runs and the main program file calls the target library file, the method further comprises the following steps: and checking the target library file, and allowing the target library file to be normally called under the condition that the checking is passed.
The algorithm program in the embodiment of the application at least comprises a main program file, an encrypted model file and at least one library file. Wherein the model file may be encrypted using advanced encryption standard (Advanced Encryption Standard, AES) to prevent the model file from being used for other items.
When the algorithm program runs and calls the model file, the graphic processor (Graphics Processing Unit, GPU) decrypts the encrypted model file, processes model input information by using the model file after decryption is completed, and obtains a model output result, so that encryption protection is carried out on the model file when the model file is not needed, and the model file is quickly decrypted based on the GPU when the model file is needed, so that the model output result is obtained based on the model file.
Taking a detection model of whether the model file corresponds to the wearing specification of the reflective garment as an example, the process of determining the model file based on model training and obtaining the model output result based on the model file is briefly described. During model training, pictures of correct wearing of reflective clothing, irregular wearing of reflective clothing and non-wearing of reflective clothing in field operations of a large number of construction sites and the like are collected and used as positive and negative samples, and model training is conducted through a yolov5 algorithm to obtain a detection model (corresponding to a model file). Wherein the (You Only Look Once, yolo) algorithm is a deep learning algorithm. The situation that the reflective clothing is worn correctly, the reflective clothing is not worn normally and the reflective clothing is not worn can be distinguished through the detection model. When the terminal equipment calls the model file, the image of construction workers on the site is detected by using the model file so as to identify whether the workers wear the reflective clothing normally.
When the algorithm program runs and the main program file calls the target library file, the target library file needs to be checked, and the target library file is allowed to be normally called under the condition that the checking is passed. When the target library file is verified, the first parameter and the second parameter determined based on the first parameter and the first character are written into an initialization function of the target library file, wherein the first character is a character appointed with the target library file. The first parameter may be a plaintext library name + a second random number, and the second parameter may be determined using a specific algorithm based on the first parameter and the first character, e.g., the second parameter is a SHA256 value determined based on calculation of the first parameter and the first character using a SHA256 algorithm. Because the first parameter and the second parameter are written into the initializing function of the target library file, the target library file can calculate the third parameter by adopting the same calculating method according to the first parameter and the stored second character, and under the condition that the third parameter is the same as the second parameter, the second character is determined to be the same as the first character, and further the verification is determined to pass, and at the moment, the target library file can be normally called.
According to the implementation process, the model file is encrypted and protected when the model file is not needed, and is quickly decrypted based on the GPU when the model file is needed, so that the model output result can be quickly obtained based on the model file while the model file is prevented from being used for other projects; by verifying the target library file, the target library file can be protected.
The above is a device authorization method at a terminal device side of the embodiment of the present application, where, when server authentication passes, first data information is reported to the server, and when the server determines that the first authentication number of times stored by the terminal device is the same as the second authentication number of times stored by the server based on the first data information, the second data information is generated based on the first authorization information, and is encrypted and then fed back to the terminal device, the terminal device detects whether the first authorization information and the second authorization information are the same according to the second data information and third data information generated based on the second authorization information, and if the two information are the same, determines that the authorization authentication of the terminal device passes, the terminal device obtains the operation authority of the algorithm program, updates the first authentication number of times, and sends an update instruction to the server, and it can determine whether the algorithm program can normally operate on the terminal device based on the authentication number of times and the authorization information, so that the terminal device deploying the algorithm program can be authorized and authenticated accurately, and since no hardware need to be increased, the authorization authentication cost can be saved.
Further, by encrypting the first target value and the second data information, illegal tampering of the data can be prevented, the safety of the data is ensured, normal operation of authorization authentication can be further ensured, and accurate authorization authentication of the terminal equipment can be ensured.
By successfully performing server authentication based on decryption, authentication of a server can be rapidly realized; by comparing the second data information with the third data information, determining whether the first authorization information is identical to the second authorization information, the verification of the authorization information can be performed in a simple manner; the model file and the target library file can be protected by encrypting the model file and verifying the target library file.
The embodiment of the application also provides a device authorization method, which is applied to the server, and is shown in fig. 2, and includes:
step 201, receiving first data information reported by a terminal device when the terminal device authenticates the server and the authentication passes, where the first data information includes a Mac address, a first random number, and an encrypted first target value of the terminal device, and the first target value is determined based on the Mac address, the first random number, and a first authentication number corresponding to the authentication of the terminal device stored by the terminal device.
According to the device authorization method provided by the embodiment of the application, after the terminal device authenticates the server and the authentication passes, the server authenticates the terminal device so as to realize bidirectional authentication, and the authentication of the server to the terminal device is authorization authentication for running an algorithm program on the terminal device.
The following describes a case of authenticating a terminal device by a server, where the server receives first data information including a Mac address of the terminal device, a first random number, and an encrypted first target value, which are reported by the terminal device, based on communication with the terminal device. The first target value is determined based on the Mac address, the first random number and the first authentication times stored by the terminal equipment, the first random number is a value randomly selected by the terminal equipment, the terminal equipment performs encryption processing on the first target value after determining the first target value, and the first data information is determined according to the Mac address, the first random number and the encrypted first target value. Wherein, by carrying out encryption processing on the first target value, the first target value can be prevented from being tampered with, so as to ensure the security of the first target value.
Step 202, detecting whether the first authentication times are the same as second authentication times stored by the server according to the first data information, wherein the second authentication times are authentication times corresponding to the authentication of the terminal equipment stored by the server.
The server records the corresponding authentication times of each terminal device, and because the first target value is determined based on the Mac address, the first random number and the first authentication times, the first data information includes the encrypted first target value, and after the server receives the first data information reported by the terminal device, the server can detect whether the first authentication times are the same as the second authentication times associated with the current terminal device stored by the server according to the first data information.
Step 203, generating second data information based on the stored first authorization information associated with the terminal device, encrypting the second data information and then sending the encrypted second data information to the terminal device when the first authentication number is the same as the second authentication number.
When the first authentication times are the same as the second authentication times, the server generates second data information, and feeds back the second data information after encryption processing to the terminal equipment, wherein the second data information is generated based on first authorization information stored by the server and associated with the terminal equipment (current terminal equipment), and the first authorization information is an authorization character string corresponding to the terminal equipment stored by the server, and specifically is an equipment authorization code. And the terminal equipment receives the encrypted second data information fed back by the server and then carries out decryption processing so as to acquire the second data information. By performing encryption processing on the second data information, the second data information can be prevented from being tampered with.
Step 204, receiving an update instruction of updating the second authentication times sent by the terminal equipment and updating the second authentication times when the terminal equipment determines that the second authorization information is the same as the first authorization information based on the third data information and the decrypted second data information; wherein the third data information is generated based on second authorization information associated with the terminal device.
After the server sends the encrypted second data information to the terminal equipment, the terminal equipment decrypts the encrypted second data information to obtain the second data information, and whether the first authorization information and the second authorization information are identical is determined according to the second data information and the third data information. The second authorization information is an authorization character string of the terminal device stored in the terminal device, and specifically is a device authorization code. The third data information and the second data information are generated based on the same strategy, the generation parameters corresponding to the second data information comprise the first authorization information and the target parameters, and the generation parameters corresponding to the third data information comprise the second authorization information and the target parameters. The third data information may be generated in advance or may be generated after the second data information is acquired.
And under the condition that the second authorization information is the same as the first authorization information, determining that the authorization authentication of the terminal equipment for deploying the algorithm program passes, acquiring the operation authority of the algorithm program by the terminal equipment, and under the condition that the second authorization information is the same as the first authorization information, finishing one-time authentication by the terminal equipment, adding 1 on the basis of the first authentication times to update the first authentication times, receiving an update instruction for updating the second authentication times sent by the terminal equipment by the server, adding 1 on the basis of the second authentication times according to the update instruction, and realizing updating the second authentication times.
According to the implementation process, when the server is authenticated, the first data information reported by the terminal equipment is received, the first authentication times are determined to be the same as the second authentication times based on the first data information, the second data information is generated based on the first authorization information and is fed back to the terminal equipment after encryption, so that the terminal equipment detects whether the first authorization information and the second authorization information are the same according to the second data information and the third data information generated based on the second authorization information, and under the condition that the first authorization information and the second authorization information are the same, the authorization authentication of the terminal equipment is determined to be passed, the first authentication times are updated, an update instruction is sent to the server, the second authentication times are updated according to the update instruction, whether the algorithm program can normally run on the terminal equipment can be determined based on the authentication times and the authorization information, the accurate authorization authentication of the terminal equipment deploying the algorithm program is realized, and the authorization authentication cost can be saved without increasing hardware.
Furthermore, by encrypting the first target value and the second data information, illegal tampering of the data can be prevented, the security of the data is ensured, normal operation of authorization authentication can be further ensured, and accurate authorization authentication of the terminal equipment can be ensured.
The following describes a procedure of terminal equipment to authenticate a server, and the method further includes: transmitting the request information encrypted by the first private key to the terminal equipment; and under the condition that the terminal equipment successfully decrypts the encrypted request information according to the first public key in the prefabricated certificate, receiving response information which is fed back by the terminal equipment and carries authentication passing notification, and determining that the server authentication passes.
The terminal device stores a prefabricated certificate, and the prefabricated certificate at least comprises a first public key, a certificate validity period and a certificate issuer. When the terminal equipment authenticates the server, the server sends request information encrypted by the first private key to the terminal equipment, and the request information can be an HTTP request or an HTTPS request.
After receiving the request information encrypted by the first private key sent by the server, the terminal device decrypts the encrypted request information by using the first public key in the prefabricated certificate, and can acquire the request information under the condition that decryption is successful, at the moment, the first public key and the first private key are determined to be public-private key pairs, authentication of the server is passed, and the server receives response information carrying authentication passing notification and fed back by the terminal device. And under the condition that decryption is unsuccessful, determining that the authentication of the server is not passed, and receiving response information which is fed back by the terminal equipment and carries the authentication failure notification by the server. The response information may be an HTTP response or an HTTPs response. The authentication condition can be known in time by receiving the notification that the authentication sent by the terminal equipment passes or fails.
According to the implementation process, under the condition that the terminal equipment successfully decrypts the encrypted request information based on the first public key, the server authentication is determined to pass, the server receives the response information carrying the authentication passing notification, under the condition that the decryption is unsuccessful, the server determines that the server authentication is not passed, and the server receives the response information carrying the authentication failing notification, so that the server authentication based on the decryption condition can be realized.
Step 202 of detecting whether the first authentication times are the same as the second authentication times stored in the server according to the first data information includes:
determining a second target value by adopting a first target calculation strategy based on the Mac address, the first random number and the second authentication times;
decrypting the encrypted first target value by using the second public key to obtain the first target value;
determining that the first authentication number is the same as the second authentication number if the first target value is the same as the second target value;
the encryption key corresponding to the encrypted first target value is a second private key, and the second public key corresponds to the second private key.
After the server obtains the first data information, a second target value is determined by using a first target calculation strategy based on the Mac address, the first random number and a second authentication number stored by the server. The encrypted encryption key corresponding to the encrypted first target value is a second private key, the second public key and the second private key form a public-private key pair, and the server decrypts the encrypted first target value by using the second public key to obtain the first target value. And comparing the first target value with the second target value, wherein the second target value is determined by adopting a first target calculation strategy based on the Mac address, the first random number and the second authentication times, the first target value is determined by adopting the first target calculation strategy based on the Mac address, the first random number and the first authentication times, and the first authentication times and the second authentication times are determined to be the same when the first target value and the second target value are the same.
By determining the second target value, comparing the second target value with the first target value, and determining that the first authentication number is the same as the second authentication number when the second target value and the first target value are the same, it is possible to perform verification of the authentication number in a simple manner.
The step of encrypting the second data information and then sending the encrypted second data information to the terminal equipment comprises the following steps:
encrypting the second data information based on a second public key, and sending the encrypted second data information to the terminal equipment.
And when generating second data information, encrypting and transmitting the second data information to the terminal equipment by the server, encrypting the second data information by the second public key, and transmitting the encrypted second data information to the terminal equipment, so that the terminal equipment decrypts based on the stored second private key to acquire the second data information.
When the server generates the second data information, based on the Mac address, the first random number and the first authorization information, a second target calculation strategy is adopted to generate, specifically: the server generates second data information using a second target calculation policy based on the Mac address, the first random number, and first authorization information stored by the server associated with the terminal device. The second target calculation policy may be a SHA algorithm, such as SHA256 algorithm, SHA128 algorithm, SHA512 algorithm, which may be described in this embodiment by taking SHA256 algorithm as an example, that is, the SHA256 value obtained by calculating the Mac address, the first random number, and the first authorization information by using SHA256 algorithm is the second data information. The second target calculation strategy and the first target calculation strategy may be the same or different, and both strategies belong to SHA series algorithms, for example, the first target calculation strategy and the second target calculation strategy are SHA256 algorithms, or the first target calculation strategy is SHA256 algorithm, and the second target calculation strategy is SHA512 algorithm.
For the implementation process, before receiving the first data information reported by the terminal device, the implementation process further includes:
receiving the MAC address reported by the terminal equipment and a second public key corresponding to the terminal equipment, wherein the second public key and a second private key are matched to form a public-private key pair;
the MAC address and the second public key form an association relation, the second public key is used for decryption when the second private key is used for encryption, and the second public key is used for encryption when the second private key is used for decryption.
The terminal equipment can acquire a public-private key pair (a second public key and a second private key), the server receives the second public key and the MAC address reported by the terminal equipment, the association relation between the MAC address and the second public key is established, and the second private key is reserved in the terminal equipment. The public-private key pair in this embodiment may be an RSA public-private key pair, that is, the second public key is an RSA public key, the second private key is an RSA private key, or may be an ECC elliptic encryption algorithm public-private key pair.
When the server determines that the first authentication times are the same as the second authentication times stored by the server based on the first data information reported by the terminal equipment, generating second data information, determining a corresponding second public key based on the MAC address of the terminal equipment, carrying out encryption processing on the second data information according to the second public key, and feeding back the second data information encrypted by the second public key to the terminal equipment. The terminal device may decrypt the encrypted second data information based on the second private key to obtain the second data information, where the second public key is used for encryption and the second private key is used for decryption.
After the first target value is generated, the terminal equipment encrypts the first target value by utilizing the second private key, determines first data information according to the Mac address, the first random number and the encrypted first target value, and reports the first data information to the server. After the server obtains the first data information, a second target value is determined by adopting a first target calculation strategy based on the Mac address, the first random number and the second authentication times stored by the server, the encrypted first target value is decrypted by utilizing a second public key, and the first target value is obtained, wherein at the moment, the second public key is used for decryption, and the second private key is used for encryption. And then comparing the first target value with the second target value, and determining that the first authentication times are the same as the second authentication times when the first target value and the second target value are the same.
Through the process, the MAC address and the second public key reported by the terminal equipment can be received, the second public key can be used for encryption or decryption, and the required data can be obtained through decryption while the data security is ensured.
The above is a device authorization method at the server side of the embodiment of the present application, in the case that the server authentication passes, the first data information reported by the terminal device is received, when the first authentication times are determined to be the same as the second authentication times stored by the server based on the first data information, the second data information is generated based on the first authorization information, and is encrypted and fed back to the terminal device, so that the terminal device detects whether the first authorization information is the same as the second authorization information according to the second data information and the third data information generated based on the second authorization information, and in the case that the two are the same, determines that the authorization authentication of the terminal device passes, updates the first authentication times, and sends an update instruction to the server, and the server updates the second authentication times according to the update instruction, so that whether the algorithm program can normally run on the terminal device can be realized based on the authentication times and the authorization information, and the authorization authentication cost can be saved due to no need to increase hardware.
Furthermore, by encrypting the first target value and the second data information, illegal tampering of the data can be prevented, the security of the data is ensured, normal operation of authorization authentication can be further ensured, and accurate authorization authentication of the terminal equipment can be ensured.
By successfully performing server authentication based on decryption, authentication of a server can be rapidly realized; by comparing the first target value and the second target value, and determining that the first authentication number is the same as the second authentication number when the first target value and the second target value are the same, it is possible to perform verification of the authentication number in a simple manner.
The following describes the process of interaction between the terminal device and the server through an implementation procedure, and is shown in fig. 3, including the following steps:
step 301, the server sends request information encrypted by the first private key to the terminal device.
Step 302, the terminal equipment decrypts the encrypted request information according to the first public key in the prefabricated certificate. And under the condition that decryption is successful, determining that the server authentication is passed, feeding back response information carrying authentication passing notification to the server, and under the condition that decryption is failed, determining that the server authentication is not passed, and feeding back response information carrying authentication not passing notification to the server. And if the decryption is successful, proceed to step 303.
Step 303, the terminal device reports first data information to the server, where the first data information includes a Mac address, a first random number, and an encrypted first target value, and the first target value is determined based on the Mac address, the first random number, and the first authentication number.
Step 304, the server detects whether the first authentication times are the same as the second authentication times stored in the server according to the first data information, and if so, step 305 is executed, otherwise, it is determined that the authentication of the terminal device is not passed.
Step 305, the server generates second data information based on the stored first authorization information associated with the terminal device, encrypts the second data information, and sends the encrypted second data information to the terminal device.
Step 306, the terminal device decrypts the encrypted second data information to obtain the second data information, and detects whether the second authorization information is identical to the first authorization information according to the third data information and the second data information, if so, step 307 is executed, otherwise, it is determined that the authentication of the terminal device is not passed. Wherein the third data information is determined based on the second authorization information.
Step 307, the terminal device determines to obtain the operation authority of the algorithm program, updates the first authentication times, and sends an update instruction for updating the second authentication times to the server.
Step 308, the server updates the second authentication times according to the update instruction.
The implementation flow introduces interaction between the terminal equipment and the server, can determine whether the algorithm program in the terminal equipment can normally run or not based on the authentication times and the authorization information, realizes accurate authorization authentication of the terminal equipment for deploying the algorithm program, and can save the authorization authentication cost because hardware is not required to be added.
The embodiment of the application also provides a device authorization apparatus, which is applied to a terminal device for deploying an algorithm program, and is shown in fig. 4, and includes:
a first reporting module 401, configured to report first data information to a server when server authentication passes, where the first data information includes a Mac address, a first random number, and an encrypted first target value of the terminal device, where the first target value is determined based on the Mac address, the first random number, and a first authentication number stored by the terminal device and corresponding to authentication of the terminal device;
a receiving decryption module 402, configured to receive encrypted second data information fed back by the server and decrypt the encrypted second data information to obtain the second data information, where the second data information is generated based on first authorization information stored by the server and associated with the terminal device when the server determines that the first authentication number is the same as the second authentication number, where the second authentication number is the authentication number corresponding to authentication of the terminal device stored by the server, and the server determines, based on the first data information, whether the first authentication number is the same as the second authentication number;
A first detection module 403, configured to detect whether second authorization information and the first authorization information are the same according to third data information and the second data information, where the third data information is generated based on second authorization information associated with the terminal device;
and the first processing module 404 is configured to determine to obtain the operation authority of the algorithm program, update the first authentication number, and send an update instruction for updating the second authentication number to the server when the second authorization information is the same as the first authorization information.
Optionally, the apparatus further comprises:
the second receiving module is used for receiving the request information which is sent by the server and is encrypted by the first private key;
the first decryption module is used for decrypting the encrypted request information according to the first public key in the prefabricated certificate;
and the determining feedback module is used for determining that the server passes the authentication under the condition that the decryption is successful, and feeding back response information carrying the authentication passing notification to the server.
Optionally, the first reporting module includes:
a first determining sub-module configured to determine the first target value using a first target calculation policy based on the Mac address, the first random number, and the first authentication number;
The encryption sub-module is used for encrypting the first target value by adopting a second private key;
and the determining and reporting sub-module is used for determining the first data information according to the Mac address, the first random number and the encrypted first target value and reporting the first data information to the server.
Optionally, the second data information is encrypted by a second public key, and the terminal equipment stores a second private key corresponding to the second public key;
the receive decryption module is further to:
and when receiving the second data information encrypted by the second public key, decrypting based on the second private key to obtain the second data information.
