CN116881865A - License generation method and system - Google Patents
License generation method and system
- Publication number: CN116881865A (CN202310990170.8A)
- Authority: CN (China)
- Prior art keywords: authorization, key, information, license, description information
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/105—Arrangements for software license management or administration, e.g. for managing licenses at corporate level
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2107—File encryption
Abstract
The application discloses a license generation method, which comprises the following steps: when online authorization is carried out, reading hardware information through software, and serializing the obtained hardware information to generate authorization description information; generating a key by using a symmetric encryption algorithm, and encrypting the authorization description information based on the key; generating a key pair by utilizing an asymmetric encryption algorithm, wherein the key pair comprises a public key and a private key, carrying out private key signature on the encrypted authorization description information through the private key to generate a digital signature, and combining the encrypted authorization description information and the digital signature to generate a license; when offline authorization is performed, reading the hardware information through software, and serializing the obtained hardware information to generate authorization description information; a key is generated using a symmetric encryption algorithm, and the authorization description information is encrypted based on the key to generate a license. The application can bind hardware information, and the software authorization can be more closely related to specific hardware equipment, thereby increasing the difficulty of cracking the authorization by an attacker.
Description
Technical Field
The application belongs to the technical field of computers, and particularly relates to a license generation method and a license generation system.
Background
With the rapid development of the internet, internet data is becoming more and more important. At present, some software must be authorized before it can be used, and generating a license for the software to be authorized is one mode of software authorization.
RSA and AES are commonly used encryption algorithms that provide powerful data encryption and decryption functions and can protect software authorization information from unauthorized users. Although software authorization schemes based on the RSA and AES algorithms provide higher security, there is still a potential risk of cracking. Hackers and reverse engineers may attempt to attack and crack the authorization scheme using various means. Thus, security needs to be comprehensively considered in designing and implementing software authorization schemes.
Therefore, the technical problem to be solved at present is how to increase the difficulty for an attacker of cracking the authorization, so that the authorization information cannot be used on other equipment even if it is stolen, thereby improving the security and protection capability of the software.
Disclosure of Invention
The present invention is directed to a license generation method that solves the above-mentioned problems of the prior art.
In order to achieve the above purpose, the present invention adopts the following technical scheme:
The invention provides a license generation method, which comprises the following steps:
when on-line authorization is performed, reading hardware information through software, and serializing the obtained hardware information to generate authorization description information, wherein the hardware information comprises CPU hardware information, memory information, BIOS information and main board information;
generating a key by using a symmetric encryption algorithm, and encrypting the authorization description information based on the key;
generating a key pair by utilizing an asymmetric encryption algorithm, wherein the key pair comprises a public key and a private key, carrying out private key signature on encrypted authorization description information through the private key to generate a digital signature, and combining the encrypted authorization description information and the digital signature to generate a license;
when offline authorization is performed, reading the hardware information through software, and serializing the obtained hardware information to generate the authorization description information;
generating a key using the symmetric encryption algorithm, encrypting the authorization description information based on the key to generate a license.
In some embodiments, signing the encrypted authorization description information with the private key to generate a digital signature includes:
converting the authorization description information into a text, file or digital digest according to the hash function;
and encrypting the text, file or digital digest with the private key to generate a unique digital signature.
In some embodiments, after online authorization to generate the license, a software authorization verification is further included, where the software authorization verification is used to verify the integrity, authenticity, and origin of the license when the software is running;
when online authorization is performed, the software authorization verification includes:
transmitting the authorization description information and the digital signature to an authorization server, wherein the authorization server decrypts the digital signature with the public key to obtain the original text, file or digital digest;
converting the authorization description information by using the hash function to generate a text, file or digital digest;
and comparing the obtained original text, file or digital digest with the text, file or digital digest generated by converting the authorization description information with the hash function, and if they match, the license is successfully verified.
In some embodiments, when the software authorization verification is completed, the method further comprises:
the authorization server obtains a decryption key, and the decryption key matches the key used to encrypt the authorization description information;
the authorization server divides the encrypted authorization description information into data blocks with fixed lengths;
the authorization server initializes a decryptor using a key and decrypts the data block based on the decryptor and the key;
the authorization server merges the decrypted data blocks into the original plaintext data.
In some embodiments, after merging the decrypted data blocks into the original plaintext data, the method further comprises:
verifying whether the hardware information matches the local machine currently used by the user side,
and if it matches, modifying the authorization description information, wherein the modification of the authorization description information is modification of a user-defined item, and the user-defined item is a function range, the expiration time or the user information.
In some embodiments, the method further comprises:
encrypting the changed authorization description information, carrying out private key signature on the changed authorization description information to generate a digital signature, and combining the changed encrypted authorization description information and the digital signature to regenerate a license;
and importing the regenerated license to a local machine of the user side through a network to complete online authorization.
In some embodiments, the method further comprises:
when offline authorization is performed, the generated license is stored in advance, authorization description information is copied to an authorization server through a dongle or a USB flash disk,
or directly generating a License through a License registration machine to complete offline authorization.
Correspondingly, the invention also provides a license generation system, which comprises:
the first authorization module is used for reading hardware information through software when online authorization is carried out, and serializing the obtained hardware information to generate authorization description information, wherein the hardware information comprises CPU hardware information, memory information, BIOS information and main board information;
the first encryption module is used for generating a key by utilizing a symmetric encryption algorithm and encrypting the authorization description information based on the key;
the generation module is used for generating a key pair by utilizing an asymmetric encryption algorithm, the key pair comprises a public key and a private key, the encrypted authorization description information is subjected to private key signature through the private key to generate a digital signature, and the encrypted authorization description information and the digital signature are combined to generate a license;
the second authorization module is used for reading the hardware information through software and serializing the obtained hardware information to generate the authorization description information when offline authorization is performed;
and the second encryption module is used for generating a key by utilizing the symmetric encryption algorithm, and encrypting the authorization description information based on the key to generate a license.
In some embodiments, the generating module is specifically configured to:
converting the authorization description information into a text, file or digital digest according to the hash function;
and encrypting the text, file or digital digest with the private key to generate a unique digital signature.
In some embodiments, the system further comprises a verification module for verifying the integrity, authenticity, and origin of the license when the software is running after online authorization to generate the license.
The beneficial effects are that:
1. Flexible license management: software authorization schemes built on multiple security algorithms allow for flexible license management. The license may contain various authorization information such as license terms, function restrictions, the number of users, etc. The developer may generate a license using the private key and the software may verify the legitimacy of the license using the public key.
2. Offline authorization verification is supported: the software authorization scheme based on the RSA+AES algorithms may support offline authorization verification, i.e. verifying the authorization information of the software without a network connection. Authorization information may be stored locally by encryption and verified using a public key.
3. Cross-platform: industrial hardware platforms are varied, such as CPUs of various instruction sets (x86, arm64, MIPS and the like) and operating systems such as Linux, Windows, VxWorks and the like, so software on different platforms can be ensured to use the same set of authorization and encryption strategies.
4. Cross-language: industrial software is varied, so the framework supports API designs for different languages, including C/C++, C#, Python, Golang, ST, LD, FBD and the like.
5. Various encryption strategies: a plurality of security algorithms are supported, such as AES encryption and decryption, RSA encryption and decryption, ECC key exchange, signature verification, Curve25519 key exchange, Curve25519 EdDSA signature verification and the like. This improves the safety of the whole system. Vulnerabilities or weaknesses of a single algorithm may be exploited by an attacker, but using multiple algorithms may increase the difficulty for the attacker. Even if one algorithm is problematic, the other algorithms can still provide protection. The scheme can also meet the adaptability and safety needs of various complex application scenarios.
6. Future extensibility: with the development of technology and the advancement of cryptanalysis, existing encryption algorithms may become insecure. By using a variety of security algorithms, provision can be made for future evolution and changes. In this way, the system can be easily migrated to a safer algorithm when needed without extensive modification.
7. Suits complex industrial sites: the security levels of industrial sites differ; for example, a site may not be networked, USB flash disks may not be carried in, external programs may not be installed, and the like. The authorization mode can be freely selected, for example, online authorization, USB flash disk copy authorization, dongle authorization, license register authorization, FB function block authorization and the like can be selected.
8. When the software authorization scheme is designed and implemented, security is comprehensively considered, and the software authorization can be more closely associated with specific hardware equipment through hardware information binding, so that the difficulty of cracking the authorization by an attacker is increased. Even if the authorization information is stolen, it cannot be used on other equipment, so that the safety and the protection capability of the software are improved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application, are incorporated in and constitute a part of this specification. The drawings and their description are illustrative of the application and are not to be construed as unduly limiting the application. In the drawings:
FIG. 1 is a schematic diagram of a license generation method according to an embodiment of the present application;
FIG. 2 is a flowchart of an online authorization provided by an embodiment of the present application;
FIG. 3 is a flowchart of an offline authorization provided by an embodiment of the present application;
FIG. 4 is a block diagram of a license generation system according to an embodiment of the present application.
Detailed Description
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the present application will be briefly described below with reference to the accompanying drawings and the description of the embodiments or the prior art, and it is obvious that the following description of the structure of the drawings is only some embodiments of the present application, and other drawings can be obtained according to these drawings without inventive effort to a person skilled in the art. It should be noted that the description of these examples is for aiding in understanding the present application, but is not intended to limit the present application.
It will be understood that, although the terms first, second, etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another element. For example, a first element could be termed a second element, and, similarly, a second element could be termed a first element, without departing from the scope of example embodiments of the present application.
It should be understood that the term "and/or", where it appears herein, merely describes an association between associated objects and means that three relationships may exist; e.g., A and/or B may represent: A alone, B alone, and both A and B. The term "/and", where it appears herein, describes another association between objects and means that two relationships may exist; e.g., A/and B may represent: A alone, and both A and B. In addition, the character "/", where it appears herein, generally indicates that the associated objects before and after it are in an "or" relationship.
Software and hardware cooperation: software-hardware collaboration (Hardware-Software Co-design) refers to a method for realizing system function and performance optimization by close collaboration between software and hardware in the system design process. The cooperation of software and hardware aims to improve the overall efficiency, reliability and expandability of the system.
Authorization: software license authorization refers to a software developer granting a user the rights and conditions to use software. License authorization specifies the manner, scope, and limitations in which a user can use software, as well as the rights and responsibilities of the developer. The following are some common types of software license authorization.
RSA encryption algorithm: the RSA encryption algorithm (named for the surname initials of its three proponents, Ron Rivest, Adi Shamir and Leonard Adleman) is an asymmetric encryption algorithm (public key encryption algorithm). The RSA encryption algorithm has a pair of keys, one being a public key and the other being a private key, the public key being used for encryption and the private key being used for decryption. Ciphertext encrypted with the public key can be decrypted, and the original plaintext obtained, only with the corresponding private key.
AES encryption algorithm: the AES (Advanced Encryption Standard) encryption algorithm, also known in cryptography as the Rijndael encryption algorithm, is a block encryption standard algorithm. The AES encryption algorithm was published by the National Institute of Standards and Technology (NIST) in FIPS PUB 197 on 11/26/2001 and became a valid standard on 5/26/2002. The AES encryption algorithm is now one of the most popular algorithms in symmetric key encryption.
ECC: ECC (Elliptic Curve Cryptography) is a public key encryption algorithm based on elliptic curves. It is one of the encryption algorithms commonly used in modern cryptography, and is used for realizing security functions such as encryption, key exchange, digital signature, etc. ECC is based on mathematical problems on elliptic curves, exploiting the characteristics of elliptic curves to achieve secure encryption and key exchange. Compared to the conventional RSA algorithm, ECC can use a shorter key length at the same security level, thereby providing higher efficiency and smaller storage space requirements.
Curve25519: Curve25519 is an elliptic curve used for key exchange and digital signature operations in elliptic curve cryptography. It was designed by Daniel J. Bernstein in 2005 and takes the form of a Montgomery curve. Curve25519 is named from the characteristics of its curve equation, where 255 represents the number of points on the curve. Curve25519 uses an elliptic curve over a prime field of the form $y^2 = x^3 + 486662x^2 + x$. This particular elliptic curve parameter selection aims at providing high safety and high performance.
Fig. 1 is a schematic structural diagram of a license generation method according to an embodiment of the present invention, including:
S201, when online authorization is performed, reading hardware information through software, and serializing the obtained hardware information to generate authorization description information, wherein the hardware information comprises CPU hardware information, memory information, BIOS information and main board information.
Specifically, the whole License generation framework mainly comprises two authorization modes, namely online authorization and offline authorization, and the roles are divided into an authorization server and a product machine. The software reads the related hardware information, including CPU hardware information, memory information, BIOS information and mainboard information. This information is non-repeating, and using it for hardware binding can improve the security of the system. The authorization description information is the serialized form of the acquired hardware information, and the data can be described in JSON, XML, YAML or protobuf.
S202, a key is generated by utilizing a symmetric encryption algorithm, and the authorization description information is encrypted based on the key.
Specifically, the symmetric encryption algorithm is the AES encryption algorithm, which is used to encrypt the authorization description information. By encrypting the authorization description information, an unauthorized person or system may be prevented from reading or modifying the sensitive data. Only authorized entities can decrypt and access the data. Some authorization description information may contain sensitive personal, business, or confidential data. By encryption, it can be ensured that these data are not illegally acquired or revealed during transmission.
It should be noted that the AES encryption algorithm is only one embodiment of the present application, and any manner of implementing the encryption authorization description information through the encryption algorithm falls within the protection scope of the present application.
S203, generating a key pair by utilizing an asymmetric encryption algorithm, wherein the key pair comprises a public key and a private key, carrying out private key signature on the encrypted authorization description information through the private key to generate a digital signature, and combining the encrypted authorization description information and the digital signature to generate a license.
In order to generate a unique digital signature, in a preferred embodiment of the present solution, signing the encrypted authorization description information with the private key to generate a digital signature comprises:
converting the authorization description information into a text, file or digital digest according to the hash function;
and encrypting the text, file or digital digest with the private key to generate a unique digital signature.
In particular, private key signing is the process of encrypting data using a private key to generate a digital signature. The authorization description information is converted into a text, file or digital digest according to the hash function, and the text, file or digital digest is encrypted with the private key to generate a unique digital signature. The encryption algorithm is typically an asymmetric encryption algorithm, such as RSA. The private key is used to encrypt the digital digest to generate a unique digital signature.
In order to verify the integrity, authenticity and origin of the license, in a preferred embodiment of the solution, after online authorization to generate the license, a software authorization verification is also included, which is used to verify the integrity, authenticity and origin of the license when the software is running.
When online authorization is performed, the software authorization verification includes:
transmitting the authorization description information and the digital signature to an authorization server, wherein the authorization server decrypts the digital signature with the public key to obtain the original text, file or digital digest;
converting the authorization description information by using the hash function to generate a text, file or digital digest;
and comparing the obtained original text, file or digital digest with the text, file or digital digest generated by converting the authorization description information with the hash function, and if they match, the license is successfully verified.
In particular, public key signature verification is the process of checking a digital signature in order to verify the integrity, authenticity and origin of data. It is the operation corresponding to private key signing.
The authorization server obtains a message containing the authorization description information and the digital signature, and obtains the public key paired with the digital signature. The public key is generated from the private key of the signer and widely distributed to all parties needing to verify the digital signature. The digital signature is decrypted using the public key to obtain the original text, file or digital digest. A text, file or digital digest is then generated from the received data using the hash function, which converts the data into a unique hash value of fixed length. The decrypted digital signature is compared with the generated text, file or digital digest. If the two match, the integrity and authenticity of the data are verified.
In order to decrypt the data, in a preferred embodiment of the present solution, after the software authorization verification is completed, the method further includes:
the authorization server obtains a decryption key, and the decryption key is matched with a key for encrypting the authorization description information;
the authorization server divides the encrypted authorization description information into data blocks with fixed lengths;
the authorization server initializes a decryptor using a key and decrypts the data block based on the decryptor and the key;
the authorization server merges the decrypted data blocks into the original plaintext data.
Specifically, decryption of data is performed by the AES encryption algorithm, which is a process of restoring encrypted data to original data by using the same key and the opposite algorithm. The correct decryption key is obtained, ensuring a match with the key used in the encryption. The encrypted data is divided into fixed-length blocks of data, typically 128 bits (16 bytes). The AES decryptor is initialized with the key. The decryptor needs to know the key to be used in order to decrypt the data correctly. The inverse AES algorithm, also known as inverse transform, is applied to each data block. This involves decrypting the data block using a decryptor and a key. If a specific encryption mode is used for encryption (e.g., ECB, CBC, CFB, OFB, etc.), the same encryption mode and Initialization Vector (IV) must be used during decryption. The decrypted data blocks are combined into the original plaintext data.
In order to modify the authorization description information, in a preferred embodiment of the present solution, after merging the decrypted data block into the original plaintext data, the method further includes:
verifying whether the hardware information matches the local machine currently used by the user side,
and if it matches, modifying the authorization description information, wherein the modification of the authorization description information is modification of a user-defined item, and the user-defined item is a function range, the expiration time or the user information.
Specifically, hardware information inspection: the content of the hardware information, such as CPU information, memory information, BIOS information and the like, is retrieved and checked for whether it matches the current local machine. Custom items such as the scope of functions used, expiration time, user information, etc. are then modified.
To accomplish the online authorization, in a preferred embodiment of the present solution, the method further comprises:
encrypting the changed authorization description information, carrying out private key signature on the changed authorization description information to generate a digital signature, combining the changed encrypted authorization description information and the digital signature to regenerate a license, and importing the regenerated license to a local machine of a user side through a network to complete online authorization.
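The online flow described above (S201 to S203, then signature verification, decryption and the hardware check) as an added Go example; it is not code from the patent. It assumes AES-256-GCM for the symmetric step and uses an Ed25519 signature (EdDSA is among the algorithms the application lists as supported) in place of RSA; all type names, field names and sample values are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Type and field names, and all sample values, are assumptions for this example.
type (
	Hardware    struct{ CPU, Memory, BIOS, Board string } // S201 fingerprint
	Description struct {
		Hardware Hardware
		Features []string // a user-defined item (function range)
	}
	License struct{ Sealed, Signature []byte } // nonce||ciphertext + signature
)

var (
	ErrSignature = errors.New("license: bad signature")
	ErrDecrypt   = errors.New("license: cannot decrypt")
	ErrHardware  = errors.New("license: hardware mismatch")
)

// Issue serializes the description, encrypts it (S202) and signs the ciphertext (S203).
func Issue(d Description, gcm cipher.AEAD, priv ed25519.PrivateKey) (*License, error) {
	plain, err := json.Marshal(d)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sealed := gcm.Seal(nonce, nonce, plain, nil) // nonce is prepended to the ciphertext
	return &License{sealed, ed25519.Sign(priv, sealed)}, nil
}

// Verify checks the signature before decrypting, then compares the embedded
// fingerprint with the machine the license is presented on.
func Verify(l *License, gcm cipher.AEAD, pub ed25519.PublicKey, local Hardware) (*Description, error) {
	if !ed25519.Verify(pub, l.Sealed, l.Signature) {
		return nil, ErrSignature
	}
	n := gcm.NonceSize()
	if len(l.Sealed) < n { // Open panics on a short nonce, so reject early
		return nil, ErrDecrypt
	}
	plain, err := gcm.Open(nil, l.Sealed[:n], l.Sealed[n:], nil)
	var d Description
	if err != nil || json.Unmarshal(plain, &d) != nil {
		return nil, ErrDecrypt
	}
	if d.Hardware != local {
		return nil, ErrHardware
	}
	return &d, nil
}

// Demo returns Verify's error for an intact license, a copy with one flipped
// bit, and the intact license presented on a machine with another mainboard.
func Demo() (out [3]error, err error) {
	key := make([]byte, 32) // AES-256 key
	if _, err = rand.Read(key); err != nil {
		return out, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return out, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return out, err
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	hw := Hardware{"cpu-0001", "16GiB", "bios-1.2", "board-42"} // constructed
	lic, err := Issue(Description{hw, []string{"runtime"}}, gcm, priv)
	if err != nil {
		return out, err
	}
	_, out[0] = Verify(lic, gcm, pub, hw)
	bad := License{append([]byte{}, lic.Sealed...), lic.Signature}
	bad.Sealed[len(bad.Sealed)-1] ^= 1
	_, out[1] = Verify(&bad, gcm, pub, hw)
	hw.Board = "board-99" // same license, different mainboard
	_, out[2] = Verify(lic, gcm, pub, hw)
	return out, nil
}

func main() { fmt.Println(Demo()) }
```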
S204, when offline authorization is performed, reading the hardware information through software, and serializing the acquired hardware information to generate the authorization description information.
S205, generating a key by using the symmetric encryption algorithm, and encrypting the authorization description information based on the key to generate a license.
To accomplish the offline authorization, in a preferred embodiment of the present solution, the method further comprises:
when offline authorization is performed, the generated license is stored in advance, authorization description information is copied to an authorization server through a dongle or a USB flash disk,
or directly generating a License through a License registration machine to complete offline authorization.
Specifically, offline authorization is substantially the same as online authorization, except that it does not require the signing and signature verification process; in this case the license or authorization information is typically generated and stored locally in advance, rather than generated in real time or dynamically. Thus, verifying an offline authorization does not use digital signatures or a signature verification mechanism to verify integrity and authenticity. When offline authorization is performed, the generated License is stored in advance, and the authorization description information is copied to an authorization server through a dongle or a USB flash drive, or the License is generated directly by a License registrar, so that offline authorization is completed.
The application adds three modes: USB dongle, USB flash drive and License registrar.
USB dongle: a USB dongle is a hardware device, typically in the form of a USB flash drive, that provides software authorization and data protection functions. It is used with software applications to ensure that only authorized users can access and use particular software. The USB dongle includes an internal encryption chip for storing license information and performing encryption operations. It ensures the legitimate use of software and the security of data through encryption algorithms and signature and verification mechanisms.
USB flash drive: a USB flash drive is a portable storage device that connects to a computer through a USB interface. In addition to conventional data storage and transfer functions, USB flash drives can also be used to store encrypted files, sensitive data, and protected software licenses. By storing license files or encrypted data on the USB flash drive, software authorization and data protection can be tied to a specific physical device to provide greater security and authorization control.
License registrar (License Generator): the License registrar is a tool for generating software licenses. It generates valid license keys, authorization files, or license codes according to specific license generation rules and algorithms. The registrar is typically used by a software developer to provide generated licenses to authorized users in order to control legitimate use of the software. The registrar may also include other functions such as license management, license renewal and tracking.
The License registrar needs to provide the following functions:
Standalone application: the License registrar may exist as a stand-alone application that a user runs to generate software licenses. Such registrars typically provide a user interface in which the user enters the necessary information (e.g., license type, license terms, user information, etc.) and then generate the corresponding license file or license code.
Command line tool: the License registrar may take the form of a command line tool, to which the user passes parameters to generate a License. This approach is suitable for integration into an automation script or batch process for batch license operations.
Library or API: the License registrar may exist as a library or API, and developers may call the related functions or methods from their own software to generate the License. This approach allows the developer to customize the logic and flow of license generation as desired.
IEC 61131-3 function block: the License registrar may be provided as an IEC 61131-3 function block, which industrial developers invoke to generate the License.
It should be noted that the present application supports multiple encryption strategies: a plurality of security algorithms are supported, such as AES encryption and decryption, RSA encryption and decryption, ECC key exchange and signature verification, Curve25519 key exchange, and Curve25519 EdDSA signature verification. This improves the security of the whole system. Vulnerabilities or weaknesses of a single algorithm may be exploited by an attacker, but using multiple algorithms increases the difficulty for the attacker. Even if one algorithm has a problem, the other algorithms can still provide protection. This also meets the adaptability and security requirements of various complex application scenarios.
The secure key exchange policy is used to ensure security during online authorization and to protect sensitive data. Such policies include the use of encryption, digital signatures, security protocols, authentication mechanisms, etc. to ensure confidentiality, integrity, and authentication of communications.
The security policy of the present application comprises:
1. ECC key exchange and signature verification
Implementing ECC key exchange and signature verification typically involves the steps of:
Selecting elliptic curve parameters: suitable elliptic curve parameters are selected, including the curve type, base point, modulus, etc. Common curve parameters can be found in the relevant documents or standards.
Generating a key pair: public and private key pairs are generated using the selected elliptic curve parameters. The private key should remain confidential, while the public key may be shared with others.
Key exchange or signature: depending on the application scenario, either a key is negotiated using an ECC key exchange algorithm (e.g., ECDH) or the data is signed using an ECC signature algorithm (e.g., ECDSA).
Key verification or signature verification: the received key is verified using the public key, or the received signature is verified using the public key. The verification process involves computation and comparison on the elliptic curve.
2. Curve25519 key exchange
Key exchange using Curve25519 can be performed as follows:
Key generation: both parties each generate a private key and a public key on the Curve25519 curve.
A 256-bit private key (i.e., a 32-byte random number) is randomly generated.
A point multiplication of the base point on the elliptic curve by the private key generates the corresponding public key.
Key exchange: both parties exchange their respective public keys.
Each party sends its own public key to the other party and receives the other party's public key.
Shared key calculation: each party uses the other party's public key and its own private key to calculate the shared secret key.
A point multiplication of the other party's public key by the party's own private key yields the shared secret key.
3. Curve25519 EdDSA signing and signature verification
Implementing Curve25519 EdDSA signing and verification typically involves the following steps:
Selecting the elliptic curve: Curve25519 is chosen as the base elliptic curve.
Key generation: public and private key pairs are generated using the selected elliptic curve parameters.
Signature generation: the digital signature is generated by executing the EdDSA signature algorithm using the private key and the data to be signed.
Signature verification: the validity of the digital signature is verified by executing the EdDSA verification algorithm using the public key, the signature and the data to be verified.
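The Curve25519 exchange and EdDSA verification steps above, combined in one added Go example (not code from the patent): the authorization server signs its ephemeral X25519 public key with a long-term Ed25519 key, and the product machine verifies that signature before computing the shared key. The message layout, the `license-kx-v1` label and the SHA-256 key derivation are assumptions made for the example; only the server is authenticated.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Offer is the server's ephemeral X25519 public key and an Ed25519 signature
// over it. The message layout is an assumption made for this example.
type Offer struct {
	Pub, Sig []byte
}

const label = "license-kx-v1" // constructed domain-separation label

// NewIdentity creates the server's long-term Ed25519 key pair.
func NewIdentity() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// signed prefixes the label so the signature cannot be reused in another context.
func signed(pub []byte) []byte { return append([]byte(label), pub...) }

// NewOffer is the server's first step: generate an ephemeral key, sign its public half.
func NewOffer(id ed25519.PrivateKey) (*ecdh.PrivateKey, Offer, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, Offer{}, err
	}
	pub := eph.PublicKey().Bytes()
	return eph, Offer{Pub: pub, Sig: ed25519.Sign(id, signed(pub))}, nil
}

// sessionKey binds the raw shared secret to both public keys (example KDF).
func sessionKey(shared, serverPub, clientPub []byte) [32]byte {
	in := append([]byte(label), shared...)
	in = append(in, serverPub...)
	return sha256.Sum256(append(in, clientPub...))
}

// Accept is the client side: verify the signature first, then run X25519.
// It returns the client's public key (to send back) and the session key.
func Accept(o Offer, serverID ed25519.PublicKey) ([]byte, [32]byte, error) {
	var none [32]byte
	if !ed25519.Verify(serverID, signed(o.Pub), o.Sig) {
		return nil, none, errors.New("offer signature invalid")
	}
	peer, err := ecdh.X25519().NewPublicKey(o.Pub)
	if err != nil {
		return nil, none, fmt.Errorf("server key: %w", err)
	}
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, none, err
	}
	shared, err := eph.ECDH(peer) // errors on an all-zero result (low-order point)
	if err != nil {
		return nil, none, fmt.Errorf("key agreement: %w", err)
	}
	pub := eph.PublicKey().Bytes()
	return pub, sessionKey(shared, o.Pub, pub), nil
}

// Finish is the server's second step, run on the client's public key.
func Finish(eph *ecdh.PrivateKey, clientPub []byte) ([32]byte, error) {
	peer, err := ecdh.X25519().NewPublicKey(clientPub)
	if err != nil {
		return [32]byte{}, fmt.Errorf("client key: %w", err)
	}
	shared, err := eph.ECDH(peer)
	if err != nil {
		return [32]byte{}, fmt.Errorf("key agreement: %w", err)
	}
	return sessionKey(shared, eph.PublicKey().Bytes(), clientPub), nil
}

func main() {
	idPub, idPriv, err := NewIdentity()
	if err != nil {
		panic(err)
	}
	eph, offer, err := NewOffer(idPriv)
	if err != nil {
		panic(err)
	}
	clientPub, kClient, err := Accept(offer, idPub)
	if err != nil {
		panic(err)
	}
	kServer, err := Finish(eph, clientPub)
	fmt.Println(kClient == kServer, err)
}
```

The `crypto/ecdh` package requires Go 1.20 or later. An offer whose public key was swapped in transit fails in `Accept` before any shared key is computed.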
The application has the following beneficial effects:
1. The security of the whole system is improved by combining multiple security algorithms with hardware binding; even if one algorithm has a problem, the other algorithms can still provide protection.
2. Scalability: new encryption algorithms can be added in the future with minimal changes.
3. Universality: the system offers a single framework, a unified API, and cross-language and cross-platform support.
4. Compatibility: the use of multiple security algorithms may provide better compatibility. Different systems and devices may support different encryption algorithms, and interoperability and compatibility in different environments can be ensured by using multiple algorithms.
5. Resistance to attacks: certain encryption algorithms may be threatened by certain types of attacks or new attack methods. By using multiple algorithms, the ability to resist various attacks can be increased. If one algorithm is attacked, another algorithm can provide an alternative to secure the data and system.
6. Diverse registration: different industrial sites have different security levels; authorized registration across all scenarios can be met, and generating licenses from the ST, FBD and LD languages is supported.
Example 2:
The whole License generation framework mainly comprises two authorization modes, namely online authorization and offline authorization, and the roles are divided into an authorization server and a product machine. The main functions include the following:
Service: the service operates the encryption hardware through the hardware interface and communicates with other hardware units to jointly operate the encryption hardware.
External library: an interface implementation provided to the developer.
Data requirements: for encryption and decryption, plaintext length not exceeding 7.5 KB and ciphertext length not exceeding 7.5 KB; for signature verification and the MAC algorithm, input plaintext not exceeding 15 KB.
Generating an RSA key pair: the public and private keys required by the RSA algorithm are generated. The private key is used for signing and decrypting and the public key is used for encrypting and verifying.
Acquiring hardware information: device information associated with the hardware device, such as a hardware serial number, a MAC address, a CPU model, etc., is acquired.
Generating authorization information: the format and content of the authorization information are defined, such as license terms, functional limitations and hardware information; the authorization information may be represented using JSON or another structured format.
Encrypting authorization information: the authorization information is encrypted using AES.
Digital signature: the encrypted authorization information is digitally signed using the RSA private key.
Generating an authorization file/license: the encrypted authorization information and the digital signature are combined into one file or license.
Software authorization verification: the legitimacy of the authorization file or license is verified while the software is running.
Authorization expiration checking: when verifying the authorization, the license terms in the authorization file or license are checked to determine whether the authorization has expired. If the authorization has expired, use of the software is restricted or the user is required to re-apply for authorization.
Hardware information verification: when verifying the authorization, the bound hardware information is compared with the hardware information of the current system. If the hardware information does not match, use of the software is restricted or the user is required to re-apply for authorization.
License generation: License = AesKey16 + AesEnc(data).Length + AesEnc(data) + RsaSign(AesEnc(data));
This means that the final generated license consists of four parts, concatenated in sequence.
AesKey16: this is a randomly generated 16-bit AES (Advanced Encryption Standard) key used for subsequent data encryption.
AesEnc(data).Length: this is the length of the authorization information (data) after AES encryption. The AES encryption algorithm encrypts the authorization information using the previously generated AES key.
AesEnc(data): this is the authorization information after AES encryption, encrypted using the previously generated AES key.
RsaSign(AesEnc(data)): this is the result of signing the AES-encrypted authorization information with the RSA private key. The RSA signature algorithm encrypts data using a private key so that the authenticity and integrity of the license can be verified.
This process of generating a license is a common way to ensure the security and integrity of the license by encrypting and signing sensitive data. The privacy of the authorization information is protected by AES encryption, and the authenticity of the license is verified by RSA signature. It should be noted that the specific implementation details may vary depending on the particular encryption library, algorithm, and system environment. In practical applications, each step may be performed using an appropriate encryption library and algorithm, and secure and reliable key generation, encryption, and signing processes are ensured.
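One way to build and verify the four-part license described above, as an added Go example (not the patent's implementation). Assumptions: `AesKey16` is read as a 16-byte AES-128 key, the length field is a 4-byte big-endian integer, `AesEnc` is AES-CTR with the IV prepended, `RsaSign` is RSA PKCS#1 v1.5 over SHA-256, and the JSON field names are constructed.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Auth is a constructed authorization description; its field names are assumptions.
type Auth struct {
	HardwareID string `json:"hardware_id"` // digest of CPU/BIOS/mainboard identifiers
	Expires    int64  `json:"expires"`     // expiration time, Unix seconds
}

const keyLen, ivLen, lenField = 16, 16, 4 // bytes: AES key, IV, big-endian length (assumed)
var ErrInvalid = errors.New("license invalid")

// NewSigningKey creates the issuer's RSA key pair (2048 bits is an assumption).
func NewSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// BuildLicense returns AesKey16 || len(ct) || ct || RsaSign(ct), ct = IV || AES-CTR(JSON).
func BuildLicense(a Auth, priv *rsa.PrivateKey) ([]byte, error) {
	pt, err := json.Marshal(a)
	if err != nil {
		return nil, err
	}
	hdr := keyLen + lenField + ivLen
	out := make([]byte, hdr+len(pt))
	if _, err := rand.Read(out[:hdr]); err != nil { // fresh key and IV in one read
		return nil, err
	}
	key, ct := out[:keyLen], out[keyLen+lenField:]
	binary.BigEndian.PutUint32(out[keyLen:], uint32(len(ct))) // overwrites the filler bytes
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	cipher.NewCTR(blk, ct[:ivLen]).XORKeyStream(ct[ivLen:], pt)
	digest := sha256.Sum256(ct)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return append(out, sig...), nil
}

// VerifyLicense checks the signature before decrypting, then hardware and expiry (now: Unix s).
func VerifyLicense(lic []byte, pub *rsa.PublicKey, hwID string, now int64) (*Auth, error) {
	if len(lic) < keyLen+lenField {
		return nil, fmt.Errorf("%w: truncated header", ErrInvalid)
	}
	n := int(binary.BigEndian.Uint32(lic[keyLen:]))
	body := lic[keyLen+lenField:]
	if n < ivLen || n > len(body) { // never slice on an unchecked length field
		return nil, fmt.Errorf("%w: bad length field", ErrInvalid)
	}
	ct, sig := body[:n], body[n:]
	digest := sha256.Sum256(ct)
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("%w: signature", ErrInvalid)
	}
	blk, err := aes.NewCipher(lic[:keyLen])
	if err != nil {
		return nil, err
	}
	pt := make([]byte, n-ivLen)
	cipher.NewCTR(blk, ct[:ivLen]).XORKeyStream(pt, ct[ivLen:])
	var a Auth
	if json.Unmarshal(pt, &a) != nil {
		return nil, fmt.Errorf("%w: payload", ErrInvalid)
	}
	if a.HardwareID != hwID {
		return nil, fmt.Errorf("%w: hardware mismatch", ErrInvalid)
	}
	if now >= a.Expires {
		return nil, fmt.Errorf("%w: expired", ErrInvalid)
	}
	return &a, nil
}

func main() {
	priv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	lic, err := BuildLicense(Auth{HardwareID: "hw-constructed", Expires: 4102444800}, priv)
	if err == nil {
		_, err = VerifyLicense(lic, &priv.PublicKey, "other-machine", 1700000000)
	}
	fmt.Println(err) // the license is well-formed but bound to different hardware
}
```

The signature covers only `AesEnc(data)`, so the embedded key and the length field are unauthenticated: the verifier checks the length before slicing and treats any decode failure after a valid signature as an invalid license. Because `AesKey16` travels inside the license, the RSA signature is what the verifier relies on for authenticity.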
Example 3
FIG. 2 is a flowchart of online authorization, specifically including:
1. Acquiring hardware information: the software reads the relevant hardware information, including CPU hardware information, memory information, BIOS information and mainboard information. This information is non-repeating, and using it for hardware binding can improve the security of the system.
2. Authorization description information: the obtained hardware information is serialized; the data can be described using formats such as JSON, XML, YAML or protobuf. Why the signature is performed twice.
3. Encrypting the authorization description information: by encrypting the authorization description information, an unauthorized person or system may be prevented from reading or modifying the sensitive data. Only authorized entities can decrypt and access the data. Some authorization description information may contain sensitive personal, business, or confidential data. Encryption ensures that these data are not illegally acquired or revealed during transmission.
4. Private key signature: private key signing is the process of encrypting data using a private key to generate a digital signature.
(1) Data preparation: first, the data to be signed (e.g., the authorization description information) is prepared. This may be any form of data, such as text, files or digital digests.
(2) Digital digest generation: to improve efficiency and security, a hash function (e.g., SHA-256) is typically used to generate a digital digest of the data. The hash function converts the data into a fixed-length unique hash value.
(3) Encrypted signature generation: next, the digital digest is encrypted using the private key of the signer, who holds the associated public key. The encryption typically uses an asymmetric encryption algorithm, such as RSA. The private key is used to encrypt the digital digest to generate a unique digital signature.
(4) Digital signature attachment: the generated digital signature is transmitted together with the original data. This means that the digital signature is tied to the data and cannot be used alone. It is common practice to append the digital signature to the end of the data.
5. License generation (final flow of the complete technical scheme of the invention)
6. Public key signature verification: public key signature verification is the process of verifying a digital signature in order to verify the integrity, authenticity and origin of the data. It is the operation corresponding to private key signing.
(1) Receive data and digital signature: the recipient obtains a message containing the data and the digital signature.
(2) Obtaining a public key: the receiver obtains a public key paired with the digital signature. The public key is generated by the private key of the signer and is widely distributed to the parties that need to verify the digital signature.
(3) Decrypting the signature: the digital signature is decrypted using the public key to obtain the original digital digest.
(4) Generating a data digest: a digital digest of the received data is generated using the same hash function. The hash function converts the data into a fixed-length unique hash value.
(5) Digital digest comparison: the digest obtained by decrypting the digital signature is compared with the generated digital digest. If the two match, the integrity and authenticity of the data are verified.
7. AES decryption: AES decryption is the process of restoring encrypted data to the original data by using the same key and the inverse algorithm.
(1) Preparing a key: the correct decryption key is obtained, ensuring that it matches the key used for encryption.
(2) Segmenting the data: the encrypted data is divided into fixed-length blocks of data, typically 128 bits (16 bytes).
(3) Initializing a decryptor: the AES decryptor is initialized with the key. The decryptor needs to know the key to be used in order to decrypt the data correctly.
(4) Decrypting the data blocks: the inverse AES algorithm, also known as the inverse transform, is applied to each data block. Each data block is decrypted using the decryptor and the key.
(5) Decryption mode: if a specific encryption mode was used for encryption (e.g., ECB, CBC, CFB, OFB, etc.), the same encryption mode and Initialization Vector (IV) must be used during decryption.
(6) Merging the data blocks: the decrypted data blocks are combined into the original plaintext data.
8. Hardware information checking: the content of the hardware information, such as CPU information, memory information and BIOS information, is retrieved and checked against the current machine.
9. Authorization information modification: modifying custom items such as scope of functions used, expiration time, user information, etc.
10. AES encryption:
(1) Preparing a key: an appropriate key is selected as input to the AES encryption algorithm. The key length may be 128 bits (16 bytes), 192 bits (24 bytes), or 256 bits (32 bytes). The security and randomness of the key must be ensured.
(2) Segmenting the data: the data to be encrypted is divided into fixed-length blocks of data, typically 128 bits (16 bytes). If the data length is not a multiple of 128 bits, padding is required to meet the block length requirement.
(3) Initializing an encryptor: the AES encryptor is initialized with the key. The encryptor needs to know the key to be used in order to perform the encryption operation.
(4) Encrypting a block of data: an AES algorithm, also known as AES transform, is applied to each data block. The data block is encrypted using an encryptor and a key.
(5) Encryption mode: an appropriate encryption mode is selected, such as ECB (electronic codebook mode), CBC (cipher block chaining mode), CFB (cipher feedback mode), OFB (output feedback mode), or the like. The encryption mode affects the dependency between data blocks and the uniqueness of the encryption result.
(6) Merging the data blocks: the encrypted data blocks are merged into the encrypted ciphertext data.
11. The private key signature is the same as in step 4.
12. License regeneration.
FIG. 3 is a flowchart of offline authorization, and the specific flow includes:
When offline authorization is performed, the generated License is stored in advance, and the authorization description information is copied to an authorization server through a dongle or a USB flash drive, or the License is generated directly by a License registrar, so that offline authorization is completed. Offline authorization is essentially the same as online authorization, except that it does not require the signing and signature verification process; in this case the license or authorization information is typically generated in advance and stored locally, rather than generated in real time or dynamically. Thus, verifying an offline authorization does not use digital signatures or a signature verification mechanism to verify integrity and authenticity. The remaining steps are the same as in the online authorization process.
FIG. 4 is a block diagram of a license generation system according to the present invention, including:
the first authorization module 401 is configured to read hardware information through software when performing online authorization, and serialize the obtained hardware information to generate authorization description information, where the hardware information includes CPU hardware information, memory information, BIOS information, and motherboard information;
a first encryption module 402, configured to generate a key by using a symmetric encryption algorithm, and encrypt the authorization description information based on the key;
A generating module 403, configured to generate a key pair using an asymmetric encryption algorithm, where the key pair includes a public key and a private key, perform private key signing on encrypted authorization description information by using the private key to generate a digital signature, and combine the encrypted authorization description information and the digital signature to generate a license;
the second authorization module 404 is configured to read the hardware information through software and serialize the obtained hardware information to generate the authorization description information when performing offline authorization;
a second encryption module 405 for generating a key using the symmetric encryption algorithm, and encrypting the authorization description information based on the key to generate a license.
Accordingly, in a specific application scenario, the generating module 403 is specifically configured to:
converting the authorization description information into a text, file or digital digest according to the hash function;
and encrypting the text, file or digital digest by using the private key to generate a unique digital signature.
Correspondingly, in a specific application scenario, the system further comprises a verification module, which is used for verifying the integrity, the authenticity and the source of the license when the software runs after the license is generated by online authorization.
Finally, it should be noted that: the foregoing description is only of the preferred embodiments of the invention and is not intended to limit the scope of the invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (10)
1. A license generation method, the method comprising:
when on-line authorization is performed, reading hardware information through software, and serializing the obtained hardware information to generate authorization description information, wherein the hardware information comprises CPU hardware information, memory information, BIOS information and main board information;
generating a key by using a symmetric encryption algorithm, and encrypting the authorization description information based on the key;
generating a key pair by utilizing an asymmetric encryption algorithm, wherein the key pair comprises a public key and a private key, carrying out private key signature on encrypted authorization description information through the private key to generate a digital signature, and combining the encrypted authorization description information and the digital signature to generate a license;
when offline authorization is performed, reading the hardware information through software, and serializing the obtained hardware information to generate the authorization description information;
Generating a key using the symmetric encryption algorithm, encrypting the authorization description information based on the key to generate a license.
2. The method of claim 1, wherein private key signing the encrypted authorization description information with the private key to generate a digital signature comprises:
converting the authorization description information into a text, file or digital digest according to the hash function;
and encrypting the text, file or digital digest by using the private key to generate a unique digital signature.
3. The method of claim 2, further comprising, after the online authorization to generate the license, a software authorization verification for verifying the integrity, authenticity, and origin of the license when the software is running,
when online authorization is performed, the software authorization verification includes:
transmitting the authorization description information and the digital signature to an authorization server, wherein the authorization server decrypts the digital signature through the public key to obtain the original text, file or digital digest;
converting the authorization description information by using the hash function to generate a text, file or digital digest;
and comparing the obtained original text, file or digital digest with the text, file or digital digest generated by converting the authorization description information by using the hash function, and if they match, the license is successfully verified.
4. A method according to claim 3, further comprising, after the software authorization verification is completed:
the authorization server obtains a decryption key, and the decryption key is matched with a key for encrypting the authorization description information;
the authorization server divides the encrypted authorization description information into data blocks with fixed lengths;
the authorization server initializes a decryptor using a key and decrypts the data block based on the decryptor and the key;
the authorization server merges the decrypted data blocks into the original plaintext data.
5. The method of claim 4, further comprising, after merging the decrypted data blocks into the original plaintext data:
verifying whether the hardware information matches the local machine currently used by the user side,
and if it matches, modifying the authorization description information, wherein the modification of the authorization description information is a modification of a user-defined item, and the user-defined item is a function range, an expiration time or user information.
6. The method of claim 5, wherein the method further comprises:
encrypting the changed authorization description information, carrying out private key signature on the changed authorization description information to generate a digital signature, and combining the changed encrypted authorization description information and the digital signature to regenerate a license;
and importing the regenerated license to a local machine of the user side through a network to complete online authorization.
7. The method according to claim 1, wherein the method further comprises:
when offline authorization is performed, the generated license is stored in advance, authorization description information is copied to an authorization server through a dongle or a USB flash disk,
or directly generating a License through a License registration machine to complete offline authorization.
8. A license generation system, comprising:
the first authorization module is used for reading hardware information through software when online authorization is carried out, and serializing the obtained hardware information to generate authorization description information, wherein the hardware information comprises CPU hardware information, memory information, BIOS information and main board information;
the first encryption module is used for generating a key by utilizing a symmetric encryption algorithm and encrypting the authorization description information based on the key;
The generation module is used for generating a key pair by utilizing an asymmetric encryption algorithm, the key pair comprises a public key and a private key, the encrypted authorization description information is subjected to private key signature through the private key to generate a digital signature, and the encrypted authorization description information and the digital signature are combined to generate a license;
the second authorization module is used for reading the hardware information through software and serializing the obtained hardware information to generate the authorization description information when offline authorization is performed;
and the second encryption module is used for generating a key by utilizing the symmetric encryption algorithm, and encrypting the authorization description information based on the key to generate a license.
9. The system according to claim 8, wherein the generating module is specifically configured to:
converting the authorization description information into a text, file or digital digest according to the hash function;
and encrypting the text, file or digital digest by using the private key to generate a unique digital signature.
10. The system of claim 8, further comprising a verification module for verifying the integrity, authenticity, and origin of the license when the software is running after the license is generated by the online authorization.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310990170.8A CN116881865A (en) | 2023-08-07 | 2023-08-07 | License generation method and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310990170.8A CN116881865A (en) | 2023-08-07 | 2023-08-07 | License generation method and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116881865A (en) | 2023-10-13 |
Family
ID=88266396
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310990170.8A Pending CN116881865A (en) | 2023-08-07 | 2023-08-07 | License generation method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116881865A (en) |
- 2023-08-07: CN application CN202310990170.8A (publication CN116881865A), active, Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||