CN1606270A - Method for implementing computer driving service security network system - Google Patents


Info

Publication number: CN1606270A
Authority: CN (China)
Prior art keywords: service, certificate, providing server, driving, item
Legal status: Granted
Application number: CN 200410009820
Other languages: Chinese (zh)
Other versions: CN100393033C (en)
Inventor: 耿健
Current Assignee: Individual
Original Assignee: Individual
Application filed by Individual
Priority to CNB2004100098203A
Publication of CN1606270A
Application granted
Publication of CN100393033C
Expired - Fee Related

Abstract

This invention provides a method for implementing a secure network system for computer driver services. A driver service provider server (SP) applies to the driver service operation server (SM) for a service provider server identity certificate (SPC). The SP that supplies drivers (SPDP) submits the driver files (DF) to the SM; after the SM reviews and approves them, the DF are published for a driver service item (SI). The SP that offers the service (SPSP) registers a service for the SI with the SM. The user client program (Client) then obtains the service for the SI. This ensures that the source of a driver is authentic and legitimate.

Description

Method for implementing a computer driver service security network system
Technical field
The invention belongs to the field of computer technology and relates in particular to a method for implementing a computer driver service security network system.
Background
With the widespread use of the Windows operating system on PCs, users frequently run into driver installation failures that leave devices unusable, and many PC manufacturers and hardware device manufacturers encounter the same situation when providing service to users. A number of inventions now address this in various ways: some solve the difficulty users have installing drivers, some solve the user's inability to identify the type of the faulty device, and others solve how to find a suitable driver on the network and download and install it, and so on. The security of driver services, especially in a network environment, has however received little attention. Driver services in a network environment have the following security problems:
1. The distribution of drivers over the network has no security guarantee. A driver is low-level operating system code. It is extremely important to the security of the user's system: it is part of the operating system, runs with operating-system-level privileges, and bears on the stability and security of the whole computer system. If a driver is used to attack the security of the user's computer system, the result is fatal. Important as drivers are, they are distributed over the network in the same way as ordinary programs or data. The sources from which people obtain drivers are chaotic and have no authority or uniqueness to speak of: an ordinary personal website can offer driver downloads, and some large PC manufacturers, when supporting users, even recommend that they search for and download drivers from driver download sites.
2. After obtaining a driver, the user has no simple way to judge the authenticity and legitimacy of the driver's source (that is, the driver's supplier).
The provider of a driver download service is often not the supplier of the driver, and most of the drivers that large PC manufacturers offer for download are supplied by their own OEM vendors. When installing and using these drivers, even a professional cannot judge the authenticity and legitimacy of the driver's source.
Many drivers include a driver signature file with the .CAT suffix, which lets Windows check during installation whether the driver has been modified. However, many drivers do not include a .CAT file, and many others ship their own installer and are not installed by the operating system. This variety in the form drivers take is another major reason why users cannot judge the authenticity and legitimacy of a driver's source.
3. Users bear greater risk when using drivers.
At present users commonly receive driver services in the following ways: downloading and installing from a website that offers driver downloads, remote installation by an online support engineer, manual installation by an on-site engineer, and so on. The first faces the security problems discussed under problem 1. With the latter two, the user faces the possibility of the computer system being intruded upon by others, even though this intrusion takes place with the user's authorization. When providing a service, the driver service provider gives the user no guarantee of the authenticity of the service content (that is, the driver), and there is no third-party, non-repudiable record of the service process or the service result. For organizations with high information security requirements this is undoubtedly very dangerous.
Summary of the invention
The present invention overcomes the above insecurity of driver services in a network environment and provides a method for implementing a computer driver service security network system that can guarantee security.
The method for implementing the computer driver service security network system comprises the following steps:
(1) the driver service provider servers SP (13-1, 13-2) apply to the driver service operation server SM (12) for, and obtain, a driver service provider server identity certificate SPC;
(2) the driver service provider server that supplies drivers, SPDP (13-1), submits the driver files DF to the driver service operation server SM (12); after SM (12) reviews and approves them, the driver files DF are published for a driver service item SI;
(3) the driver service provider server SPSP (13-2) registers with the driver service operation server SM (12) a service for a driver service item SI;
(4) the user client program Client (14) obtains the service for the driver service item SI.
The driver service operation server SM (12) may have certificates issued by the certificate authority server CA (11).
The driver service provider server SPDP (13-1) supplies the driver files DF to the driver service operation server SM (12) in the following sub-steps:
(1) SPDP (13-1) uses its driver service provider server identity certificate SPC to register a driver service item SI with the driver service operation server SM (12);
(2) after approval is obtained, SPDP (13-1) submits the driver files DF corresponding to the driver service item SI to the driver service operation server SM (12) and requests publication;
(3) after review and approval by the driver service operation server SM (12), the driver files DF are published and packaged into a driver package DP, which can no longer be modified.
The driver service provider server SPSP (13-2) registers with the driver service operation server SM (12) a service for a driver service item SI in the following sub-steps:
(1) SPSP (13-2) uses its service provider server identity certificate SPC to apply to the operation server SM (12) to register a service for the driver service item SI;
(2) after review by the service operation server SM (12), the certificate authority server CA (11) issues a driver service item service authorization certificate SAC, authorizing SPSP (13-2) to provide the service for the driver service item SI;
(3) SPSP (13-2) downloads and installs the service authorization certificate SAC;
(4) SPSP (13-2) downloads the driver package DP corresponding to the driver service item SI and, using the service authorization certificate SAC, fills in the deployment parameters SIDP and deploys DP on SPSP (13-2);
(5) SPSP (13-2) fills in the parameters SIP of the service for the driver service item SI and opens the service.
The user client program Client (14) receives the service for the driver service item SI in the following sub-steps:
(1) Client (14) applies to the service operation server SM (12) for, and obtains, a service operation server user identity certificate SMUC for a new user;
(2) Client (14) submits a driver service request to the service operation server SM (12); SM (12) finds the matching service for the driver service item SI offered by a driver service provider server SPSP (13-2) and returns the relevant parameters SIP to Client (14);
(3) using the parameters SIP, Client (14) applies to the driver service provider server SPSP (13-2) for, and obtains, a driver service provider server user identity certificate SPUC for the new user;
(4) using the parameters SIP, Client (14) queries the driver service provider server SPSP (13-2) for the deployment parameters SIDP of the service for the driver service item SI;
(5) using the deployment parameters SIDP of the service for the driver service item SI, Client (14) applies to the driver service provider server SPSP (13-2) with the identity certificate SPUC for, and obtains, a service provider server user service certificate SPSC;
(6) Client (14) downloads the driver package DP from the driver service provider server SPSP (13-2) and verifies whether the content of DP has been modified; if it has not, Client unpacks DP to obtain the driver files DF;
(7) Client installs the driver files DF to resolve the device's driver fault, and reports the service result to the service operation server SM (12) using the service operation server user identity certificate SMUC and the service provider server user service certificate SPSC.
The service provider server identity certificate SPC may comprise:
(1) Version 1 fields: version, serial number, signature algorithm, issuer, valid-from date (also called the validity start date), valid-to date (also called the validity end date), subject, public key;
(2) standard extensions: subject key identifier, enhanced key usage, authority key identifier, thumbprint algorithm, thumbprint;
(3) non-standard extensions (that is, custom extensions): certificate class, certificate class name.
The driver service item service authorization certificate SAC may comprise:
(1) Version 1 fields: version, serial number, signature algorithm, issuer, valid-from date (also called the validity start date), valid-to date (also called the validity end date), subject, public key;
(2) standard extensions: subject key identifier, enhanced key usage, authority key identifier, thumbprint algorithm, thumbprint;
(3) non-standard extensions (that is, custom extensions): certificate class, check code, certificate class name, service identifier, owner certificate serial number, number of licenses, class of service certificate authorized for issue, starting sequence number of service certificates authorized for issue, software platform to which the authorized service applies, service item number.
The service provider server user service certificate SPSC may comprise:
(1) Version 1 fields: version, serial number, signature algorithm, issuer, valid-from date, valid-to date, subject, public key;
(2) standard extensions: subject key identifier, enhanced key usage, authority key identifier, thumbprint algorithm, thumbprint;
(3) non-standard extensions: certificate class, certificate class name, check code, service identifier, owner certificate serial number, enhanced serial number.
The driver package DP may comprise three files. File 1 is a summary file of the service item SI and the driver files DF, produced by the service operation server SM; it describes the main parameters of the service item SI and the driver files DF, including: device identifier DeviceID, INF file name InfName, INF install section InfSection, driver date, driver version, driver package size, and so on. File 2 is the compressed file of the driver files DF produced by the service operation server SM. File 3 is the signature file generated by signing the contents of file 1 and file 2 with the private key of the service operation server identity certificate SMC.
Technical effect of the present invention: the scheme is based on public-key infrastructure and, through the issuing and authorization of identity certificates and service certificates, applies security management to the identity and behaviour of every object in the system. It also sets out a method for distributing drivers over the network that effectively removes the hidden dangers arising from the complexity of driver formats and the insecurity of their distribution, and guarantees the authenticity and legitimacy of the driver's source, thereby eliminating the security problems listed above that users face when using drivers.
The present invention has the following characteristics:
1. The distribution of drivers over the network is secure and orderly.
The publication and distribution of drivers are subject to a strict review mechanism, a driver cannot be modified during distribution, and the provision of services is also reviewed and supervised. The system as a whole gives driver publication authority, gives driver distribution consistency and security, and gives driver services order.
When a driver is delivered to the user, it is clear who the driver service provider is, who the supplier of the driver is, and whether the driver is safe and legitimate. The whole process has third-party attestation and is backed technically by public-key infrastructure, so it is non-repudiable; these are indispensable conditions for a commercial service.
Because the scheme is based on public-key infrastructure, its level of security can be trusted. As time passes, the level of security can be raised simply by upgrading the key length, so that ever-increasing security requirements are met.
Because a third party exists to coordinate service behaviour among driver service providers, the chaotic, disorderly provision of driver services can be changed and orderly driver services achieved.
2. Through a single unified driver service client program, the user can obtain driver services simply, quickly and safely.
Because the publication and distribution of drivers and the provision of driver services take place in an orderly environment, the difficulty of obtaining driver services is reduced as far as possible: the user no longer needs to deal with the details in order to obtain a driver service. These details include: what type of device needs the driver service, which manufacturer produced the device, where on the network a driver for the device can be found, how to download it, how to install it, and so on. The user only needs to obtain a driver client program and can then easily complete all of the above by clicking a single driver service button.
Because the publication and distribution of drivers and the provision of driver services take place in an orderly environment, the whole driver service can be automated, and users can receive an uninterrupted, real-time driver service 24 hours a day, 365 days a year; the convenience and speed of such a service are self-evident.
3. Users and hardware vendors can reduce the cost of driver services.
To resolve a device's driver fault, the user usually needs a service engineer to make an on-site visit, which is costly for both the user and the driver service provider; even so, because the service is manual, neither its response speed nor customer satisfaction can be guaranteed. The present invention solves this problem effectively: a driver service network system can deliver automated, self-service driver services that are low in cost, high in efficiency and uniform in quality. Given the enormous base of driver services, the economies of scale in the service cost saved by replacing manual service with automated service are huge.
Description of drawings
The present invention is described in detail below with reference to the accompanying drawings.
Fig. 1 is a structural diagram of the system;
Fig. 2 is a flow chart of the working steps of the driver service provider server;
Fig. 3 is a flow chart of the working steps of the user client program;
Fig. 4 shows the formats of the certificates used in the system: Fig. 4-a is the service operation server user identity certificate SMUC; Fig. 4-b is the service provider server user identity certificate SPUC; Fig. 4-c is the service provider server user service certificate SPSC; Fig. 4-d is the service operation server identity certificate SMC; Fig. 4-e is the CA identity certificate; Fig. 4-f is the service provider server identity certificate SPC; Fig. 4-g is the service provider server service item authorization certificate SAC.
Embodiment
The example used is a driver service based on the "PC 99" standard. PC 99 is a hardware and software specification for various types of PC, including home PCs, office PCs, entertainment PCs and portable PCs (Windows CE portable machines are not covered); passing PC 99 compliance certification grants the "Designed for Microsoft Windows" license. The PC 99 standard states that a driver must not use INI files and must use the registry. Where possible, an installation file in INF format must be used. A driver must be installed in the correct directory and must not use the same file name as a system driver. A driver must be installable without user input.
With reference to Fig. 1, if the driver service provider servers SP 13-1 and 13-2 are to provide driver services, they must apply to the driver service operation server SM 12 for an identity certificate SPC; after review by SM 12, the certificate authority server CA 11 issues the service provider server identity certificate SPC.
The service provider server SPDP 13-1 that is to publish drivers must first register a driver service item SI with the driver service operation server SM 12. After obtaining approval from SM, the service provider server SP 13-1 submits the driver files DF to SM, and they are published once they pass review. The published driver files DF are packaged by the service operation server SM into a driver package DP and can no longer be modified.
The service provider server SPSP 13-2 that is to provide a service for a driver service item SI must first register the service for the driver service item SI with the operation server SM 12. After review by SM 12 it obtains the driver service item service authorization certificate SAC issued by the certificate authority server CA 11. Only then can it download the driver package DP corresponding to this driver service item SI, deploy it on its own driver service server, and open the service for this driver service item SI.
If a user is to receive a driver service, the user client program Client 14 first applies to the service operation server SM 12 to issue a service operation server user identity certificate SMUC for the user. Client 14 then submits a driver service request to SM 12; SM 12 finds the matching service for a driver service item SI and returns the relevant parameters to Client 14. Using these parameters, Client 14 first applies for a driver service provider server user identity certificate SPUC for the new user, then applies for a service provider server user service certificate SPSC, downloads the driver package DP from the corresponding service provider server SP 13-2 and unpacks it to obtain the driver files DF. Finally Client 14 installs the driver files DF, resolving the device's driver fault, and reports the service result to SM 12 using the service operation server user identity certificate SMUC and the service provider server user service certificate SPSC.
With reference to Fig. 2, the working steps of the service provider server are as follows:
Step 201: check in the certificate store of the service provider server's computer whether a service provider server identity certificate SPC is installed. If it is not yet installed, execute step 202 and apply to the service operation server SM to issue an SPC; if it is installed, execute step 205.
Step 202: if the service provider server does not yet have an identity certificate, it applies for one. The operations are as follows. The service provider server SP sends the service operation server SM an application to issue a service provider server identity certificate; the request content includes: the service provider's name, registered trademark, address, administrator account, password, contact details, validity period, and the encoded public key PK1 of an asymmetric key pair KEY1. SM responds to this request and checks the authenticity and legitimacy of the application content. If the check passes, it issues the service provider server identity certificate SPC and notifies the service provider server SP that the certificate application succeeded and that the certificate can be obtained from the address SPC_URL.
Step 203: if the operation by which the service operation server SM issues the service provider server identity certificate SPC fails, the service provider server working steps end; otherwise, execute step 204.
Step 204: the service provider server SP downloads the certificate from SPC_URL, installs it on the server, and binds the certificate to the private key of the asymmetric key pair KEY1, completing the application for the service provider server identity certificate SPC.
Step 205: ask whether the service provider server SP is to publish driver files DF. If so, execute step 206; otherwise, execute step 209.
Step 206: the service provider server SP sends an application to the service operation server SM requesting registration of the driver management right DM for the service item SI. The request contains: 1. the service provider's administrator account and password; 2. the service item identifier (that is, the device identifier DeviceID); 3. a description of the service item SI; 4. the valid-from and valid-to dates; 5. the software and hardware environment requirements to which the service item SI applies; 6. the encoded service provider server identity certificate SPCE, a timestamp, and a signature over the above content made with the SPC certificate private key. The service operation server SM responds to the request, checks the validity of the service provider server certificate, signature, timestamp, administrator account and password, and reviews the request. If the review does not pass, the registration request fails; otherwise the registration request succeeds, the service item number SIN is returned, and step 207 is executed.
Step 207: determine whether the registration in step 206 succeeded. If it succeeded, execute step 208; otherwise, execute step 209.
Step 208: having registered the driver management right DM for the service item SI, the service provider server SP submits the driver files DF to the service operation server SM and publishes them. The driver files DF must conform to the "PC 99" standard. Submission is per file and in no particular order: the driver files DF are uploaded one by one to the file server of the service operation server, and a submitted file can still be deleted and resubmitted. The submit function remains available until the driver files DF are published. Once the service provider server SP considers that all driver files DF have been submitted, it can publish this service content. Once the service content is published, no further modification of the driver files DF is possible. The publication request for the driver files DF contains: 1. the service item number SIN; 2. the service provider's administrator account and password; 3. the encoded service provider server identity certificate, a timestamp, and a signature over the above content made with the private key of the certificate with which the service was registered. The service operation server SM responds to and processes the request. It first analyses the relationships among the submitted driver files through the INF file of the driver files DF and checks whether any file is missing, including whether parameters such as file size and date are correct; it can also check whether the software and hardware environment of the registered service conflicts with the submitted service item (for example, a VXD file is a conflict if the service runs on the Windows 2000 platform). If all checks pass, it packages the driver files DF of the service item and generates the driver package DP for service provider servers to download. Finally it returns the service item publication number SIPN, and step 209 is executed.
The driver package DP is a compressed file containing three files: SvcItemInfo.INF, SvcItemContent.CAB and SvcItemSign.SIG (the names of all three files are designated names). SvcItemInfo.INF is a summary file of the service item SI and the driver files DF, produced by the service operation server; it describes the main parameters of the service item SI and the driver files DF, including: device identifier DeviceID, INF file name InfName, INF install section InfSection, driver date, driver version, driver package size, and so on. SvcItemContent.CAB is the compressed file of the driver files DF produced by the service operation server. SvcItemSign.SIG is the signature file generated by signing the contents of SvcItemInfo.INF and SvcItemContent.CAB with the private key of the service operation server identity certificate SMC.
Step 209: ask whether the service provider server SP is to provide a driver service. If so, execute step 210; otherwise, the service provider server SP working steps end.
Step 210: the service provider server SP registers the driver service item SI with the service operation server SM. It first generates a request containing: 1. the service provider's administrator account and password; 2. the service item identifier; 3. the software and hardware environment (including the network environment) to which the service item applies; 4. the types of user service certificate that may be issued; 5. the validity period of the service item; 6. the number of user service certificates that may be issued; 7. other content that may be attached to the service item (for example, whether the user's hardware information is submitted to the service provider server); 8. the encoding PK2E of the public key PK2 of an asymmetric key pair KEY2; 9. the encoded service provider server identity certificate SPCE, a timestamp, and a signature over the request content made with the SPC certificate private key. The service operation server responds to the request. It first checks the administrator account, password and validity, and checks whether a service item SI satisfies the conditions of the request. If none does, the request fails; otherwise it saves the service item number SIN of the service item SI that meets the requirements, allocates the starting sequence SS of the user service certificates SPSC, then generates a service item authorization service certificate SAC application package and sends it to the certificate authority CA. The package contains: 1. the service item number SIN; 2. the service item identifier; 3. the starting sequence SS of the user service certificates that may be issued; 4. the validity period of the service item; 5. the types of user service certificate that may be issued; 6. the number of user service certificates that may be issued; 7. the software and hardware environment to which the service item applies; 8. the encoding PK2E of the public key PK2; 9. other content that may be attached to the service item; 10. the encoded service provider server identity certificate SPCE, a timestamp, and a signature over the above content made with the SPC certificate private key. On receiving this package, the certificate authority CA generates the service item authorization service certificate SAC and returns the following content: the encoded service item authorization service certificate, SACE. On receiving this reply, the service operation server saves the certificate to its database and notifies the service provider server SP that applied to register the service item SI that registration succeeded and that the service item authorization service certificate SAC can be obtained from the address SP_SAC_URL.
Step 211: if the check shows that registration of the driver service item SI did not succeed, the driver service provider server SP workflow ends; otherwise, execute step 212.
Step 212: the service provider server SP applies to the service operation server SM for, and obtains, the driver service item authorization certificate SAC issued after the driver service item SI was successfully registered in step 210. Once the service provider server SP learns that the driver service item authorization certificate SAC has been issued, it downloads the certificate from the address SP_SAC_URL, installs it on the server, and binds the certificate to the private key of the asymmetric key pair KEY2, completing the certificate application.
Step 213: the service provider server SP downloads from the service operation server SM the driver package DP corresponding to the registered driver service item SI. SP first lists, through SM, the published driver packages DP of all versions under the service item SI and selects the driver package DP of one version. It then uses the service item number SIN of the service item SI to look up the corresponding service item authorization service certificate SAC in the certificate store of the service provider server machine. If the SAC certificate is not found, this step fails; otherwise SP generates a driver package DP download request for the service item SI and sends it to SM. The request contains: 1. the service item number SIN; 2. the service item publication number SIPN; 3. the encoded driver service item authorization certificate SACE, a timestamp, and a signature over the request content made with the SAC certificate private key. The service operation server SM responds to the request. It first checks the validity of the encoded driver service item authorization certificate SACE and the validity of the request, and checks whether the service item number in the driver service item authorization certificate SAC equals the service item number SIN in the request. If this succeeds, it finds the driver package DP corresponding to the service item publication number SIPN, encodes it, and returns the following content: 1. the encoded driver package DPE. The encoding returned by SM is decoded and saved as a file, DPF, for use when the service provider server SP deploys the driver package DP.
Step 214: the service provider server SP deploys the downloaded driver package file DPF. First, it checks the validity of the driver package file DPF: SP uses the public key of the service operation server SM identity certificate SMC to verify that the signature of SvcItemInfo.INF and SvcItemContent.CAB in the package file DPF is consistent with the content of the signature file SvcItemSign.SIG. If they are consistent, the package is valid; otherwise it is invalid and this step fails. Second, it reads the service item summary information in SvcItemInfo.INF, which includes: service item number SIN, device identifier, driver date, driver version, driver size, and so on. It then looks up the corresponding service item authorization service certificate SAC by the service item number SIN and reads the main parameters of the certificate, including: number of licenses; class of service certificate authorized for issue; starting sequence SS of service certificates authorized for issue; software platforms on which the authorized service may be used; other authorization information (for example, whether access to the user's hardware information is authorized). Finally, the service item number SIN, the service item summary information, the main parameters of the service item authorization service certificate SAC, the service provider server's service certificate issuing address SPSCURL and its service item driver package download address SPDPURL are written to the service provider server database, and a service item deployment number SIDN is generated.
Step 215: the service provider server SP applies to the service operation server SM to open the service item SI. SP first selects the registered service item SI and fills in the following parameters SIP of the service for the driver service item SI to generate a service item opening request: 1. the service provider's administrator account and password; 2. the address SPIU_URL of the service provider server's user certificate issuing program; 3. the address SPC_URL of the service provider server's identity certificate request module; 4. the address SPSI_URL of the service provider server's service item query module; 5. the service item number SIN; 6. the encoded service provider server identity certificate SPCE, a timestamp, and a signature over the above content made with the private key of the service provider server identity certificate SPC. The service operation server SM responds to this request and checks the legitimacy of the above information. If this succeeds, it returns the following information: 1. service item SI opened (service item number SIN).
Step 216: if the service provider server SP wants to update the driver package DP of the service item SI, execute step 213; otherwise, exit the service provider server SP working steps.
With reference to Figure 3, the job steps of the user client program Client are as follows:
Step 301, enumerate the devices on the user's computer and their states.
Step 302, if a device DEVICE needs driver service, step 303 is executed; otherwise the Client job steps end.
Step 303, if the certificate store of the user's computer contains a user identity certificate SMUC of the service operation server SM, step 305 is executed; otherwise, step 304 is executed.
Step 304, Client applies to the service operation server SM for a user identity certificate SMUC. Client runs the service operation server user identity certificate issuing program whose address SM_UCI_URL is stored in its own data area. This program is responsible for generating the request for a service operation server user identity certificate SMUC, and the request content includes: 1, the public key of the asymmetric key pair KEY3, to serve as the public key of the service operation server SM user identity certificate SMUC. After the request is submitted, the service operation server SM responds to it, issues the user identity certificate SMUC, and returns the user identity certificate SMUC encoding SMUCE. The service operation server user identity certificate issuing program SM_UCI_URL receives SMUCE and decodes it into SMUC, then installs SMUC into the certificate store of the user's computer and binds the certificate to the private key of the asymmetric key pair KEY3, which completes the application for the service operation server SM user identity certificate SMUC.
Step 305, Client requests the service operation server SM to dispatch a driver service item SI. Client generates a service request package with the following content: 1, user device information; 2, user operating system platform OS information; 3, the faulty device identifiers DeviceIDs; 4, the operation server user certificate SMUC encoding SMUCE, a timestamp, and a signature over the request package content made with the private key of certificate SMUC. The service operation server SM responds to this request and searches the registered driver service items SI for one that meets the conditions of the request. The conditions include: the service identifier of the service item SI appears among the faulty device identifiers DeviceIDs; the service item SI is within its validity period; the service platforms of the service item SI include the user operating system platform OS; the operation server user certificate SMUC has not become invalid; and the number of user service certificates that may be issued under the driver service item authorization certificate SAC has not been used up. If no qualifying service item is found, the operation fails; otherwise, the following service parameters SIP of the driver service item SI are returned: 1, the service provider name SPN; 2, the service providing server user certificate parameters SPUCP; 3, the service providing server user certificate issuing program address SPUCI_URL; 4, the service providing server service item query module address SPSI_URL; 5, the number SIN of the service providing server's service item that meets the request; 6, the service providing server identity certificate request module address SPC_URL.
Step 306, if step 305 did not succeed in dispatching a driver service item SI, the Client job steps end; otherwise, step 307 is executed.
Step 307, Client searches the certificate store of the user's computer for a user identity certificate SPUC of the service providing server SP that matches the description in the service providing server user certificate parameters SPUCP. If one is found, step 309 is executed; otherwise, if this is the first search, step 308 is executed, and if it is the second search, the Client job steps end.
Step 308, Client applies to the service providing server SP for a user identity certificate SPUC. Client generates a service providing server user identity certificate SPUC request and submits it to the service providing server user certificate issuing program address SPUCI_URL. The request content includes: 1, the public key of the asymmetric key pair KEY4, to serve as the public key of the service providing server SP user identity certificate SPUC. After the request is submitted, SPUCI_URL responds to it, issues the user identity certificate SPUC, and returns the SPUC encoding SPUCE. Client receives SPUCE and decodes it into SPUC, then installs SPUC into the certificate store of the user's computer and binds the certificate to the private key of the asymmetric key pair KEY4, which completes the application for the service providing server SP user identity certificate SPUC. Step 307 is then executed to check whether the application for SPUC succeeded.
Step 309, Client generates a service providing server service item query request package with the following content: 1, the service providing server service item number SIN; 2, the service providing server user certificate encoding SPUCE, a timestamp, and a signature over the request package content made with the private key of user certificate SPUC. Client submits the generated request package to the service providing server service item query module address SPSI_URL. If this fails, the Client job steps end; if it succeeds, the following deployment parameters SIDP of the service of driver service item SI are returned: 1, the service providing server service certificate parameters SPSCP; 2, the service providing server service item deployment number SIDN; 3, the service providing server service certificate issuing module address SPSCI_URL; 4, the service providing server service item driver package download module address SPDPD_URL.
Client uses the service providing server service certificate parameters SPSCP in the returned content to query whether the certificate store of the user's computer holds the specified service certificate SPSC. If a service certificate SPSC issued by the service providing server is found, step 310 is executed. If not, Client calls the service providing server service certificate issuing module address SPSCI_URL, which issues a service providing server service certificate SPSC to the user and is responsible for installing the certificate. The call request package items include: 1, the service providing server service item deployment number SIDN; 2, the service providing server user certificate encoding SPUCE, a timestamp, and a signature over the above content made with the private key of the service providing server user certificate SPUC. The content returned by the service providing server service certificate issuing module address SPSCI_URL includes: the service providing server user service certificate encoding SPSCE. Step 310 is then executed.
Step 310, Client requests to download the driver package DP of the service item SI of the service providing server SP. Client generates a request package and sends it to the service providing server service item driver package download module address SPDPD_URL. The request package content includes: 1, the service providing server service item deployment number SIDN; 2, the user service certificate encoding SPSCE, a timestamp, and a signature over the request package content made with the private key of service certificate SPSC. SPDPD_URL checks the validity of the request package; if it is invalid, the request fails; otherwise, the following content is returned: 1, the driver package encoding DPE. Client is responsible for saving the driver package encoding DPE to the user's computer as file DPC. Step 311 is then executed.
Step 311, Client checks the legitimacy of the downloaded driver package DPC. Client first unpacks the DPC file to obtain three files: SvcItemInfo.INF, SvcItemContent.CAB and SvcItemSign.Sig. Client downloads the service operation server identity certificate SMC from the service operation server identity certificate download address SMC URL stored in its own data area, and uses the SMC public key to obtain the signature SM_SIG of SvcItemInfo.INF and SvcItemContent.CAB. If SM_SIG is consistent with the content of the SvcItemSign.Sig file, DPC is legitimate and valid and step 312 is executed; otherwise it is invalid and this step fails.
Step 312, the driver file DFC is restored from the driver package file DPC. Client first unpacks the package to obtain three files: SvcItemInfo.INF, SvcItemContent.CAB and SvcItemSign.Sig, and then unpacks SvcItemContent.CAB to obtain DFsC.
Step 313, the driver files DFsC are installed. Client reads the following parameters from SvcItemInfo.INF: the device identifier DeviceID, the INF file name InfName and the INF install section name InfSection, and uses these parameters to install the driver DFsC of the faulty device DEVICE by way of the INF file.
Step 314, Client returns the device information after driver installation to the service operation server SM. Client submits a feedback information request package whose content includes: 1, user device information; 2, user operating system platform information; 3, the faulty device identifiers DeviceIDs; 4, the service providing server service certificate encoding SPSCE; 5, the operation server user certificate SMUC encoding SMUCE, a timestamp, and a signature over the request package content made with the private key of certificate SMUC. The service operation server SM responds to this request: it restores the service providing server service certificate encoding SPSCE to the service providing server service certificate SPSC, reads the parameters in SPSC, accumulates the number of services of the service item SI of the service providing server SP, and finishes after saving the above information. The Client job steps are then complete.
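The Client-side package check of steps 311 and 312, as an added Go example that is not part of the patent text: the package is rejected unless SvcItemSign.Sig verifies over SvcItemInfo.INF and SvcItemContent.CAB under the SMC public key, and only then is the CAB handed on for unpacking. RSA PKCS#1 v1.5 with SHA-256, the length-prefixed framing of the two files, and all function names are assumptions of this example; the key and file contents are constructed samples.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Member names of a driver package DP, as given in the description.
const (
	infoName    = "SvcItemInfo.INF"
	contentName = "SvcItemContent.CAB"
	sigName     = "SvcItemSign.Sig"
)

// ErrPackage wraps every rejection so callers can fail closed on one check.
var ErrPackage = errors.New("driver package rejected")

// packageDigest hashes the INF and then the CAB, each preceded by its length,
// so bytes cannot be moved from one member to the other without changing the
// digest. This framing is an assumption; the page only says the signature
// covers the contents of both files.
func packageDigest(info, content []byte) []byte {
	h := sha256.New()
	for _, part := range [][]byte{info, content} {
		var n [8]byte
		binary.BigEndian.PutUint64(n[:], uint64(len(part)))
		h.Write(n[:])
		h.Write(part)
	}
	return h.Sum(nil)
}

// NewDemoKey generates a throwaway RSA key standing in for the SMC key pair.
func NewDemoKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// SignPackage plays the SM role: it signs INF+CAB with the SMC private key
// and returns the three members of the package.
func SignPackage(smcKey *rsa.PrivateKey, info, content []byte) (map[string][]byte, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, smcKey, crypto.SHA256, packageDigest(info, content))
	if err != nil {
		return nil, err
	}
	return map[string][]byte{infoName: info, contentName: content, sigName: sig}, nil
}

// VerifyPackage plays the Client role in step 311. It returns the CAB bytes
// for step 312 only when the package has exactly the three expected members
// and the signature file matches the INF and CAB under the SMC public key.
func VerifyPackage(smcPub *rsa.PublicKey, files map[string][]byte) ([]byte, error) {
	if len(files) != 3 {
		return nil, fmt.Errorf("%w: expected 3 members, got %d", ErrPackage, len(files))
	}
	info, okInfo := files[infoName]
	content, okContent := files[contentName]
	sig, okSig := files[sigName]
	if !okInfo || !okContent || !okSig {
		return nil, fmt.Errorf("%w: missing member", ErrPackage)
	}
	if err := rsa.VerifyPKCS1v15(smcPub, crypto.SHA256, packageDigest(info, content), sig); err != nil {
		return nil, fmt.Errorf("%w: signature does not match INF and CAB", ErrPackage)
	}
	return content, nil
}

func main() {
	smc := NewDemoKey()
	// Constructed sample contents, not a real INF or CAB.
	pkg, err := SignPackage(smc, []byte("InfName=sample.inf\n"), []byte("constructed CAB bytes"))
	if err != nil {
		panic(err)
	}
	_, err = VerifyPackage(&smc.PublicKey, pkg)
	fmt.Println("package as published:", err)

	// Any change to the CAB after publication must stop installation.
	pkg[contentName] = append(pkg[contentName], 0x00)
	_, err = VerifyPackage(&smc.PublicKey, pkg)
	fmt.Println("package after modification:", err)
}
```

The SMC public key is the trust anchor of this check, so the copy used for verification has to be authenticated itself, for example by validating SMC against the CA identity certificate, before it is used on a downloaded package.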
With reference to Figure 4, the certificates comprise: the service operation server user identity certificate SMUC, the service providing server user identity certificate SPUC, the service providing server user service certificate SPSC, the service operation server identity certificate SMC, the CA identity certificate, the service providing server identity certificate SPC, and the service providing server service item authorization certificate SAC. These certificates conform to the X509 standard and contain version 1 field items: version, serial number, signature algorithm, issuer, valid-from date (also called the validity period start date), expiration date (also called the validity period end date), subject, public key; attribute and standard extension items: subject key identifier, enhanced key usage, authority key identifier, thumbprint algorithm, thumbprint; and non-standard extension items (also called self-defined extension items): certificate category, check code, certificate category name, service identifier, owner certificate serial number, authorized number of services, service certificate category authorized for issue, starting serial number of service certificates authorized for issue, software platforms to which the authorized service applies, service item number, enhanced serial number.
The "version 1 field items" and the "attribute and standard extension items" of a certificate are clearly defined in the X509 certificate standard; the "non-standard extension items" are explained below:
1, Certificate category: the number of the certificate type. This system has at least the following certificate types: 1, service operation server user identity certificate SMUC; 2, service providing server user identity certificate SPUC; 3, service providing server user service certificate SPSC; 4, service operation server identity certificate SMC; 5, certification authority CA identity certificate; 6, service providing server identity certificate SPC; 7, service providing server service item authorization certificate SAC.
2, Check code: used to verify the legitimacy of the certificate content.
3, Certificate category name: a value in the subject format, used to identify the developer of the driver service security network system and to distinguish this system from other systems.
4, Service identifier: the unique identifier of a hardware device, for example: PCI\VEN_1106&DEV_3065.
5, Owner certificate serial number: the serial number of the "service providing server user identity certificate SPUC" of the owner of a "service providing server user service certificate SPSC", or the serial number of the "service providing server identity certificate SPC" of the owner of a "service providing server service item authorization certificate SAC".
6, Authorized number of services: the number of times the service providing server service item authorization certificate SAC authorizes the service providing server SP to provide the service of driver service item SI.
7, Service certificate category authorized for issue: the "certificate category" value of the "service providing server user service certificate SPSC" that the service providing server service item authorization certificate SAC authorizes the service providing server SP to issue for driver service item SI.
8, Starting serial number of service certificates authorized for issue: the minimum "enhanced serial number" of the "service providing server user service certificate SPSC" that the service providing server service item authorization certificate SAC authorizes the service providing server SP to issue for driver service item SI.
9, Software platforms to which the authorized service applies: the range of user software platforms on which the service providing server service item authorization certificate SAC authorizes the service providing server SP to provide driver service item SI, generally meaning operating system platforms.
10, Service item number: the number of the service item SI that the service providing server service item authorization certificate SAC authorizes the service providing server SP to provide.
11, Enhanced serial number: the number of the "service providing server user service certificate SPSC" that the service providing server SP issues to a user for driver service item SI.
The driver service operation server SM issues the "service providing server identity certificate SPC" and the "service providing server service item authorization certificate SAC" through the certificate authority server CA. To accept the service of a driver service item SI, the user client program Client must rely on the "service operation server user identity certificate SMUC", the "driver service providing server user identity certificate SPUC" and the "service providing server user service certificate SPSC". To provide the service of a driver service item SI, the driver service providing server SPSP must rely on the "service providing server identity certificate SPC" and the "driver service item SI service authorization certificate SAC".
When the driver service providing server SPSP provides the service of a driver service item SI, it is bound by the conditions stated in the relevant items of the "driver service item SI service authorization certificate SAC". These conditions include: the driver service providing server SPSP must have installed the SPC certificate with the specified "owner certificate serial number"; the time must fall between the specified "valid-from date" and "expiration date"; the identifier of the serviced device must be the one specified by the "service identifier"; the number of services must not exceed the "authorized number of services"; the enhanced serial number of each service certificate issued must be within the range specified by the "starting serial number of service certificates authorized for issue" and the "authorized number of services"; the software operating system platform must be within the range specified by the "software platforms to which the authorized service applies"; and so on.
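The SAC constraints listed above, as an added Go example that is not part of the patent text: the SP-side check made before a user service certificate SPSC is issued, and the range check a verifier can apply to an SPSC's enhanced serial number. The struct and function names are this example's own, the serial range is assumed to be [start, start + authorized count), and the sample certificate values are constructed apart from the device identifier quoted in the description.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// SAC carries the certificate fields that the description names as constraints.
type SAC struct {
	NotBefore, NotAfter time.Time // valid-from date and expiration date
	OwnerCertSerial     string    // serial number of the owning SPC
	ServiceID           string    // service identifier (hardware device ID)
	AuthorizedCount     int       // authorized number of services
	StartSerial         int       // starting enhanced serial number for SPSCs
	Platforms           []string  // software platforms the service applies to
}

// IssueRequest is the state the SP evaluates when a Client asks for an SPSC.
type IssueRequest struct {
	Now                time.Time
	InstalledSPCSerial string // SPC actually installed on the SP
	DeviceID           string // device the Client wants serviced
	Platform           string // Client operating system platform
	IssuedSoFar        int    // SPSCs already issued under this SAC
}

// ErrDenied wraps every constraint failure.
var ErrDenied = errors.New("SAC constraint violated")

// SerialInRange reports whether an SPSC enhanced serial number lies inside the
// block the SAC authorizes (assumed range: StartSerial inclusive,
// StartSerial+AuthorizedCount exclusive).
func SerialInRange(sac SAC, serial int) bool {
	return serial >= sac.StartSerial && serial < sac.StartSerial+sac.AuthorizedCount
}

// AllocateSPSCSerial checks each SAC constraint and, if all hold, returns the
// enhanced serial number for the next SPSC.
func AllocateSPSCSerial(sac SAC, req IssueRequest) (int, error) {
	deny := func(why string) (int, error) { return 0, fmt.Errorf("%w: %s", ErrDenied, why) }
	platformOK := false
	for _, p := range sac.Platforms {
		if p == req.Platform {
			platformOK = true
		}
	}
	switch {
	case req.InstalledSPCSerial != sac.OwnerCertSerial:
		return deny("installed SPC is not the SAC owner")
	case req.Now.Before(sac.NotBefore) || req.Now.After(sac.NotAfter):
		return deny("outside the SAC validity period")
	case !strings.EqualFold(req.DeviceID, sac.ServiceID):
		return deny("device is not the one named by the service identifier")
	case !platformOK:
		return deny("platform is not authorized")
	}
	serial := sac.StartSerial + req.IssuedSoFar
	if !SerialInRange(sac, serial) {
		return deny("authorized number of services used up")
	}
	return serial, nil
}

// SampleSAC returns a constructed certificate: 3 services, serials 5000-5002.
func SampleSAC() SAC {
	return SAC{
		NotBefore:       time.Date(2004, 11, 18, 0, 0, 0, 0, time.UTC),
		NotAfter:        time.Date(2005, 11, 18, 0, 0, 0, 0, time.UTC),
		OwnerCertSerial: "SPC-0001",
		ServiceID:       `PCI\VEN_1106&DEV_3065`,
		AuthorizedCount: 3,
		StartSerial:     5000,
		Platforms:       []string{"Windows 2000", "Windows XP"},
	}
}

// SampleRequest returns a constructed request that satisfies SampleSAC.
func SampleRequest() IssueRequest {
	return IssueRequest{
		Now:                time.Date(2005, 1, 10, 9, 0, 0, 0, time.UTC),
		InstalledSPCSerial: "SPC-0001",
		DeviceID:           `PCI\VEN_1106&DEV_3065`,
		Platform:           "Windows XP",
	}
}

func main() {
	sac, req := SampleSAC(), SampleRequest()
	for issued := 0; issued <= sac.AuthorizedCount; issued++ {
		req.IssuedSoFar = issued
		serial, err := AllocateSPSCSerial(sac, req)
		fmt.Println(issued, serial, err)
	}
}
```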

Claims (9)

1, A method for implementing a computer driver service security network system, the steps comprising:
(1) the driver service providing server SP (13-1, 13-2) applies to the driver service operation server SM (12) for a driver service providing server identity certificate SPC;
(2) the driver service providing server SPDP (13-1), which provides drivers, provides the driver DF to the driver service operation server SM (12); after the driver service operation server SM (12) passes it in review, the driver file DF is published as a driver service item SI;
(3) the driver service providing server SPSP (13-2) registers the service of a driver service item SI with the driver service operation server SM (12);
(4) the user client program Client (14) obtains the service of the driver service item SI.
2, The method for implementing a computer driver service security network system as claimed in claim 1, characterized in that: the driver service operation server SM (12) issues certificates through the certification authority server CA (11).
3, The method for implementing a computer driver service security network system as claimed in claim 1 or 2, characterized in that: the driver service providing server SPDP (13-1) provides the driver DF to the driver service operation server SM (12) in the following substeps:
(1) SPDP (13-1) uses the driver service providing server identity certificate SPC to register a driver service item SI with the driver service operation server SM (12);
(2) after approval is obtained, SPDP (13-1) submits the driver file DF corresponding to the driver service item SI to the driver service operation server SM (12) and requests publication;
(3) after passing review by the driver service operation server SM (12), the driver file DF is published and packaged into a driver package DP that can no longer be modified.
4, The method for implementing a computer driver service security network system as claimed in claim 1 or 2, characterized in that: the driver service providing server SPSP (13-2) registers the service of a driver service item SI with the driver service operation server SM (12) in the following substeps:
(1) SPSP (13-2) uses the service providing server identity certificate SPC to apply to the driver operation server SM (12) to register the service of a driver service item SI;
(2) after review by the service operation server SM (12), the driver service item SI service authorization certificate SAC is issued by the certification authority server CA (11), authorizing SPSP (13-2) to provide the service of the driver service item SI;
(3) SPSP (13-2) downloads and installs the service authorization certificate SAC;
(4) SPSP (13-2) downloads the driver package DP corresponding to the driver service item SI and, using the service authorization certificate SAC, fills in the deployment parameters SIDP to deploy DP on SPSP (13-2);
(5) SPSP (13-2) fills in the service parameters SIP of the driver service item SI to open the service of the driver service item SI.
5, The method for implementing a computer driver service security network system as claimed in claim 1 or 2, characterized in that:
the user client program Client (14) obtains the service of the driver service item SI in the following substeps:
(1) Client (14) applies to the service operation server SM (12) for a service operation server user identity certificate SMUC for a new user;
(2) Client (14) submits a driver service request to the service operation server SM (12); the service operation server SM (12) finds the service of a driver service item SI provided by a matching driver service providing server SPSP (13-2) and returns the service parameters SIP to Client (14);
(3) using the parameters SIP, Client (14) applies to the driver service providing server SPSP (13-2) for a driver service providing server user identity certificate SPUC for a new user;
(4) using the parameters SIP, Client (14) queries the driver service providing server SPSP (13-2) for the deployment parameters SIDP of the service of the driver service item SI;
(5) using the deployment parameters SIDP of the service of the driver service item SI and the identity certificate SPUC, Client (14) applies to the driver service providing server SPSP (13-2) for a service providing server user service certificate SPSC;
(6) Client (14) downloads the driver package DP from the driver service providing server SPSP (13-2) and verifies whether the content of DP has been modified; if it has not, Client unpacks it to obtain the driver file DF;
(7) Client installs the driver file DF to resolve the driver fault of the device, and reports the service result to the service operation server SM (12) using the service operation server user identity certificate SMUC and the service providing server user service certificate SPSC.
6, The method for implementing a computer driver service security network system as claimed in claim 1, characterized in that: the service providing server identity certificate SPC comprises:
(1) version 1 fields: version, serial number, signature algorithm, issuer, valid-from date, expiration date, subject, public key;
(2) standard extension items: subject key identifier, enhanced key usage, authority key identifier, thumbprint algorithm, thumbprint;
(3) non-standard extension items: certificate category, certificate category name.
7, The method for implementing a computer driver service security network system as claimed in claim 4, characterized in that: the driver service item SI service authorization certificate SAC comprises:
(1) version 1 fields: version, serial number, signature algorithm, issuer, valid-from date, expiration date, subject, public key;
(2) standard extension items: subject key identifier, enhanced key usage, authority key identifier, thumbprint algorithm, thumbprint;
(3) non-standard extension items: certificate category, check code, certificate category name, service identifier, owner certificate serial number, authorized number of services, service certificate category authorized for issue, starting serial number of service certificates authorized for issue, software platforms to which the authorized service applies, service item number.
8, The method for implementing a computer driver service security network system as claimed in claim 5, characterized in that: the service providing server user service certificate SPSC comprises:
(1) version 1 fields: version, serial number, signature algorithm, issuer, valid-from date, expiration date, subject, public key;
(2) standard extension items: subject key identifier, enhanced key usage, authority key identifier, thumbprint algorithm, thumbprint;
(3) non-standard extension items: certificate category, certificate category name, check code, service identifier, owner certificate serial number, enhanced serial number.
9, The method for implementing a computer driver service security network system as claimed in claim 5, characterized in that: the driver package DP comprises three files. File 1 is the summary file of the service item SI and the driver file DF, generated by the service operation server SM; it describes the main parameters of the service item SI and the driver file DF, including: device identifier DeviceID, INF file name InfName, INF install section InfSection, driver date, driver version, driver package size, etc. File 2 is the compressed file of the driver file DF, generated by the service operation server SM. File 3 is the signature file generated by signing the contents of file 1 and file 2 with the private key of the service operation server identity certificate SMC.
CNB2004100098203A 2004-11-18 2004-11-18 Method for implementing computer driving service security network system Expired - Fee Related CN100393033C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2004100098203A CN100393033C (en) 2004-11-18 2004-11-18 Method for implementing computer driving service security network system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2004100098203A CN100393033C (en) 2004-11-18 2004-11-18 Method for implementing computer driving service security network system

Publications (2)

Publication Number Publication Date
CN1606270A true CN1606270A (en) 2005-04-13
CN100393033C CN100393033C (en) 2008-06-04

Family

ID=34763105

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2004100098203A Expired - Fee Related CN100393033C (en) 2004-11-18 2004-11-18 Method for implementing computer driving service security network system

Country Status (1)

Country Link
CN (1) CN100393033C (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102542378A (en) * 2010-12-20 2012-07-04 耿健 Method and system for managing distribution and service system of electronic products
CN106599729A (en) * 2016-12-09 2017-04-26 郑州云海信息技术有限公司 Safety verification method and system for driving program
WO2020019971A1 (en) * 2018-07-25 2020-01-30 百富计算机技术(深圳)有限公司 Active security protection method for operating system, system and terminal device

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4763866B2 (en) * 1998-10-15 2011-08-31 インターシア ソフトウェア エルエルシー Method and apparatus for protecting digital data by double re-encryption
CN1260927C (en) * 2002-11-26 2006-06-21 华为技术有限公司 IP network system for realizing safety verification and method thereof
CN1509097A (en) * 2002-12-20 2004-06-30 英业达集团(上海)电子技术有限公司 Method for conducting safe far-end electronic signing and checking through mobile telephone

Also Published As

Publication number Publication date
CN100393033C (en) 2008-06-04

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20080604

Termination date: 20131118