CN116432163A - Authentication information processing method, device, equipment and storage medium - Google Patents

Authentication information processing method, device, equipment and storage medium Download PDF

Info

Publication number
CN116432163A
CN116432163A CN202210003932.6A CN202210003932A CN116432163A CN 116432163 A CN116432163 A CN 116432163A CN 202210003932 A CN202210003932 A CN 202210003932A CN 116432163 A CN116432163 A CN 116432163A
Authority
CN
China
Prior art keywords
authentication information
server
license
state
application subsystem
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210003932.6A
Other languages
Chinese (zh)
Inventor
朱乐陶
樊利安
范建豪
孙会贤
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
Unicom Digital Technology Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Unicom Digital Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China United Network Communications Group Co Ltd, Unicom Digital Technology Co Ltd filed Critical China United Network Communications Group Co Ltd
Priority to CN202210003932.6A priority Critical patent/CN116432163A/en
Publication of CN116432163A publication Critical patent/CN116432163A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44Program or device authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application provides an authentication information processing method, an authentication information processing device and a storage medium, and relates to the technical field of communication, wherein the authentication information processing method comprises the following steps: when the starting of the application subsystem is detected, acquiring a digital signature of a license client program file adopted by the application subsystem when the application subsystem is started currently, the starting time currently, machine code information of a server and an IP address as first authentication information; acquiring authentication information in a license certificate of a server as second authentication information; authenticating the first authentication information according to the second authentication information; and if the authentication is passed, the application subsystem is operated. The method and the device can greatly reduce operation and maintenance cost on the basis of guaranteeing the accuracy of the authentication result, and have good self-protection capability and tamper resistance capability.

Description

Authentication information processing method, device, equipment and storage medium
Technical Field
The present invention relates to the field of communications technologies, and in particular, to an authentication information processing method, apparatus, device, and storage medium.
Background
With the development of communication technology, distributed systems are becoming more and more widely used. The distributed system is a combination of dividing a large application system into a plurality of application subsystems, wherein each application subsystem is independently deployed and operated on different servers, and the service capability of corresponding functional modules is independently provided. The distributed system may design license certificates for servers deployed with the application subsystem, one for each server, for specifying the functional scope of the application system, the time span of use, the device designated to run, etc. When the application subsystem starts to run, authentication information in the corresponding license certificate is authenticated, and if the use limit specified by the license certificate is found to be exceeded, an error prompt is carried out or the application system is exited, so that legal rights and interests of an application system developer are protected.
Currently, a centralized authentication method is generally used to authenticate authentication information in a license. Specifically, by providing a unified authentication server, when each application subsystem runs, the license client corresponding to the application subsystem sends an authentication request to the authentication server, and a corresponding authentication result is obtained through the authentication server. However, the authentication method needs to add additional server resources to deploy the authentication server, which increases the operation and maintenance cost.
Disclosure of Invention
The application provides an authentication information processing method, an authentication information processing device, authentication information processing equipment and a storage medium, and aims to solve the problem of high operation and maintenance cost caused by a centralized authentication mode.
In a first aspect, the present application provides an authentication information processing method applied to a server in which an application subsystem is deployed in a distributed system, the authentication information processing method including:
when the starting of the application subsystem is detected, a digital signature of a license client program file adopted by the application subsystem at the current starting, the current starting time, machine code information of a server and an Internet protocol (Internet Protocol, IP) address are obtained as first authentication information, and the machine code information is a unique code corresponding to core hardware of the server;
Acquiring authentication information in a license certificate of a server as second authentication information, wherein the second authentication information comprises a digital signature of a license client program file, a usable time range, machine code set information of the server and IP address set information of the server;
authenticating the first authentication information according to the second authentication information;
and if the authentication is passed, the application subsystem is operated.
Optionally, authenticating the first authentication information according to the second authentication information includes: if the first authentication information meets the following conditions, determining that the authentication of the first authentication information is passed: the digital signature of the license client program file in the first authentication information is identical to the digital signature of the license client program file in the second authentication information; the current starting time is within the usable time range; the machine code information of the server is in the machine code set information; the IP address of the server is in the IP address set information.
Optionally, the authentication information processing method further includes: if the authentication is passed, the state of the license is set to a valid state and the valid state is stored.
Optionally, the authentication information processing method further includes: if the digital signature of the license client program file in the first authentication information is not consistent with the digital signature of the license client program file in the second authentication information, at least one of the following operations is performed: setting the state of the license client program file in the first authentication information as a tampered state, and storing the tampered state; setting the state of the license certificate as an invalid state and storing the invalid state; and stopping running the application subsystem.
Optionally, acquiring the authentication information in the license certificate of the server is second authentication information, including: acquiring ciphertext content in a license certificate of a server; decrypting the ciphertext content to obtain the second authentication information as authentication information in the license certificate of the server.
Optionally, the license certificate of the server is obtained by: and generating a license certificate according to the digital signature of the license client program file, the usable time range, the machine code set information of the server, the IP address set information of the server and a preset encryption algorithm contained in the second authentication information.
Optionally, the authentication information processing method further includes: determining an application subsystem set corresponding to the IP address according to the IP address set information; determining a target application subsystem from an application subsystem set through a preset main selection algorithm, wherein the preset main selection algorithm is used for determining a leading node and a following node from a server cluster deployed with the application subsystem, and realizing consensus through a leading method; the method comprises the steps of determining a server deployed with a target application subsystem as a leading node, determining servers deployed with other application subsystems as following nodes, wherein the leading node is used for managing the state of a license certificate, synchronizing the state of the license certificate to the following nodes, and the following nodes are used for synchronizing the state of the license certificate from the leading node so as to control the running state of the application subsystem deployed on the following nodes according to the state of the license certificate.
Optionally, if the server is the leader node, the authentication information processing method further includes: sending a heartbeat detection message to the following node; if a response message corresponding to the heartbeat detection message is received, determining that a following node corresponding to the response message is an online node; if the online proportion of the online node is determined to be greater than the online threshold, setting the state of the license in the server to be a valid state, and synchronizing the valid state of the license to the following node so that the following node runs an application subsystem deployed on the following node.
Optionally, the authentication information processing method further includes: if the online proportion is determined to be smaller than or equal to the online threshold value, the state of the license in the server is set to be the invalid state, and the invalid state of the license is synchronized to the following node, so that the following node stops running an application subsystem deployed on the following node.
Optionally, the authentication information processing method further includes: if the response message contains information that the state of the license client program file is a tampered state, setting the state of the license certificate in the server to be an invalid state, and synchronizing the invalid state of the license certificate to the following node so that the following node stops running an application subsystem deployed on the following node.
In a second aspect, the present application provides an authentication information processing apparatus applied to a server in which an application subsystem is deployed in a distributed system, the authentication information processing apparatus including:
the first acquisition module is used for acquiring a digital signature of a license client program file adopted by the application subsystem when the application subsystem is started currently, the starting time currently, machine code information of the server and an IP address as first authentication information when the application subsystem is detected to be started, wherein the machine code information is a unique code corresponding to core hardware of the server;
the second acquisition module is used for acquiring authentication information in the license certificate of the server as second authentication information, wherein the second authentication information comprises a digital signature of a license client program file, a usable time range, machine code set information of the server and IP address set information of the server;
the authentication module is used for authenticating the first authentication information according to the second authentication information;
and the operation module is used for operating the application subsystem if the authentication is passed.
Optionally, the authentication module is specifically configured to: if the first authentication information meets the following conditions, determining that the authentication of the first authentication information is passed: the digital signature of the license client program file in the first authentication information is identical to the digital signature of the license client program file in the second authentication information; the current starting time is within the usable time range; the machine code information of the server is in the machine code set information; the IP address of the server is in the IP address set information.
Optionally, the authentication module is further configured to: if the authentication is passed, the state of the license is set to a valid state and the valid state is stored.
Optionally, the authentication module is further configured to: if the digital signature of the license client program file in the first authentication information is not consistent with the digital signature of the license client program file in the second authentication information, at least one of the following operations is performed: setting the state of the license client program file in the first authentication information as a tampered state, and storing the tampered state; setting the state of the license certificate as an invalid state and storing the invalid state; and stopping running the application subsystem.
Optionally, the second obtaining module is specifically configured to: acquiring ciphertext content in a license certificate of a server; decrypting the ciphertext content to obtain the second authentication information as authentication information in the license certificate of the server.
Optionally, the authentication information processing apparatus includes a generation module configured to generate the license credential according to the digital signature of the license client program file included in the second authentication information, the usable time range, the machine code set information of the server, the IP address set information of the server, and a preset encryption algorithm.
Optionally, the authentication information processing device further includes a determining module, configured to determine, according to the IP address set information, an application subsystem set corresponding to the IP address; determining a target application subsystem from an application subsystem set through a preset main selection algorithm, wherein the preset main selection algorithm is used for determining a leading node and a following node from a server cluster deployed with the application subsystem, and realizing consensus through a leading method; the method comprises the steps of determining a server deployed with a target application subsystem as a leading node, determining servers deployed with other application subsystems as following nodes, wherein the leading node is used for managing the state of a license certificate, synchronizing the state of the license certificate to the following nodes, and the following nodes are used for synchronizing the state of the license certificate from the leading node so as to control the running state of the application subsystem deployed on the following nodes according to the state of the license certificate.
Optionally, if the server is a leader node, the authentication information processing device further includes a processing module, configured to send a heartbeat detection message to a following node; if a response message corresponding to the heartbeat detection message is received, determining that a following node corresponding to the response message is an online node; if the online proportion of the online node is determined to be greater than the online threshold, setting the state of the license in the server to be a valid state, and synchronizing the valid state of the license to the following node so that the following node runs an application subsystem deployed on the following node.
Optionally, the processing module is further configured to: if the online proportion is determined to be smaller than or equal to the online threshold value, the state of the license in the server is set to be the invalid state, and the invalid state of the license is synchronized to the following node, so that the following node stops running an application subsystem deployed on the following node.
Optionally, the processing module is further configured to: if the response message contains information that the state of the license client program file is a tampered state, setting the state of the license certificate in the server to be an invalid state, and synchronizing the invalid state of the license certificate to the following node so that the following node stops running an application subsystem deployed on the following node.
In a third aspect, the present application provides an electronic device, comprising: a processor, a memory communicatively coupled to the processor;
the memory stores computer-executable instructions;
the processor executes computer-executable instructions stored in the memory to implement the authentication information processing method as described in the first aspect of the present application.
In a fourth aspect, the present application provides a computer-readable storage medium having stored therein computer program instructions which, when executed by a processor, implement the authentication information processing method according to the first aspect of the present application.
In a fifth aspect, the present application provides a computer program product comprising a computer program which, when executed by a processor, implements the authentication information processing method according to the first aspect of the present application.
According to the authentication information processing method, the device, the equipment and the storage medium, when the starting of the application subsystem is detected, the digital signature of the license client program file adopted by the application subsystem when the application subsystem is started at present, the current starting time, the machine code information of the server and the IP address are obtained as first authentication information; acquiring authentication information in a license certificate of a server as second authentication information; authenticating the first authentication information according to the second authentication information; and if the authentication is passed, the application subsystem is operated. According to the method and the device, the first authentication information is authenticated according to the second authentication information corresponding to the server by the server which is provided with the application subsystem, wherein the authentication comprises the authentication of the digital signature of the license client program file adopted by the application subsystem when the application subsystem is started currently, so that the operation and maintenance cost can be greatly reduced on the basis of ensuring the accuracy of an authentication result, and the method and the device have good self-protection capability and tamper resistance.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, a brief description will be given below of the drawings that are needed in the embodiments or the prior art descriptions, and it is obvious that the drawings in the following description are some embodiments of the present application, and that other drawings can be obtained according to these drawings without inventive effort to a person skilled in the art.
Fig. 1 is a schematic view of an application scenario provided in an embodiment of the present application;
FIG. 2 is a flowchart of an authentication information processing method according to an embodiment of the present application;
FIG. 3 is a flowchart of an authentication information processing method according to another embodiment of the present application;
FIG. 4 is a flowchart of a method for a leader node to control the status of a license credential according to one embodiment of the present application;
fig. 5 is a schematic structural diagram of an authentication information processing apparatus according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
In the technical scheme of the application, the related information such as financial data or user data is collected, stored, used, processed, transmitted, provided, disclosed and the like, which accords with the regulations of related laws and regulations and does not violate the popular regulations of the public order.
First, some technical terms related to the present application will be explained:
the distributed system is a combination of dividing a large application system into a plurality of application subsystems, wherein each application subsystem is independently deployed and operated on different servers, and the service capability of corresponding functional modules is independently provided.
License, like an electronic contract, is signed by a system developer with a user to specify and restrict the rights of the user to use the system, such as specifying the functional scope of the application system, the usage time scope, and specifying the server on which the application system is running.
In the technical background of high concurrency and large data volume, the use of distributed systems is becoming more and more widespread. The distributed system may design license certificates for servers deployed with the application subsystem, one license certificate for each server. The unique identifier of the server is usually obtained by calculating hardware and system information such as a media access control address (Media Access Control Address, MAC), a central processing unit (Central Processing Unit, CPU) serial number, a motherboard serial number, a system serial number, etc. of the server using a key encryption algorithm, binding the unique identifier of the server, the function range of the distributed system, the limit information such as the service time of the distributed system, etc. with a license certificate as authentication information, and then installing and deploying the license certificate and the distributed system program together. After installation and deployment, the license is written onto a server where the distributed system is deployed. When the application subsystem starts to run, authentication information in the corresponding license is authenticated, and if the use limit specified by the license is found to be exceeded, error prompt or exiting of the application system is performed, so that legal rights and interests of an application system developer are protected.
Currently, a centralized authentication method is generally used to authenticate authentication information in a license. Specifically, by providing a unified authentication server, when each application subsystem runs, the license client corresponding to the application subsystem sends an authentication request to the authentication server, and a corresponding authentication result is obtained through the authentication server. The centralized authentication mode has certain defects in the aspects of availability, safety, resource occupation and the like. Firstly, in terms of availability, if the authentication server itself or a network of communication between the authentication server and a license client corresponding to an application subsystem has a problem, the authentication process cannot be performed normally; secondly, in terms of security, if an operation and maintenance person of the authentication server modifies a database of the authentication server, an original license certificate for verification stored in the authentication server may be changed, thereby causing misjudgment of authentication; finally, in terms of resource occupation, additional server resources are required to be added to deploy the authentication server, and operation and maintenance cost is increased.
Based on the above problems, the application provides an authentication information processing method, an authentication information processing device and a storage medium, and the operation and maintenance cost can be greatly reduced on the basis of guaranteeing the accuracy of an authentication result through an decentralization authentication mode.
In the following, first, an application scenario of the solution provided in the present application is illustrated.
Fig. 1 is a schematic view of an application scenario provided in an embodiment of the present application. As shown in fig. 1, in the present application scenario, a distributed system includes a plurality of application subsystems, where each application subsystem is independently deployed on a different server 101, and each server 101 is deployed with a corresponding license. The server 101 authenticates the authentication information in the license ticket when the application subsystem starts up to run, and determines whether to run the application subsystem according to the authentication result. The server 101 authenticates the authentication information in the license certificate when the application subsystem starts to run, and determines whether to run the specific implementation process of the application subsystem according to the authentication result.
It should be noted that fig. 1 is only a schematic diagram of an application scenario provided by the embodiment of the present application, and the embodiment of the present application does not limit the devices included in fig. 1, or limit the positional relationship between the devices in fig. 1. For example, in the application scenario shown in fig. 1, a data storage device may be further included, where the data storage device may be an external memory with respect to the server 101, or may be an internal memory integrated into the server 101.
Next, an authentication information processing method is described by a specific embodiment.
Fig. 2 is a flowchart of an authentication information processing method according to an embodiment of the present application, which is applied to a server with an application subsystem deployed in a distributed system. As shown in fig. 2, the method of the embodiment of the present application includes:
s201, when the starting of the application subsystem is detected, the digital signature of a license client program file adopted by the application subsystem when the application subsystem is started currently, the current starting time, machine code information of a server and an IP address are obtained as first authentication information.
The machine code information is a unique code corresponding to the core hardware of the server.
In the embodiment of the present application, the license client program is a program for executing the embodiment of the method of the present application, and is integrated in the application subsystem. The license client program contains at least one license client program file whose digital signature, such as the secure hash algorithm 1 (Secure Hash Algorithm, sha-1) code of the license client program file, is used to determine tampering, which changes whenever the license client program file is modified in any way. The machine code information of the server is a unique code corresponding to core hardware of the server, and specifically, for example, includes hardware information such as a MAC address, a CPU serial number, and a motherboard serial number of the server. In this step, illustratively, when the application subsystem is detected to be started, SHA-1 code of a license client program file adopted by the application subsystem at the current start, the current start time, machine code information of the server, and an IP address are acquired as first authentication information. It can be understood that the machine code information and the IP address of the server are the machine code information and the IP address of the server corresponding to the currently started application subsystem.
S202, acquiring authentication information in a license certificate of a server as second authentication information.
Wherein the second authentication information includes a digital signature of the license client program file, a usable time range, machine code set information of the server, and IP address set information of the server.
In this step, the license is an authorization file, which contains ciphertext data of an authorization range, and corresponding authentication information can be obtained according to the ciphertext data. It can be understood that when the application subsystem is deployed to the server, the license credential is also deployed to the server at the same time, so that the authentication information in the license credential of the server can be acquired as the second authentication information. The manner of deploying license certificates to servers is not limited in this application. It can be understood that the machine code set information of the server includes machine codes of the server corresponding to each application subsystem respectively; the IP address set information of the server comprises the IP addresses of the servers respectively corresponding to the application subsystems. For how to obtain the second authentication information as the authentication information in the license certificate of the server, reference may be made to the subsequent embodiments, which are not described herein.
Optionally, the license certificate of the server is obtained by: and generating a license certificate according to the digital signature of the license client program file, the usable time range, the machine code set information of the server, the IP address set information of the server and a preset encryption algorithm contained in the second authentication information.
Illustratively, the packaged license client program file is compiled, and the SHA1 code of the license client program file is obtained from the license client program file and the contents of the license client program file. Generating an authentication information plaintext of the license certificate according to the SHA1 code, the usable time range, the machine code set information of the server and the IP address set information of the server of the license client program file; then, encrypting the authentication information plaintext of the license certificate by adopting a private key of an RSA encryption algorithm (an encryption algorithm named by the name of the three Rivest, shamir, adleman persons) to obtain corresponding ciphertext content; the ciphertext content is used as signature information to be combined with public key information of an RSA encryption algorithm, namely the ciphertext content and the public key information are spliced together, and then an advanced encryption standard (Advanced Encryption Standard, AES) algorithm is adopted to encrypt the ciphertext content, so that final ciphertext content is obtained, and the content of the license certificate is obtained.
S203, authenticating the first authentication information according to the second authentication information.
In this step, after the first authentication information and the second authentication information are obtained, the first authentication information may be authenticated according to the second authentication information to determine the state of the license. The state of the license includes a valid state and an invalid state, and whether the corresponding application subsystem is normally operated can be controlled according to the state of the license. For how to authenticate the first authentication information according to the second authentication information, reference may be made to the subsequent embodiments, which are not described herein.
And S204, if the authentication is passed, the application subsystem is operated.
For example, after the first authentication information is authenticated according to the second authentication information, it may be determined whether the authentication is passed, and if the authentication is passed, the application subsystem is run. Alternatively, the state of the license ticket may be set to a valid state and stored. It will be appreciated that the application subsystem is running, i.e. the application subsystem is able to normally provide the corresponding services.
According to the authentication information processing method, when the starting of the application subsystem is detected, the digital signature of the license client program file adopted by the application subsystem when the application subsystem is started currently, the current starting time, the machine code information of the server and the IP address are obtained as first authentication information; acquiring authentication information in a license certificate of a server as second authentication information; authenticating the first authentication information according to the second authentication information; and if the authentication is passed, the application subsystem is operated. According to the embodiment of the application, the server deployed with the application subsystem authenticates the first authentication information according to the second authentication information corresponding to the server, wherein the authentication comprises the authentication of the digital signature of the license client program file adopted by the application subsystem when the application subsystem is started currently, so that the operation and maintenance cost can be greatly reduced on the basis of ensuring the accuracy of an authentication result, and the application subsystem has good self-protection capability and tamper resistance.
Fig. 3 is a flowchart of an authentication information processing method according to another embodiment of the present application. On the basis of the above embodiments, the embodiments of the present application further describe an authentication information processing method. As shown in fig. 3, the method of the embodiment of the present application may include:
and S301, when the starting of the application subsystem is detected, acquiring a digital signature of a license client program file adopted by the application subsystem at the current starting, the current starting time, machine code information of a server and an IP address as first authentication information.
The machine code information is a unique code corresponding to the core hardware of the server.
A detailed description of this step may be referred to the related description of S201 in the embodiment shown in fig. 2, and will not be repeated here.
In this embodiment, step S202 in fig. 2 may further include two steps S302 and S303 as follows:
s302, ciphertext content in a license certificate of the server is acquired.
In this step, the license has been deployed in the server, and thus, ciphertext content in the license of the server can be acquired by direct reading.
S303, decrypting the ciphertext content to obtain the authentication information in the license certificate of the server as second authentication information.
Wherein the second authentication information includes a digital signature of the license client program file, a usable time range, machine code set information of the server, and IP address set information of the server.
In this step, after obtaining the ciphertext content in the license certificate of the server, a decryption algorithm corresponding to the preset encryption algorithm may be used to decrypt the ciphertext content, and obtain the authentication information in the license certificate of the server as the second authentication information. Illustratively, if the ciphertext content is obtained through the RSA encryption algorithm and the AES encryption algorithm in step S202, the ciphertext content may be decrypted through private key information of the AES decryption algorithm and the RSA encryption algorithm, and authentication information in the license certificate of the server is obtained as second authentication information, and the second authentication information is cached in the memory.
In this embodiment, step S203 in fig. 2 may further include the following step S304:
s304, if the first authentication information meets the following conditions, determining that the authentication of the first authentication information is passed: the digital signature of the license client program file in the first authentication information is identical to the digital signature of the license client program file in the second authentication information; the current starting time is within the usable time range; the machine code information of the server is in the machine code set information; the IP address of the server is in the IP address set information.
Illustratively, the digital signature of the license client program file is, for example, the SHA1 code of the license client program file, and comparing the SHA1 code of the license client program file in the first authentication information with the SHA1 code of the license client program file in the second authentication information can determine whether the SHA1 code of the license client program file in the first authentication information is identical to the SHA1 code of the license client program file in the second authentication information; the current starting time is the time of the server corresponding to the current started application subsystem, so that whether the current starting time is in the usable time range or not can be determined; the machine code information of the server corresponding to the currently started application subsystem can be inquired in the machine code set information to determine whether the machine code information of the server corresponding to the currently started application subsystem is in the machine code set information; the IP address of the server corresponding to the currently started application subsystem may be queried in the IP address set information to determine whether the IP address of the server corresponding to the currently started application subsystem is in the IP address set information. After determining that the digital signature of the license client program file in the first authentication information is identical to the digital signature of the license client program file in the second authentication information, the current start-up time is within the usable time range, the machine code information of the server is in the machine code set information, and the IP address of the server is in the IP address set information, authentication passing of the first authentication information can be determined.
If the digital signature of the license client program file in the first authentication information is not identical to the digital signature of the license client program file in the second authentication information, step S307 is executed.
And S305, if the authentication is passed, the application subsystem is operated.
A detailed description of this step may be referred to as S204 in the embodiment shown in fig. 2, and will not be described herein.
S306, if the authentication is passed, setting the state of the license to be a valid state, and storing the valid state.
Illustratively, if the authentication passes, the state of the license credential is set to a valid state and the valid state is stored in a built-in database. It will be appreciated that the valid or invalid state of the license ticket may be stored via a built-in database to control whether the corresponding application subsystem is normally operated according to the state of the license ticket.
It should be noted that, in the embodiment of the present application, the execution sequence of the step S305 and the step S306 is not limited, and the step S305 may be executed first and then the step S306 may be executed, or the step S306 may be executed first and then the step S305 may be executed.
S307, if the digital signature of the license client program file in the first authentication information is inconsistent with the digital signature of the license client program file in the second authentication information, executing at least one of the following operations: setting the state of the license client program file in the first authentication information as a tampered state, and storing the tampered state; setting the state of the license certificate as an invalid state and storing the invalid state; and stopping running the application subsystem.
Illustratively, the SHA1 code of the license client program file in the first authentication information is compared with the SHA1 code of the license client program file in the second authentication information, if the SHA1 code of the license client program file in the first authentication information is inconsistent with the SHA1 code of the license client program file in the second authentication information, it indicates that the license client program file has been tampered with, the state of the license client program file in the first authentication information is set to a tampered state, and the tampered state is stored in the built-in database; setting the state of the license certificate as an invalid state, and storing the invalid state into a built-in database; and stopping running the application subsystem. It will be appreciated that the application subsystem is stopped, i.e. the application subsystem stops providing normal services.
On the basis of the above embodiment, optionally, if the current startup time is not within the usable time range, or if the machine code information of the server is not in the machine code set information, or if the IP address of the server is in the IP address set information, determining that the authentication on the first authentication information is not passed, and correspondingly, setting the state of the license certificate to be a failure state, and storing the failure state; and stopping running the application subsystem.
According to the authentication information processing method, when the starting of the application subsystem is detected, the digital signature of the license client program file adopted by the application subsystem when the application subsystem is started currently, the current starting time, the machine code information of the server and the IP address are obtained as first authentication information; obtaining ciphertext content in a license certificate of a server, decrypting the ciphertext content, and obtaining authentication information in the license certificate of the server as second authentication information; if the first authentication information meets the following conditions, determining that the authentication of the first authentication information is passed: the digital signature of the license client program file in the first authentication information is identical to the digital signature of the license client program file in the second authentication information; the current starting time is within the usable time range; the machine code information of the server is in the machine code set information; the IP address of the server is in the IP address set information; if the authentication is passed, the application subsystem is operated, the state of the license certificate is set to be a valid state, and the valid state is stored; if the digital signature of the license client program file in the first authentication information is not consistent with the digital signature of the license client program file in the second authentication information, at least one of the following operations is performed: setting the state of the license client program file in the first authentication information as a tampered state, and storing the tampered state; setting the state of the license certificate as an invalid state and storing the invalid state; and stopping running the application subsystem. According to the embodiment of the application, the server deployed with the application subsystem authenticates the first authentication information according to the second authentication information corresponding to the server, wherein the authentication includes the authentication of the digital signature of the license client program file adopted by the application subsystem when the application subsystem is started currently, so that the operation and maintenance cost can be greatly reduced on the basis of ensuring the accuracy of an authentication result, and the application subsystem has good self-protection capability and tamper resistance.
On the basis of the above embodiment, the state of the license of the entire distributed system is considered to be synchronously controlled, so that, optionally, an application subsystem set corresponding to the IP address is determined according to the IP address set information; determining a target application subsystem from an application subsystem set through a preset main selection algorithm, wherein the preset main selection algorithm is used for determining a leading node and a following node from a server cluster deployed with the application subsystem, and realizing consensus through a leading method; the method comprises the steps of determining a server deployed with a target application subsystem as a leading node, determining servers deployed with other application subsystems as following nodes, wherein the leading node is used for managing the state of a license certificate, synchronizing the state of the license certificate to the following nodes, and the following nodes are used for synchronizing the state of the license certificate from the leading node so as to control the running state of the application subsystem deployed on the following nodes according to the state of the license certificate.
Illustratively, the pre-selected dominant algorithm is, for example, a Raft algorithm (a consensus algorithm). The second authentication information includes IP address set information of the server, so that an application subsystem set corresponding to the IP address can be determined according to the IP address set information of the server, and network communication can be established between the application subsystems. And determining a target application subsystem from the application subsystem set through a Raft algorithm, further determining that a server deployed with the target application subsystem is a leading node, and determining that servers deployed with other application subsystems are trailing nodes. For the specific usage of the Raft algorithm, reference may be made to the related art, and details are not repeated here. The leader node is responsible for data synchronization in a built-in database, namely, managing the state of the license, and synchronizing the state of the license to the following node; the follower node synchronizes the state of the license from the leader node to control the running state of the application subsystem deployed on the follower node according to the state of the license.
Fig. 4 is a flowchart of a method for controlling a status of a license credential by a leader node according to an embodiment of the present application. Based on the above embodiments, the embodiments of the present application further describe how the leader node controls the status of the license ticket. As shown in fig. 4, the method of the embodiment of the present application may include:
s401, sending a heartbeat detection message to the following node.
Illustratively, the leader node sends heartbeat detection messages to the follower nodes at intervals based on a Raft algorithm to inform the follower nodes of their own presence and to determine if the follower nodes are online.
S402, if a response message corresponding to the heartbeat detection message is received, determining that a following node corresponding to the response message is an online node.
In the step, after sending the heartbeat detection message to the following node, if a response message corresponding to the heartbeat detection message is received, the response message is sent by the corresponding following node after determining that the state of the license certificate is in a valid state, and then the following node corresponding to the response message is determined to be an online node.
S403, if the online proportion of the online node is determined to be greater than the online threshold, setting the state of the license in the server to be a valid state, and synchronizing the valid state of the license to the following node so that the following node runs an application subsystem deployed on the following node.
Illustratively, the online threshold is, for example, 50%. After determining the online nodes contained in the distributed system, the online proportion of the online nodes can be determined according to the number of the online nodes. If the online proportion of the online nodes is determined to be greater than 50%, the state of the license in the server is set to be a valid state, and the valid state of the license is synchronized to all following nodes, so that the following nodes run application subsystems deployed on the following nodes, namely the distributed system runs normally.
S404, if the online proportion is smaller than or equal to the online threshold, setting the state of the license in the server as an invalid state, and synchronizing the invalid state of the license to the following node so that the following node stops running the application subsystem deployed on the following node.
Illustratively, the online threshold is, for example, 50%. After the online proportion of the online node is obtained, if the online proportion is determined to be smaller than or equal to the online threshold, setting the state of the license certificate in the server as an invalid state, and synchronizing the invalid state of the license certificate to all following nodes so that the following nodes stop running the application subsystem deployed on the following nodes, namely stopping the normal running of the distributed system.
S405, if the response message contains information that the state of the license client program file is a tampered state, setting the state of the license certificate in the server as an invalid state, and synchronizing the invalid state of the license certificate to the following node so that the following node stops running an application subsystem deployed on the following node.
Illustratively, based on the step S307 described above, if the following node determines that the digital signature of the license client program file in the first authentication information is inconsistent with the digital signature of the license client program file in the second authentication information, then upon receiving the heartbeat detection message sent by the leader node, the following node adds the tamper status to the response message. Correspondingly, after receiving the response message, if the response message contains information that the state of the license client program file is a tampered state, the tampered state is stored in a built-in database in a lasting mode, the state of the license certificate in the server is set to be an invalid state, and the invalid state of the license certificate is synchronized to the following node, so that the following node stops running an application subsystem deployed on the following node.
It should be noted that, in the embodiment of the present application, the execution sequence of the step S403, the step S404, and the step S405 is not limited.
According to the method for controlling the state of the license by the leader node, the state of the license is uniformly managed by judging whether the online proportion of the follow node and the license client program file are tampered, so that a decentralization architecture is realized, and a uniform authentication server is not required to be additionally deployed.
The following are device embodiments of the present application, which may be used to perform method embodiments of the present application. For details not disclosed in the device embodiments of the present application, please refer to the method embodiments of the present application.
Fig. 5 is a schematic structural diagram of an authentication information processing apparatus according to an embodiment of the present application, which is applied to a server with an application subsystem deployed in a distributed system. As shown in fig. 5, the authentication information processing apparatus 500 of the embodiment of the present application includes: a first acquisition module 501, a second acquisition module 502, an authentication module 503, and a run module 504. Wherein:
the first obtaining module 501 is configured to obtain, when it is detected that the application subsystem is started, a digital signature of a license client program file adopted by the application subsystem when the application subsystem is currently started, a current start time, machine code information of the server, and an IP address as first authentication information, where the machine code information is a unique code corresponding to core hardware of the server.
The second obtaining module 502 is configured to obtain that the authentication information in the license certificate of the server is second authentication information, where the second authentication information includes a digital signature of the license client program file, a usable time range, machine code set information of the server, and IP address set information of the server.
And the authentication module 503 is configured to authenticate the first authentication information according to the second authentication information.
And the operation module 504 is configured to operate the application subsystem if the authentication is passed.
In some embodiments, the authentication module 503 may be specifically configured to: if the first authentication information meets the following conditions, determining that the authentication of the first authentication information is passed: the digital signature of the license client program file in the first authentication information is identical to the digital signature of the license client program file in the second authentication information; the current starting time is within the usable time range; the machine code information of the server is in the machine code set information; the IP address of the server is in the IP address set information.
Optionally, the authentication module 503 may be further configured to: if the authentication is passed, the state of the license is set to a valid state and the valid state is stored.
Optionally, the authentication module 503 may be further configured to: if the digital signature of the license client program file in the first authentication information is not consistent with the digital signature of the license client program file in the second authentication information, at least one of the following operations is performed: setting the state of the license client program file in the first authentication information as a tampered state, and storing the tampered state; setting the state of the license certificate as an invalid state and storing the invalid state; and stopping running the application subsystem.
In some embodiments, the second acquisition module 502 may be specifically configured to: acquiring ciphertext content in a license certificate of a server; decrypting the ciphertext content to obtain the second authentication information as authentication information in the license certificate of the server.
Optionally, the authentication information processing apparatus includes a generating module 505, configured to generate the license credential according to the digital signature of the license client program file included in the second authentication information, the usable time range, the machine code set information of the server, the IP address set information of the server, and a preset encryption algorithm.
In some embodiments, the authentication information processing apparatus further includes a determining module 506, configured to determine, according to the IP address set information, an application subsystem set corresponding to the IP address; determining a target application subsystem from an application subsystem set through a preset main selection algorithm, wherein the preset main selection algorithm is used for determining a leading node and a following node from a server cluster deployed with the application subsystem, and realizing consensus through a leading method; the method comprises the steps of determining a server deployed with a target application subsystem as a leading node, determining servers deployed with other application subsystems as following nodes, wherein the leading node is used for managing the state of a license certificate, synchronizing the state of the license certificate to the following nodes, and the following nodes are used for synchronizing the state of the license certificate from the leading node so as to control the running state of the application subsystem deployed on the following nodes according to the state of the license certificate.
In some embodiments, if the server is a leader node, the authentication information processing apparatus further includes a processing module 507 configured to send a heartbeat detection message to a following node; if a response message corresponding to the heartbeat detection message is received, determining that a following node corresponding to the response message is an online node; if the online proportion of the online node is determined to be greater than the online threshold, setting the state of the license in the server to be a valid state, and synchronizing the valid state of the license to the following node so that the following node runs an application subsystem deployed on the following node.
Optionally, the processing module 507 may be further configured to: if the online proportion is determined to be smaller than or equal to the online threshold value, the state of the license in the server is set to be the invalid state, and the invalid state of the license is synchronized to the following node, so that the following node stops running an application subsystem deployed on the following node.
Optionally, the processing module 507 may be further configured to: if the response message contains information that the state of the license client program file is a tampered state, setting the state of the license certificate in the server to be an invalid state, and synchronizing the invalid state of the license certificate to the following node so that the following node stops running an application subsystem deployed on the following node.
The device of the present embodiment may be used to execute the technical solution of any of the above-described method embodiments, and its implementation principle and technical effects are similar, and are not described herein again.
Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present application. The electronic device may be provided as a server or computer, for example. Referring to fig. 6, an electronic device 600 includes a processing component 601 that further includes one or more processors and memory resources represented by memory 602 for storing instructions, such as applications, executable by the processing component 601. The application program stored in the memory 602 may include one or more modules each corresponding to a set of instructions. Further, the processing component 601 is configured to execute instructions to perform any of the method embodiments described above.
The electronic device 600 may also include a power component 603 configured to perform power management of the electronic device 600, a wired or wireless network interface 604 configured to connect the electronic device 600 to a network, and an input output (I/O) interface 605. The electronic device 600 may operate based on an operating system stored in the memory 602, such as Windows Server, mac OS XTM, unixTM, linuxTM, freeBSDTM, or the like.
The application also provides a computer readable storage medium, in which computer executable instructions are stored, which when executed by a processor, implement the scheme of the authentication information processing method as above.
The present application also provides a computer program product comprising a computer program which, when executed by a processor, implements the aspects of the authentication information processing method as above.
The computer readable storage medium described above may be implemented by any type of volatile or non-volatile memory device or combination thereof, such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk, or optical disk. A readable storage medium can be any available medium that can be accessed by a general purpose or special purpose computer.
An exemplary readable storage medium is coupled to the processor such the processor can read information from, and write information to, the readable storage medium. In the alternative, the readable storage medium may be integral to the processor. The processor and the readable storage medium may reside in an application specific integrated circuit (Application Specific Integrated Circuits, ASIC). It is also possible that the processor and the readable storage medium are present in the authentication information processing apparatus as separate components.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the method embodiments described above may be performed by hardware associated with program instructions. The foregoing program may be stored in a computer readable storage medium. The program, when executed, performs steps including the method embodiments described above; and the aforementioned storage medium includes: various media that can store program code, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the corresponding technical solutions from the scope of the technical solutions of the embodiments of the present application.

Claims (13)

1. An authentication information processing method, which is applied to a server in which an application subsystem is deployed in a distributed system, comprising:
When the application subsystem is detected to be started, acquiring a digital signature of a license client program file adopted by the application subsystem when the application subsystem is started currently, current starting time, machine code information of the server and an Internet Protocol (IP) address as first authentication information, wherein the machine code information is a unique code corresponding to core hardware of the server;
acquiring authentication information in a license certificate of the server as second authentication information, wherein the second authentication information comprises a digital signature of a license client program file, a usable time range, machine code set information of the server and IP address set information of the server;
authenticating the first authentication information according to the second authentication information;
and if the authentication is passed, the application subsystem is operated.
2. The authentication information processing method according to claim 1, wherein the authenticating the first authentication information based on the second authentication information includes:
if the first authentication information meets the following conditions, determining that the authentication of the first authentication information is passed:
the digital signature of the license client program file in the first authentication information is consistent with the digital signature of the license client program file in the second authentication information;
The current starting time is within the usable time range;
the machine code information of the server is in the machine code set information;
the IP address of the server is in the IP address set information.
3. The authentication information processing method according to claim 2, characterized by further comprising:
and if the authentication is passed, setting the state of the license to be a valid state, and storing the valid state.
4. The authentication information processing method according to claim 2, characterized by further comprising:
if the digital signature of the license client program file in the first authentication information is inconsistent with the digital signature of the license client program file in the second authentication information, at least one of the following operations is executed:
setting the state of the license client program file in the first authentication information as a tampered state, and storing the tampered state;
setting the state of the license to be an invalid state, and storing the invalid state;
and stopping running the application subsystem.
5. The authentication information processing method according to any one of claims 1 to 4, characterized in that the acquiring authentication information in the license certificate of the server is second authentication information, comprising:
Acquiring ciphertext content in a license certificate of the server;
decrypting the ciphertext content to obtain the authentication information in the license certificate of the server as second authentication information.
6. The authentication information processing method according to any one of claims 1 to 4, characterized in that the license certificate of the server is obtained by:
and generating the license certificate according to the digital signature of the license client program file, the usable time range, the machine code set information of the server, the IP address set information of the server and a preset encryption algorithm contained in the second authentication information.
7. The authentication information processing method according to any one of claims 1 to 4, characterized by further comprising:
determining an application subsystem set corresponding to the IP address according to the IP address set information;
determining a target application subsystem from the application subsystem set through a preset main selection algorithm, wherein the preset main selection algorithm is used for determining a leading node and a following node from a server cluster deployed with the application subsystem, and realizing consensus through a leading method;
the server deployed with the target application subsystem is determined to be a leading node, the servers deployed with other application subsystems are determined to be trailing nodes, wherein the leading node is used for managing the state of a license certificate and synchronizing the state of the license certificate to the trailing nodes, and the trailing nodes are used for synchronizing the state of the license certificate from the leading node so as to control the running state of the application subsystem deployed on the trailing nodes according to the state of the license certificate.
8. The authentication information processing method according to claim 7, further comprising, if the server is a leader node:
sending a heartbeat detection message to the following node;
if a response message corresponding to the heartbeat detection message is received, determining that a following node corresponding to the response message is an online node;
and if the online proportion of the online node is determined to be greater than an online threshold value, setting the state of the license in the server to be a valid state, and synchronizing the valid state of the license to the following node so that the following node runs an application subsystem deployed on the following node.
9. The authentication information processing method according to claim 8, characterized by further comprising:
and if the online proportion is determined to be smaller than or equal to an online threshold value, setting the state of the license certificate in the server as an invalid state, and synchronizing the invalid state of the license certificate to the following node so that the following node stops running an application subsystem deployed on the following node.
10. The authentication information processing method according to claim 8, characterized by further comprising:
If the response message contains information that the state of the license client program file is a tampered state, setting the state of the license certificate in the server as an invalid state, and synchronizing the invalid state of the license certificate to the following node so that the following node stops running an application subsystem deployed on the following node.
11. An authentication information processing apparatus applied to a server in which an application subsystem is disposed in a distributed system, comprising:
the first acquisition module is used for acquiring a digital signature of a license client program file adopted by the application subsystem when the application subsystem is started currently, the starting time currently, machine code information of the server and an Internet Protocol (IP) address as first authentication information when the application subsystem is detected to be started, wherein the machine code information is a unique code corresponding to core hardware of the server;
the second acquisition module is used for acquiring authentication information in the license certificate of the server as second authentication information, wherein the second authentication information comprises a digital signature of a license client program file, a usable time range, machine code set information of the server and IP address set information of the server;
The authentication module is used for authenticating the first authentication information according to the second authentication information;
and the operation module is used for operating the application subsystem if the authentication is passed.
12. An electronic device, comprising: a processor, and a memory communicatively coupled to the processor;
the memory stores computer-executable instructions;
the processor executes computer-executable instructions stored in the memory to implement the authentication information processing method according to any one of claims 1 to 10.
13. A computer-readable storage medium, in which computer program instructions are stored, which, when executed by a processor, implement the authentication information processing method according to any one of claims 1 to 10.
CN202210003932.6A 2022-01-04 2022-01-04 Authentication information processing method, device, equipment and storage medium Pending CN116432163A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210003932.6A CN116432163A (en) 2022-01-04 2022-01-04 Authentication information processing method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210003932.6A CN116432163A (en) 2022-01-04 2022-01-04 Authentication information processing method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116432163A true CN116432163A (en) 2023-07-14

Family

ID=87093096

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210003932.6A Pending CN116432163A (en) 2022-01-04 2022-01-04 Authentication information processing method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN116432163A (en)

Similar Documents

Publication Publication Date Title
JP5747981B2 (en) System and method for remote maintenance of multiple clients in an electronic network using virtual machines
CN112422532B (en) Service communication method, system and device and electronic equipment
US9867051B2 (en) System and method of verifying integrity of software
US8266684B2 (en) Tokenized resource access
CN111522809B (en) Data processing method, system and equipment
CN112257093B (en) Authentication method, terminal and storage medium for data object
CN112400169A (en) Identity management of software components through dynamic credentials based on one-time credential requests
CN112800393B (en) Authorization authentication method, software development kit generation method, device and electronic equipment
US20220006654A1 (en) Method to establish an application level ssl certificate hierarchy between master node and capacity nodes based on hardware level certificate hierarchy
US9948632B2 (en) Sharing data between sandboxed applications with certificates
CN110324315B (en) Off-line authentication system and method thereof
CN112261103A (en) Node access method and related equipment
CN114120498B (en) Method and related device for migrating data
JP2017183930A (en) Server management system, server device, server management method, and program
CN113282950B (en) Operation and maintenance method, device, equipment and system of encryption machine
CN115280718B (en) Method and system for secure private key distribution between authorized instances
CN116432163A (en) Authentication information processing method, device, equipment and storage medium
CN109688158B (en) Financial execution chain authentication method, electronic device and storage medium
CN108228219B (en) Method and device for verifying BIOS validity during in-band refreshing of BIOS
US10177918B2 (en) User permission check system
WO2018092289A1 (en) Information processing device
CN114329574B (en) Encrypted partition access control method and system based on domain management platform and computing equipment
US11526598B2 (en) Microcontroller and semiconductor device
CN117439771A (en) Identity authentication method and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination