CN115567314B - License security agent method and platform based on hardware trusted trust chain - Google Patents


Info

Publication number: CN115567314B
Application number: CN202211258511.4A
Authority: CN (China)
Prior art keywords: license, authorization, certificate, module, hardware
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN115567314A (en)
Inventor: 邓覃思
Current assignee: Zhongdian Cloud Computing Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Zhongdian Cloud Computing Technology Co ltd

Events:
    • Application filed by Zhongdian Cloud Computing Technology Co ltd
    • Priority to CN202211258511.4A
    • Publication of CN115567314A
    • Application granted
    • Publication of CN115567314B
    • Legal status: Active
    • Anticipated expiration

Classifications

All codes fall under CPC section H (Electricity), class H04 (Electric communication technique), subclass H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L63/0823 Network security architectures or protocols for authentication of entities using certificates
    • H04L63/083 Network security architectures or protocols for authentication of entities using passwords
    • H04L63/0869 Network security architectures or protocols for authentication of entities for achieving mutual authentication
    • H04L63/0884 Network security architectures or protocols for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • H04L9/0861 Key distribution or management: generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0894 Key distribution or management: escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/3247 Cryptographic mechanisms for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures
    • H04L9/3263 Cryptographic mechanisms for verifying identity or authority, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements
    • H04L9/3265 Cryptographic mechanisms for verifying identity or authority, using certificate chains, trees or paths; hierarchical trust model
    • H04L2209/72 Signcrypting, i.e. digital signing and encrypting simultaneously
    • H04L2209/76 Proxy, i.e. using an intermediary entity to perform cryptographic operations


Abstract

The invention relates to the technical field of License agents and provides a License security agent method and platform based on a hardware trusted trust chain. The method comprises the following steps: generating the certificates and private keys required for License verification with a hardware encryptor and pre-installing them; applying to a License authorization issuing system for a License authorization file; importing the License authorization file so obtained into a License authorization agent module; and the service terminal module applying to the License authorization agent module for an authorization quota, whereupon, after the License authorization agent module and the service terminal module have completed bidirectional verification, the License authorization agent module allocates authorization resources to the service terminal module. The License security agent method and platform based on a hardware trusted trust chain disclosed by the embodiments of the invention reduce the complexity of mutual authentication between the agent and the terminal and improve the security of the License agent.

Description

License security agent method and platform based on hardware trusted trust chain
Technical Field
The invention relates to the technical field of License agents, in particular to a License security agent method and platform based on a hardware trusted trust chain.
Background
For large, complex service systems, or service clusters with many clients, License distribution usually relies on an authorization proxy mechanism: an authorization center issues to a License authorization proxy a single quota set covering the whole service system or its many application terminals, and the proxy distributes that quota to individual service modules or application terminals.
Typical scenarios are: 1. A large service system comprises several service subsystems, such as A, B, C and D; for each specific market project every subsystem has its own authorization specification, and for ease of management a License authorization center performs authorization management uniformly. 2. Where each set of software and hardware would otherwise perform its own independent License management, a License agent is instead deployed inside the enterprise network, the full authorization is issued to the agent once, and each individual terminal applies to the License agent for its authorization.
In practice, proxy mode needs a secure bidirectional authentication mechanism between the License proxy server and the service module or application terminal. The proxy service must verify that the applying terminal is legitimate, so that authorizations cannot be abused; the terminal application must verify that the proxy service is legitimate, so that an intermediary cannot impersonate the proxy and hand out counterfeit authorizations. However, many large business systems are deployed in isolated local area networks or otherwise closed environments, where authentication against an Internet service is not possible. Common authorization management schemes perform security verification only when the authorization is imported into the License proxy service and do not strictly authenticate the authorization requests of service modules or software and hardware terminals. Existing License authorization proxy mechanisms therefore have the following drawbacks: 1. when a forged terminal applies for authorization, the agent cannot detect it; 2. when a counterfeit agent offers authorization, the terminal application cannot detect it; 3. storing certificates and private keys in software carries a risk of leakage and tampering.
How to further improve the security of License authorization agents is therefore a technical problem to be solved.
Disclosure of Invention
In view of this, the present invention primarily addresses the problem of simplifying authentication between the proxy and the terminal while strengthening the security of the License proxy.
In one aspect, the present invention provides a License security agent method based on a hardware trusted trust chain, comprising:
step S1: generating the certificates and private keys required for License verification with a hardware encryptor (a hardware security module), and pre-installing the generated certificates and private keys;
step S2: applying to a License authorization issuing system for a License authorization file;
step S3: importing the License authorization file so obtained into a License authorization agent module;
step S4: the service terminal module applying to the License authorization agent module for an authorization quota, and, after the License authorization agent module and the service terminal module have completed bidirectional verification, the License authorization agent module allocating authorization resources to the service terminal module.
Further, step S1 of the License security agent method based on the hardware trusted trust chain of the present invention comprises:
step S11: generating a root certificate and root private key with the hardware encryptor, and keeping the root private key inside the hardware encryptor;
step S12: generating a secondary certificate and private key for the License authorization agent module with the hardware encryptor, recording the identity of the License authorization agent module in the CN (Common Name) field of the generated secondary certificate, and storing the secondary certificate and private key together with the root certificate generated in step S11 in the trusted hardware environment unit of the License authorization agent module;
step S13: generating a secondary certificate and private key for the service terminal module with the hardware encryptor, recording the identity of the service terminal module in the CN field of the generated secondary certificate, and storing the secondary certificate and private key together with the root certificate generated in step S11 in the trusted hardware environment unit of the service terminal module.
Further, step S2 of the License security agent method based on the hardware trusted trust chain of the present invention comprises:
step S21: obtaining client environment information from the License authorization agent module, and applying to the authorization issuing service module of the License issuing system for a License authorization file;
step S22: the authorization issuing service module obtaining the authorization item content according to the project's order information, adding the client environment information to the authorization item content, and generating the License authorization file content;
step S23: the authorization issuing service module generating a signing private key and signing certificate from the root private key inside the hardware encryptor, signing the License authorization file content with the signing private key, encrypting the signed License authorization file content, and attaching the signing certificate to the encrypted content to produce the License authorization file.
Further, step S3 of the License security agent method based on the hardware trusted trust chain of the present invention comprises:
step S31: logging in to the License authorization agent module of the client service environment system and importing, through the License management service unit, the License authorization file generated by the License authorization issuing system;
step S32: reading the encrypted License file content and the signing certificate from the imported License authorization file, and decrypting the encrypted content to obtain the plaintext License file content;
step S33: verifying, through the License management service unit and inside the local trusted hardware environment unit, the legitimacy of the License file content and of the signing certificate;
step S34: verifying, through the License management service unit, the legitimacy of the authorization item content in the plaintext License file content, and adding the authorization item content that passes verification to the allocatable authorization resources.
Further, step S33 of the License security agent method based on the hardware trusted trust chain of the present invention comprises: verifying the certificate chain of the signing certificate against the root certificate built into the trusted hardware environment unit, and then verifying with the signing certificate that the signature over the License authorization file content is correct. The chain check comes first: only once the signing certificate is shown to descend from the built-in root can its public key be trusted to check the signature.
Further, step S4 of the License security agent method based on the hardware trusted trust chain of the present invention comprises:
step S41: the authorization management service unit of the service terminal module establishing a connection to the terminal management service unit of the License authorization agent module and initiating an authorization allocation request;
step S42: the terminal management service unit of the License authorization agent module verifying, inside its local trusted hardware environment unit and with the built-in root certificate, the validity of the secondary certificate of the service terminal module;
step S43: the authorization management service unit of the service terminal module verifying, inside its local trusted hardware environment unit and with the built-in root certificate, the validity of the secondary certificate of the License authorization agent module;
step S44: once the terminal management service unit of the License authorization agent module confirms that bidirectional verification has passed, the License management service unit allocating authorized resources to the service terminal module and updating the remaining authorized resources.
Further, in step S42 of the License security agent method based on the hardware trusted trust chain, verifying the validity of the secondary certificate of the service terminal module comprises verifying the validity of the secondary certificate's trust chain and the validity of the identity of the terminal module recorded in the CN field of the secondary certificate.
Further, in step S43 of the License security agent method based on the hardware trusted trust chain, verifying the validity of the secondary certificate of the License authorization agent module comprises verifying the validity of the secondary certificate's trust chain and the validity of the identity of the License authorization agent module recorded in the CN field of the secondary certificate.
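The following Go program is an added worked example for steps S1 to S4 above (certificate issuance under a single root, License file signing and import, and the bidirectional check of S42/S43). It is written for this page using only the Go standard library and is not code from the patent or from Zhongdian Cloud Computing Technology Co ltd. Everything the page leaves unspecified is an assumption here: certificates use ECDSA P-256 (the page names no algorithm); the hardware encryptor and the trusted hardware environment units are represented by in-memory keys, so the property that the root private key never leaves the device is only modelled, not enforced; the encryption layer of steps S23 and S32 is left out because the page does not say which cipher is used or how the agent obtains the decryption key; and the identities "agent-01", "terminal-17", "license-issuer" and the client environment "site-A" are made up. The nonce signature in VerifyPeer goes beyond the page: the chain and CN checks of S42/S43 establish that a certificate is genuine, but a certificate is public, so a real handshake must also make the peer prove possession of the matching private key, as a mutual TLS handshake does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issueCert issues a certificate for cn signed by parent; parent == nil gives the self-signed root (S11).
// In the patent this signing runs inside the hardware encryptor and the root private key never leaves it;
// the in-memory keys here stand in for that device and for the trusted hardware environment units.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, // CN carries the module identity (S12/S13)
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// chainsToRoot is the trust-chain check shared by S33, S42 and S43: only the built-in root is trusted.
func chainsToRoot(root, cert *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func sign(key *ecdsa.PrivateKey, data []byte) []byte {
	d := sha256.Sum256(data)
	sig, _ := ecdsa.SignASN1(rand.Reader, key, d[:])
	return sig
}

func verify(cert *x509.Certificate, data, sig []byte) bool {
	d := sha256.Sum256(data)
	return ecdsa.VerifyASN1(cert.PublicKey.(*ecdsa.PublicKey), d[:], sig)
}

// Authorization is the plaintext License file content (S22); ClientEnv binds the file to one deployment.
type Authorization struct {
	ClientEnv string         `json:"client_env"`
	Items     map[string]int `json:"items"` // authorization item -> quota
}

// License is the authorization file of S23 without its encryption layer (an assumption, see the lead-in):
// signed content plus the signing certificate, which the agent must chain to the root before trusting it.
type License struct{ Content, Signature, SigningCert []byte }

// IssueLicense is the issuing service's side (S22/S23).
func IssueLicense(auth Authorization, signKey *ecdsa.PrivateKey, signCert *x509.Certificate) License {
	content, _ := json.Marshal(auth)
	return License{Content: content, Signature: sign(signKey, content), SigningCert: signCert.Raw}
}

// ImportLicense is the agent's side (S33/S34): chain check first, then the signature, then the content.
func ImportLicense(lic License, root *x509.Certificate, localEnv string) (*Authorization, error) {
	cert, err := x509.ParseCertificate(lic.SigningCert)
	if err != nil {
		return nil, err
	}
	if err := chainsToRoot(root, cert); err != nil {
		return nil, fmt.Errorf("signing certificate: %w", err)
	}
	if !verify(cert, lic.Content, lic.Signature) {
		return nil, errors.New("license signature invalid")
	}
	var auth Authorization
	if err := json.Unmarshal(lic.Content, &auth); err != nil {
		return nil, err
	}
	if auth.ClientEnv != localEnv {
		return nil, errors.New("license bound to a different client environment")
	}
	return &auth, nil
}

// VerifyPeer is the check each side runs on the other (S42/S43): chain to the built-in root, and CN equal
// to the identity the peer claims. The nonce proof is this example's addition, not a step on the page:
// a certificate is public, so possession of its private key must be shown before the identity counts.
func VerifyPeer(root, peer *x509.Certificate, claimedID string, nonce, proof []byte) error {
	if err := chainsToRoot(root, peer); err != nil {
		return fmt.Errorf("trust chain: %w", err)
	}
	if peer.Subject.CommonName != claimedID {
		return fmt.Errorf("identity mismatch: CN %q, claimed %q", peer.Subject.CommonName, claimedID)
	}
	if !verify(peer, nonce, proof) {
		return errors.New("peer cannot prove possession of its certificate's private key")
	}
	return nil
}

func main() {
	root, rootKey := issueCert("License Root CA", true, nil, nil)
	agentCert, agentKey := issueCert("agent-01", false, root, rootKey)
	signCert, signKey := issueCert("license-issuer", false, root, rootKey)
	lic := IssueLicense(Authorization{ClientEnv: "site-A", Items: map[string]int{"subsystem-B": 50}}, signKey, signCert)
	auth, err := ImportLicense(lic, root, "site-A")
	fmt.Println("import:", auth, err)
	nonce := []byte("constructed-nonce") // a real handshake uses a fresh random nonce per session
	fmt.Println("terminal checks agent:", VerifyPeer(root, agentCert, "agent-01", nonce, sign(agentKey, nonce)))
	impostor, impostorKey := issueCert("agent-01", true, nil, nil) // self-signed copy of the agent's CN
	fmt.Println("terminal checks impostor:", VerifyPeer(root, impostor, "agent-01", nonce, sign(impostorKey, nonce)))
}
```

Run it with go run. The impostor certificate, the counterfeit-agent case from the Background, is rejected at the trust-chain step before its CN is even compared, because the verifier trusts nothing but the root stored in its own trusted hardware unit. Two things the page does not describe and a deployment has to add on top of these checks: a way to refuse a secondary certificate once a leak has been identified (the CN lets the agent name the leaked identity, but nothing in steps S41 to S44 stops that certificate from being presented again), and a fresh random nonce per session so that a captured proof cannot be replayed.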
In another aspect, the present invention provides a License security agent platform based on a hardware trusted trust chain, comprising:
a client service environment system, comprising a License authorization agent module and a service terminal module, for importing License authorization files from a License authorization issuing system, checking the legitimacy of the License authorization files, checking the legitimacy of the License authorization agent module and the service terminal module, and allocating resources to the service terminal from the successfully imported authorized resources; and
a License authorization issuing system, comprising an authorization issuing service module and a hardware encryptor, wherein the authorization issuing service module receives requests for License authorization files, obtains the authorization item content according to the project's order information, adds client environment information to the authorization item content to generate the License authorization file content, generates a signing private key and signing certificate from the root private key inside the hardware encryptor, signs the License authorization file content with the signing private key, encrypts the signed content, attaches the signing certificate to the encrypted content, and so generates the License authorization file.
Further, in the License security agent platform based on the hardware trusted trust chain, the License authorization agent module comprises a License management service unit, a terminal management service unit and a trusted hardware environment unit. The License management service unit imports the License authorization file generated by the License authorization issuing system, verifies in the local trusted hardware environment unit the legitimacy of the plaintext License file content and of the signing certificate, verifies the legitimacy of the authorization item content in the plaintext License file content, adds the authorization item content that passes verification to the allocatable authorization resources, allocates authorization resources to the service terminal module, and updates the remaining allocatable resources. The terminal management service unit establishes a connection with the authorization management service unit, receives the authorization allocation request initiated by the authorization management service unit, and verifies in the local trusted hardware environment unit, with the built-in root certificate, the validity of the secondary certificate of the service terminal module. The service terminal module comprises an authorization management service unit and a trusted hardware environment unit; the authorization management service unit establishes a connection with the terminal management service unit of the License authorization agent module, initiates the authorization allocation request, and verifies in the local trusted hardware environment unit, with the built-in root certificate, the validity of the secondary certificate of the License authorization agent module.
The License security agent method and platform based on the hardware trusted trust chain have the following beneficial effects:
1. with the root certificate built in, a certificate trust chain management model is adopted; validity can be verified by checking the certificate trust chain, which reduces the complexity of bidirectional authentication between the proxy and the terminal;
2. a single hardware encryptor issues the secondary certificates for the agent and the terminal, each carrying the identity of its holder, and the root private key never leaves the encryptor, so it stays confidential. Because a secondary certificate carries its holder's identity, a leaked terminal certificate can be identified immediately and the leaked certificate cannot be abused, which improves security;
3. the secondary certificates used by the proxy and the terminal are stored in the server's trusted hardware, and encryption and decryption operations are performed by that trusted hardware, so the secondary certificate and private key are stored securely and cannot be read out by software, which further improves security.
Drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed for the embodiments are briefly described below. The drawings described below show only some embodiments of the invention, and a person skilled in the art could derive other drawings from them without inventive effort.
FIG. 1 is a flowchart of a License security agent method based on a hardware trusted trust chain according to a first exemplary embodiment of the present invention.
FIG. 2 is a flowchart of a License security agent method based on a hardware trusted trust chain according to a second exemplary embodiment of the present invention.
FIG. 3 is a flowchart of a License security agent method based on a hardware trusted trust chain according to a third exemplary embodiment of the present invention.
FIG. 4 is a flowchart of a License security agent method based on a hardware trusted trust chain according to a fourth exemplary embodiment of the present invention.
FIG. 5 is a flowchart of a License security agent method based on a hardware trusted trust chain according to a fifth exemplary embodiment of the present invention.
FIG. 6 is a schematic diagram of a License security agent platform based on a hardware trusted trust chain according to a sixth exemplary embodiment of the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be noted that, where they do not conflict, the following embodiments and the features within them may be combined with one another, and that all other embodiments a person of ordinary skill in the art could derive from the embodiments of this disclosure without inventive effort fall within its scope.
It is also noted that the aspects of the embodiments are described below within the scope of the following claims. The aspects described herein may be embodied in a wide variety of forms, and any specific structure and/or function described herein is merely illustrative. Based on the present disclosure, one skilled in the art will appreciate that an aspect described herein may be implemented independently of any other aspect, and that two or more of these aspects may be combined in various ways. For example, an apparatus may be implemented and/or a method practiced using any number of the aspects set forth herein, and such an apparatus may be implemented and/or such a method practiced using other structure and/or functionality in addition to one or more of those aspects.
FIG. 1 is a flowchart of a License security agent method based on a hardware trusted trust chain according to a first exemplary embodiment of the present invention. As shown in FIG. 1, the method of this embodiment comprises:
step S1: generating the certificates and private keys required for License verification with a hardware encryptor, and pre-installing the generated certificates and private keys;
step S2: applying to a License authorization issuing system for a License authorization file;
step S3: importing the License authorization file so obtained into a License authorization agent module;
step S4: the service terminal module applying to the License authorization agent module for an authorization quota, and, after the License authorization agent module and the service terminal module have completed bidirectional verification, the License authorization agent module allocating authorization resources to the service terminal module.
FIG. 2 is a flowchart of a License security agent method based on a hardware trusted trust chain according to a second exemplary embodiment of the present invention, which is a preferred embodiment of the method shown in FIG. 1. As shown in FIG. 2, step S1 of the method of this embodiment comprises:
step S11: generating a root certificate and root private key with the hardware encryptor, and keeping the root private key inside the hardware encryptor;
step S12: generating a secondary certificate and private key for the License authorization agent module with the hardware encryptor, and storing the secondary certificate and private key together with the root certificate generated in step S11 in the trusted hardware environment unit of the License authorization agent module;
step S13: generating a secondary certificate and private key for the service terminal module with the hardware encryptor, and storing the secondary certificate and private key together with the root certificate generated in step S11 in the trusted hardware environment unit of the service terminal module.
In step S12 of the method of this embodiment, generating the secondary certificate and private key for the License authorization agent module with the hardware encryptor comprises recording the identity of the License authorization agent module in the CN field of the generated secondary certificate.
In step S13 of the method of this embodiment, generating the secondary certificate and private key for the service terminal module with the hardware encryptor comprises recording the identity of the service terminal module in the CN field of the generated secondary certificate.
FIG. 3 is a flowchart of a License security agent method based on a hardware trusted trust chain according to a third exemplary embodiment of the present invention, which is a preferred embodiment of the method shown in FIG. 1. As shown in FIG. 3, step S2 of the method of this embodiment comprises:
step S21: obtaining client environment information from the License authorization agent module, and applying to the authorization issuing service module of the License issuing system for a License authorization file;
step S22: the authorization issuing service module obtaining the authorization item content according to the project's order information, adding the client environment information to the authorization item content, and generating the License authorization file content;
step S23: the authorization issuing service module generating a signing private key and signing certificate from the root private key inside the hardware encryptor, signing the License authorization file content with the signing private key, encrypting the signed License authorization file content, and attaching the signing certificate to the encrypted content to produce the License authorization file.
FIG. 4 is a flowchart of a License security agent method based on a hardware trusted trust chain according to a fourth exemplary embodiment of the present invention, which is a preferred embodiment of the method shown in FIG. 1. As shown in FIG. 4, step S3 of the method of this embodiment comprises:
step S31: logging in to the License authorization agent module of the client service environment system and importing, through the License management service unit, the License authorization file generated by the License authorization issuing system;
step S32: reading the encrypted License file content and the signing certificate from the imported License authorization file, and decrypting the encrypted content to obtain the plaintext License file content;
step S33: verifying, through the License management service unit and inside the local trusted hardware environment unit, the legitimacy of the License file content and of the signing certificate;
step S34: verifying, through the License management service unit, the legitimacy of the authorization item content in the plaintext License file content, and adding the authorization item content that passes verification to the allocatable authorization resources.
Step S33 of the method of this embodiment comprises: verifying the certificate chain of the signing certificate against the root certificate built into the trusted hardware environment unit, and then verifying with the signing certificate that the signature over the License authorization file content is correct.
Fig. 5 is a flowchart of a License security agent method based on a hardware trusted trust chain according to a fifth exemplary embodiment of the present invention, a preferred embodiment of the method shown in Fig. 1. As shown in Fig. 5, step S4 of the method of this embodiment includes:
step S41: establishing a connection from the authorization management service unit of the service terminal module to the terminal management service unit of the License authorization agent module, and initiating an authorization allocation application;
step S42: the terminal management service unit of the License authorization agent module verifies the validity of the secondary certificate of the service terminal module in its local trusted hardware environment unit using the built-in root certificate;
step S43: the authorization management service unit of the service terminal module verifies the validity of the secondary certificate of the License authorization agent module in its local trusted hardware environment unit using the built-in root certificate;
step S44: after the terminal management service unit of the License authorization agent module confirms that the bidirectional verification has passed, the License management service unit allocates authorization resources to the service terminal module and updates the remaining authorization resources.
In step S42 of the method of this embodiment, verifying the validity of the secondary certificate of the service terminal module includes verifying the validity of the secondary certificate's trust chain and the validity of the identity information of the terminal module recorded in the CN field of the secondary certificate.
In step S43 of the method of this embodiment, verifying the validity of the secondary certificate of the License authorization agent module includes verifying the validity of the secondary certificate's trust chain and the validity of the identity information of the License authorization agent module recorded in the CN field of the secondary certificate.
Fig. 6 is a schematic diagram of a License security agent platform based on a hardware trusted trust chain according to a sixth embodiment of the present invention. As shown in Fig. 6, the platform of this embodiment includes:
the client service environment system, comprising a License authorization agent module and a service terminal module, which is used for importing the License authorization file from the License authorization issuing system, checking the legality of the License authorization file, checking the legality of the License authorization agent module and of the service terminal module, and allocating resources to the service terminal from the successfully imported authorization resources;
the License authorization issuing system, comprising an authorization issuing service module and a hardware encryption machine, wherein the authorization issuing service module is used for receiving a request for a License authorization file, acquiring the authorization item content according to the item order information, adding the client environment information to the authorization item content to generate the License authorization file content, generating a signature private key/signature certificate from the root private key through the hardware encryption machine, signing the License authorization file content with the signature private key, encrypting the signed License authorization file content, adding the signature certificate to the encrypted License authorization file content, and producing the License authorization file.
In practical application, in the License security agent platform based on a hardware trusted trust chain, the License authorization agent module comprises a License management service unit, a terminal management service unit and a trusted hardware environment unit. The License management service unit is used for importing the License authorization file generated by the License authorization issuing system, verifying the legitimacy of the plaintext License file content and of the signature certificate in the local trusted hardware environment unit, verifying the legitimacy of the authorization item content in the plaintext License file content, adding the authorization items that pass verification to the allocatable authorization resources, allocating authorization resources to the service terminal module, and updating the remaining allocatable resources. The terminal management service unit is used for establishing a connection with the authorization management service unit, receiving the authorization allocation application initiated by the authorization management service unit, and verifying the validity of the secondary certificate of the service terminal module in the local trusted hardware environment unit using the built-in root certificate. The service terminal module comprises an authorization management service unit and a trusted hardware environment unit; the authorization management service unit is used for establishing a connection with the terminal management service unit of the License authorization agent module, initiating an authorization allocation application, and verifying the validity of the secondary certificate of the License authorization agent module in its local trusted hardware environment unit using the built-in root certificate.
The foregoing is merely illustrative of the present invention, which is not limited thereto; any changes or substitutions readily contemplated by those skilled in the art within the scope of the present invention are included in the present invention. The protection scope of the invention is therefore defined by the protection scope of the claims.

Claims (5)

1. A License security agent method based on a hardware trusted chain of trust, the method comprising:
step S1: generating the certificates and private keys required for License verification through a hardware encryptor, and presetting the generated certificates and private keys;
step S2: applying to a License authorization issuing system for a License authorization file;
step S3: importing the License authorization file obtained by the application into a License authorization agent module;
step S4: applying, through a service terminal module, to the License authorization agent module for an authorization quota, and, after bidirectional verification between the License authorization agent module and the service terminal module is completed, allocating authorization resources to the service terminal module by the License authorization agent module;
wherein step S1 comprises:
step S11: generating a root certificate/root private key through the hardware encryptor, and storing the root private key in the hardware encryptor;
step S12: generating a secondary certificate/private key for the License authorization agent module through the hardware encryptor, recording identity information of the License authorization agent module in the CN field of the generated secondary certificate, and storing the secondary certificate/private key and the root certificate generated in step S11 in a trusted hardware environment unit of the License authorization agent module;
step S13: generating a secondary certificate/private key for the service terminal module through the hardware encryptor, recording identity information of the service terminal module in the CN field of the generated secondary certificate, and storing the secondary certificate/private key and the root certificate generated in step S11 in a trusted hardware environment unit of the service terminal module;
and step S4 comprises:
step S41: establishing a connection from the authorization management service unit of the service terminal module to the terminal management service unit of the License authorization agent module, and initiating an authorization allocation application;
step S42: the terminal management service unit of the License authorization agent module verifies the validity of the secondary certificate of the service terminal module in its local trusted hardware environment unit using the built-in root certificate;
step S43: the authorization management service unit of the service terminal module verifies the validity of the secondary certificate of the License authorization agent module in its local trusted hardware environment unit using the built-in root certificate;
step S44: after the terminal management service unit of the License authorization agent module confirms that the bidirectional verification has passed, the License management service unit allocates authorization resources to the service terminal module and updates the remaining authorization resources;
in step S42, verifying the validity of the secondary certificate of the service terminal module includes verifying the validity of the secondary certificate's trust chain and the validity of the identity information of the terminal module recorded in the CN field of the secondary certificate;
in step S43, verifying the validity of the secondary certificate of the License authorization agent module includes verifying the validity of the secondary certificate's trust chain and the validity of the identity information of the License authorization agent module recorded in the CN field of the secondary certificate.
2. The License security agent method based on a hardware trusted chain of trust according to claim 1, wherein step S2 comprises:
step S21: acquiring client environment information from the License authorization agent module, and applying for a License authorization file from the authorization issuing service module of the License authorization issuing system;
step S22: the authorization issuing service module acquires the authorization item content according to the item order information, adds the client environment information to the authorization item content, and generates the License authorization file content;
step S23: the authorization issuing service module generates a signature private key/signature certificate from the root private key through the hardware encryptor, signs the License authorization file content with the signature private key, encrypts the signed License authorization file content, and adds the signature certificate to the encrypted License authorization file content to produce the License authorization file.
3. The License security agent method based on a hardware trusted chain of trust according to claim 1, wherein step S3 comprises:
step S31: logging in to the License authorization agent module of the client service environment system, and importing, through the License management service unit, the License authorization file generated by the License authorization issuing system;
step S32: reading the encrypted License file content and the signature certificate from the imported License authorization file, and decrypting the encrypted License authorization file content to obtain the plaintext License file content;
step S33: verifying, through the License management service unit, the legitimacy of the plaintext License file content and of the signature certificate in the local trusted hardware environment unit;
step S34: verifying, through the License management service unit, the legitimacy of the authorization item content in the plaintext License file content, and adding the authorization items that pass verification to the allocatable authorization resources.
4. The License security agent method based on a hardware trusted chain of trust according to claim 3, wherein step S33 comprises: verifying the validity of the certificate chain of the signature certificate using the root certificate built into the trusted hardware environment unit, and verifying with the signature certificate whether the signature over the License authorization file content is correct.
5. A License security agent platform based on a hardware trusted chain of trust, the platform comprising:
a client service environment system, comprising a License authorization agent module and a service terminal module, which is used for importing a License authorization file from a License authorization issuing system, checking the legality of the License authorization file, checking the legality of the License authorization agent module and of the service terminal module, and allocating resources to the service terminal from the successfully imported authorization resources;
the License authorization issuing system, comprising an authorization issuing service module and a hardware encryption machine, wherein the authorization issuing service module is used for receiving a request for a License authorization file, acquiring the authorization item content according to the item order information, adding client environment information to the authorization item content to generate the License authorization file content, generating a signature private key/signature certificate from the root private key through the hardware encryption machine, signing the License authorization file content with the signature private key, encrypting the signed License authorization file content, adding the signature certificate to the encrypted License authorization file content, and producing the License authorization file;
the hardware encryption machine is further used for generating a root certificate/root private key and storing the root private key in the hardware encryption machine; generating a secondary certificate/private key for the License authorization agent module, recording identity information of the License authorization agent module in the CN field of the generated secondary certificate, and storing the secondary certificate/private key and the root certificate generated by the hardware encryption machine in a trusted hardware environment unit of the License authorization agent module; and generating a secondary certificate/private key for the service terminal module, recording identity information of the service terminal module in the CN field of the generated secondary certificate, and storing the secondary certificate/private key and the root certificate generated by the hardware encryption machine in a trusted hardware environment unit of the service terminal module;
the License authorization agent module comprises a License management service unit, a terminal management service unit and a trusted hardware environment unit, wherein the License management service unit is used for importing the License authorization file generated by the License authorization issuing system, verifying the legality of the plaintext License file content and of the signature certificate in the local trusted hardware environment unit, verifying the legality of the authorization item content in the plaintext License file content, adding the authorization items that pass verification to the allocatable authorization resources, allocating authorization resources to the service terminal module, and updating the remaining allocatable resources; the terminal management service unit is used for establishing a connection with the authorization management service unit, receiving the authorization allocation application initiated by the authorization management service unit, and verifying the validity of the secondary certificate of the service terminal module in the local trusted hardware environment unit using the built-in root certificate; the service terminal module comprises an authorization management service unit and a trusted hardware environment unit, wherein the authorization management service unit is used for establishing a connection with the terminal management service unit of the License authorization agent module, initiating an authorization allocation application, and verifying the validity of the secondary certificate of the License authorization agent module in its local trusted hardware environment unit using the built-in root certificate;
verifying the validity of the secondary certificate of the service terminal module comprises verifying the validity of the secondary certificate's trust chain and the validity of the identity information of the terminal module recorded in the CN field of the secondary certificate;
verifying the legitimacy of the secondary certificate of the License authorization agent module comprises verifying the validity of the secondary certificate's trust chain and the validity of the identity information of the License authorization agent module recorded in the CN field of the secondary certificate.
Application CN202211258511.4A, priority date 2022-10-14, filing date 2022-10-14: License security agent method and platform based on hardware trusted trust chain (status Active, granted as CN115567314B).

Publications (2)

CN115567314A, published 2023-01-03
CN115567314B, published 2024-01-30


Legal Events

PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information: applicant before, CLP cloud Digital Intelligence Technology Co.,Ltd.; applicant after, Zhongdian Cloud Computing Technology Co.,Ltd.; address (unchanged): 430058 No. n3013, 3rd floor, R & D building, building n, Artificial Intelligence Science Park, economic and Technological Development Zone, Caidian District, Wuhan City, Hubei Province
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right: denomination of invention, A License Security Proxy Method and Platform Based on Hardware Trusted Trust Chain; granted publication date 20240130; pledgee, Industrial and Commercial Bank of China Limited Wuhan Economic and Technological Development Zone Branch; pledgor, Zhongdian Cloud Computing Technology Co.,Ltd.; registration number Y2024980026310