CN117041966A - Subscription service authentication method and device and electronic equipment - Google Patents


Info

Publication number
CN117041966A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310983227.1A
Other languages
Chinese (zh)
Inventor
李佳栗
周鑫强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zero Beam Technology Co ltd
Original Assignee
Zero Beam Technology Co ltd

Classifications

    • H04W12/069 Authentication using certificates or pre-shared keys
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/40 Network security protocols
    • H04W12/106 Packet or message integrity
    • H04W4/40 Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The application provides a subscription service authentication method, a subscription service authentication device and electronic equipment, wherein the subscription service authentication method comprises the following steps: determining an index number corresponding to the target subscription service; determining a first target authentication file corresponding to the target subscription service according to the index number, wherein the first target authentication file is a pre-stored file which is used for verifying the validity of the target subscription service and is subjected to security processing; checking first authentication information corresponding to the first target authentication file; under the condition that the first authentication information passes verification, decrypting the first target authentication file to obtain a first initial authentication file; and authenticating the validity of the target subscription service according to the first initial authentication file. The validity of the target subscription service is checked through the first target authentication file stored in advance, so that illegal actions such as tampering, unauthorized use and the like of the target subscription service are effectively prevented. The first target authentication file is obtained through secure transmission, so that the security of the target subscription service in the whole life cycle is ensured.

Description

Subscription service authentication method and device and electronic equipment
Technical Field
The present application relates to the field of subscription service authentication technologies, and in particular, to a subscription service authentication method, device and electronic equipment.
Background
With the continuous development of vehicle functions, vehicles have changed from mechanical terminals delivered once into mobile terminals that can be iteratively upgraded, and the number of software subscription services on vehicles keeps growing. Many vehicle functions can now be offered to users as software subscription services, such as automatic driving, intelligent cabins and advanced Internet of Vehicles functions, and the corresponding function is unlocked through software subscription service authorization. In practice, the following problems are frequently encountered when software subscription services are used: functions of services that have not been subscribed to are used without authorization, the legitimate configuration of a software subscription service is copied, and the service period of a software subscription is tampered with. Conventional software subscription services therefore suffer from low security and are easy to tamper with.
Disclosure of Invention
The application provides a subscription service authentication method, a device, electronic equipment and a storage medium, which can acquire a first target authentication file corresponding to target subscription service in the use process of the target subscription service, and verify the validity of the target subscription service by utilizing the first target authentication file, so that the security of the target subscription service is improved.
In order to solve the above technical problem, in a first aspect, an embodiment of the present application provides a subscription service authentication method, which is applied to a first electronic device, and the method includes: determining an index number corresponding to the target subscription service; determining a first target authentication file corresponding to the target subscription service according to the index number, wherein the first target authentication file is a pre-stored file which is used for verifying the validity of the target subscription service and is subjected to security processing; checking first authentication information corresponding to the first target authentication file; under the condition that the first authentication information passes verification, decrypting the first target authentication file to obtain a first initial authentication file; and authenticating the validity of the target subscription service according to the first initial authentication file.
Based on this subscription service authentication method, when the first electronic device uses the target subscription service, the first target authentication file is first obtained from the first electronic device and the first authentication information corresponding to it is verified; if the first authentication information passes verification, the first initial authentication file is obtained; and the validity of the target subscription service is verified according to the first initial authentication file. The target subscription service can therefore be used only after its validity has been checked against the pre-stored first target authentication file and the check has passed. If the target subscription service has been tampered with or is being used without authorization, it fails the validity check against the first initial authentication file and cannot be used, which effectively prevents illegal actions such as tampering with and unauthorized use of the target subscription service. In addition, the validity of the target subscription service can be checked only if the corresponding first target authentication file is stored in the first electronic device. When a software subscription service is illegally copied, the copied target subscription service has no corresponding first target authentication file; the first target authentication file is also an encrypted file, and without the decryption key the validity check cannot be passed. The copied service therefore cannot be used, which ensures the security of the target subscription service.
Further, the first target authentication file is obtained through security processing and is finally stored in the first electronic device, so that the security of the first target authentication file is ensured, and the use security of the target subscription service is further ensured.
In a possible implementation of the first aspect, the first target authentication file is obtained as follows. A second target authentication file sent by the second electronic device is received and, if the second target authentication file meets the requirements, it is decrypted to obtain a second initial authentication file. The second target authentication file is obtained by the second electronic device encrypting a third initial authentication file with a first symmetric key; the third initial authentication file is the file corresponding to the target subscription service that the third electronic device sends to the second electronic device; and the third electronic device is an electronic device that includes a software mall. The second initial authentication file is then encrypted with the second symmetric key to obtain the first target authentication file.
In this implementation, the third initial authentication file corresponding to the target subscription service goes through several rounds of encryption, verification and decryption before the first target authentication file is obtained. This secure transmission process protects the third initial authentication file throughout its life cycle, and therefore protects the target subscription service throughout its life cycle.
In a possible implementation of the first aspect, obtaining the second target authentication file by the second electronic device encrypting the third initial authentication file with the first symmetric key includes: receiving the third initial authentication file corresponding to the target subscription service sent by the third electronic device, and generating a first random number as the first symmetric key; encrypting the third initial authentication file with the first symmetric key to obtain a first authentication file ciphertext; obtaining an authentication file header according to the target subscription service and the identification information of the first electronic device; and concatenating the first authentication file ciphertext and the authentication file header to obtain the second target authentication file.
In this implementation, the second electronic device generates a random number as the first symmetric key to encrypt the third initial authentication file; symmetric encryption speeds up encryption and decryption. The authentication file header is obtained according to the target subscription service and the identification information of the first electronic device, and the first authentication file ciphertext and the authentication file header are concatenated to obtain the second target authentication file. This ensures the integrity and legitimacy of the second target authentication file, and in turn of the first target authentication file derived from it, which effectively increases the security of the target subscription service.
In a possible implementation of the first aspect, receiving the second target authentication file includes: the first electronic device receives the second target authentication file only if the first electronic device and the second electronic device have passed mutual (two-way) identity authentication. This increases security while the second target authentication file is being sent.
In one possible implementation of the first aspect, the authentication file header includes a signature certificate, a signature and an authentication hash value, and the case that the second target authentication file meets the requirements includes that the second target authentication file has authenticity and integrity, and that a binding relationship between the second target authentication file and the first electronic device has validity; determining that the second target authentication file meets the requirements includes: verifying the signature certificate by utilizing a pre-stored root certificate to verify the validity of the second electronic equipment; under the condition that the second electronic equipment is legal, checking the signature and the authentication hash value; and under the condition that the signature and the authentication hash value pass verification, determining that the second target authentication file has authenticity and integrity and that the binding relationship between the second target authentication file and the first electronic equipment has validity.
In the implementation mode of the application, the signature certificate is checked by utilizing the pre-stored root certificate, the validity of the second electronic equipment is verified, and the safety of the second electronic equipment is ensured first. Under the condition that the second electronic equipment is legal, checking the signature and the authentication hash value in the authentication file header; and under the condition that the signature and the authentication hash value pass verification, determining that the second target authentication file has authenticity and integrity and that the binding relationship between the second target authentication file and the first electronic equipment has validity. Through multiple times of verification, the security of the second target authentication file is effectively increased, the integrity and the legality of the first target authentication file obtained through the second target authentication file are further ensured, and the security of the target subscription service is effectively increased.
In a possible implementation of the first aspect, decrypting the second target authentication file to obtain the second initial authentication file, in the case that the second target authentication file meets the requirements, includes: sending first decryption key acquisition request information to the second electronic device, where the first decryption key acquisition request information includes a first public key pre-stored in the first electronic device; receiving a first decryption key ciphertext that the second electronic device obtains according to the first decryption key acquisition request information; decrypting the first decryption key ciphertext with a pre-stored first private key to obtain a first decryption key; and decrypting the second target authentication file with the first decryption key to obtain the second initial authentication file. The first decryption key ciphertext is obtained by the second electronic device encrypting the first decryption key with the first public key.
In this implementation, the first decryption key is sent in encrypted form, which protects it in transit. The second initial authentication file can be obtained only by decrypting the second target authentication file with this securely delivered first decryption key. This increases the security of the second initial authentication file, and therefore of the first target authentication file derived from it, which effectively increases the security of the target subscription service.
In one possible implementation of the first aspect, sending the first decryption key acquisition request information to the second electronic device includes: generating first decryption key acquisition request data according to the second target authentication file, and signing the first decryption key acquisition request data by using a first private key to generate signed first decryption key acquisition request data; generating first decryption key acquisition request information according to the signed first decryption key acquisition request data and an identity certificate of the first electronic device, and sending the first decryption key acquisition request information to the second electronic device, wherein the identity certificate comprises the first public key.
In this implementation, the first decryption key acquisition request data is signed before the first decryption key acquisition request information is sent to the second electronic device. This increases the security of the first decryption key acquisition request information, and therefore of the process of obtaining the first decryption key, which effectively increases the security of the target subscription service.
In a possible implementation of the first aspect, the first authentication information includes a verification message code and an authentication hash value. Encrypting the second initial authentication file with the second symmetric key to obtain the first target authentication file includes: generating a second random number as the second symmetric key, and encrypting the second initial authentication file with the second symmetric key to obtain a second authentication file ciphertext; generating a third random number as a third key, and using the third key to obtain the verification message code corresponding to the second authentication file ciphertext; and obtaining the first target authentication file from the second authentication file ciphertext, the verification message code, the authentication hash value and the index number.
In this implementation, the second initial authentication file is encrypted with the second symmetric key to obtain the second authentication file ciphertext; symmetric encryption speeds up encryption and decryption of the second authentication file ciphertext. The verification message code corresponding to the second authentication file ciphertext is then obtained with the third key. Building the first target authentication file from the second authentication file ciphertext, the verification message code, the authentication hash value and the index number increases its security and integrity, which effectively increases the security of the target subscription service.
In a second aspect, an embodiment of the present application provides a subscription service authentication apparatus, applied to a first electronic device, configured to perform a subscription service authentication method described in the first aspect, where the apparatus includes:
the first processing module is used for determining an index number corresponding to the target subscription service; the second processing module is used for determining a first target authentication file corresponding to the target subscription service according to the index number, wherein the first target authentication file is a pre-stored file subjected to security processing for verifying the validity of the target subscription service; the third processing module is used for checking the first authentication information corresponding to the first target authentication file; the fourth processing module is used for decrypting the first target authentication file to obtain a first initial authentication file under the condition that the first authentication information passes verification; and the fifth processing module is used for authenticating the validity of the target subscription service according to the first initial authentication file.
In a third aspect, an embodiment of the present application provides an electronic device, including: a memory for storing a computer program, the computer program comprising program instructions; a processor configured to execute program instructions to cause an electronic device to perform the subscription service authentication method provided by the first aspect and/or any one of the possible implementation manners of the first aspect.
In a fourth aspect, an embodiment of the present application provides a computer readable storage medium storing a computer program comprising program instructions for execution by an electronic device to cause performance of a subscription service authentication method as provided by the above first aspect and/or any one of the possible implementations of the first aspect.
In a fifth aspect, an embodiment of the present application provides a computer program product comprising a computer program/instruction which, when executed by a processor, implements the subscription service authentication method provided by the first aspect and/or any one of the possible implementations of the first aspect.
The beneficial effects of the application are as follows:
When the subscription service authentication method provided by the application is used, the first target authentication file is first obtained from the first electronic device and the first authentication information corresponding to it is verified; if the first authentication information passes verification, the first initial authentication file is obtained; and the validity of the target subscription service is verified according to the first initial authentication file. The target subscription service can therefore be used only after its validity has been checked against the pre-stored first target authentication file and the check has passed. If the target subscription service has been tampered with or is being used without authorization, it fails the validity check against the first initial authentication file and cannot be used, which effectively prevents illegal actions such as tampering with and unauthorized use of the target subscription service. In addition, the validity of the target subscription service can be checked only if the corresponding first target authentication file is stored in the first electronic device. When a software subscription service is illegally copied, the copied target subscription service has no corresponding first target authentication file; the first target authentication file is also an encrypted file, and without the decryption key the validity check cannot be passed. The copied service therefore cannot be used, which ensures the security of the target subscription service.
Further, the first target authentication file is produced through security processing and is finally stored in the first electronic device, which protects the first target authentication file and therefore the secure use of the target subscription service.
Drawings
In order to more clearly illustrate the technical solution of the present application, the following description will briefly explain the drawings used in the description of the embodiments.
FIG. 1 is a flow diagram illustrating a subscription service authentication method, according to some implementations of the application;
FIG. 2 is a schematic flow diagram illustrating one process for obtaining a first target authentication file, according to some implementations of the application;
FIG. 3 is a schematic flow diagram illustrating one process for obtaining a second target authentication file, according to some implementations of the application;
FIG. 4 is a schematic flow diagram illustrating a process for determining that a second target authentication file is satisfactory, according to some implementations of the application;
FIG. 5 is a flow diagram illustrating a process for decrypting a second target authentication file to obtain a second initial authentication file, according to some implementations of the application;
FIG. 6 is a flow diagram illustrating an encryption process for a second initial authentication file using a second symmetric key to obtain a first target authentication file, according to some implementations of the application;
FIG. 7 is a schematic diagram illustrating the architecture of a security architecture, according to some implementations of the application;
FIG. 8 is a schematic diagram illustrating the structure of a subscription service authentication device, according to some implementations of the application;
FIG. 9 is a schematic diagram illustrating the structure of an electronic device, according to some implementations of the application.
Detailed Description
The technical scheme of the application will be described in further detail with reference to the accompanying drawings.
As described above, when software subscription services are used, the following problems are often encountered: functions of services that have not been subscribed to are used without authorization, the legitimate configuration of a software subscription service is copied, and the service period of a software subscription is tampered with. Conventional software subscription services therefore suffer from low security and are easy to tamper with.
Based on the above, the application provides a subscription service authentication method, which can acquire a corresponding first target authentication file in the process of using a target subscription service, and verify the validity of the target subscription service by using the first target authentication file, thereby increasing the security of the target subscription service.
Next, with reference to fig. 1 to fig. 7, the implementation process and advantages of the subscription service authentication method provided by the present application will be described in detail.
In one implementation of the present application, as shown in fig. 1, the subscription service authentication method is applied to a first electronic device, and includes the following steps:
S100: Determine the index number corresponding to the target subscription service.
S200: Determine the first target authentication file corresponding to the target subscription service according to the index number, where the first target authentication file is a pre-stored, security-processed file used to verify the validity of the target subscription service.
S300: Verify the first authentication information corresponding to the first target authentication file.
S400: If the first authentication information passes verification, decrypt the first target authentication file to obtain the first initial authentication file.
S500: Authenticate the validity of the target subscription service according to the first initial authentication file.
The first electronic device may be a vehicle, a vehicle-mounted computer corresponding to the vehicle, a mobile phone, a tablet, or the like, which can use a subscription service function.
When the subscription service authentication method provided by the application is used, the first target authentication file is first obtained from the first electronic device and the first authentication information corresponding to it is verified; if the first authentication information passes verification, the first initial authentication file is obtained; and the validity of the target subscription service is verified according to the first initial authentication file. The target subscription service can therefore be used only after its validity has been checked against the pre-stored first target authentication file and the check has passed. If the target subscription service has been tampered with or is being used without authorization, it fails the validity check against the first initial authentication file and cannot be used, which effectively prevents illegal actions such as tampering with and unauthorized use of the target subscription service. In addition, the validity of the target subscription service can be checked only if the corresponding first target authentication file is stored in the first electronic device. When a software subscription service is illegally copied, the copied target subscription service has no corresponding first target authentication file; the first target authentication file is also an encrypted file, and without the decryption key the validity check cannot be passed. The copied service therefore cannot be used, which ensures the security of the target subscription service.
Further, the first target authentication file is produced through security processing and is finally stored in the first electronic device, which protects the first target authentication file and therefore the secure use of the target subscription service.
First, the content of the index number corresponding to the target subscription service determined in step S100 will be described.
The target subscription service is the subscription service that is currently to be used, and the index number can be understood as identification information of the subscription service. A first electronic device typically has a large number of subscription services. Therefore, when the target subscription service is used, the index number of the current target subscription service must be known so that the information related to the target subscription service can be retrieved. When the first electronic device receives a command to use the target subscription service, the index number corresponding to the target subscription service can be obtained from a memory or the cloud according to the information of the target subscription service, and the index number can be extracted and sent from the vehicle end when the target subscription service is used.
Next, in step S200, the content of the first target authentication file corresponding to the target subscription service is determined according to the index number.
The first target authentication file is a file which is stored in advance by the first electronic equipment and is used for verifying the validity of the target subscription service and is subjected to security processing. In general, different subscription services have different corresponding first target authentication files, and the first target authentication files also include corresponding index number information, so that the first target authentication files corresponding to the target subscription services can be accurately obtained through the index numbers corresponding to the target subscription services.
The first target authentication file is obtained through secure transmission, which ensures the security and integrity of the first target authentication file. To increase the security of the transmission process, the file can be transmitted using multiple rounds of encryption and decryption.
Specifically, in one implementation of the present application, as shown in fig. 2, the first target authentication file is obtained by:
S201: Receive the second target authentication file sent by the second electronic device and, if the second target authentication file meets the requirements, decrypt the second target authentication file to obtain a second initial authentication file. The second target authentication file is obtained by the second electronic device encrypting a third initial authentication file with the first symmetric key; the third initial authentication file is the file corresponding to the target subscription service that the third electronic device sends to the second electronic device; and the third electronic device is an electronic device comprising a software mall.
S202: Encrypt the second initial authentication file using the second symmetric key to obtain the first target authentication file.
The second electronic device may be a server, a cloud, an electronic device corresponding to the trusted service platform, and the like. And the third electronic device is an electronic device comprising a software mall. The software mall refers to a platform responsible for generating and managing authentication files (authentication files may also be referred to as rights files) related to subscription services, and the authentication files refer to configuration files generated by the software mall after a user completes subscription services successfully (may also be referred to as function subscriptions) and used for enabling corresponding services (or referred to as functions) of the first electronic device.
The content of the first initial authentication file, the second initial authentication file and the third initial authentication file are the same, the third initial authentication file is the initial file generated by the software mall, the second initial authentication file is the file obtained by encrypting the third initial authentication file and then decrypting, and the first initial authentication file is the file obtained by encrypting the second initial authentication file and then decrypting.
And in the process of acquiring the first target authentication file, encrypting, checking and decrypting the third initial authentication file corresponding to the target subscription service for multiple times, and then acquiring the first target authentication file. The security transmission process ensures the security of the third initial authentication file in the whole life cycle process, and further ensures the security of the target subscription service in the whole life cycle process.
In one implementation manner of the present application, as shown in fig. 3, the second target authentication file is obtained by encrypting the third initial authentication file by the second electronic device using the first symmetric key, and includes the following steps:
S2011: Receive the third initial authentication file corresponding to the target subscription service sent by the third electronic device, and generate a first random number as the first symmetric key.
S2012: Encrypt the third initial authentication file using the first symmetric key to obtain a first authentication file ciphertext.
S2013: Obtain the authentication file header according to the target subscription service and the identification information of the first electronic device.
S2014: Splice the first authentication file ciphertext and the authentication file header to obtain the second target authentication file.
In one implementation manner of the present application, in order to ensure security, validity, etc. of the third initial authentication file, before the second electronic device communicates with the third electronic device, the second electronic device should first check the validity of the identity of the third electronic device (i.e. the software mall), and ensure that the third initial authentication file corresponding to the target subscription service sent by the third electronic device is obtained through communication after the identity check is passed.
The identification information of the first electronic device may then include information such as a signature of the first electronic device.
And after receiving the third initial authentication file synchronized by the third electronic device, the second electronic device generates a first random number as a first symmetric key, and symmetrically encrypts the third initial authentication file by using a standard national commercial cryptographic algorithm or an international cryptographic algorithm to obtain a first authentication file ciphertext. The third initial authentication file may be understood as an initial plaintext of an authentication file generated by the third electronic device according to the subscription service and used for authenticating the validity of the subscription service, where the third initial authentication file may include a package name, a service life, an authentication field, and other contents corresponding to the subscription service.
In particular, the second electronic device may generate the random number with a pseudo-random number generator; the key strength depends on the randomness of the random numbers that the generator produces.
The second electronic device then generates an authentication file header used for validity verification and assembles it with the first authentication file ciphertext to obtain the second target authentication file.
The symmetric encryption of the third initial authentication file mainly guarantees the confidentiality of the third initial authentication file, and each third initial authentication file corresponds to one symmetric key. Because the second electronic device generates a random number as the first symmetric key and encrypts the third initial authentication file symmetrically, encryption and decryption are fast. The authentication file header is obtained according to the target subscription service and the first electronic device, and the first authentication file ciphertext and the authentication file header are spliced to obtain the second target authentication file; this ensures the integrity and legality of the second target authentication file, and in turn of the first target authentication file obtained from it, and effectively increases the security of the target subscription service.
Further, in order to ensure confidentiality and security of the second target authentication file in the sending process, in one implementation manner of the present application, the first electronic device needs to receive the second target authentication file only when the two-way identity authentication is passed between the first electronic device and the second electronic device. The two-way identity authentication between the first electronic device and the second electronic device may be performed after the two-way identity authentication is performed, or may be performed at a time before the second target authentication file is sent, and the specific two-way identity authentication method may be any one of the existing two-way identity authentication methods, which is not described herein.
In one implementation of the present application, the authentication file header includes a signature certificate, a signature, and an authentication hash value, and the case that the second target authentication file meets the requirements includes that the second target authentication file has authenticity and integrity, and that the binding relationship between the second target authentication file and the first electronic device has validity.
Specifically, as shown in fig. 4, determining that the second target authentication file meets the requirements includes the following steps:
S2021: Verify the signature certificate using the pre-stored root certificate, thereby verifying the validity of the second electronic device.
S2022: If the second electronic device is legitimate, check the signature and the authentication hash value.
S2023: If the signature and the authentication hash value pass verification, determine that the second target authentication file has authenticity and integrity and that the binding relationship between the second target authentication file and the first electronic device has validity.
The authentication file header is obtained by the second electronic device according to the target subscription service and the first electronic device; specifically, the signature certificate in the authentication file header may be obtained by verifying and signing the public key, identity and other information stored in the second electronic device. After the first electronic device obtains the second target authentication file, it can verify the validity of the second electronic device according to the authentication file header in the second target authentication file and, if the second electronic device is legitimate, check the signature and the authentication hash value. If the signature and the authentication hash value pass verification, the authenticity and integrity of the second target authentication file are ensured, as is the legality of the binding relationship between the second target authentication file and the first electronic device.
Verifying the signature certificate with the pre-stored root certificate establishes the legitimacy of the second electronic device, so the security of the second electronic device is ensured first. If the second electronic device is legitimate, the signature and the authentication hash value in the authentication file header are checked, and if both pass, it is determined that the second target authentication file has authenticity and integrity and that the binding relationship between the second target authentication file and the first electronic device has validity. These multiple checks effectively increase the security of the second target authentication file, further ensure the integrity and legality of the first target authentication file obtained from the second target authentication file, and effectively increase the security of the target subscription service.
In one implementation of the present application, the authentication file header further includes an index number corresponding to the target subscription service, and the first target authentication file corresponding to the target subscription service is queried according to the index number.
Further, as shown in fig. 5, when the second target authentication file meets the requirements, decrypting the second target authentication file to obtain the second initial authentication file includes the following steps:
S2024: Send first decryption key acquisition request information to the second electronic device, wherein the first decryption key acquisition request information comprises a first public key pre-stored in the first electronic device.
S2025: Receive the first decryption key ciphertext that the second electronic device obtains according to the first decryption key acquisition request information, decrypt the first decryption key ciphertext using the pre-stored first private key to obtain the first decryption key, and decrypt the second target authentication file using the first decryption key to obtain the second initial authentication file.
The first decryption key ciphertext is obtained by encrypting the first decryption key by the second electronic equipment through the first public key.
The first public key and the first private key pre-stored in the first electronic device are a pair of encryption and decryption keys, and the data encrypted by the first public key can be decrypted by using the first private key to obtain the original data.
Further, the first decryption key is used for decrypting the second target authentication file, and the second target authentication file is obtained by encryption with the first symmetric key, so the first decryption key is identical to the first symmetric key, which increases the decryption speed.
The first decryption key is sent in encrypted form, which ensures its security during transmission. Decrypting the second target authentication file with the securely delivered first decryption key yields the second initial authentication file and increases the security of the second initial authentication file, so the security of the first target authentication file obtained from the second initial authentication file is also increased and the security of the target subscription service is effectively increased.
In order to increase the security of the first decryption key acquisition request information, in one implementation of the present application, the first electronic device sends the first decryption key acquisition request information to the second electronic device, including the steps of:
The first electronic device generates first decryption key acquisition request data according to the second target authentication file, and signs the first decryption key acquisition request data by using the first private key to generate signed first decryption key acquisition request data.
Generating first decryption key acquisition request information according to the signed first decryption key acquisition request data and an identity certificate of the first electronic device, and sending the first decryption key acquisition request information to the second electronic device, wherein the identity certificate comprises a first public key.
In order to fully ensure the security of the first decryption key acquisition request information, the first decryption key acquisition request data is signed by using a first private key, and the identity certificate of the first electronic device and the first decryption key acquisition request information are sent to the second electronic device together. The signing process may be performed on the first decryption key acquisition request data by adding a signature suffix to the first decryption key acquisition request data to generate signed first decryption key acquisition request data.
In one implementation manner of the present application, after receiving the first decryption key obtaining request information, the second electronic device should first check the validity of the identity certificate and the signature of the first electronic device, encrypt the first decryption key by using the first public key included in the identity certificate sent by the first electronic device after the verification is passed, obtain the ciphertext of the first decryption key, and send the first decryption key ciphertext to the first electronic device.
Before the first decryption key acquisition request information is sent to the second electronic device, the first decryption key acquisition request data is signed, which improves the security of the first decryption key acquisition request information, further improves the security of the first decryption key acquisition process, and effectively improves the security of the target subscription service.
In one implementation of the present application, the first authentication information includes a verification message code and an authentication hash value, as shown in fig. 6, and the second initial authentication file is encrypted by using a second symmetric key to obtain a first target authentication file, including the following steps:
S2031: Generate a second random number as the second symmetric key, and encrypt the second initial authentication file using the second symmetric key to obtain a second authentication file ciphertext.
S2032: Generate a third random number as a third key, and obtain the verification message code corresponding to the second authentication file ciphertext using the third key.
S2033: Obtain the first target authentication file according to the second authentication file ciphertext, the verification message code, the authentication hash value and the index number.
The first electronic equipment generates a second random number as a second symmetric key, and symmetrically encrypts the second initial authentication file by using a standard national commercial cryptographic algorithm or an international cryptographic algorithm to obtain a second authentication file ciphertext, so that the confidentiality of local storage of the second initial authentication file is ensured, and the storage file can be prevented from being illegally copied and used.
Further, the first electronic device generates a third random number as a third key for calculating the verification message code, and calculates the verification message code of the second authentication file ciphertext, so that the integrity of storage of the second authentication file ciphertext is ensured.
The second initial authentication file is encrypted using the second symmetric key to obtain the second authentication file ciphertext, and the symmetric encryption effectively increases the encryption and decryption speed. Further, the verification message code corresponding to the second authentication file ciphertext is obtained using the third key, and the first target authentication file is obtained from the second authentication file ciphertext, the verification message code, the authentication hash value and the index number; this increases the security and integrity of the obtained first target authentication file and effectively increases the security of the target subscription service.
Finally, steps S300-S500 are executed: the first authentication information corresponding to the first target authentication file is verified; if the first authentication information passes the verification, the first target authentication file is decrypted to obtain the first initial authentication file; and the validity of the target subscription service is authenticated according to the first initial authentication file.
When the first electronic equipment uses the target subscription service, the first electronic equipment acquires a first target authentication file according to the index number, after the first electronic equipment finishes verification of the stored verification message code and the authentication hash value, the first target authentication file is decrypted to acquire a first initial authentication file, and at the moment, the first initial authentication file can be used for enabling the target subscription service.
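An added sketch of the local storage steps S2031-S2033 and the read-time checks S300-S500 (example code, not taken from the patent). The `TrustedStore` class, the JSON rights-file layout, the authentication hash construction and the HMAC-SHA256 counter-mode cipher standing in for SM4/AES are assumptions made for the example, and all sample values are constructed.

```python
import hashlib
import hmac
import json
import secrets
from datetime import date

class AuthError(Exception):
    """Raised when a stored authentication file fails a check."""

def _keystream_xor(key, nonce, data):
    # Assumption: HMAC-SHA256 in counter mode stands in for the SM4/AES-class
    # cipher the page calls for, so the example runs on the standard library.
    stream = bytearray()
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def auth_hash_for(device_id, index_number):
    # Assumed construction: SHA-256 over length-prefixed device id and index
    # number. The page only says the hash binds the file to the vehicle/account.
    h = hashlib.sha256()
    for field in (device_id, index_number):
        raw = field.encode()
        h.update(len(raw).to_bytes(4, "big") + raw)
    return h.digest()

class TrustedStore:
    """Hypothetical stand-in for the trusted management module's secure storage."""

    def __init__(self, device_id):
        self.device_id = device_id
        self.records = {}  # index number -> first target authentication file
        self.keys = {}     # index number -> (second symmetric key, third key)

    def store(self, index_number, rights_plaintext, auth_hash):
        # S2031: fresh random second symmetric key, encrypt the rights file.
        enc_key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        blob = nonce + _keystream_xor(enc_key, nonce, rights_plaintext)
        # S2032: fresh random third key, MAC computed over the ciphertext.
        mac_key = secrets.token_bytes(32)
        mac = hmac.new(mac_key, blob, hashlib.sha256).digest()
        # S2033: assemble ciphertext, MAC, authentication hash and index number.
        self.records[index_number] = {"index": index_number, "ciphertext": blob,
                                      "mac": mac, "auth_hash": auth_hash}
        self.keys[index_number] = (enc_key, mac_key)

    def load(self, index_number):
        # S200: look up the stored file by index number.
        record, keys = self.records.get(index_number), self.keys.get(index_number)
        if record is None or keys is None:
            raise AuthError("no authentication file or key for this index number")
        enc_key, mac_key = keys
        # S300: check MAC and authentication hash before touching the ciphertext.
        expected = hmac.new(mac_key, record["ciphertext"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, record["mac"]):
            raise AuthError("MAC mismatch: stored ciphertext was modified")
        bound = auth_hash_for(self.device_id, index_number)
        if not hmac.compare_digest(bound, record["auth_hash"]):
            raise AuthError("authentication hash is not bound to this device")
        # S400: decrypt only after both checks pass.
        blob = record["ciphertext"]
        return _keystream_xor(enc_key, blob[:16], blob[16:])

def service_is_valid(rights_plaintext, package, today):
    # S500: the rights file must name this package and still be within its term.
    rights = json.loads(rights_plaintext)
    return rights["package"] == package and date.fromisoformat(rights["expires"]) >= today

def outcome(store, index_number):
    try:
        store.load(index_number)
        return "ok"
    except AuthError as err:
        return str(err)

def run_scenarios():
    # Constructed sample data: device ids, index number and rights file are made up.
    rights = json.dumps({"package": "com.example.seatheat", "expires": "2030-01-01"}).encode()
    car_a = TrustedStore("VIN-A-0001")
    car_a.store("app-42", rights, auth_hash_for("VIN-A-0001", "app-42"))
    results = {"genuine": service_is_valid(car_a.load("app-42"),
                                           "com.example.seatheat", date(2025, 1, 1))}
    # Record copied to another vehicle without its keys: nothing to decrypt with.
    car_b = TrustedStore("VIN-B-0002")
    car_b.records["app-42"] = dict(car_a.records["app-42"])
    results["copied_record"] = outcome(car_b, "app-42")
    # Record and keys both copied: the device binding check still fails.
    car_b.keys["app-42"] = car_a.keys["app-42"]
    results["copied_with_keys"] = outcome(car_b, "app-42")
    # One flipped ciphertext bit on the original vehicle.
    blob = bytearray(car_a.records["app-42"]["ciphertext"])
    blob[-1] ^= 0x01
    car_a.records["app-42"]["ciphertext"] = bytes(blob)
    results["tampered"] = outcome(car_a, "app-42")
    return results

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

On the page, the authentication hash arrives in the header whose signature was verified in S2021-S2023; the unkeyed hash here only illustrates the order and effect of the checks.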
In one implementation manner of the present application, when the authentication of the first target authentication file or the issuing of the third initial authentication file is unsuccessful, the second electronic device is required to acquire the third initial authentication file again from the third electronic device, and then the encryption, decryption and verification operations of the third initial authentication file are performed.
Next, in one implementation of the present application, as shown in fig. 7, the implementation process of the subscription service authentication method provided by the present application is described in detail using the corresponding security architecture as an example, in which the first electronic device is the vehicle end (which includes a trusted management module and a function validation module), the second electronic device is the device corresponding to the automobile software subscription trusted service platform, and the third electronic device is the device corresponding to the software mall.
The functions of the components of the security architecture will be described first.
The software mall is the platform responsible for generating and managing the rights file (as an example of the third initial authentication file) of a subscription function (i.e. subscription service); the rights file is the configuration file that the software mall generates after the user successfully completes the function subscription and that is used to enable the corresponding function at the vehicle end.
The automobile software subscription trusted service platform is mainly used for interfacing with all software malls and providing them with a unified interface for creating trusted rights files.
The automobile software subscription trusted service platform is also used for performing security operations such as encryption and signing on the rights files of the software mall, finally generating a trusted rights file (as an example of the second target authentication file), and is responsible for managing the symmetric keys, the signature certificates and the private keys corresponding to the signature certificates used for encryption and signing.
The automobile software subscription trusted service platform is also responsible for the secure issuing of trusted rights files and provides functions such as security authentication and verification for the vehicle end.
The trusted management module at the vehicle end is responsible for the secure download of trusted rights files, validity verification of trusted rights files, secure storage and management of trusted rights files, and the like.
The function validation module at the vehicle end is used for reading the rights file, enabling the subscription function, and the like.
Next, the processes of creating, issuing, verifying, storing and reading the trusted rights file in the subscription service authentication method provided by the application are described in detail.
First, the software subscription trusted service platform creates the trusted rights file.
The software subscription trusted service platform first checks the legitimacy of the identity of the software mall and communicates with the software mall only after the identity check has passed; the software mall then sends the generated rights file corresponding to the subscription function to the software subscription trusted service platform.
After receiving the rights file synchronized by the software mall, the software subscription trusted service platform generates a random number (as an example of a first random number) as a symmetric key (as an example of a first symmetric key), and performs symmetric encryption by using a standard national commercial cryptographic algorithm or an international cryptographic algorithm to obtain a rights file ciphertext (as an example of a first authentication file ciphertext), then generates an authentication file header for validity verification, assembles the rights file ciphertext, and obtains a trusted rights file (as an example of a second target authentication file).
The authentication file header includes a signature certificate, a signature, an authentication HASH value (HASH), an application index number (i.e., an index number), etc., where the signature certificate and the signature are used to verify the authenticity and integrity of the rights file, and the authentication HASH is used to verify the binding relationship between the rights file and the vehicle or the account number; the application index number is used for indexing the different subscription functions.
After the software subscription trusted service platform has created the trusted rights file, it issues the trusted rights file to the vehicle end.
Before the trusted rights file is issued, the cloud software subscription trusted service platform and the vehicle-end trusted management module perform bidirectional identity authentication, so that the trusted rights file is issued over a secure communication channel only after the identity authentication of both communicating parties has passed.
After receiving the trusted rights file, the vehicle end needs to verify it.
Specifically, the trusted management module at the vehicle end receives the trusted rights file and then verifies the signature certificate using the pre-embedded root certificate, thereby verifying the validity of the identity of the signing party (i.e. the software subscription trusted service platform). After the signature certificate passes verification, the authentication HASH and the signature are verified, so that the authenticity and integrity of the received trusted rights file and the legality of the binding relationship between the rights file and the vehicle or the account number are ensured.
If the received trusted rights file has authenticity and integrity and the binding relationship between the rights file and the vehicle or the account number is legitimate, the trusted management module initiates a rights file decryption key acquisition request (as an example of the first decryption key acquisition request information) to the software subscription trusted service platform. To fully ensure security, the request data is signed using the private key of the trusted management module (as an example of the first private key), and the identity certificate of the trusted management module is sent to the software subscription trusted service platform together with the request content.
After receiving the rights file decryption key acquisition request, the software subscription trusted service platform firstly verifies the validity of the identity certificate and the signature of the trusted management module, encrypts the decryption key (as an example of a first decryption key) by using a public key (as an example of a first public key) in the identity certificate of the trusted management module after the verification is passed, and sends a decryption key ciphertext (as an example of the first decryption key ciphertext) to the trusted management module.
After the trusted management module obtains the ciphertext of the decryption key, the decryption is performed by using a private key which is stored locally and safely to obtain the plaintext of the decryption key (namely the original decryption key), and then the ciphertext of the rights file in the trusted rights file is decrypted by using the obtained plaintext of the decryption key to obtain the rights file.
After obtaining the rights file, the trusted management module stores it securely. The secure storage process mainly comprises the following steps: the trusted management module generates a random number (as an example of the second random number) as a symmetric key (as an example of the second symmetric key), and symmetrically encrypts the rights file using a standard national commercial cryptographic algorithm or an international cryptographic algorithm to obtain a rights file ciphertext (as an example of the second authentication file ciphertext).
The trusted management module then generates a random number (as an example of a third random number) as a key (as an example of a third key) for the calculation of the MAC (i.e., message authentication code) and calculates the MAC value of the rights file ciphertext, thereby ensuring the integrity of the rights file ciphertext storage. And finally, the trusted management module stores the rights file ciphertext, the MAC value, the authentication HASH obtained in the steps, the application index number and the like into a safe storage area for storage.
When the vehicle end uses the subscription function, the vehicle end obtains stored rights file ciphertext, MAC value, authentication HASH and other contents from the trusted management module according to the application index number, the trusted unlocking module (not shown in the figure) completes verification of the authentication HASH and the MAC value, decrypts the rights file ciphertext to obtain a rights file, and the function validating module uses the rights file for enabling the subscription function.
The security scheme designed for the processes of creating, issuing, verifying, storing and reading the trusted rights file ensures the security of the rights file throughout the life cycle of the subscription service, and thereby the security of the whole life cycle of the subscription service.
The subscription service authentication method provided by the application can also be called a trusted management scheme for software subscription services; it can support the access of various types of function subscription services and has a wide application range. The security scheme designed for the processes of creating, issuing, verifying, storing and reading the trusted rights file ensures the security of the whole life cycle of the subscription service and prevents illegal actions such as tampering and unauthorized use. Furthermore, the architecture consisting of the cloud automobile software subscription trusted service platform and the vehicle-end trusted management module realizes a decoupled design of the overall security scheme, separating security from service, so that the whole architecture is more flexible and more easily extended later.
In one implementation manner of the present application, the subscription service authentication method provided by the present application may also include the following steps:
1) After the user completes the function subscription, the software mall generates a rights file for enabling the vehicle-end function.
2) The software mall sends the generated rights file to the software subscription trusted service platform.
3) The software subscription trusted service platform produces the trusted rights file.
4) The software subscription trusted service platform issues the trusted rights file to the vehicle end through the secure communication channel.
5) The vehicle-end trusted management module verifies the legitimacy of the trusted rights file, requests the decryption key from the software subscription trusted service platform, and decrypts the rights file ciphertext to obtain the rights file plaintext.
6) The vehicle-end trusted management module stores the rights file securely.
7) When the vehicle end uses the subscription function, the trusted management verification module checks the stored rights file and then returns the rights file plaintext, which is used to enable the subscription function.
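The vehicle-end storage and read-back described above (steps 6 and 7, and the MAC and authentication HASH paragraphs before them), as an added example that is not code from the patent. It assumes the authentication HASH is SHA-256 over a vehicle identifier and the application index number, that both keys sit in the same secure area as the record, and it uses an HMAC-SHA256 keystream as a stand-in cipher; `TrustedStore`, `auth_hash` and all sample values are constructed.

```python
import hashlib
import hmac
import secrets


class RightsError(Exception):
    """Raised when a stored rights record fails a check; nothing is decrypted."""


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (HMAC-SHA256 in counter mode) so the example runs on the
    # standard library alone; a real module would use a vetted cipher such as AES.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)


def auth_hash(device_id: str, index: int) -> bytes:
    # Assumption: the authentication HASH binds the record to one vehicle and
    # one application index number.
    return hashlib.sha256(f"{device_id}|{index}".encode()).digest()


class TrustedStore:
    """Constructed model of the vehicle-end secure storage area."""

    def __init__(self, device_id: str):
        self.device_id = device_id
        self.records = {}  # application index number -> stored record

    def store(self, index: int, rights_plain: bytes, binding_hash: bytes) -> None:
        enc_key = secrets.token_bytes(32)  # second random number -> second symmetric key
        mac_key = secrets.token_bytes(32)  # third random number -> third key
        nonce = secrets.token_bytes(16)
        ciphertext = nonce + _xor_stream(enc_key, nonce, rights_plain)
        self.records[index] = {
            "ciphertext": ciphertext,
            "mac": hmac.new(mac_key, ciphertext, hashlib.sha256).digest(),
            "auth_hash": binding_hash,
            "enc_key": enc_key,  # assumption: keys are kept in the same secure area
            "mac_key": mac_key,
        }

    def unlock(self, index: int) -> bytes:
        """Check the authentication HASH and the MAC first; decrypt only if both pass."""
        rec = self.records.get(index)
        if rec is None:
            raise RightsError("no rights file stored for this index number")
        if not hmac.compare_digest(rec["auth_hash"], auth_hash(self.device_id, index)):
            raise RightsError("authentication HASH mismatch")
        expected = hmac.new(rec["mac_key"], rec["ciphertext"], hashlib.sha256).digest()
        if not hmac.compare_digest(rec["mac"], expected):
            raise RightsError("MAC mismatch")
        nonce, body = rec["ciphertext"][:16], rec["ciphertext"][16:]
        return _xor_stream(rec["enc_key"], nonce, body)


def try_unlock(store: TrustedStore, index: int) -> str:
    try:
        return "ok:" + store.unlock(index).decode()
    except RightsError as exc:
        return "rejected:" + str(exc)


def demo() -> dict:
    rights = b'{"feature":"seat_heating","expires":"2025-01-01"}'  # constructed sample
    car_a = TrustedStore("VEHICLE-A")
    car_a.store(7, rights, auth_hash("VEHICLE-A", 7))
    results = {"valid": try_unlock(car_a, 7), "unknown_index": try_unlock(car_a, 8)}

    # The whole stored record copied into another vehicle's storage.
    car_b = TrustedStore("VEHICLE-B")
    car_b.records[7] = dict(car_a.records[7])
    results["copied"] = try_unlock(car_b, 7)

    # One bit flipped in the stored ciphertext.
    tampered = bytearray(car_a.records[7]["ciphertext"])
    tampered[-1] ^= 0x01
    car_a.records[7]["ciphertext"] = bytes(tampered)
    results["tampered"] = try_unlock(car_a, 7)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Because the MAC is computed over the ciphertext, a modified record is rejected before any decryption takes place, which matches the check-then-decrypt order of the method.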
Referring to fig. 8, fig. 8 shows a subscription service authentication apparatus of the present application, applied to a first electronic device (e.g. a vehicle), the apparatus comprising:
The first processing module is used for determining the index number corresponding to the target subscription service.
The second processing module is used for determining a first target authentication file corresponding to the target subscription service according to the index number, wherein the first target authentication file is a pre-stored file which is used for verifying the validity of the target subscription service and is subjected to security processing.
The third processing module is used for checking the first authentication information corresponding to the first target authentication file.
The fourth processing module is used for decrypting the first target authentication file to obtain a first initial authentication file under the condition that the first authentication information passes verification.
The fifth processing module is used for authenticating the validity of the target subscription service according to the first initial authentication file.
The specific operation content that can be performed by each processing module refers to the subscription service authentication method corresponding to fig. 1. And, according to the specific operation steps of the subscription service authentication method, the subscription service authentication device may include more or less processing modules for processing the content in the subscription service authentication method.
When the subscription service authentication device uses the target subscription service, it first acquires a first target authentication file from the first electronic device and checks the first authentication information corresponding to the first target authentication file; if the first authentication information passes the check, a first initial authentication file is obtained, and the validity of the target subscription service is verified according to the first initial authentication file. Thus, the target subscription service can be used only if its validity has been checked by means of the pre-stored first target authentication file and the check has passed. If the target subscription service has been tampered with or is used without authorization, it cannot pass the validity check performed with the first initial authentication file and therefore cannot be used, so that illegal actions such as tampering with and unauthorized use of the target subscription service are effectively prevented. In addition, the validity of the target subscription service can be checked only if the first target authentication file corresponding to it is stored in the first electronic device. When the software subscription service is illegally copied, the copied target subscription service has no corresponding first target authentication file; moreover, the first target authentication file is an encrypted file whose decryption key is not available. The copy therefore cannot pass the validity check and cannot be used, which ensures the security of the target subscription service.
Further, the first target authentication file undergoes security processing while it is being obtained and before it is finally stored in the first electronic device, which ensures the security of the first target authentication file and, in turn, the security of using the target subscription service.
Specifically, the first processing module, the second processing module, the third processing module and the fourth processing module may be trusted management modules in the vehicle end, and the fifth processing module may be a function validation module in the vehicle end.
Referring to fig. 9, fig. 9 is a block diagram of an electronic device according to an embodiment of the present application. The electronic device can include one or more processors 1002, system control logic 1008 coupled to at least one of the processors 1002, system memory 1004 coupled to the system control logic 1008, non-volatile memory (NVM) 1006 coupled to the system control logic 1008, and a network interface 1010 coupled to the system control logic 1008.
The processor 1002 may include one or more single-core or multi-core processors. The processor 1002 may include any combination of general-purpose and special-purpose processors (e.g., graphics processor, application processor, baseband processor, etc.). In implementations herein, the processor 1002 may be configured to perform the subscription service authentication method described previously.
In some implementations, the system control logic 1008 may include any suitable interface controller to provide any suitable interface to at least one of the processors 1002 and/or any suitable device or component in communication with the system control logic 1008.
In some implementations, the system control logic 1008 may include one or more memory controllers to provide an interface to the system memory 1004. The system memory 1004 may be used for loading and storing data and/or instructions. The system memory 1004 of the electronic device can include any suitable volatile memory in some implementations, such as suitable dynamic random access memory (Dynamic Random Access Memory, DRAM).
NVM/memory 1006 may include one or more tangible, non-transitory computer-readable media for storing data and/or instructions. In some implementations, NVM/memory 1006 may include any suitable nonvolatile memory, such as flash memory, and/or any suitable nonvolatile storage device, such as at least one of a Hard Disk Drive (HDD), a Compact Disc (CD) drive, and a Digital Versatile Disc (DVD) drive.
NVM/memory 1006 may include a portion of a memory resource installed on an apparatus of an electronic device, or it may be accessed by, but not necessarily part of, the device. For example, NVM/memory 1006 may be accessed over a network via network interface 1010.
In particular, system memory 1004 and NVM/storage 1006 may each include a temporary copy and a permanent copy of instructions 1020. The instructions 1020 may include instructions that, when executed by at least one of the processors 1002, cause the electronic device to implement the aforementioned subscription service authentication method. In some implementations, instructions 1020, or hardware, firmware, and/or software components thereof, may additionally/alternatively be disposed in system control logic 1008, network interface 1010, and/or processor 1002.
The network interface 1010 may include a transceiver to provide a radio interface for the electronic device to communicate with any other suitable device (e.g., front end module, antenna, etc.) over one or more networks. In some implementations, the network interface 1010 may be integrated with other components of the electronic device. For example, the network interface 1010 may be integrated with at least one of the processor 1002, the system memory 1004, the NVM/storage 1006, and a firmware device (not shown) having instructions that, when executed by at least one of the processors 1002, implement the subscription service authentication method described previously.
The network interface 1010 may further include any suitable hardware and/or firmware to provide a multiple-input multiple-output radio interface. For example, network interface 1010 may be a network adapter, a wireless network adapter, a telephone modem, and/or a wireless modem.
In one implementation, at least one of the processors 1002 may be packaged together with logic for one or more controllers of the system control logic 1008 to form a System in a Package (SiP). In one implementation, at least one of the processors 1002 may be integrated on the same die with logic for one or more controllers of the system control logic 1008 to form a System on Chip (SoC).
The electronic device may further include: input/output (I/O) devices 1012. The I/O device 1012 may include a user interface to enable a user to interact with the electronic device; the design of the peripheral component interface enables the peripheral component to also interact with the electronic device. In some implementations, the electronic device further includes a sensor for determining at least one of environmental conditions and location information associated with the electronic device.
In some implementations, the user interface may include, but is not limited to, a display (e.g., a liquid crystal display, a touch screen display, etc.), a speaker, a microphone, one or more cameras (e.g., still image cameras and/or video cameras), a flashlight (e.g., light emitting diode flash), and a keyboard.
In some implementations, the peripheral component interface may include, but is not limited to, a non-volatile memory port, an audio jack, and a power interface.
In some implementations, the sensors may include, but are not limited to, gyroscopic sensors, accelerometers, proximity sensors, ambient light sensors, and positioning units. The positioning unit may also be part of the network interface 1010 or interact with the network interface 1010 to communicate with components of a positioning network, such as global positioning system (Global Positioning System, GPS) satellites.
It should be understood that the structure illustrated in the implementation of the present application does not constitute a specific limitation on the electronic device. In other implementations of the application, the electronic device may include more or fewer components than shown, or certain components may be combined, or certain components may be separated, or different arrangements of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
Program code may be applied to input instructions to perform the functions described herein and generate output information. The output information may be applied to one or more output devices in a known manner. For purposes of implementations of the application, a processing system includes any system having a processor such as, for example, a digital signal processor (Digital Signal Processor, DSP), microcontroller, application specific integrated circuit (Application Specific Integrated Circuit, ASIC), or microprocessor.
The program code may be implemented in a high level procedural or object oriented programming language to communicate with a processing system. Program code may also be implemented in assembly or machine language, if desired. Indeed, the mechanisms described herein are not limited in scope to any particular programming language. In either case, the language may be a compiled or interpreted language.
One or more aspects of at least one implementation may be implemented by representative instructions stored on a computer-readable storage medium, which represent various logic in a processor, which when read by a machine, cause the machine to fabricate logic to perform the techniques described herein. These representations, referred to as "IP cores," may be stored on a tangible computer readable storage medium and provided to a plurality of customers or production facilities for loading into the manufacturing machine that actually manufactures the logic or processor.
It should be noted that in the drawings, some structural or method features may be shown in a specific arrangement and/or order. However, it should be understood that such a particular arrangement and/or ordering may not be required. Rather, in some implementations, the features can be arranged in a different manner and/or order than shown in the illustrative drawings. Additionally, the inclusion of structural or methodological features in a particular figure is not meant to imply that such features are required in all implementations, and in some implementations, such features may not be included or may be combined with other features.
It should be noted that the terms "first," "second," and the like are used merely to distinguish between descriptions and should not be construed as indicating or implying relative importance.
It should be noted that in the drawings, some structural or method features may be shown in a specific arrangement and/or order. However, it should be understood that such a particular arrangement and/or ordering may not be required. Rather, in some embodiments, these features may be arranged in a different manner and/or order than shown in the illustrative figures. Additionally, the inclusion of structural or methodological features in a particular figure is not meant to imply that such features are required in all embodiments, and in some embodiments, may not be included or may be combined with other features.
While the application has been shown and described with reference to certain preferred embodiments thereof, it will be understood by those skilled in the art that the foregoing is a further detailed description of the application with reference to specific embodiments, and it is not intended to limit the practice of the application to those descriptions. Various changes in form and detail may be made therein by those skilled in the art, including a few simple inferences or alternatives, without departing from the spirit and scope of the present application.

Claims (10)

1. A subscription service authentication method, applied to a first electronic device, the method comprising:
determining an index number corresponding to the target subscription service;
determining a first target authentication file corresponding to the target subscription service according to the index number, wherein the first target authentication file is a pre-stored file subjected to security processing for verifying the validity of the target subscription service;
checking first authentication information corresponding to the first target authentication file;
under the condition that the first authentication information passes verification, decrypting the first target authentication file to obtain a first initial authentication file;
and authenticating the validity of the target subscription service according to the first initial authentication file.
2. The subscription service authentication method of claim 1, wherein the first target authentication file is obtained by:
receiving a second target authentication file sent by a second electronic device, and under the condition that the second target authentication file meets the requirement, decrypting the second target authentication file to obtain a second initial authentication file, wherein the second target authentication file is obtained by encrypting a third initial authentication file by the second electronic device through a first symmetric key, the third initial authentication file is a file corresponding to the target subscription service sent by the third electronic device to the second electronic device, and the third electronic device is an electronic device comprising a software mall;
and encrypting the second initial authentication file by using a second symmetric key to obtain the first target authentication file.
3. The subscription service authentication method according to claim 2, wherein the second target authentication file is obtained by encrypting a third initial authentication file by the second electronic device using a first symmetric key, and includes:
receiving the third initial authentication file corresponding to the target subscription service sent by the third electronic device, and generating a first random number as the first symmetric key;
encrypting the third initial authentication file by using the first symmetric key to obtain a first authentication file ciphertext;
obtaining an authentication file header according to the target subscription service and the identification information of the first electronic equipment;
and performing splicing processing on the first authentication file ciphertext and the authentication file header to obtain the second target authentication file.
4. The subscription service authentication method of claim 3, wherein receiving the second target authentication file comprises:
and under the condition that the first electronic equipment and the second electronic equipment pass the bidirectional identity authentication, the first electronic equipment receives the second target authentication file.
5. The subscription service authentication method according to claim 3 or 4, wherein the authentication file header includes a signature certificate, a signature, and an authentication hash value, the case where the second target authentication file meets the requirements includes that the second target authentication file has authenticity and integrity, that the binding relationship between the second target authentication file and the first electronic device has validity, and determining that the second target authentication file meets the requirements includes:
verifying the signature certificate by utilizing a pre-stored root certificate, and verifying the validity of the second electronic equipment;
under the condition that the second electronic equipment is legal, checking the signature and the authentication hash value;
and under the condition that the signature and the authentication hash value pass verification, determining that the second target authentication file has authenticity and integrity and that the binding relationship between the second target authentication file and the first electronic equipment has validity.
6. The subscription service authentication method according to claim 5, wherein, in the case where the second target authentication file meets the requirement, performing decryption processing on the second target authentication file to obtain the second initial authentication file, includes:
sending first decryption key acquisition request information to the second electronic equipment, wherein the first decryption key acquisition request information comprises a first public key prestored in the first electronic equipment;
and receiving a first decryption key ciphertext obtained by the second electronic device according to the first decryption key acquisition request information, decrypting the first decryption key ciphertext by using a pre-stored first private key to obtain the first decryption key, and decrypting the second target authentication file by using the first decryption key to obtain the second initial authentication file, wherein the first decryption key ciphertext is obtained by the second electronic device encrypting the first decryption key by using the first public key.
7. The subscription service authentication method of claim 6, wherein transmitting first decryption key acquisition request information to the second electronic device comprises:
generating first decryption key acquisition request data according to the second target authentication file, and carrying out signature processing on the first decryption key acquisition request data by utilizing the first private key to generate signed first decryption key acquisition request data;
generating first decryption key acquisition request information according to the signed first decryption key acquisition request data and an identity certificate of the first electronic device, and sending the first decryption key acquisition request information to the second electronic device, wherein the identity certificate comprises the first public key.
8. The subscription service authentication method of claim 7, wherein the first authentication information comprises a verification message code and an authentication hash value; encrypting the second initial authentication file by using the second symmetric key to obtain the first target authentication file, wherein the method comprises the following steps:
generating a second random number as the second symmetric key, and encrypting the second initial authentication file by using the second symmetric key to obtain a second authentication file ciphertext;
generating a third random number as a third key, and obtaining the verification message code corresponding to the second authentication file ciphertext by using the third key;
and obtaining the first target authentication file according to the second authentication file ciphertext, the verification message code, the authentication hash value and the index number.
9. A subscription service authentication apparatus for use with a first electronic device, the apparatus comprising:
the first processing module is used for determining an index number corresponding to the target subscription service;
the second processing module is used for determining a first target authentication file corresponding to the target subscription service according to the index number, wherein the first target authentication file is a pre-stored file subjected to security processing for verifying the validity of the target subscription service;
the third processing module is used for checking the first authentication information corresponding to the first target authentication file;
the fourth processing module is used for decrypting the first target authentication file to obtain a first initial authentication file under the condition that the first authentication information passes verification;
and a fifth processing module, configured to authenticate validity of the target subscription service according to the first initial authentication file.
10. An electronic device, comprising:
a memory for storing a computer program, the computer program comprising program instructions;
a processor configured to execute the program instructions to cause the electronic device to perform the subscription service authentication method according to any one of claims 1-8.
CN202310983227.1A 2023-08-07 2023-08-07 Subscription service authentication method and device and electronic equipment Pending CN117041966A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310983227.1A CN117041966A (en) 2023-08-07 2023-08-07 Subscription service authentication method and device and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310983227.1A CN117041966A (en) 2023-08-07 2023-08-07 Subscription service authentication method and device and electronic equipment

Publications (1)

Publication Number Publication Date
CN117041966A true CN117041966A (en) 2023-11-10

Family

ID=88629238

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310983227.1A Pending CN117041966A (en) 2023-08-07 2023-08-07 Subscription service authentication method and device and electronic equipment

Country Status (1)

Country Link
CN (1) CN117041966A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination