Background technology
Except having the communicator function that voice are the master, also can carry out multiple online service, electronic dictionary function and navigation feature etc. in the general mobile communication terminal based on HDML (Handheld Device Markup Language-handheld device markup language), WML (Wireless Markup Language-WAP Markup Language), WAP (Wireless ApplicationProtocol-WAP (wireless application protocol)).
The software that above-mentioned value-added functionality as mobile communication terminal is used, it is developed all the time and will be updated to the software of redaction along with the process of time.
Thus, for the value-added functionality that increases mobile communication terminal or upgrade value-added functionality in the current use, often mobile communication terminal is downloaded and be installed in to the generation software that will be used for carrying out the respective service function by communication network or wired, wireless short-distance communication interface.
Fig. 1 is an example of carrying out the system of software download by the communication network of mobile communication terminal, and it illustrates the structural representation that is used for providing by mobile communication terminal the system of online JAVA game services.
As shown in Figure 1, in the system of reproducing the JAVA game services was provided by mobile communication terminal 1, the WAP server (WAP server:WirelessApplication Protocol server) 6 that can drive the mobile communication terminal of JAVA recreation and make the mobile communication terminal of above-mentioned execution JAVA recreation can be connected JAVA recreation and execution game on line connected and composed by communication network 30.
Be built-in with in the above-mentioned mobile communication terminal: be used to the WAP browser (WAP browser) 2 that is connected to the WAP server and carries out data communication; Be used to manage the JAVA application management program (JAM:JAVA Application Manager) 3 of the driving of JAVA recreation; Be used to carry out the JAVA virtual machine (JVM:JAVA Virtual Machine) 4 of JAVA recreation.
Wherein, above-mentioned WAP browser 2 makes mobile communication terminal be connected to the WAP server and can download the JAVA program, above-mentioned JAM (3) carries out and is installed in the mobile communication terminal by the corresponding compiling of the JAVA program of WAP browser downloads (compile) operation and with it, and the code (code) that 4 of JAVA virtual machines (JVM) read the JAVA program of above-mentioned compiling makes the user carry out the JAVA recreation.
Include in the above-mentioned WAP server 6: the WAP management department 7 that is used for providing the WAP Connection Service to mobile communication terminal; Be used for that recreation between a plurality of mobile communication terminals of relevant connection of the game on line of management of mobile telecommunication terminal and recreation is kept and the game management portion 8 of the transmitting-receiving operation of personal information data; The customer data base 9 that is used for managing user information.
Provide in the system in above-mentioned JAVA game services, after mobile communication terminal is connected to WAP server download JAVA program and installation, can carry out based on the online JAVA game services of communication network or the off line JAVA recreation of terminal unit.
But, in the software download process of the mobile communication terminal of above-mentioned prior art, mobile communication terminal can only by communication network from server or by wired, wireless short-distance wireless communication interface from computer, and can download required software by portable storage devices such as externally positioned type memories, it can't carry out verification operation to corresponding software.
Promptly, mobile communication terminal of the prior art can't confirm whether corresponding software is moved the worm-type virus of communication terminal Viruses such as (worm virus) or is used for the infection such as Hacker Program of leakage of personal information when downloading required software by communication network and installing.And under having installed by the situation of the software of virus infections, mobile communication terminal self does not have viral search function, and the general user can't confirm that whether the mobile communication terminal of oneself is by virus infections.
Thus, mobile communication terminal of the prior art will expose to Virus with the state that nothing is set up defences, and makes to cause mobile communication terminal to carry out misoperation because of above-mentioned Virus.More under the serious situation, outside other people can obtain the personal information in the mobile communication terminal easily by the Virus that comprises in the software, thereby can't provide trustworthy security performance to the user.
Summary of the invention
Technical problem to be solved by this invention is to provide a kind of software certification device and method thereof of mobile communication terminal, in the present invention, downloading by mobile communication terminal under the situation of software, add hash (hash) value be used to confirm the code corresponding and whether change, verification and (checksum) wait authentication information, thereby confirm that by mobile communication terminal the operation of the integrality of software code can detect by the software of infection such as virus with corresponding software.
For achieving the above object, the software certification device of the mobile communication terminal among the present invention, it is characterized in that, include following several sections: be used to store terminal storage portion by communication network or wired, wireless short-distance communication interface downloaded software and the authentication information relevant with above-mentioned software; In above-mentioned terminal storage portion is installed before the saved software, whether change and the software authentication portion of the integrality of verifying software by the code that utilizes above-mentioned authentication information to detect above-mentioned software.
And, for achieving the above object, the software certification device of the mobile communication terminal among the present invention, it is characterized in that, include: mobile communication terminal and software provide server, wherein, be provided with in the above-mentioned mobile communication terminal: being connected to software by communication network provides server or is connected to outside computer installation and downloads software and the terminal communication interface portion of the authentication information of above-mentioned software by the short-range communication mode; Be used to store the terminal storage portion of above-mentioned software and software authentication information; In above-mentioned terminal storage portion is installed before the saved software, whether change and the software authentication portion of the integrality of verifying software by the code that utilizes above-mentioned authentication information to detect above-mentioned software, above-mentioned software provides in the server and is provided with: be used to control the connection of above-mentioned mobile communication terminal and the server communications portion of software download operation; Be used to generate the software authentication information generating unit of the authentication information corresponding with above-mentioned software; Be used to store the server storage section of above-mentioned software and the authentication information corresponding with above-mentioned software.
And for achieving the above object, the software authentication method of the mobile communication terminal among the present invention is characterized in that, includes following several steps: the authentication information that generates the authentication information of the integrality be used to verify mobile communication terminal software generates step; The software distribution step of distributing above-mentioned software and above-mentioned authentication information; Utilize the authentication information corresponding to detect the integrality whether software authentication step of above-mentioned software code with above-mentioned software.
And above-mentioned authentication information generates in the step and also can include: the encrypting step that utilizes key that above-mentioned authentication information is encrypted; The certificates of recognition that generation has the certificates of recognition of the PKI corresponding with above-mentioned key (public key) generates step.
And, in above-mentioned software distribution step, with authentication information that distributes above-mentioned software and encrypt by above-mentioned key and certificates of recognition with PKI corresponding with above-mentioned key.In addition, also can include in the above-mentioned software distribution step: at the fee deduction treatment step of deducting fees of above-mentioned software.
And, also include in the above-mentioned software authentication step: the decryption step that the PKI that utilizes above-mentioned certificates of recognition is decrypted the authentication information of above-mentioned encryption.And, result in above-mentioned software authentication step works as under the situation of software change, if when in the software distribution step, carrying out fee deduction treatment, do not obtain authentication, the deduct fees cancellation step of cancellation at the fee deduction treatment of software will be carried out by the integrality that provides server to transmit software to software.
Wherein, above-mentioned authentication information can be appointed as the hashed value based on the above-mentioned software code of the hash function of preassignment, and above-mentioned hashed value can be encrypted by key.In the case, in order to distribute the hashed value of encrypting and the PKI corresponding to the user, will comprise certificates of recognition in the above-mentioned authentication information with above-mentioned PKI with above-mentioned key by above-mentioned key.
Above-mentioned hash function can together provide by the down operation of software, or can use the hash function of comparatively knowing usually.At this, under the situation of using the hash function of comparatively knowing usually, the hash function of use will be stored in mobile communication terminal in advance and software provides in the server.
Utilizing as mentioned above under the situation of the hash function of comparatively knowing usually, software provides server to generate hashed value and distribution software when software download operation taking place at every turn, or generating hashed value in advance at each software also distributes the above-mentioned software that includes hashed value after the interpolation.In addition, when the down operation of software takes place, mobile communication terminal will utilize the hash function of storage in advance and detect hashed value.
In the invention described above, above-mentioned authentication information is not to be defined in hashed value, as long as CRC (CycleRedundancy Check-cyclic redundancy check (CRC)), detect the method etc. of the mistake of bit column can be by verification and the change that (checksum) detects source code whether, it is any will to can be used as authentication information use.
Adopt the present invention, at the software of carrying out in the mobile communication terminal install or drive software before, the change whether authentication information of the source code by can confirming corresponding software is verified the integrality of software, make by aforesaid operations and confirm its whether infective virus etc., thereby can prevent that mobile communication terminal from being infected and improving the fail safe of the personal information of mobile communication terminal user by malignant virus etc.
Embodiment
With reference to the accompanying drawings the present invention is described in more detail.
The present invention can realize that different therewith, the present invention also can provide the software of software to provide server 20 to constitute by mobile communication terminal 10 with by communication network 30 by mobile communication terminal self.
Under the situation that the present invention realizes by mobile communication terminal self, as shown in Figure 2, include in the above-mentioned mobile communication terminal: be used to store terminal storage portion 13 by communication network 30 or wired, wireless short-distance terminal communication interface portion 11 downloaded software and the authentication information corresponding with above-mentioned software; In above-mentioned terminal storage portion 13 is installed before the saved software, whether change and the software authentication portion 12 of the integrality of verifying software by the code that utilizes above-mentioned authentication information to detect above-mentioned software.
In addition, provide the software of software to provide under the situation that server 20 constitutes by mobile communication terminal 10 with by communication network 30 in the present invention, can include among the present invention: mobile communication terminal 10 and software provide server 20, wherein, be provided with in the above-mentioned mobile communication terminal 10: being connected to software by communication network 30 provides server 20 or is connected to outside computer installation and downloads software and the terminal communication interface portion 11 of the authentication information of above-mentioned software by the short-range communication mode; Be used to store the terminal storage portion 13 of above-mentioned software and software authentication information; In above-mentioned terminal storage portion 13 is installed before the saved software, whether change and the software authentication portion 12 of the integrality of verifying software by the code that utilizes above-mentioned authentication information to detect above-mentioned software, above-mentioned software provides in the server 20 and is provided with: be used to control above-mentioned mobile communication terminal 10 by the connection of communication network 30 and the server communications portion 21 of software download operation; Be used to generate the software authentication information generating unit 22 of the authentication information corresponding with above-mentioned software; Be used to store the server storage section 23 of above-mentioned software and the authentication information corresponding with above-mentioned software.
In aforesaid structure, can include in the following structure at least more than one in the above-mentioned terminal communication interface portion 11: after being connected to software server 20 is provided by radio-frequency part (not shown) and communication network 30, retrieve above-mentioned software the stored information of storage in the server 20 and the WAP browser that can download are provided; Be used to provide with infrared communications set, bluetooth, the serial communication apparatus of the short-range communication of subscriber computer and be used to provide the nfc apparatus of user interface (interface); The externally positioned type memory interface.
That is, above-mentioned mobile communication terminal 10 can utilize terminal communication interface portion 11 to be connected to the external computer device that software provides server 20 or user, or downloads software and software authentication information by the externally positioned type memory.
Have when input under the situation of drive signal of the software that downloads to mobile communication terminal, the hash function that above-mentioned software authentication portion 12 together provides when utilizing the hash function of storage in the terminal storage portion 13 or downloading software obtain software hashed value and with authentication information in the hashed value that comprises compare, make by the integrality of checking software software verified.Wherein, under the situation that the hashed value that comprises in the software is encrypted by key, above-mentioned software authentication portion 12 also will carry out the process of utilizing the PKI that comprises in the certificates of recognition corresponding with above-mentioned software that the hashed value of above-mentioned encryption is decrypted.
Store software and the authentication information corresponding that downloads to mobile communication terminal in the above-mentioned terminal storage portion 13 with downloaded software, above-mentioned authentication information by the hashed value corresponding with above-mentioned software, have and the certificates of recognition that hashed value is carried out the corresponding PKI of encrypted secret key, and the information such as hash function that are used for the Hash operation of above-mentioned software constitute, but the present invention is defined in this, as long as the change that can confirm above-mentioned software code whether, it can use any information as authentication information.
Above-mentioned server communications portion 21 is used to provide based on the connection and the data of the communication network 30 of mobile communication terminal and downloads, and it can be by WAP server engine formations such as (engine).Promptly, when having the attended operation of mobile communication terminal, but above-mentioned server communications portion 21 makes the mobile communication terminal user retrieval software that canned data in the server 20 is provided, and when specific software is downloaded in request in retrieved message, will be from server storage section 23 reading software and software authentication information and send mobile communication terminal to.In addition, under the situation of operation of need deducting fees at software, with the information that mobile communication terminal user input deducted fees need in the operation and carry out fee deduction treatment.And, when receiving the signal of downloaded software change, with the fee deduction treatment of cancellation at the corresponding software execution from the mobile communication terminal of downloading software.
Above-mentioned software authentication information generating unit 22 is used to generate the hashed value as the relevant authentication information of the software that will distribute to mobile communication terminal, by key the hashed value that generates is carried out cryptographic operation, generation has the certificates of recognition of the PKI corresponding with key, and with the information stores of above-mentioned generation in functions such as server storage section 23.
In the above-mentioned server storage section 23 storing software and being used to generate software hashed value hash function, the hashed value corresponding, the key that is used for cryptographic operation, PKI with software and have the certificates of recognition of PKI.
In the present invention with as above structure, when to the mobile communication terminal distribution software, to in software, comprise at the hashed value of utilizing particular Hash function of above-mentioned software and distribute, after mobile communication terminal is carried out Hash operation and is calculated hashed value software by above-mentioned hash function, the hashed value that provides during with itself and distribution software compare and the change of confirming software code whether, thereby can confirm whether have virus, Hacker Program in the software.
Fig. 3 is the flow chart of the software authentication method detailed process process of the mobile communication terminal among the present invention.
As shown in Figure 3, know,, at first generate and the corresponding authentication information of software that needs distribution as will be by communication network or short-range communication net during to software that mobile communication terminal distributes in the present invention.Wherein, above-mentioned authentication information is made of the hashed value of specifying the software code that obtains at the hash function of corresponding software and the hash function by appointment etc., generates software hashed value (step S1).
Under situation about need encrypt to authentication informations such as hashed values, utilize key that hashed value is carried out cryptographic operation, it is added in the authentication information after generating certificates of recognition with PKI corresponding with key.Wherein, authentication information will be the hashed value of the aforesaid software code that obtains by preassigned hash function, and will comprise the hashed value of encryptionizations and have the certificates of recognition of PKI under the situation of carrying out cryptographic operation.In addition, under the undocumented situation of hash function, will also comprise above-mentioned hash function (certificates of recognition generation step), and promptly utilize key to encrypt the back and generate certificates of recognition (step S2) with PKI.
Above-mentioned S1 or S1 and S2 step will constitute authentication information and generate step.
After generating the authentication information corresponding as mentioned above, when needs distribute above-mentioned software, the authentication information corresponding with above-mentioned software will be distributed together with software.At this moment, above-mentioned software and authentication information will directly be assigned to mobile communication terminal by the mode that communication network is downloaded, or utilize computer and nfc apparatus to download to mobile communication terminal by CD (compact disk), hard disk (hard disk), floppy disk flash memory devices such as (floppy disk), or distribute (software distribution step) by the externally positioned type memory, i.e. distribution software (source, keyed hash value, certificates of recognition) (step S3).
The mobile communication terminal 10 that downloads to software and software authentication information by the way with software and software authentication information stores behind storage part, whether the code that utilizes software authentication information to detect software at the original execution time points such as installation of software changes and carries out the authentication operation of the integrality of confirming software.Wherein, under the disclosed situation of hash function that is used for obtaining the hashed value that the executive software authentication operation needs, above-mentioned hash function will be stored in the mobile communication terminal in advance, but if under the undocumented situation, will together distribute to mobile communication terminal in above-mentioned software distribution step.Thus, the software authentication portion 12 of mobile communication terminal will utilize the hash function of appointment in the software to generate the hashed value corresponding with saved software.
At this moment, under the encrypted situation of hashed value, the software authentication portion 12 of mobile communication terminal also will carry out and utilize the PKI that comprises in the certificates of recognition to the step that the hashed value of encrypting is decrypted, and promptly after certificates of recognition extracts PKI hashed value will be decrypted and detect source hashed value (step S4).
After the S4 step, the hashed value that adopts hash function in hashed value that the software authentication portion 12 of mobile communication terminal will provide in the time of will downloading software and the software code that downloads to and obtain compares, judge that promptly the decrypted hash value equates with the source hashed value? (step S5).
Relatively result is when hashed value is consistent in above-mentioned S5 step, and its code of representing corresponding software changes, and makes will to be judged as the infection that does not have virus etc. and to install or drive software, i.e. executive software (step S6).
In addition, the result who compares in above-mentioned S5 step is when hashed value is inconsistent, and code of its expression corresponding software changes, and makes will be judged as by infection and deletion downloaded software such as viruses.And, if in this process, take place under the situation of operating of deducting fees at software, also will carry out to software provides the server transmission to be used to point out downloaded software that the signal of change takes place, and the cancellation step of deducting fees that makes software provide the server cancellation to deduct fees operation is promptly deleted software (step S7).
<embodiment 〉
The embodiments of the invention that adopt in the online JAVA game services to mobile communication terminal describe below.
As shown in Figure 4, online JAVA game services in the situation of the online JAVA game services that offers mobile communication terminal provides in the system, its mobile communication terminal 100 and JAVA game server 200 by at least more than one connects and composes by communication network 30, wherein, after above-mentioned at least more than one mobile communication terminal 100 is connected to that JAVA game server 200 is downloaded the relevant JAVA source code of JAVA recreation and JAVA source authentication information and the JAVA source code authenticated, the JAVA source code of above-mentioned authentication is compiled (compile) and receives online JAVA game services; Above-mentioned JAVA game server 200 provides JAVA game services after above-mentioned mobile communication terminal 100 is provided for the JAVA source code of JAVA game services and is used for the authentication information of JAVA source authentication.
In said structure, include following several sections in the above-mentioned mobile communication terminal: be connected to JAVA game server 200 and download the JAVA source code and the WAP browser 101 of JAVA source authentication information by wireless Internet; By the JAVA execution portion 102 that the JAVA source code of downloading is carried out the JAVA application management program (JAM) of compilation operations and carried out JAVA virtual machine (JVM) formation of the JAVA program that compiles; Utilize the JAVA source authentication information of downloading to carry out the JAVA source authentication department 103 of the change whether authentication operation of compiling JAVA source code before; Be used to store the JAVA source code and the JAVA source authentication information that download to and reach the terminal storage portion 104 of the hash function of storage as required and in advance.
In addition, include following several sections in the above-mentioned JAVA game server 200: be used to provide the wireless Internet Connection Service of mobile communication terminal 100, and the WAP management department 201 that provides JAVA source code that mobile communication terminal 100 is selected and JAVA source authentication information to send WAP services such as mobile communication terminal to; Be used for managing the driving of the JAVA recreation of the relevant server end of online JAVA recreation that above-mentioned mobile communication terminal 100 carries out, and to carry out the game management portion 202 that the data message that produces is media execution game on line by the recreation between the game on line user; Be used to store the customer data base 203 of the user's who receives above-mentioned game services information; Be used to generate and the corresponding hashed value of JAVA source code that offers mobile communication terminal 100, and after utilizing the key pair hashed value corresponding to encrypt as required, generate the JAVA source authentication information generating unit 204 of certificates of recognition with PKI corresponding with key with the JAVA source code; Be used to store the server storage section 205 of above-mentioned JAVA source code, JAVA source authentication information, certificates of recognition and hash function with public key information.
Under the situation of the online JAVA game service system of the mobile communication terminal in having one embodiment of the invention of as above structure, store the JAVA source code that is used for the JAVA recreation in the JAVA game server 200, and when mobile communication terminal 100 requests that connect by communication network 300 are downloaded, send the JAVA source code of above-mentioned storage to mobile communication terminal, and the JAVA PROGRAMMED REQUESTS that drives in by mobile communication terminal will provide online JAVA game services to mobile communication terminal when online game services is provided.
The JAVA game server 200 of carrying out above-mentioned action will generate hashed value by the hash function of preassigned hash function or storage at the JAVA source code that needs send mobile communication terminal to, and it is offered mobile communication terminal as the JAVA source authentication performance corresponding with the JAVA source code.Wherein, above-mentioned hashed value as JAVA source authentication information can be encrypted by key, and in the case, above-mentioned JAVA game server 200 has generation the certificates of recognition of the PKI corresponding with key and offers mobile communication terminal.
The hashed value as JAVA source authentication information that provides at above-mentioned server, hash function, certificates of recognition etc. will generate and offer mobile communication terminal when downloading the JAVA source code, or after being formed and stored in server storage section 205 in advance, when downloading the JAVA source code, together send mobile communication terminal to.
In addition, the mobile communication terminal 100 of Fig. 4 will together download to the JAVA source authentication information of the hash function that includes hashed value and comprise certificates of recognition as required downloading under the situation of JAVA source code from JAVA game server 200.And, the JAVA source authentication department 103 of mobile communication terminal 100 is before the compilation operations to the JAVA source code, after utilizing hash function to obtain the hashed value corresponding with the JAVA source code, with its with and the hashed value that together provides of JAVA source code as authentication information compare.In this process, under the situation that hashed value is encrypted by key, the process of utilizing the PKI that comprises in the certificates of recognition to be decrypted execution.
After carrying out said process, under the consistent situation of the hashed value of the JAVA source code that generates in the JAVA source authentication department 103 of the hashed value of the JAVA source code that JAVA game server 200 provides and mobile communication terminal 100, do not change in its expression JAVA source code, making does not have infective virus etc. and carries out compilation operations being judged as.
In addition, under the inconsistent situation of hashed value of the JAVA source code that generates in the JAVA source authentication department 103 of the hashed value of the JAVA source code that JAVA game server 200 provides and mobile communication terminal 100, change in its expression JAVA source code, make and to be judged as the JAVA source code of infective virus etc. and deletion download.And, under the situation of having carried out at the JAVA source code of downloading of operating of deducting fees, also carry out the cancellation process of deducting fees that the cancellation information of will deducting fees sends JAVA game server 200 to and makes cancellation deduct fees and operate in the time of deletion JAVA source code.
By aforesaid process, can verify the JAVA integrity of source code of online download.
The invention effect:
In the present invention, at the software of carrying out in the mobile communication terminal install or drive software before, the change whether authentication information of the source code by can confirming corresponding software is verified the integrality of software, make by aforesaid operations and confirm its whether infective virus etc., thereby can prevent that mobile communication terminal from being infected and improving the fail safe of the personal information of mobile communication terminal user by malignant virus etc.
Certainly; the present invention also can have other various embodiments; under the situation that does not deviate from spirit of the present invention and essence thereof; being familiar with those of ordinary skill in the art ought can make various corresponding changes and distortion according to the present invention, but these corresponding changes and distortion all should belong to the protection range of the appended claim of the present invention.