Optionally, the apparatus further comprises:
the second reporting module is used for reporting the MAC address of the terminal equipment and a second public key corresponding to the terminal equipment to the server before the first reporting module reports the first data information to the server, and the second public key and the second private key are matched to form a public-private key pair;
the MAC address and the second public key form an association relation, the second public key is used for decryption when the second private key is used for encryption, and the second public key is used for encryption when the second private key is used for decryption.
Optionally, the first detection module includes:
a detection sub-module, configured to detect whether the third data information and the second data information are the same, where the second data information is generated according to the Mac address, the first random number, and the first authorization information, the third data information is generated according to the Mac address, the first random number, and the second authorization information, and the second data information and the third data information both correspond to a second target calculation policy;
and a second determining sub-module configured to determine that the second authorization information is the same as the first authorization information when the third data information is the same as the second data information.
Optionally, the algorithm program at least comprises a main program file, an encrypted model file and at least one library file; when the algorithm program runs and calls the model file, the device further comprises:
the second decryption module is used for decrypting the encrypted model file based on the GPU so as to obtain a model output result corresponding to the model input information based on the model file;
when the algorithm program runs and the main program file calls the target library file, the device further comprises:
And the second processing module is used for checking the target library file and allowing the target library file to be normally called under the condition that the checking is passed.
The embodiment of the application also provides a device authorization apparatus, which is applied to a server, and is shown in fig. 5, and includes:
a first receiving module 501, configured to receive first data information reported by a terminal device when the terminal device authenticates the server and the authentication passes, where the first data information includes a Mac address, a first random number, and an encrypted first target value of the terminal device, where the first target value is determined based on the Mac address, the first random number, and a first authentication number stored by the terminal device and corresponding to authentication of the terminal device;
a second detection module 502, configured to detect, according to the first data information, whether the first authentication number is the same as a second authentication number stored in the server, where the second authentication number is an authentication number corresponding to authentication of the terminal device stored in the server;
a generating and transmitting module 503, configured to generate second data information based on stored first authorization information associated with the terminal device, encrypt the second data information, and transmit the encrypted second data information to the terminal device when the first authentication number is the same as the second authentication number;
A receiving update module 504, configured to receive an update indication sent by the terminal device to update the second authentication number and update the second authentication number, where the terminal device determines that the second authorization information is the same as the first authorization information based on the third data information and the decrypted second data information;
the third data information is generated based on second authorization information associated with the terminal equipment, and the terminal equipment deployed with the algorithm program acquires the operation authority of the algorithm program under the condition that the second authorization information is identical to the first authorization information.
Optionally, the apparatus further comprises:
the sending module is used for sending the request information encrypted by the first private key to the terminal equipment;
and the third receiving module is used for receiving response information carrying authentication passing notification fed back by the terminal equipment and determining that the server authentication passes under the condition that the terminal equipment successfully decrypts the encrypted request information according to the first public key in the prefabricated certificate.
Optionally, the second detection module includes:
a third determining sub-module for determining a second target value using a first target calculation policy based on the Mac address, the first random number, and the second authentication number;
The acquisition sub-module is used for decrypting the encrypted first target value by using the second public key to acquire the first target value;
a fourth determining submodule, configured to determine that the first authentication number is the same as the second authentication number if the first target value is the same as the second target value;
the encryption key corresponding to the encrypted first target value is a second private key, and the second public key corresponds to the second private key.
Optionally, the generating and sending module is further configured to:
encrypting the second data information based on a second public key, and sending the encrypted second data information to the terminal equipment.
Optionally, the apparatus further comprises:
a fourth receiving module, configured to receive, before the first receiving module receives the first data information reported by the terminal device, the MAC address reported by the terminal device and a second public key corresponding to the terminal device, where the second public key cooperates with a second private key to form a public-private key pair;
the MAC address and the second public key form an association relation, the second public key is used for decryption when the second private key is used for encryption, and the second public key is used for encryption when the second private key is used for decryption.
Optionally, the generating and sending module is further configured to:
and generating the second data information by adopting a second target calculation strategy based on the Mac address, the first random number and the first authorization information.
For the device embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and reference is made to the description of the method embodiments for relevant points.
Referring to fig. 6, a block diagram of a computer device according to an embodiment of the present application is shown. The computer device may be used to implement the device authorization method provided in the above embodiments. The computer device may be a terminal device or a server, or other device having data processing and storage capabilities. Specifically, the present invention relates to a method for manufacturing a semiconductor device.
The computer apparatus 600 includes a Central Processing Unit (CPU) 601, a system memory 604 including a Random Access Memory (RAM) 602 and a Read Only Memory (ROM) 603, and a system bus 605 connecting the system memory 604 and the central processing unit 601. The computer device 600 also includes a basic input/output system (I/O system) 606 for facilitating the transfer of information between various devices within the computer, and a mass storage device 607 for storing an operating system 613, application programs 614, and other program modules 615.
The basic input/output system 606 includes a display 608 for displaying information and an input device 609, such as a mouse, keyboard, etc., for a user to input information. Wherein the display 608 and the input device 609 are connected to the central processing unit 601 through an input output controller 610 connected to the system bus 605. The basic input/output system 606 may also include an input/output controller 610 for receiving and processing input from a number of other devices, such as a keyboard, mouse, or electronic stylus. Similarly, the input output controller 610 also provides output to a display screen, a printer, or other type of output device.
The mass storage device 607 is connected to the central processing unit 601 through a mass storage controller (not shown) connected to the system bus 605. The mass storage device 607 and its associated computer-readable media provide non-volatile storage for the computer device 600. That is, the mass storage device 607 may include a computer readable medium (not shown) such as a hard disk or CD-ROM drive.
The computer readable medium may include computer storage media and communication media without loss of generality. Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Computer storage media includes RAM, ROM, EPROM, EEPROM, flash memory or other solid state memory technology, CD-ROM, DVD or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices. Of course, those skilled in the art will recognize that the computer storage medium is not limited to the one described above. The system memory 604 and mass storage device 607 described above may be collectively referred to as memory.
According to various embodiments of the present application, the computer device 600 may also operate by being connected to a remote computer on a network, such as the Internet. I.e., the computer device 600 may be connected to the network 612 through a network interface unit 611 coupled to the system bus 605, or alternatively, the network interface unit 611 may be used to connect to other types of networks or remote computer systems (not shown).
The memory also includes one or more programs stored in the memory and configured to be executed by the one or more processors. The one or more programs include instructions for performing the device authorization method described above.
In an example embodiment, there is also provided a computer device including a processor and a memory having at least one instruction, at least one program, set of codes, or set of instructions stored therein. The at least one instruction, at least one program, code set, or instruction set is configured to be executed by one or more processors to implement the above-described apparatus authorization method.
In an exemplary embodiment, a computer readable storage medium is also provided, in which at least one instruction, at least one program, a set of codes or a set of instructions is stored, which when executed by a processor of a computer device, implements the above device authorization method.
Alternatively, the above-described computer-readable storage medium may be ROM, RAM, CD-ROM, magnetic tape, floppy disk, optical data storage device, or the like.
In an exemplary embodiment, a computer program product is also provided, which, when executed, is adapted to carry out the above-described device authorization method.
It should be understood that references herein to "a plurality" are to two or more. "and/or", describes an association relationship of an association object, and indicates that there may be three relationships, for example, a and/or B, and may indicate: a exists alone, A and B exist together, and B exists alone. The character "/" generally indicates that the context-dependent object is an "or" relationship.
The foregoing description of the exemplary embodiments of the present application is not intended to limit the invention to the particular embodiments disclosed, but on the contrary, the intention is to cover all modifications, equivalents, alternatives, and alternatives falling within the spirit and scope of the invention.

Claims (12)

1. A device authorization method, applied to a terminal device deploying an algorithm, comprising:
reporting first data information to a server under the condition that server authentication is passed, wherein the first data information comprises a media access control Mac address, a first random number and an encrypted first target value of the terminal equipment, and the first target value is determined based on the Mac address, the first random number and a first authentication number corresponding to the terminal equipment authentication stored by the terminal equipment;
Receiving and decrypting the encrypted second data information fed back by the server to acquire the second data information, wherein when the server determines that the first authentication times are the same as the second authentication times, the second data information is generated based on the first authorization information which is stored by the server and is associated with the terminal equipment, the second authentication times are the authentication times which are stored by the server and correspond to the authentication of the terminal equipment, and the server determines whether the first authentication times are the same as the second authentication times based on the first data information;
detecting whether second authorization information and the first authorization information are the same according to third data information and the second data information, wherein the third data information is generated based on the second authorization information associated with the terminal equipment;
and under the condition that the second authorization information is the same as the first authorization information, determining to acquire the operation authority of the algorithm program, updating the first authentication times, and sending an update instruction for updating the second authentication times to the server.
2. The device authorization method according to claim 1, characterized in that the method further comprises:
Receiving request information encrypted by a first private key sent by the server;
decrypting the encrypted request information according to the first public key in the prefabricated certificate;
and under the condition that decryption is successful, determining that the server authentication is passed, and feeding back response information carrying authentication passing notification to the server.
3. The device authorization method according to claim 1, wherein reporting the first data information to the server includes:
determining the first target value by adopting a first target calculation strategy based on the Mac address, the first random number and the first authentication times;
encrypting the first target value by adopting a second private key;
and determining the first data information according to the Mac address, the first random number and the encrypted first target value, and reporting the first data information to the server.
4. The device authorization method according to claim 1, wherein the second data information is encrypted by a second public key, and the terminal device stores a second private key corresponding to the second public key;
the receiving and decrypting the encrypted second data information fed back by the server to obtain the second data information includes:
And when receiving the second data information encrypted by the second public key, decrypting based on the second private key to obtain the second data information.
5. The device authorization method according to claim 3 or 4, further comprising, before reporting the first data information to the server:
the Mac address of the terminal equipment and a second public key corresponding to the terminal equipment are reported to the server, and the second public key and the second private key are matched to form a public-private key pair;
the Mac address and the second public key form an association relation, the second public key is used for decryption when the second private key is used for encryption, and the second public key is used for encryption when the second private key is used for decryption.
6. The apparatus authentication method according to claim 1, wherein the detecting whether second authentication information and the first authentication information are identical based on third data information and the second data information, comprises:
detecting whether the third data information and the second data information are identical, wherein the second data information is generated according to the Mac address, the first random number and the first authorization information, the third data information is generated according to the Mac address, the first random number and the second authorization information, and the second data information and the third data information both correspond to a second target calculation strategy;
And determining that the second authorization information is identical to the first authorization information in the case that the third data information is identical to the second data information.
7. The device authorization method according to claim 1, wherein the algorithm program comprises at least a main program file, an encrypted model file, and at least one object library file;
when the algorithm program runs and calls the model file, the method further comprises the following steps:
decrypting the encrypted model file based on the GPU so as to obtain a model output result corresponding to the model input information based on the model file;
when the algorithm program runs and the main program file calls the target library file, the method further comprises the following steps:
and checking the target library file, and allowing the target library file to be normally called under the condition that the checking is passed.
8. A device authorization method, applied to a server, comprising:
receiving first data information reported by terminal equipment under the condition that the terminal equipment authenticates the server and the authentication passes, wherein the first data information comprises a media access control Mac address, a first random number and an encrypted first target value of the terminal equipment, and the first target value is determined based on the Mac address, the first random number and first authentication times which are stored by the terminal equipment and correspond to the authentication of the terminal equipment;
Detecting whether the first authentication times are the same as second authentication times stored by the server according to the first data information, wherein the second authentication times are authentication times corresponding to the authentication of the terminal equipment stored by the server;
generating second data information based on the stored first authorization information associated with the terminal equipment under the condition that the first authentication times are the same as the second authentication times, encrypting the second data information and then sending the second data information to the terminal equipment;
receiving an update instruction of updating the second authentication times sent by the terminal equipment and updating the second authentication times under the condition that the terminal equipment determines that second authorization information is the same as the first authorization information based on third data information and the decrypted second data information;
the third data information is generated based on second authorization information associated with the terminal equipment, and the terminal equipment deployed with the algorithm program acquires the operation authority of the algorithm program under the condition that the second authorization information is identical to the first authorization information.
9. A device authorization apparatus, characterized by being applied to a terminal device deploying an algorithm program, comprising:
The first reporting module is configured to report first data information to a server when server authentication passes, where the first data information includes a Mac address, a first random number, and an encrypted first target value of the terminal device, and the first target value is determined based on the Mac address, the first random number, and a first authentication number stored by the terminal device and corresponding to the terminal device authentication;
the receiving decryption module is used for receiving encrypted second data information fed back by the server and decrypting the encrypted second data information so as to acquire the second data information, wherein when the server determines that the first authentication times are the same as the second authentication times, the second data information is generated based on first authorization information which is stored by the server and is associated with the terminal equipment, the second authentication times are authentication times which are stored by the server and correspond to the terminal equipment authentication, and the server determines whether the first authentication times are the same as the second authentication times based on the first data information;
the first detection module is used for detecting whether second authorization information and the first authorization information are the same according to third data information and the second data information, and the third data information is generated based on the second authorization information associated with the terminal equipment;
And the first processing module is used for determining to acquire the running authority of the algorithm program under the condition that the second authorization information is the same as the first authorization information, updating the first authentication times and sending an updating instruction for updating the second authentication times to the server.
10. A device authorization apparatus, for use with a server, comprising:
a first receiving module, configured to receive first data information reported by a terminal device when the terminal device authenticates the server and the authentication passes, where the first data information includes a Mac address, a first random number, and an encrypted first target value of the terminal device, where the first target value is determined based on the Mac address, the first random number, and a first authentication number stored by the terminal device and corresponding to authentication of the terminal device;
the second detection module is used for detecting whether the first authentication times are the same as second authentication times stored by the server according to the first data information, wherein the second authentication times are authentication times corresponding to the authentication of the terminal equipment stored by the server;
The generation and transmission module is used for generating second data information based on stored first authorization information associated with the terminal equipment and transmitting the second data information to the terminal equipment after encrypting the second data information under the condition that the first authentication times are the same as the second authentication times;
the receiving updating module is used for receiving an updating instruction for updating the second authentication times sent by the terminal equipment and updating the second authentication times when the terminal equipment determines that the second authorization information is the same as the first authorization information based on third data information and the decrypted second data information;
the third data information is generated based on second authorization information associated with the terminal equipment, and the terminal equipment deployed with the algorithm program acquires the operation authority of the algorithm program under the condition that the second authorization information is identical to the first authorization information.
11. A computer device comprising a processor and a memory having stored therein at least one instruction, at least one program, code set or instruction set, the at least one instruction, at least one program, code set or instruction set being loaded and executed by the processor to implement the method of any one of claims 1 to 7 or claim 8.
12. A computer readable storage medium having stored therein at least one instruction, at least one program, code set, or instruction set, the at least one instruction, the at least one program, the code set, or instruction set being loaded and executed by a processor to implement the method of any one of claims 1 to 7 or claim 8.
CN202210481726.6A 2022-05-05 2022-05-05 Equipment authorization method, device, equipment and medium Active CN115001749B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210481726.6A CN115001749B (en) 2022-05-05 2022-05-05 Equipment authorization method, device, equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210481726.6A CN115001749B (en) 2022-05-05 2022-05-05 Equipment authorization method, device, equipment and medium

Publications (2)

Publication Number Publication Date
CN115001749A CN115001749A (en) 2022-09-02
CN115001749B true CN115001749B (en) 2024-02-09

Family

ID=83025784

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210481726.6A Active CN115001749B (en) 2022-05-05 2022-05-05 Equipment authorization method, device, equipment and medium

Country Status (1)

Country Link
CN (1) CN115001749B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2016224684A (en) * 2015-05-29 2016-12-28 キヤノン株式会社 Server system, control method of the same, and program
CN108023873A (en) * 2017-11-08 2018-05-11 深圳市文鼎创数据科技有限公司 channel establishing method and terminal device
CN109150509A (en) * 2018-07-04 2019-01-04 北京海泰方圆科技股份有限公司 A kind of equipment method for unlocking, device, terminal device and medium
CN109639644A (en) * 2018-11-13 2019-04-16 东软集团股份有限公司 Authority checking method, apparatus, storage medium and electronic equipment
CN112149067A (en) * 2020-09-29 2020-12-29 济南博观智能科技有限公司 Software authorization method, terminal equipment, authorization server and storage medium
CN112202772A (en) * 2020-09-29 2021-01-08 北京海泰方圆科技股份有限公司 Authorization management method and device
CN112989426A (en) * 2021-04-30 2021-06-18 腾讯科技(深圳)有限公司 Authorization authentication method and device, and resource access token acquisition method
CN113343185A (en) * 2021-08-02 2021-09-03 统信软件技术有限公司 Authorization method of client application, computing device and storage medium
CN113553572A (en) * 2021-07-02 2021-10-26 深圳追一科技有限公司 Resource information acquisition method and device, computer equipment and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108768664B (en) * 2018-06-06 2020-11-03 腾讯科技(深圳)有限公司 Key management method, device, system, storage medium and computer equipment

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2016224684A (en) * 2015-05-29 2016-12-28 キヤノン株式会社 Server system, control method of the same, and program
CN108023873A (en) * 2017-11-08 2018-05-11 深圳市文鼎创数据科技有限公司 channel establishing method and terminal device
CN109150509A (en) * 2018-07-04 2019-01-04 北京海泰方圆科技股份有限公司 A kind of equipment method for unlocking, device, terminal device and medium
CN109639644A (en) * 2018-11-13 2019-04-16 东软集团股份有限公司 Authority checking method, apparatus, storage medium and electronic equipment
CN112149067A (en) * 2020-09-29 2020-12-29 济南博观智能科技有限公司 Software authorization method, terminal equipment, authorization server and storage medium
CN112202772A (en) * 2020-09-29 2021-01-08 北京海泰方圆科技股份有限公司 Authorization management method and device
CN112989426A (en) * 2021-04-30 2021-06-18 腾讯科技(深圳)有限公司 Authorization authentication method and device, and resource access token acquisition method
CN113553572A (en) * 2021-07-02 2021-10-26 深圳追一科技有限公司 Resource information acquisition method and device, computer equipment and storage medium
CN113343185A (en) * 2021-08-02 2021-09-03 统信软件技术有限公司 Authorization method of client application, computing device and storage medium

Also Published As

Publication number Publication date
CN115001749A (en) 2022-09-02

Similar Documents

Publication Publication Date Title
US11258792B2 (en) Method, device, system for authenticating an accessing terminal by server, server and computer readable storage medium
TWI454111B (en) Techniques for ensuring authentication and integrity of communications
EP2659373B1 (en) System and method for secure software update
US11228438B2 (en) Security device for providing security function for image, camera device including the same, and system on chip for controlling the camera device
CN110990827A (en) Identity information verification method, server and storage medium
TWI813894B (en) Data encryption and decryption method, device, system and storage medium
CN103051451A (en) Encryption authentication of security service execution environment
US20180204004A1 (en) Authentication method and apparatus for reinforced software
CN110855426B (en) Method for software use authorization
JP6387908B2 (en) Authentication system
CN110177111B (en) Information verification method, system and device
CN112241527B (en) Secret key generation method and system of terminal equipment of Internet of things and electronic equipment
CN116232593B (en) Multi-password module sensitive data classification and protection method, equipment and system
JP2010182070A (en) Apparatus, method and program for processing information
CN110838919A (en) Communication method, storage method, operation method and device
US20160277182A1 (en) Communication system and master apparatus
CN110445774B (en) Security protection method, device and equipment for IoT (Internet of things) equipment
CN111934862B (en) Server access method and device, readable medium and electronic equipment
CN112383577A (en) Authorization method, device, system, equipment and storage medium
US8522046B2 (en) Method, apparatus and system for acquiring service by portable device
CN116881936A (en) Trusted computing method and related equipment
CN115001749B (en) Equipment authorization method, device, equipment and medium
CN108242997B (en) Method and apparatus for secure communication
CN107343276B (en) Method and system for protecting SIM card locking data of terminal
CN114239000A (en) Password processing method, device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant