CN117997546A

CN117997546A - License-based service deployment method and device and computer equipment

Info

Publication number: CN117997546A
Application number: CN202311870217.3A
Authority: CN
Inventors: 伊尚丰; 卜凡起; 郑航; 展兆建
Original assignee: Baweitong Technology Co ltd
Current assignee: Baweitong Technology Co ltd
Priority date: 2023-12-29
Filing date: 2023-12-29
Publication date: 2024-05-07

Abstract

The application discloses a service deployment method, a device and computer equipment based on a license, which are suitable for various service processing scenes with license application, such as scenes of loading a digital twin resource package or deploying digital twin service based on the license. In the specific implementation of the application, when the information volume carried by the license is large, the license generation and the license verification (or decryption) are carried out by combining asymmetric encryption and symmetric encryption, so that the license cracking difficulty is improved, the license generation efficiency is ensured, and the security and the processing efficiency of business processing are further improved. In addition, as for the secret key adopted in the license application process, the secret key is stored outside the information carried by the license, so that the license verification process can be realized in a traditional mode, the universality of the license application principle is ensured, and the license application principle can be further enabled to fall to a richer service deployment scene.

Description

License-based service deployment method and device and computer equipment

Technical Field

The present application relates to the field of digital encryption technologies and computer technologies, and in particular, to a license-based service deployment method, device, and computer equipment.

Background

In the process of developing business based on computer technology, development of a plurality of business functions (or business services) is generally involved, and some business functions may be functions that are commonly available in a plurality of business fields. Some service developers can encapsulate such service functions into a service which can be accessed from outside after developing the service functions, so that other objects can realize the development of the service functions by accessing the service. The process of accessing the service may also be referred to as a deployment process of the service.

In order to protect the copyright of the service developed by the service developer and reduce the potential safety hazard caused by service external supply, the service developer generally adopts a digital encryption technology to generate a deployment license based on various information approved by both parties when the service needs to be provided to other objects, so that the related objects can only deploy and apply the related service when the license is valid. However, in the current technical solution, the efficiency of generating the license mainly depends on the information amount of the information adopted when the license is generated, and in the case that the information amount is large, the efficiency of generating the license is generally low, which in turn results in low efficiency of service deployment. Therefore, how to improve service deployment efficiency and security of service providers in the service deployment scenario becomes an important research topic in the field of service development.

Disclosure of Invention

The embodiment of the application provides a license-based service deployment method, a license-based service deployment device and computer equipment, which can improve service deployment efficiency and security of a service provider under a service deployment scene.

In one aspect, an embodiment of the present application provides a license-based service deployment method applied to a service provider providing a target service, including:

Responding to a service deployment request of a service access party to a target service, and determining deployment indication information of the service access party, wherein the deployment indication information is used for indicating the target service and the application authority of the service access party in the target service;

Carrying out key mixed signature on the deployment indication information by adopting a symmetric key and an asymmetric encryption key generated by the service provider to obtain signature data of the service provider;

Acquiring an information ciphertext of the deployment indication information and a key ciphertext of the symmetric key, and generating a deployment license comprising the information ciphertext, the signature data and the key ciphertext; the information ciphertext is obtained by symmetrically encrypting the deployment indication information by adopting the symmetric key;

and sending the deployment license to the service access party so that the service access party deploys the target service based on the deployment license.

In still another aspect, an embodiment of the present application provides a license-based service deployment apparatus, including:

the response unit is used for responding to a service deployment request of a service access party to a target service, determining deployment indication information of the service access party, wherein the deployment indication information is used for indicating the target service and the application authority of the service access party in the target service;

an encryption unit, configured to perform a key mixed signature on the deployment indication information by using a symmetric key and an asymmetric encryption key generated by the service provider, to obtain signature data of the service provider;

the generation unit is used for acquiring the information ciphertext of the deployment indication information and the key ciphertext of the symmetric key and generating a deployment license comprising the information ciphertext, the signature data and the key ciphertext; the information ciphertext is obtained by symmetrically encrypting the deployment indication information by adopting the symmetric key;

And the sending unit is used for sending the deployment license to the service access party so that the service access party deploys the target service based on the deployment license.

In yet another aspect, an embodiment of the present application provides a computer apparatus, including:

A processor adapted to implement one or more computer programs;

a storage medium storing one or more computer programs adapted to be loaded by the processor and to perform the license-based service deployment method as in the first aspect.

In yet another aspect, an embodiment of the present application provides a storage medium storing one or more computer programs adapted to be loaded by a processor and to perform a license-based service deployment method as in the first aspect.

In the deployment license of the embodiment of the application, the signature data of the service provider and the information ciphertext of the deployment indication information of the service access party exist, the signature data of the service provider is obtained by carrying out key mixing on the deployment indication information of the service access party by combining a symmetric encryption technology and an asymmetric encryption technology, so that the forging difficulty of the signature data is improved, the cracking difficulty of the deployment license is further improved, the situation of license abuse caused by the leakage of the deployment license can be effectively reduced, and the security of the service provider and the target service is ensured. In addition, the information ciphertext is obtained by encrypting the deployment indication information by adopting a symmetric encryption technology, and the complexity of most of the current symmetric encryption algorithms is low, so that higher encryption efficiency can be maintained when the information volume is larger. Because the information needing to be encrypted under the license generation scene is complex and various, the corresponding information volume is unstable, the influence on the license generation efficiency caused by the information volume can be reduced or even eliminated by adopting a symmetrical encryption mode, so that the deployment license can keep higher generation efficiency, and the overall efficiency of service deployment is further improved.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings required for the description of the embodiments will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.

FIG. 1 is a schematic diagram of a service deployment system provided by an embodiment of the present application;

FIG. 2 is a schematic flow chart of a license-based service deployment method provided by an embodiment of the present application;

FIG. 3 is a schematic flow chart of yet another license-based service deployment method provided by an embodiment of the present application;

FIG. 4 is a schematic diagram of a license generation flow provided by an embodiment of the present application;

FIG. 5 is a schematic diagram of a license verification process according to an embodiment of the present application;

fig. 6 is a schematic structural diagram of a license-based service deployment apparatus according to an embodiment of the present application;

Fig. 7 is a schematic structural diagram of a service deployment device according to an embodiment of the present application.

Detailed Description

It should be noted in advance that, in order to enable those skilled in the art to better understand the technical solutions provided by the embodiments of the present application, the embodiments of the present application will be clearly and completely described in connection with one or more drawings. Moreover, the drawings shown in the embodiments of the present application are only exemplary, and for example, the execution sequence of each step in the drawings may be adaptively adjusted according to the actual application scenario. Furthermore, in the embodiments of the present application, the block diagrams, modules, and units shown in the drawings are only functional entities, not necessarily corresponding to physically separate entities, and each module or unit may be a part of an overall module or unit that includes the functions of the module or unit. That is, the term "module" or "unit" referred to in the embodiments of the present application refers to a computer program or a part of a computer program having a predetermined function, which may work together with other relevant parts to achieve a predetermined object, may be implemented in whole or in part by using software, hardware (such as a processing circuit or a memory), or a combination thereof, or may be implemented in different networks and/or processor devices and/or microcontroller devices. Also, a processor (or multiple processors or memories) may be used to implement one or more modules or units.

Specifically, the embodiment of the application provides a service deployment scheme aiming at each service deployment scene realized based on the license, and by adopting the technical scheme, the efficiency of a service access party in service deployment and the safety of a service provider can be improved. The service provider refers to an object for developing or managing one or more service services, and the service access party refers to an object for calling one of the service services to implement service processing. Alternatively, the objects referred to herein may include businesses, individuals, institutions, or the like. For ease of understanding, the following service provider is used to provide a target service, and the service access party is used to deploy the target service as an example to illustrate an embodiment of the present application. The main principle of this solution can then be as follows:

When providing a target service to a service access party, a service provider firstly acquires deployment indication information of the service access party, and carries out key mixed signature on the deployment indication information by adopting a mode of combining a symmetric encryption technology and an asymmetric encryption technology to obtain signature data of the service provider, and further generates a deployment license based on the signature data and the deployment indication information, wherein the deployment license at least comprises the signature data, an information ciphertext obtained by carrying out symmetric encryption on the deployment indication information and a key ciphertext of a symmetric key adopted by the symmetric encryption. Finally, the deployment license is sent to the service access party, so that the service access party can realize the deployment of the target service by presenting the deployment license to the service provider within the validity period of the deployment license.

The deployment indication information is mainly used for indicating application rights of a target service and a service access party in the target service, so that an association relationship exists between a deployment license and the service access party, signature data is generated by combining a symmetric encryption technology and an asymmetric encryption technology, the forging difficulty of the signature data is improved, the cracking difficulty of the deployment license is improved, the situation of license abuse caused by leakage of the deployment license can be effectively reduced, the safety of the service provider and the target service is improved, and the service rights of the service provider are protected.

In addition, the information volume of the deployment indication information generally changes along with the application scene of the deployment license or the service requirement of the service access object, and the information volume can influence the efficiency of data encryption, so that the generation efficiency of the information ciphertext is closely related to the information volume of the deployment indication information. Furthermore, signature data, key ciphertext and information ciphertext in the deployment license exist independently (namely, information fusion or information splicing does not exist), so that the verification process of the signature data can be independently executed according to a general principle, the threshold of the technical scheme in actual application is reduced, the learning cost of a service access party in deploying target service can be saved, and the overall efficiency of service deployment can be improved to a certain extent.

That is, by adopting the technical scheme, the safety of the target service and the service provider can be maintained, and the overall service deployment efficiency can be improved.

In one embodiment, the above technical solution may be applied to a service deployment system as shown in fig. 1. As shown in fig. 1, the system may include a service provider (hereinafter referred to as service provider 101) denoted as 101, n service access parties (hereinafter referred to as service access party 102) denoted as 102, and m clients (hereinafter referred to as clients 103) denoted as 103, where m and n are both positive integers. In this service deployment system, there is a communication connection between the service provider 101 and the service access party 102, and the service access party 102 can establish a communication connection with the client 103. It will be appreciated that the communication connection referred to herein may be a direct communication connection or an indirect communication connection, and may be a wireless communication connection or a wired communication connection, as embodiments of the present application are not limited in this respect.

In practical applications, the service provider 101 may refer to a computer device that has management authority on a target service, and is mainly used to provide the target service to the service access party 102 in the service deployment system. The service access party 102 may refer to a computer device that needs to implement a business process with a target service, which may invoke the target service through a communication connection with the service provider 101 after obtaining permission from the service provider 101. As an example, the service provider 101 may generate a dedicated deployment license for the service access party 102, such that the service access party 102 proves that it may be allowed to invoke the target service by presenting the deployment license within the validity period, and the deployment license is generated according to the principles mentioned in the above technical solution.

Wherein the service access party 102 may specifically invoke the target service after receiving a service handling request of the client 103. The client 103 is a computer program for providing a network service implemented based on a target service to each service object through a man-machine interaction, and may be run in various terminal devices such as a smart phone, a smart wearable device, a vehicle-mounted terminal, a portable computer, and a desktop computer. That is, in providing network services to a service object, the client 103 has service logic that needs to be implemented by the service access party 102 invoking a target service, and thus the service access party 102 may be regarded as a computer device for providing service support to the client 103.

Furthermore, the above mentioned computer devices may be single type devices or composite type devices, and may depend on the device performance in the specific application scenario, which is not limited herein. When a single type of device, the computer device may contain only a server or only a terminal device; in the case of a composite type device, the computer device may contain both a server and a terminal device. The server may be a physical server, or may be a virtual server (or called cloud server) for providing cloud service, and the terminal device may be a smart phone, an intelligent wearable device, a vehicle-mounted terminal, a portable computer, a desktop computer, or the like.

It should be noted in particular that, for convenience of explanation and ease of understanding, the service access party mentioned in the following embodiments refers to a computer device employed for accessing a target service, which is managed by the service access party, without specific explanation. Correspondingly, the service provider mentioned later refers to a computer device employed for providing the target service, which is managed by the service provider.

Referring to fig. 2, fig. 2 is a schematic flowchart of a license-based service deployment method specifically proposed based on the above technical principles, and the method may be performed by a computer device in a service provider. As shown in fig. 2, the method includes steps S201 to S204:

S201, in response to a service deployment request of a service access party to a target service, determining deployment indication information of the service access party, wherein the deployment indication information is used for indicating the target service and the application authority of the service access party in the target service.

In a specific embodiment, the deployment indication information may include service description information and authority description information. The service description information is used for uniquely indicating the target service, and can be specifically used for describing one or more characteristics of the name, the function, the application scene, the deployment requirement and the like of the target service. In practical application, the service description information may be obtained from a preset database by the service provider after receiving the service deployment request, where the database may store at least one or more service description information, and the one or more services include the target service. Alternatively, the service description information may be pre-added to the service deployment request by the service access party, which is not limited herein. It should be noted that the features described in the service description information may be features related to the service access party (such as features related to the service functions used by the service access party), or may be all features of the target service itself, which is not limited herein.

In addition, the rights description information is used to indicate the application rights of the service access party in the target service, and may be specifically used to indicate the application rights that the service access party applies for passing at the service provider, or to indicate the application rights that the service access party wants to apply for. In particular, the application rights may include, but are not limited to: (1) Functions that can be specifically invoked when a target service is invoked; (2) call duration and/or call type of each function; (3) Calling scenarios of the target service, such as device type, device identification, business scope, etc.

In one implementation, if the application permission indicated by the permission description information is an application permission that the service access party applies for passing at the service provider, the application permission may specifically be an application permission that the service provider grants to the service access party in a historical period. In this case, the service access party can send a service deployment request containing the rights description information, so that the service provider can directly obtain the rights description information from the service deployment request, and then quickly enter the next processing stage, thereby being beneficial to improving the overall efficiency of service deployment. In addition, the permission description information can also be obtained by inquiring a preset database after the service provider receives the service deployment request.

Of course, the application authority may also be an authority given by the service provider for the present deployment application, and in this case, the authority description information may be generated after the service provider performs authority authentication on the service access party. And optionally, in the process of carrying out authority authentication on the service access party, risk assessment can be carried out on the service access party so as to determine the authority range obtained by the authority authentication based on the risk assessment level, thereby preventing the potential safety hazard of the service access party to the service provider to a certain extent.

In still another implementation manner, if the application right indicated by the right description information is a right that the service access party wants to apply for, the service deployment request may still include the right description information. In this case, when the service provider generates the deployment license, the deployment license may mark the application right that is audited and passed in the right description information, so that the service access party invokes (or deploys) the target service only within the range of the authority that is audited and passed, thereby improving the security of the target service.

S202, a symmetric key and an asymmetric encryption key generated by a service provider are adopted to carry out key mixed signature on deployment indication information, and signature data of the service provider are obtained.

In one embodiment, the symmetric key and the asymmetric encryption key may be generated by the service provider in advance for the target service. In this case, the symmetric key and the asymmetric encryption key adopted by the service provider when responding to the service deployment request initiated by each service access party for the same target service are the same, so that the key data required to be maintained by the service provider can be effectively reduced, the service provider can put more energy and resources in the security maintenance process of the key data, and finally the purpose of improving the security of the target service is achieved.

In still another embodiment, the symmetric key and the asymmetric encryption key may be generated by the service provider aiming at the service access object, so that key data adopted when responding to service deployment requests initiated by different service access parties aiming at the target service are different, thus the difficulty of data cracking among the service access parties can be improved, isolation of the service access parties can be realized, and the security of the service access parties when accessing the target service can be effectively improved.

It should be noted that, when generating the asymmetric encryption key, the service provider correspondingly generates the asymmetric decryption key, and the asymmetric decryption key may be used to decrypt data encrypted by the asymmetric encryption key. In practical applications, the asymmetric encryption key used in generating the digital signature is typically a private key that is only managed by the service provider, while the asymmetric decryption key is typically a public key that is still managed by the service provider in the embodiment of the present application and is applied to the verification process of the signed data. The digital signature is performed by adopting the asymmetric encryption key and the symmetric key, so that the signature process combines two encryption technologies (namely the asymmetric encryption technology and the symmetric encryption technology), and the forging difficulty of signature data can be improved.

S203, acquiring an information ciphertext of deployment indication information and a key ciphertext of a symmetric key, and generating a deployment license comprising the information ciphertext, signature data and the key ciphertext; the information ciphertext is obtained by symmetrically encrypting the deployment indication information by adopting a symmetric key.

In a specific embodiment, the information ciphertext of the deployment indication information is obtained by symmetrically encrypting the deployment indication information by using a symmetric key by a service provider, and the encryption efficiency is high because the calculation amount corresponding to a symmetric encryption algorithm adopted by the symmetric encryption is usually small, so that the overall service deployment efficiency can be improved to a certain extent. In addition, the key ciphertext of the symmetric key can be obtained by encrypting the asymmetric encryption key, and the leakage probability of the symmetric key can be reduced by encrypting the symmetric key, so that the data confidentiality and the data security in the data transmission process (such as the transmission process of deploying a license) are improved.

In order to facilitate verification of signature data in the deployment license and acquisition of deployment indication information, the deployment license generated by the service provider can directly contain three data, namely, key ciphertext, information ciphertext and signature data. The data format of each item of data in the deployment license can be uniformly in json format. Because json is a data format independent of programming language and operating system, data in json format can be converted between different platforms and languages, so that different development teams (or projects) can be more easily realized for collaborative development in actual work, and development efficiency is improved. In addition, the json format data structure is very similar to the data structures of a plurality of programming languages, so that the difficulty of analyzing and operating json data on different platforms is lower, and a developer can more efficiently process the data.

S204, the deployment license is sent to the service access party, so that the service access party deploys the target service based on the deployment license.

In particular embodiments, the service access party may present the deployment license to the service provider when the target service needs to be deployed, such that the service provider determines whether to add the service access party in the service object of the target service by verifying the signature data in the deployment license. If the service provider adds the service access party in the service object of the target service after determining that the signature data is the signature data generated by the service provider, the service access party completes the deployment of the target service.

Referring to fig. 3, fig. 3 is a schematic flowchart of another license-based service deployment method according to an embodiment of the present application. The method is further presented on the basis of fig. 2, whereby the method can still be performed by the computer device involved in the method shown in fig. 2. As shown in fig. 3, the method includes steps S301-S306:

s301, in response to a service deployment request of a service access party to a target service, determining deployment indication information of the service access party, wherein the deployment indication information is used for indicating the target service and the application authority of the service access party in the target service.

In a specific embodiment, the implementation principle of step S301 may refer to the implementation manner related to step S201, which is not described herein. However, it should be noted that, in an actual application scenario, the service deployment request may further include a deployment type to be adopted by the service access party when the target service is deployed. The deployment types may include a publicized deployment type and a privately-owned deployment type, and the privately-owned deployment types may specifically include a dongle-based privately-owned deployment type and a license-based privately-owned deployment type.

In one implementation, the commonplace deployment type refers to: and establishing communication connection with equipment of the service provider for deploying the target service so as to realize the deployment type of direct calling of the target service. It can be appreciated that when the service access party adopts the public deployment type, the management authority of the target service only belongs to the service provider. The privately-arranged type refers to: the target service is migrated (or replicated) to the device provided by the service access party itself so that the service access party can be provided with the deployment type of the management authority (part or all) for the target service.

The privacy deployment type based on the dongle refers to the privacy deployment type which needs to be realized by the dongle. The dongle may be provided by a third party authority, and the service provider is configured to add a deployment license to the dongle provided by the service provider and bind the dongle to the target service so that the service access party may deploy the target service in the device into which the dongle is inserted.

The license-based privatized deployment type refers to a privatized deployment type implemented with only deployment licenses. In this case, to avoid license abuse and thus maintain the interests of the service provider, the service provider may generate a deployment license in combination with the deployment indication information and the device information of the service access party (e.g., the machine fingerprint of the device). The device information is used for uniquely describing (or indicating) the computer device used by the service access party for deploying the target service, so that the deployment license is only valid when the service access party applies for deploying the target service to the device corresponding to the device information.

S302, a symmetric key and an asymmetric encryption key generated by a service provider are adopted to carry out key mixed signature on deployment indication information, and signature data of the service provider are obtained.

In one implementation, when generating signature data, the service provider may specifically generate a hash value of the symmetric key by using a hash algorithm, and encrypt the hash value by using an asymmetric encryption algorithm based on the asymmetric encryption key, so as to obtain the first signature fragment. In addition, a hash algorithm is adopted to generate a hash value of the deployment indication information, and then an asymmetric encryption algorithm is adopted to encrypt the hash value based on the asymmetric encryption key so as to obtain a second signature segment. And finally, generating signature data of the service provider according to the first signature fragment and the second signature fragment.

Alternatively, the service provider may directly use the first signature fragment and the second signature fragment as signature data of the service provider, or may use data obtained by performing a splicing process on the first signature fragment and the second signature fragment as signature data of the service provider. By introducing the symmetric key into the signature data, the complexity of the signature data can be increased, and the forging difficulty of the signature data can be further improved. And signature verification is carried out on the signature data after the symmetric key is introduced, so that the authenticity and the integrity of the deployment indication information can be verified, and the authenticity and the integrity of the symmetric key can be verified. If the verification of the signature data is passed, the symmetric key is not tampered, so that the success rate of executing the related decryption processing by adopting the symmetric key is high, and the resource waste can be avoided to a certain extent.

In still another implementation manner, when generating signature data, the service provider may also use a symmetric key to symmetrically encrypt the deployment indication information to obtain an information ciphertext of the deployment indication information, further use a hash algorithm to generate a hash value of the information ciphertext, and finally use an asymmetric encryption key to encrypt the hash value to obtain the signature data of the service provider, so that a license generation flow in the embodiment of the present application may be as shown in fig. 4. The data signature is carried out on the information ciphertext based on the deployment indication information, so that plaintext information (such as the deployment indication information) carried by the deployment license can not be revealed in the signature verification process, and the information security in the service deployment process is improved.

Specifically, when the license generation flow in the embodiment of the present application is as shown in fig. 4, the flow of verifying the signature data in the deployment license presented by the service access party by the service provider may be as follows: firstly, information ciphertext and signature data are obtained from a presented deployment license, then an asymmetric decryption key is adopted to decrypt the signature data to obtain decryption information, a hash algorithm is adopted to generate a hash value of the decryption information, and a hash algorithm is adopted to generate a hash value of the information ciphertext, finally, when the hash value of the decryption information is consistent with the hash value of the information ciphertext, signature data in the deployment license is confirmed to pass through verification, so that a license verification flow in the embodiment of the application can be shown as a figure 5.

In addition, it should be noted that the hash algorithm used in the license generation and license verification process according to the embodiments of the present application may be consistent, and may be specifically MD5, SHA, or SM3.

S303, acquiring an information ciphertext of deployment indication information and a key ciphertext of a symmetric key, and generating a deployment license comprising the information ciphertext, signature data and the key ciphertext; the information ciphertext is obtained by symmetrically encrypting the deployment indication information by adopting a symmetric key.

In a specific embodiment, the information ciphertext may be generated in a generation stage of the signature data, so, in order to improve the overall generation efficiency of the deployment license, the service provider may cache the information ciphertext in a generation process of the signature data, so that the information ciphertext may be directly obtained from the cache space.

In addition, the target service may be used to provide one or more resource data packets to the service access party. In this case, the deployment license may also contain a target number of resource authorization codes, which are used to generate the resource license, which may be used to indicate the loading rights of the service access party to the resource data package. The resource license and the resource data packet may be in one-to-one correspondence, and the resource license and the resource authorization code may also be in one-to-one correspondence. That is, one resource authorization code may be used to generate one resource license, and one resource license is bound to one resource data packet, such that one resource license may only be used to authorize loading of one resource data packet.

In a particular application, the deployment license may contain a target number of resource authorization codes such that the service access party is at most able to load (either a total load or a single load) a target number of resource data packets from the target service. By limiting the number of resource data packets loaded by the service access party, the response load of the service provider in responding to the resource loading request can be effectively controlled, so that the stability of the equipment of the service access party for deploying the target service is maintained. In addition, when the target number is used for limiting the total loaded number, by limiting the number of resource data packets loaded by the service access party, the application time limit of the service access party to the target service can be limited, so that the service access party can re-trigger the generation of the deployment license after a period of time, and the permission verification of the service access party exists in the generation stage of the deployment license, and the potential safety hazard brought by the service access party to the target service (or the service provider) can be prevented.

S304, acquiring the deployment type of the target service from the service deployment request, and determining the target access parameter associated with the deployment type of the target service according to the preset association relation between the deployment type and the access parameter of the target service.

In one embodiment, the service provider may provide a service deployment toolkit (i.e., SDK, software development kit) to the service access party based on the deployment type in the service deployment request, so that the service access party may deploy the target service using the service deployment toolkit.

In one implementation, the service provider may generate corresponding service deployment tools for each deployment type in advance, so that the service access party selects a desired deployment type from each deployment type, and then the service provider may determine a service deployment tool (or target SDK) that needs to be sent to the service access party by querying the service deployment tool corresponding to the deployment type. In this case, the service deployment tools are only related to the deployment types, and the service deployment tools corresponding to the respective deployment types are generated in advance, so that the workload of the service provider in responding to the service deployment request can be reduced, and the overall efficiency of service deployment can be further improved.

In yet another implementation, the service provider may combine the deployment type and the application authority of the service provider to generate a corresponding service deployment tool, so as to improve the demand fit degree between the service deployment tool and the service access party, so that the service access party may obtain a more comfortable user experience. As an example, the target access parameter may be used to represent the rights item (such as the number of resource authorization codes and the management rights of the resource data packet) in the application rights, and the application rights of the service access party may be represented by the parameter value of the service access party under the target access parameter.

In one embodiment, the service provider may also determine whether a deployment packet needs to be provided to the service access party based on the deployment type in the service deployment request. The deployment data package is generated based on the service resource package of the target service and the deployment license of the service access party. The service resource package may be obtained by packaging part or all of codes of the target service, and is used for implementing all or part of functions in the target service. Further, the deployment type in the service deployment request may be a publicized deployment type or a privatized deployment type, and the privatized deployment type may further include at least one of a dongle-based privatized deployment type and a license-based privatized deployment type.

In particular, when the deployment type of the target service is a publicized deployment type or a license-based privately-owned deployment type, there is no need to send a service resource package to the service access party, and thus the step of sending the deployment license to the service access party can be directly performed later.

When the deployment type in the service deployment request is a privacy deployment type based on the dongle, the service provider can acquire the service data packet of the target service, and further add the interface information and the deployment license of the target dongle into the service data packet to obtain the deployment data packet. Thereafter, the service data packet may be sent to the service access party to cause the service access party to deploy the target service based on the deployment data packet. The target dongle is used for carrying out security maintenance on the target service by the service access party.

S305, generating a target SDK according to the target access parameter, the parameter value of the service access party under the target access parameter and the source SDK of the target service.

In a specific embodiment, the source SDK of the target service may refer to a complete SDK that may use all functions and data (e.g., resource data packets) of the target service, where the target SDK is obtained by performing a function adjustment or a data adjustment on the source SDK.

S306, the target SDK and the deployment license are sent to the service access party, so that the service access party installs the target SDK, and deploys the target service by adopting the installed target SDK based on the deployment license.

In one embodiment, the target service is used to provide one or more resource data to the service access party. In this case, the service provider may further perform, when detecting the export operation of the resource data packet by the service access party, a permission check on the service access party to determine whether the service access party has permission to export the resource data packet. Export is understood to mean movement of resource data packets, specifically from application to application, or from hardware device (or module) to hardware device (or module).

When the deployment license contains a target number of resource authorization codes, the service provider can perform authorization verification on the service access party based on the derived number corresponding to the service access party and the target number. The derived number may refer to the number of resource data packets currently derived by the service access party, or may refer to the total number of resource data packets derived by the service access party during the use of the deployment license (or in another historical period). As an example, the service access party may determine that the rights verification for the service access party passes when the derived number is less than or equal to the target number.

When the authority verification of the service access party is passed, the service provider generates a resource license of the resource data packet to be exported for the service access party, and sends the resource license and the corresponding resource data packet to the service access party, so that the service access party can load the corresponding resource data packet based on the resource license. It is worth mentioning that a resource license is used to allow the service access party to load a resource data package.

For the embodiments in fig. 2 and 3, it is further required to be additionally described that:

(1) The asymmetric encryption algorithm adopted in the embodiment of the present application when performing asymmetric encryption may include an RSA encryption algorithm (RSA algorithm), an elliptic encryption algorithm (ECC, ellipseCurveCtyptography), SM2 (commercial cryptography algorithm 2), and the like. Taking RSA as an example, the key formats employed in RSA may include pkcs#1, pkcs#8, openSSL, and the like. The Padding modes adopted in the RSA can comprise RSA_No_padding, RSA_PKCS1_padding, RSA_PKCS1_ Oaep _padding and the like. As an example, in a scenario for Java program development, the Padding method adopted in the embodiment of the present application may be rsa_pkcs1_padding, and the adopted key format may be pkcs#8. The rsa_pkcs1_packing and pkcs#8 are default formats in Java, so that more Java program products can be matched.

(2) The symmetric encryption algorithm employed in performing symmetric encryption according to an embodiment of the present application may include a data encryption standard algorithm (DES, data Encryption Standard), an advanced encryption standard algorithm (AES, advanced Encryption Standard), SM1, SM4, and the like. Taking AES as an example, there are ECB, CBC, CFB, OFB and CTR etc. encryption modes that can be used in AES, and NoPadding, PKCS #7, ISO10126, ANSIX9.23 and ZerosPadding etc. filling modes that can be used. As an example, the embodiment of the present application mainly uses the ECB encryption mode and the pkcs#7 padding mode.

It is worth mentioning that pkcs#5 refers to pkcs#7 in the AES encryption in practice, and thus when pkcs#7 is not present in the encryption tool but pkcs#5 is present, pkcs#5 may be designated to represent pkcs#7.

(3) In the embodiment of the application, since algorithms such as encryption, decryption, hash and the like generally need to be operated based on binary data (byte array), and the operation result is binary data, the binary data is not beneficial to the reading and analysis of technicians, so the embodiment of the application proposes a data format adopting character strings in the data interaction process. Where conversion of a string to binary is involved, a base64 encoding scheme may be specifically employed to convert binary data (byte array) to a string, and an utf-8 encoding scheme may be employed to convert the string to binary.

Based on the above embodiments of the methods in fig. 2 and fig. 3, the present application also proposes a license-based service deployment apparatus, which may be a computer program running in a computer device of the above service provider, to execute the license-based service deployment method as shown in fig. 2 or fig. 3. Referring to fig. 6, the apparatus may at least include a response unit 601, an encryption unit 602, a generation unit 603, and a transmission unit 604, where:

A response unit 601, configured to determine deployment indication information of a service access party in response to a service deployment request of the service access party for a target service, where the deployment indication information is used to indicate the target service and an application authority of the service access party in the target service;

an encryption unit 602, configured to perform a key mixture signature on the deployment indication information by using a symmetric key and an asymmetric encryption key generated by the service provider, so as to obtain signature data of the service provider;

A generating unit 603, configured to obtain an information ciphertext of the deployment instruction information and a key ciphertext of the symmetric key, and generate a deployment license that includes the information ciphertext, the signature data, and the key ciphertext; the information ciphertext is obtained by symmetrically encrypting the deployment indication information by adopting the symmetric key;

And a sending unit 604, configured to send the deployment license to the service access party, so that the service access party deploys the target service based on the deployment license.

In one embodiment, when executing the symmetric key and the asymmetric encryption key generated by the service provider, the encryption unit 602 performs a key mixture signature on the deployment indication information to obtain signature data of the service provider, the encryption unit may be specifically configured to execute:

Generating a hash value of the symmetric key, and encrypting the hash value of the symmetric key by adopting the asymmetric encryption key to obtain a first signature fragment;

Generating a hash value of the deployment indication information, and encrypting the hash value of the deployment indication information by adopting the asymmetric encryption key to obtain a second signature fragment;

and generating signature data of the service provider according to the first signature fragment and the second signature fragment.

In still another embodiment, when executing the symmetric key and the asymmetric encryption key generated by the service provider, the encryption unit 602 performs a key mixture signature on the deployment indication information to obtain signature data of the service provider, the encryption unit may be specifically configured to execute:

Symmetrically encrypting the deployment indication information by adopting the symmetric key to obtain an information ciphertext of the deployment indication information;

and generating a hash value of the information ciphertext, and encrypting the Ha Xisan columns of values by adopting the asymmetric encryption key to obtain signature data of the service provider.

In yet another embodiment, the response unit 601 may be further configured to perform:

Receiving a service access request of the service access party to the target service, wherein the service access request comprises the deployment license and the description information of the service access party;

Performing license verification on the deployment license based on the asymmetric decryption key and the descriptive information;

And if the deployment license passes the verification, establishing service connection with the service access party so as to provide the target service for the service access party.

In yet another embodiment, the target service is configured to provide one or more resource data packages to the service access party, and the license-based service deployment device may further include a detection unit 605. The detection unit 605 may be specifically configured to perform:

If the export operation of the service access party to any resource data packet is detected, performing authority verification on the service access party;

If the authority verification of the service access party is passed, generating a resource license of any resource data packet for the service access party, wherein the resource license is used for allowing the service access party to load any resource data packet;

and sending the resource license and any resource data packet to the service access party so that the service access party loads any resource data packet based on the resource license.

In yet another embodiment, the deployment license contains a target number of resource authorization codes; the detecting unit 605, when used for performing the authority verification on the service access party, may be specifically configured to perform:

determining the export quantity corresponding to the service access party, and acquiring the target quantity from a deployment license of the service access party, wherein the export quantity comprises one or two of the total quantity of resource data packets exported in a historical time period and the quantity of the resource data packets exported currently;

and if the derived quantity is smaller than or equal to the target quantity, determining that the authority verification of the service access party passes.

In yet another embodiment, the service deployment request includes a deployment type of the target service; the sending unit 604 may further be configured to perform:

Acquiring the deployment type of the target service from the service deployment request, and determining a target access parameter associated with the deployment type of the target service according to a preset association relation between the deployment type and the access parameter of the target service;

Generating a target SDK according to the target access parameter, the parameter value of the service access party under the target access parameter and the source SDK of the target service;

And sending the target SDK to the service access party so that the service access party installs the target SDK and deploys the target service by adopting the installed target SDK based on the deployment license.

In yet another embodiment, the service deployment request includes a deployment type of the target service, the deployment type is a publicized deployment type or a privatized deployment type, and the privatized deployment type includes at least one of a dongle-based privatized deployment type and a license-based privatized deployment type, and the sending unit 604 is further configured to perform:

acquiring the deployment type of the target service from the service deployment request;

When the deployment type of the target service is the privacy deployment type based on the dongle, acquiring a service data packet of the target service;

Adding interface information of a target dongle and the deployment license into the service data packet to obtain a deployment data packet, and sending the service data packet to the service access party so that the service access party deploys the target service based on the deployment data packet; the target dongle is used by the service access party for carrying out security maintenance on the target service;

And when the deployment type of the target service is the public deployment type or the proprietary deployment type based on the license, executing the step of sending the deployment license to the service access party.

It should be noted that, each unit in the license-based service deployment device is divided based on a logic function, each unit may be separately or completely combined into one or several other units, or some unit(s) may be further split into a plurality of units with smaller functions to form a unit, which may achieve the same operation without affecting the implementation of the technical effects of the embodiments of the present application. In other embodiments of the present application, the apparatus may also include other units, and in practical applications, the functions may also be implemented with assistance from other units, and may be implemented by cooperation of multiple units.

Based on the related description of the license-based service deployment method and the device, the embodiment of the application also provides a computer device, so as to use the computer device to execute the method shown in fig. 2 or fig. 3. Wherein the structure of the computer device may be seen in fig. 7.

As shown in fig. 7, the computer device includes at least a processor 701 and a storage medium 702, and the processor 701 in the computer device is configured to connect the storage medium 702 through a bus or other manners. Wherein the storage medium 702 is a memory device in a computer device for storing programs and data. It is to be appreciated that the storage media 702 herein can include both built-in storage media in a computer device and extended storage media supported by the computer device. The storage medium 702 is used to provide storage space that stores an operating system of a computer device. Also stored in this memory space are one or more computer programs, which may be one or more program codes, adapted to be loaded and executed by the processor 701.

The storage medium herein may be a high-speed RAM memory or a non-volatile memory (non-volatile memory), such as at least one disk memory; optionally, at least one storage medium located remotely from the processor. The processor 701, or CPU (Central Processing Unit )), is a computing core and a control core of a computer device, which is adapted to implement one or more computer programs, in particular to load and execute one or more computer programs to implement the respective method flows or the respective functions.

In addition, the embodiment of the present application further provides a storage medium, where one or more computer programs corresponding to the license-based service deployment method are stored, and when one or more processors load and execute the one or more computer programs, descriptions of the license-based service deployment method in the embodiment may be implemented, which will not be repeated herein. It will be appreciated that a computer program may be deployed to be executed on one or more devices that are capable of communication with one another.

It can be appreciated that the beneficial effects generated by adopting the same method in the device, the computer device and the storage medium are the same as those mentioned in the related method embodiments, so that the description thereof is omitted here. Moreover, it will be appreciated by those of ordinary skill in the art that all or part of the flow of the above-described embodiment method may be accomplished by a computer program to instruct the relevant hardware, and the computer program may be stored in a storage medium, and the computer program may include, when executed, the flow of the above-described embodiment of the license-based service deployment method. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a random-access Memory (Random Access Memory, RAM), or the like.

It should be noted that the foregoing embodiments are merely partial examples of the present application, and it is needless to say that the scope of the claims of the present application should not be limited thereto, and those skilled in the art can understand that all or part of the procedures for implementing the foregoing embodiments are implemented and equivalent changes according to the claims of the present application still fall within the scope of the present application.

Claims

1. A license-based service deployment method, the method being applied to a service provider providing a target service, comprising:

2. The method of claim 1, wherein the performing a key mixture signature on the deployment indication information using the symmetric key and the asymmetric encryption key generated by the service provider to obtain signature data of the service provider includes:

3. The method of claim 1, wherein the performing a key mixture signature on the deployment indication information using the symmetric key and the asymmetric encryption key generated by the service provider to obtain signature data of the service provider includes:

4. The method according to claim 1, wherein the method further comprises:

5. The method of claim 1, wherein the target service is configured to provide one or more resource data packets to the service access party; the method further comprises the steps of:

6. The method of claim 5, wherein the deployment license comprises a target number of resource authorization codes; the performing authority verification on the service access party comprises the following steps:

7. The method of claim 1, wherein the service deployment request includes a deployment type of the target service; the method further comprises the steps of:

8. The method of claim 1, wherein the service deployment request includes a deployment type of the target service, the deployment type is a public deployment type or a proprietary deployment type, and the proprietary deployment type includes at least one of a dongle-based proprietary deployment type and a license-based proprietary deployment type; the method further comprises the steps of:

9. A license-based service deployment apparatus, comprising:

10. A computer device, comprising:

A processor adapted to implement one or more computer programs;

a storage medium storing one or more computer programs adapted to be loaded by the processor and to perform the license-based service deployment method according to any of claims 1 to 8.