CN115484094A - License authorization method and system based on hardware trusted trust chain - Google Patents

Publication number: CN115484094A
Authority: CN (China)
Prior art keywords: authorization, client, certificate, product, information
Legal status: Pending
Application number: CN202211114049.0A
Other languages: Chinese (zh)
Inventors: 周喜, 邓覃思
Current Assignee: CLP Cloud Digital Intelligence Technology Co Ltd
Original Assignee: CLP Cloud Digital Intelligence Technology Co Ltd

Classifications

    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • G06F21/121 Restricting unauthorised execution of programs
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Abstract

The invention relates to the technical field of License authorization, and provides a License authorization method and a License authorization system based on a hardware trusted trust chain, wherein the License authorization method comprises the following steps: generating a client private key and a client certificate at a client through a root certificate, and generating a product private key and a product certificate at a server; carrying out signature encryption on the client environment information through a client private key; generating an authorization file according to the authorization content and the client environment information; and importing the authorization file through a legal product certificate, and providing service to the outside through an interface. The system of the present invention comprises: the License authorization server side consists of a product management module, a server side authorization management module and a hardware encryption machine; the License authorization client consists of a client authorization management module and a trusted hardware environment module. The License authorization method and system based on the hardware trusted trust chain can improve the security and the management efficiency of License authorization and reduce the License authorization cost.

Description

License authorization method and system based on hardware trusted trust chain
Technical Field
The invention relates to the technical field of License authorization, in particular to a License authorization method and a License authorization system based on a hardware trusted trust chain.
Background
When a License is authorized, an asymmetric encryption and signature mechanism is generally adopted to ensure the integrity of the License authorization file. A public-private key pair is created in advance, and the public key (certificate) and the private key are placed in the client and the server respectively. Data encrypted or signed with one key of the pair can only be decrypted or verified with the other key of the pair, which ensures that the License authorization content is secure and trustworthy. To implement mutual authentication, a common method is to apply for two sets of public and private keys and to build into the authorization client and the server, respectively, that side's own private key and the public key of the opposite end. The client private key is used to encrypt and sign the client environment information, and the server private key is used to encrypt and sign the License authorization content. When a License needs to be issued, the client environment information is acquired first and is encrypted/signed with the client private key. The environment information or the authorization application information is then taken to the server; after decrypting and verifying it with the client public key stored on the server, the server encrypts and signs the authorization information with the License authorization private key. The encrypted and signed authorization information is brought to the client and imported, and the client decrypts it and verifies the signature with the locally stored License authorization public key. Once verification passes, the authorized content is considered legitimate, complete and untampered. The above method has the following problems:
1. When the private key is stored in software, its security is limited to that of the operating system. When the operating system is intruded upon or damaged, the private key can be stolen or even tampered with. Storing the private key in a hardware medium such as a TPM/TPCM improves data security, but operations such as signing/signature verification and encryption/decryption are usually still executed in memory, so the data can still be stolen or even tampered with.
2. Because the client needs to embed a public-private key pair, when there are many product sales entities the server must record the mapping between a massive number of product public keys and product instances, which greatly increases the management difficulty and management cost of the server. When a key pair needs to be replaced because of key leakage, periodic update and the like, both the client and the server must be replaced at the same time. When a large number of products have been released, replacement is very difficult.
Therefore, how to improve the security and management efficiency of License authorization and reduce License authorization cost has become a technical problem to be solved urgently.
Disclosure of Invention
In view of this, in order to overcome the defects of the prior art, the present invention provides a License authorization method and system based on a hardware trusted trust chain.
In one aspect, the invention provides a License authorization method based on a hardware trusted trust chain, which comprises the following steps:
step S1: generating a client private key and a client certificate at a client through a root certificate, and generating a product private key and a product certificate at a server;
step S2: carrying out signature encryption on the client environment information through a client private key;
step S3: generating an authorization file according to the authorization content and the client environment information;
step S4: importing the authorization file through a legitimate product certificate, and providing service to the outside through an interface.
Further, step S1 in the License authorization method based on the hardware trusted trust chain of the present invention includes:
step S11: signing and issuing a root certificate according to a system initialization request, and respectively storing the root certificate in a server and a client;
step S12: generating a client private key and a client certificate through a root certificate of a client, and storing the generated client private key and the generated client certificate in a trusted hardware environment of the client;
step S13: according to the product creation request, generating a product private key and a product certificate through a root certificate of the server, and storing the generated product private key and product certificate in a hardware encryption machine of the server.
Further, step S2 in the License authorization method based on the hardware trusted trust chain of the present invention includes: signing and encrypting the client environment information through a client private key stored in the trusted hardware environment, and placing the client certificate into the client environment information after signature and encryption.
Further, step S3 in the License authorization method based on the hardware trusted trust chain of the present invention includes:
step S31: according to the authorization application request, signing the authorization content by adopting a product private key to generate signature authorization information;
step S32: acquiring client environment information and verifying the validity of a client certificate in the client environment information;
step S33: verifying and decrypting the client environment information by adopting the verified client certificate;
step S34: placing the product certificate and the client environment information subjected to signature verification decryption in signature authorization information to form authorization data;
step S35: encrypting the authorization data from step S34 to generate an authorization file.
Further, step S4 in the License authorization method based on the hardware trusted trust chain of the present invention includes:
step S41: verifying the validity of the product certificate in the authorization file through a root certificate stored in the client;
step S42: adopting the verified product certificate to verify and decrypt the authorization file;
step S43: meanwhile, the environment information of the client is verified, the signature authorization information is formatted, and information inquiry service is provided for the outside in an interface mode.
In another aspect, the present invention provides a License authorization system based on a hardware trusted trust chain, including:
the License authorization server side consists of a product management module, a server side authorization management module and a hardware encryption machine, wherein the product management module consists of a system initialization unit, a product creation unit and an authorization application unit; the server side authorization management module consists of an authorization information signing unit, a client side certificate verification unit, an environment information verification unit and an authorization information encryption unit; the hardware encryption machine is used for signing and issuing a root certificate according to a system initialization request, respectively storing the root certificate in a server and a client, generating a client private key and a client certificate through the client root certificate, storing the generated client private key and the client certificate in a trusted hardware environment module of the client, generating and storing a product private key and a product certificate through the server root certificate according to a product creation request, and providing an API (application program interface) interface for the server authorization management module, so that the server authorization management module completes authorization information signature, client certificate verification, environment information verification and authorization information encryption in the encryption machine through the API interface;
the License authorization client consists of a client authorization management module and a trusted hardware environment module, wherein the client authorization management module consists of an environment information signature encryption unit, an authorization information verification decryption unit, an authorization information formatting unit and an authorization information interface unit; the trusted hardware environment module is used for storing a client private key and a client certificate and providing an API (application programming interface) interface for the client authorization management module, so that the client authorization management module completes environment information signature encryption, authorization information verification decryption, authorization information formatting and authorization information interface provision in the trusted hardware environment module.
Furthermore, in the product management module of the License authorization system based on the hardware trusted trust chain, the system initialization unit is used for sending a system initialization request, the product creation unit is used for sending a product creation request, and the authorization application unit is used for sending an authorization application request.
Furthermore, in the License authorization management module of the hardware trusted trust chain-based License authorization system, the authorization information signing unit is used for signing the authorization content by adopting a product private key according to the authorization application request to generate signature authorization information; the client certificate checking unit is used for checking the validity of the client certificate in the client environment information; the environment information verification unit is used for acquiring the client environment information and verifying and decrypting the client environment information by adopting a verified client certificate; the authorization information encryption unit is used for placing the product certificate and the client environment information subjected to signature verification and decryption in the signature authorization information to form authorization data, encrypting the authorization data and generating an authorization file.
Furthermore, in the client authorization management module of the License authorization system based on the hardware trusted trust chain, the environment information signature encryption unit is used for carrying out signature encryption on the client environment information through a client private key stored in the hardware system and placing the client certificate into the client environment information after signature encryption; the authorization information verification decryption unit is used for verifying the validity of the product certificate in the authorization file through the root certificate stored in the client, and verifying and decrypting the authorization file by adopting the verified product certificate; the authorization information formatting unit is used for verifying the client environment information and formatting the signature authorization information; the authorization information interface unit is used for providing information inquiry service to the outside in an interface mode.
Finally, the invention also provides a terminal device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the steps of the method when executing the program.
The License authorization method and the License authorization system based on the hardware trusted trust chain have the following beneficial effects:
1. A hardware encryption machine is adopted to manage the root certificate and the product private keys of all products, all encryption and signature verification actions are executed in the hardware encryption machine, and the private keys never leave the hardware encryption machine, which guarantees the absolute security of the License authorization server side.
2. The License root certificate and the client private key are stored in the trusted hardware environment module, all encryption and signature verification processes are executed in the client trusted hardware environment module, and the private key is never passed to the software system (memory). The certificate used in the client environment therefore cannot be replaced and the private key cannot be stolen or tampered with, which guarantees the absolute security of the License authorization client.
3. A certificate chain is adopted to manage the private keys and certificates used by all License authorization servers and authorization clients, so that the number of product private keys the server has to maintain is greatly reduced without reducing security, and the cost of signing and issuing Licenses is reduced.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart illustrating a License authorization method based on a hardware trusted trust chain according to an exemplary first embodiment of the present invention.
Fig. 2 is a flowchart of a License authorization method based on a hardware trusted trust chain according to an exemplary second embodiment of the present invention.
Fig. 3 is a flowchart of a License authorization method based on a hardware trusted trust chain according to an exemplary third embodiment of the present invention.
Fig. 4 is a flowchart of a License authorization method based on a hardware trusted trust chain according to an exemplary fourth embodiment of the present invention.
Fig. 5 is an architecture diagram of a License authorization system based on a hardware trusted trust chain according to an exemplary fourth embodiment of the present invention.
Detailed Description
Embodiments of the present invention are described in detail below with reference to the accompanying drawings.
It should be noted that, in the case of no conflict, the features in the following embodiments and examples may be combined with each other; moreover, all other embodiments that can be derived by one of ordinary skill in the art from the embodiments disclosed herein without making any creative effort fall within the scope of the present disclosure.
It is noted that various aspects of the embodiments are described below within the scope of the appended claims. It should be apparent that the aspects described herein may be embodied in a wide variety of forms and that any specific structure and/or function described herein is merely illustrative. Based on the disclosure, one skilled in the art should appreciate that one aspect described herein may be implemented independently of any other aspects and that two or more of these aspects may be combined in various ways. For example, an apparatus may be implemented and/or a method practiced using any number of the aspects set forth herein. Additionally, such an apparatus may be implemented and/or such a method may be practiced using other structure and/or functionality in addition to one or more of the aspects set forth herein.
The technical principle of the application is as follows:
a hardware encryption machine is adopted to manage a root certificate and product private keys of products, all encryption and signature verification behaviors are executed in the hardware encryption machine, the private keys do not go out of the hardware encryption machine, and absolute security of a License authorization server side is guaranteed.
The License root certificate and the client private key are stored in a trusted hardware environment module such as TPM/TPCM/TEE, all encryption and signature verification processes are executed in the client trusted hardware environment module, the private key is not transmitted to a software system (memory), the certificate used in the client environment is guaranteed to be irreplaceable, and the private key is not stolen or tampered, so that the absolute security of the License authorized client is guaranteed.
A certificate chain is adopted to manage the private keys and certificates used by all License authorization servers and authorization clients, so that the number of product private keys the server has to maintain is greatly reduced without reducing security, and the cost of signing and issuing Licenses is reduced. For example, the system can allocate a set of License authorization private key and certificate for each product version, and can allocate a set of client private key and client certificate for each version or even each sales entity. The License authorization server side does not need to record the client's private key and certificate: when verifying the client's encrypted information, it only needs to use the root certificate to verify the trust chain of the certificate that the client supplies together with the ciphertext in order to establish the client's legitimacy. The License authorization server side can replace the product private key independently, and the client does not need to be updated; when the authorization client updates its built-in client private key, the License authorization server side does not need to be aware of it.
Fig. 1 is a flowchart of a License authorization method based on a hardware trusted trust chain according to an exemplary first embodiment of the present invention, as shown in fig. 1, the method of this embodiment includes:
step S1: generating a client private key and a client certificate at a client through a root certificate, and generating a product private key and a product certificate at a server;
step S2: carrying out signature encryption on the client environment information through a client private key;
step S3: generating an authorization file according to the authorization content and the client environment information;
step S4: importing the authorization file through a legitimate product certificate, and providing service to the outside through an interface.
In this embodiment, the step S2 in the License authorization method based on the hardware trusted trust chain includes: the client environment information is signed and encrypted through a client private key stored in a trusted hardware environment, a client certificate is placed in the client environment information after signature encryption, and the environment information after signature encryption and the client certificate are provided for a server.
Fig. 2 is a flowchart of a License authorization method based on a hardware trusted trust chain according to an exemplary second embodiment of the present invention, where this embodiment is a preferred embodiment of the method shown in fig. 1, and as shown in fig. 2, step S1 of the method of this embodiment includes:
step S11: signing and issuing a root certificate according to a system initialization request, and respectively storing the root certificate in a server and a client;
step S12: generating a client private key and a client certificate through a root certificate of a client, and storing the generated client private key and the generated client certificate in a trusted hardware environment of the client;
step S13: generating a product private key and a product certificate through a root certificate of the server according to the product creation request, and storing the generated product private key and product certificate in a hardware encryption machine of the server.
Fig. 3 is a flowchart of a License authorization method based on a hardware trusted trust chain according to an exemplary third embodiment of the present invention, where this embodiment is a preferred embodiment of the method shown in fig. 1, and as shown in fig. 3, step S3 of the method of this embodiment includes:
step S31: according to the authorization application request, signing the authorization content by adopting a product private key to generate signature authorization information;
step S32: acquiring client environment information and verifying the validity of a client certificate in the client environment information;
step S33: verifying and decrypting the client environment information by adopting the verified client certificate;
step S34: placing the product certificate and the client environment information subjected to signature verification and decryption in signature authorization information to form authorization data;
step S35: encrypting the authorization data from step S34 to generate an authorization file.
In this embodiment, the root certificate is used to perform trust chain verification on the client certificate, and the client certificate passing the verification is used to perform signature verification and decryption on the client environment information. Therefore, the server does not need to record the product private key information distributed to the product, and the legality of the built-in certificate of the product can be verified by using the root certificate. License authorization content is signed by using a License authorization private key generated by a root certificate private key, and a product certificate is provided to an authorization client along with a License authorization file.
Fig. 4 is a flowchart of a License authorization method based on a hardware trusted trust chain according to an exemplary fourth embodiment of the present invention, where this embodiment is a preferred embodiment of the method shown in fig. 1, and as shown in fig. 4, step S4 of the method of this embodiment includes:
step S41: verifying the validity of the product certificate in the authorization file through a root certificate stored in the client;
step S42: adopting the verified product certificate to verify and decrypt the authorization file;
step S43: meanwhile, the client environment information is verified, the signature authorization information is formatted, and information query service is provided for the outside in an interface mode.
In this embodiment, the client verifies the validity of the trust chain of the secondary certificate through the root certificate stored in the trusted hardware environment. The secondary certificate serves as the product certificate and its CN field is filled with the product ID; when verifying the validity of the product certificate, the client must additionally check that the product certificate CN is the same as the product ID. When the product certificate is trusted, it is used to verify and decrypt the License authorization content.
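The trust-chain and signature checks of steps S1 to S4, including the CN check described above, as an added example that is not code from the patent. Assumptions: Ed25519 keys held in memory stand in for the hardware encryption machine and the TPM/TPCM/TEE, the encryption and decryption steps are omitted so that only certificate-chain and signature verification are shown, and all function names, IDs and the environment string are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// party: a certificate and its key. Assumption: the key is in memory here, not in an HSM/TPM.
type party struct {
	cert *x509.Certificate
	key  ed25519.PrivateKey
}
type signed struct{ payload, sig, certDER []byte } // data + signature + signer's certificate

// issue creates a certificate for cn (S11-S13); a nil parent gives the self-signed root.
func issue(cn string, serial int64, parent *party) (*party, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	signer := parent
	if parent == nil { // self-signed root CA
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		signer = &party{cert: tmpl, key: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer.cert, pub, signer.key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &party{cert: cert, key: key}, err
}

// sign attaches a signature and the signer's certificate to payload (S2, S31, S34).
func sign(p *party, payload []byte) signed {
	return signed{payload: payload, sig: ed25519.Sign(p.key, payload), certDER: p.cert.Raw}
}

// verify validates the attached certificate against the root alone, then the signature.
func verify(root *x509.Certificate, m signed) (*x509.Certificate, error) {
	cert, err := x509.ParseCertificate(m.certDER)
	if err != nil {
		return nil, err
	}
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	opts.Roots.AddCert(root)
	if _, err := cert.Verify(opts); err != nil {
		return nil, fmt.Errorf("certificate chain: %w", err)
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, m.payload, m.sig) {
		return nil, fmt.Errorf("signature verification failed")
	}
	return cert, nil
}

// issueLicense is the server side (S31-S34): check the client's request, sign content + env.
func issueLicense(root *x509.Certificate, product *party, req signed, content string) (signed, error) {
	if _, err := verify(root, req); err != nil {
		return signed{}, err
	}
	return sign(product, []byte(content+"\n"+string(req.payload))), nil
}

// importLicense is the client side (S41-S43); it returns the authorization content.
func importLicense(root *x509.Certificate, lic signed, productID, localEnv string) (string, error) {
	cert, err := verify(root, lic)
	if err != nil {
		return "", err
	}
	if cert.Subject.CommonName != productID { // extra CN check on the product certificate
		return "", fmt.Errorf("certificate CN %q is not product %q", cert.Subject.CommonName, productID)
	}
	parts := strings.SplitN(string(lic.payload), "\n", 2)
	if len(parts) != 2 || parts[1] != localEnv {
		return "", fmt.Errorf("license is bound to a different environment")
	}
	return parts[0], nil
}

func main() {
	root, _ := issue("License Root CA", 1, nil)
	client, _ := issue("client-0001", 2, root)
	product, _ := issue("product-A", 3, root)
	env := "cpu=constructed-01;mac=02:00:00:00:00:01" // constructed sample
	lic, _ := issueLicense(root.cert, product, sign(client, []byte(env)), "seats=10")
	fmt.Println(importLicense(root.cert, lic, "product-A", env))
}
```

Because client and product certificates chain to the same root in this sketch, the CN comparison in `importLicense` is what keeps a client certificate from being accepted as a product certificate.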
Fig. 5 is a License authorization system based on a hardware trusted trust chain according to an exemplary fifth embodiment of the present invention, and as shown in fig. 5, the system of this embodiment includes:
the License authorization server consists of a product management module, a server-side authorization management module and a hardware encryption machine, wherein the product management module consists of a system initialization unit, a product creation unit and an authorization application unit; the server-side authorization management module consists of an authorization information signing unit, a client certificate verification unit, an environment information verification unit and an authorization information encryption unit; the hardware encryption machine is used for signing and issuing a root certificate according to a system initialization request, storing the root certificate in the server and in the client respectively, generating a client private key and a client certificate through the client root certificate, storing the generated client private key and client certificate in a trusted hardware environment module of the client, generating and storing a product private key and a product certificate through the server root certificate according to a product creation request, and providing an API (application programming interface) to the server-side authorization management module, so that the server-side authorization management module completes authorization information signing, client certificate verification, environment information verification and authorization information encryption inside the encryption machine through the API;
the License authorization client consists of a client authorization management module and a trusted hardware environment module, wherein the client authorization management module consists of an environment information signature encryption unit, an authorization information verification decryption unit, an authorization information formatting unit and an authorization information interface unit; the trusted hardware environment module is used for storing a client private key and a client certificate and providing an API (application programming interface) to the client authorization management module, so that the client authorization management module completes environment information signature encryption, authorization information verification and decryption, authorization information formatting and provision of the authorization information interface inside the trusted hardware environment module.
In the product management module of the License authorization system based on the hardware trusted trust chain, the system initialization unit is configured to send a system initialization request, the product creation unit is configured to send a product creation request, and the authorization application unit is configured to send an authorization application request.
In this embodiment, in the server-side authorization management module of the License authorization system based on the hardware trusted trust chain, the authorization information signing unit is used for signing the authorization content with the product private key according to an authorization application request to generate signature authorization information; the client certificate checking unit is used for checking the validity of the client certificate in the client environment information; the environment information verification unit is used for acquiring the client environment information and verifying and decrypting it with the verified client certificate; the authorization information encryption unit is used for placing the product certificate and the verified and decrypted client environment information in the signature authorization information to form authorization data, encrypting the authorization data and generating an authorization file.
In the client authorization management module of the License authorization system based on the hardware trusted trust chain, the environment information signature encryption unit is used for performing signature encryption on the client environment information through a client private key stored in the hardware system and placing the client certificate into the client environment information after signature encryption; the authorization information verification decryption unit is used for verifying the validity of a product certificate in the authorization file through a root certificate stored in the client, and verifying and decrypting the authorization file by adopting the verified product certificate; the authorization information formatting unit is used for verifying the client environment information and formatting the signature authorization information; the authorization information interface unit is used for providing information inquiry service to the outside through an interface mode.
An exemplary fifth embodiment of the present invention provides an application principle of a License authorization system based on a hardware trusted trust chain, where this embodiment is a preferred embodiment of the system shown in fig. 5, and the system of this embodiment is applied in the following manner:
the system initialization unit sends a system initialization request; the hardware encryption machine signs a root certificate according to the system initialization request, and the root certificate is stored in the hardware encryption machine of the server and in the trusted hardware environment module of the client respectively;
the hardware encryption machine generates a client private key and a client certificate through the root certificate of the client, and stores the generated client private key and client certificate in the trusted hardware environment module of the client;
the product creation unit sends a product creation request; the hardware encryption machine generates a product private key and a product certificate through the root certificate of the server according to the product creation request, and stores the generated product private key and product certificate in the hardware encryption machine of the server;
the environment information signature encryption unit signs and encrypts the client environment information with the client private key stored in the trusted hardware environment module, and the client certificate is placed in the client environment information after signature encryption;
the authorization information signing unit signs the authorization content with the product private key according to the authorization application request sent by the authorization application unit, generating signature authorization information;
the environment information verification unit obtains the client environment information, and the client certificate verification unit verifies the validity of the client certificate in the client environment information;
the environment information verification unit verifies and decrypts the client environment information with the verified client certificate;
the authorization information encryption unit places the product certificate and the verified and decrypted client environment information in the signature authorization information to form authorization data, encrypts the authorization data, and generates an authorization file;
the authorization information verification decryption unit verifies the legitimacy of the product certificate in the authorization file with the root certificate stored in the client, and verifies and decrypts the authorization file with the verified product certificate;
the authorization information formatting unit verifies the client environment information and formats the signature authorization information;
the authorization information interface unit provides an information query service externally through an interface.
In this embodiment, the private key used for License authorization is stored in the hardware encryption machine, and the software management system stores only the key ID; when the License authorization of a product is generated, data encryption and signing are completed inside the encryption machine through the API of the hardware encryption machine.
The private key of the client environment is generated by a hardware encryption machine before the product is issued, and is built into a trusted hardware environment module of the product client, such as a TPM/TPCM/TEE, together with the License root certificate. Certificate validity verification, encryption, decryption and signature verification are completed inside the trusted hardware environment module through the API (application programming interface) that the module provides.
Finally, the invention also provides a terminal device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the steps of the method when executing the program.
The terminal equipment has the corresponding technical effects of the License authorization method and the License authorization system based on the hardware trusted trust chain.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A License authorization method based on a hardware trusted trust chain is characterized in that the method comprises the following steps:
step S1: generating a client private key and a client certificate at a client through a root certificate, and generating a product private key and a product certificate at a server;
step S2: carrying out signature encryption on the client environment information through a client private key;
step S3: generating an authorization file according to the authorization content and the client environment information;
step S4: importing the authorization file through a legal product certificate, and providing service to the outside through an interface.
2. The License authorization method based on the hardware trusted trust chain according to claim 1, wherein the step S1 comprises:
step S11: signing a root certificate according to the system initialization request, and respectively storing the root certificate in a server and a client;
step S12: generating a client private key and a client certificate through a root certificate of a client, and storing the generated client private key and the generated client certificate in a trusted hardware environment of the client;
step S13: according to the product creation request, generating a product private key and a product certificate through a root certificate of the server, and storing the generated product private key and the product certificate in a hardware encryption machine of the server.
3. The License authorization method based on the hardware trusted trust chain according to claim 1, wherein the step S2 comprises: signing and encrypting the client environment information through a client private key stored in the trusted hardware environment, and placing the client certificate into the client environment information after signature and encryption.
4. The License authorization method based on the hardware trusted trust chain according to claim 1, wherein the step S3 comprises:
step S31: according to the authorization application request, signing the authorization content by adopting a product private key to generate signature authorization information;
step S32: acquiring client environment information and verifying the validity of a client certificate in the client environment information;
step S33: verifying and decrypting the client side environment information by adopting the verified client side certificate;
step S34: placing the product certificate and the client environment information subjected to signature verification and decryption in signature authorization information to form authorization data;
step S35: encrypting the authorization data of step S34 to generate an authorization file.
5. The License authorization method based on the hardware trusted trust chain according to claim 1, wherein the step S4 comprises:
step S41: verifying the validity of the product certificate in the authorization file through a root certificate stored in the client;
step S42: adopting the verified product certificate to verify and decrypt the authorization file;
step S43: at the same time, verifying the client environment information, formatting the signature authorization information, and providing an information query service to the outside through an interface.
6. A License authorization system based on a hardware trusted trust chain is characterized in that the system comprises:
the License authorization server side consists of a product management module, a server side authorization management module and a hardware encryption machine, wherein the product management module consists of a system initialization unit, a product creation unit and an authorization application unit; the server side authorization management module consists of an authorization information signature unit, a client side certificate verification unit, an environment information verification unit and an authorization information encryption unit; the hardware encryption machine is used for signing and issuing a root certificate according to a system initialization request, respectively storing the root certificate in a server and a client, generating a client private key and a client certificate through the root certificate of the client, storing the generated client private key and the client certificate in a trusted hardware environment module of the client, generating and storing a product private key and a product certificate through the root certificate of the server according to a product creation request, and providing an API (application programming interface) for the server authorization management module, so that the server authorization management module completes authorization information signature, client certificate verification, environment information verification and authorization information encryption in the encryption machine through the API;
the License authorization client consists of a client authorization management module and a trusted hardware environment module, wherein the client authorization management module consists of an environment information signature encryption unit, an authorization information verification decryption unit, an authorization information formatting unit and an authorization information interface unit; the trusted hardware environment module is used for storing a client private key and a client certificate and providing an API (application programming interface) for the client authorization management module, so that the client authorization management module completes environment information signature encryption, authorization information verification decryption, authorization information formatting and authorization information interface provision in the trusted hardware environment module.
7. The License authorization system based on the hardware trusted trust chain as claimed in claim 6, wherein in the product management module, the system initialization unit is configured to send a system initialization request, the product creation unit is configured to send a product creation request, and the authorization application unit is configured to send an authorization application request.
8. The License authorization system based on the hardware trusted trust chain as claimed in claim 6, wherein in the server-side authorization management module, the authorization information signature unit is configured to sign the authorization content with a product private key according to the authorization application request to generate signature authorization information; the client certificate checking unit is used for checking the validity of the client certificate in the client environment information; the environment information verification unit is used for acquiring the client environment information and verifying and decrypting the client environment information by adopting a verified client certificate; the authorization information encryption unit is used for placing the product certificate and the client environment information subjected to signature verification and decryption in the signature authorization information to form authorization data, encrypting the authorization data and generating an authorization file.
9. The License authorization system based on the hardware trusted trust chain as claimed in claim 6, wherein in the client authorization management module, the environment information signature encryption unit is configured to perform signature encryption on the client environment information through a client private key stored in the hardware system, and place the client certificate into the client environment information after signature encryption; the authorization information verification decryption unit is used for verifying the validity of the product certificate in the authorization file through the root certificate stored in the client, and verifying and decrypting the authorization file by adopting the verified product certificate; the authorization information formatting unit is used for verifying the client environment information and formatting the signature authorization information; the authorization information interface unit is used for providing information inquiry service to the outside in an interface mode.
10. A terminal device, characterized in that the terminal device comprises a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the steps of the method according to any one of claims 1-5 when executing the program.
CN202211114049.0A 2022-09-14 2022-09-14 License authorization method and system based on hardware trusted trust chain Pending CN115484094A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211114049.0A CN115484094A (en) 2022-09-14 2022-09-14 License authorization method and system based on hardware trusted trust chain

Publications (1)

Publication Number Publication Date
CN115484094A true CN115484094A (en) 2022-12-16

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination