[go: up one dir, main page]

CN103491097B - Software Authorization System Based on Public Key Cryptosystem - Google Patents

Software Authorization System Based on Public Key Cryptosystem Download PDF

Info

Publication number
CN103491097B
CN103491097B CN201310456961.9A CN201310456961A CN103491097B CN 103491097 B CN103491097 B CN 103491097B CN 201310456961 A CN201310456961 A CN 201310456961A CN 103491097 B CN103491097 B CN 103491097B
Authority
CN
China
Prior art keywords
user
software
certificate
authority
module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201310456961.9A
Other languages
Chinese (zh)
Other versions
CN103491097A (en
Inventor
张昭理
杨宗凯
刘三女牙
易宝林
舒江波
孙建文
郑婷
彭晛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Central China Normal University
Original Assignee
Central China Normal University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Central China Normal University filed Critical Central China Normal University
Priority to CN201310456961.9A priority Critical patent/CN103491097B/en
Publication of CN103491097A publication Critical patent/CN103491097A/en
Application granted granted Critical
Publication of CN103491097B publication Critical patent/CN103491097B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/70Software maintenance or management
    • G06F8/71Version control; Configuration management
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/006Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving public key infrastructure [PKI] trust models
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107File encryption
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/60Software deployment
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/60Software deployment
    • G06F8/65Updates

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a kind of software authorization system based on public-key cryptosystem, including server end and client, wherein server end includes mechanism's certificate of authority generation module, receiver module, authentication module and user's certificate of authority generation module;User's certificate of authority generation module specifically includes: Digital Signature module, and user registers the computer hardware feature h in file with RSA private key0It is digitally signed, generates s0;Encryption string generation module, for the software version information v that will obtain, user profile u, licensing term ex, current time cur and s0The hybrid operation carrying out presetting generates encryption string signB64;Certificates constructing module, for generating user's certificate of authority together by encryption string signB64 and RSA PKI.The present invention can prevent software to be illegally duplicated, and is managed concentratedly by software publishing person simultaneously, facilitates software to carry out upgrading, follows the tracks of and push personalized service etc. for user and manage after sale.

Description

基于公钥密码体制的软件授权系统Software Authorization System Based on Public Key Cryptosystem

技术领域technical field

本发明涉及软件授权方法,尤其涉及一种基于公钥密码体制的软件授权系统。The invention relates to a software authorization method, in particular to a software authorization system based on a public key cryptosystem.

背景技术Background technique

盗版的存在已经成为制约计算机软件业发展的重要因素,软件具有易复制性、复制成本低等性质,如今企业亟需采取技术措施来保护自己的版权。因此研究设计出一种有效的、实用的且具有安全强度的软件授权方法,具有重要的现实意义。The existence of piracy has become an important factor restricting the development of the computer software industry. Software is easy to copy and the copy cost is low. Now companies urgently need to take technical measures to protect their copyrights. Therefore, it is of great practical significance to study and design an effective, practical and secure software authorization method.

在公钥密码体制中,加密密钥不同于解密密钥。迄今为止的所有公钥密码体系中,RSA算法是最著名、使用最广泛的一种。RSA算法很好地解决了对称加密算法的密钥的利用公开信道传输分发的难题,还可利用RSA算法来完成对信息的数字签名以对抗信息的否认与抵赖,同时还可以利用数字签名较容易地发现攻击者对信息的非法篡改,以保护数据信息的完整性。In public key cryptography, the encryption key is different from the decryption key. Among all public key cryptosystems so far, the RSA algorithm is the most famous and widely used one. The RSA algorithm solves the problem of using the public channel transmission and distribution of the key of the symmetric encryption algorithm well. It can also use the RSA algorithm to complete the digital signature of the information to resist the denial and denial of the information. At the same time, it is easier to use the digital signature It can detect illegal tampering of information by attackers in order to protect the integrity of data information.

常用的软件保护方式一般分为软加密和硬加密两种。硬加密主要是指加密狗或加密锁。硬件加密锁的优点是授权发放简单、可移动。但是随着互联网的使用越来越普及,也暴露出不少缺点:1)适用于传统的一次性永久授权,无法实现试用版本和按需购买;2)硬件的存在带来额外的生产、初始化、物流、安装和维护的成本;3)安装驱动和客户端组件以及额外的硬件设备影响了客户的使用体验;4)无法实现基于互联网的电子化发行;5)难以进行升级、跟踪及售后管理。软加密不依靠特别硬件来实现的对软件的保护技术。它的最大优势在于极低的加密成本。目前主要有序列号方案、License文件方案、密码表方案等。其中License文件的授权机制逐渐得到广泛的应用,软件商可以限定只有购买了License的用户才能在特定的机器上使用软件产品。License文件机制主要有以下功能:1)应用程序可以创建以及验证绑定给用户、系统等实体的license;2)防止用户随意拷贝软件和license;3)license可以是永久性的或者临时性的;4)license的验证由JAVASecurityAPI提供的数字签名机制来实现,安全性有保证。但是目前的license文件授权机制在机构管理环境下使用还存在明显的不足,它无法实现按用户级别进行模块化的授权。机构管理员角色无法有效管理其下普通用户的授权信息。Commonly used software protection methods are generally divided into two types: soft encryption and hard encryption. Hard encryption mainly refers to dongles or dongles. The advantage of the hardware dongle is that authorization is issued easily and can be moved. However, as the use of the Internet becomes more and more popular, many shortcomings are also exposed: 1) It is suitable for traditional one-time permanent authorization, and trial versions and on-demand purchases cannot be realized; 2) The existence of hardware brings additional production and initialization , logistics, installation and maintenance costs; 3) installation of drivers and client components and additional hardware devices affect customer experience; 4) electronic distribution based on the Internet cannot be realized; 5) it is difficult to perform upgrades, tracking and after-sales management . Soft encryption is a protection technology for software that does not rely on special hardware. Its biggest advantage is its extremely low encryption cost. At present, there are mainly serial number schemes, license file schemes, and password table schemes. Among them, the license file authorization mechanism has been widely used gradually, and software vendors can limit that only users who have purchased the license can use the software product on a specific machine. The license file mechanism mainly has the following functions: 1) applications can create and verify licenses bound to users, systems and other entities; 2) prevent users from copying software and licenses at will; 3) licenses can be permanent or temporary; 4) The verification of the license is realized by the digital signature mechanism provided by JAVASecurityAPI, and the security is guaranteed. However, the current license file authorization mechanism still has obvious deficiencies when used in an institutional management environment. It cannot realize modular authorization by user level. The organization administrator role cannot effectively manage the authorization information of ordinary users under it.

发明内容Contents of the invention

本发明要解决的技术问题在于针对现有技术中加密技术的不足之处,提供一种方便在机构环境下适用,基于公钥密码体制,可以在互联网环境下使用,有效的、实用的且具有安全强度的软件授权系统。The technical problem to be solved by the present invention is to aim at the deficiencies of the encryption technology in the prior art, to provide a convenient and applicable in the institutional environment, based on the public key cryptosystem, which can be used in the Internet environment, effective, practical and has Security-strength software licensing system.

本发明解决其技术问题所采用的技术方案是:The technical solution adopted by the present invention to solve its technical problems is:

提供一种基于公钥密码体制的软件授权系统,包括服务器端和客户端,其中:Provide a software authorization system based on public key cryptography, including server and client, wherein:

服务器端包括:The server side includes:

机构授权证书生成模块,用于根据机构用户的申请信息加密生成机构授权证书;The institution authorization certificate generation module is used to encrypt and generate the institution authorization certificate according to the application information of the institution user;

接收模块,用于接收由客户端传来的机构授权证书和注册文件;The receiving module is used to receive the agency authorization certificate and registration file transmitted by the client;

验证模块,用于对接收的机构授权证书进行解密,并对解密后的信息进行验证;A verification module, configured to decrypt the received agency authorization certificate, and verify the decrypted information;

用户授权证书生成模块,用于在验证时,对注册文件进行加密,生成用户授权证书并返回给客户端;The user authorization certificate generation module is used to encrypt the registration file during verification, generate a user authorization certificate and return it to the client;

客户端包括:Clients include:

注册文件获取模块,用于在用户初次使用软件时,获取包含计算机硬件特征、用户信息、软件版本信息的XML格式的注册文件;The registration file acquisition module is used to obtain the registration file in XML format that includes computer hardware features, user information, and software version information when the user uses the software for the first time;

用户授权证书存储模块,用于存储用户授权证书;The user authorization certificate storage module is used to store the user authorization certificate;

解密和验证模块,用于客户启动软件时,对用户授权证书进行解密及验证,若解密验证成功,则启动软件,否则,软件不启动;The decryption and verification module is used to decrypt and verify the user authorization certificate when the customer starts the software. If the decryption verification is successful, the software is started, otherwise, the software does not start;

其中,用户授权证书生成模块具体包括:Among them, the user authorization certificate generation module specifically includes:

数字签名模块,用RSA私钥对用户注册文件中的计算机硬件特征h0进行数字签名,生成s0The digital signature module digitally signs the computer hardware feature h0 in the user registration file with the RSA private key to generate s0 ;

加密串生成模块,用于将获取的软件版本信息v、用户信息u、授权期限ex、当前时间cur以及s0进行预设的混合运算生成加密串signB64;The encrypted string generation module is used to generate the encrypted string signB64 by performing preset mixed operations on the obtained software version information v, user information u, authorization period ex, current time cur and s0 ;

证书生成模块,用于将加密串signB64与RSA公钥一起生成用户授权证书。The certificate generation module is used to generate the user authorization certificate together with the encrypted string signB64 and the RSA public key.

本发明所述的系统中,所述加密串生成模块进行复杂混合运算时具体用于:In the system of the present invention, the encrypted string generating module is specifically used for:

i.获取系统当前时间cur,并执行操作ex+cur后获取字节数组b8;i. Obtain the current time cur of the system, and execute the operation ex+cur to obtain the byte array b8;

ii.服务器端生成22位随机数ran22,并与b8、v、u组合成32位字节数组bt32;ii. The server generates a 22-bit random number ran22, and combines it with b8, v, u to form a 32-bit byte array bt32;

iii.将bt32与b8的第8个字节b8[8]执行操作b32b8[8]产生btxor32;iii. Perform operation b32 on the 8th byte b8[8] of bt32 and b8 b8[8] produces btxor32;

iv.执行操作h0 btxor32产生mixXor32;iv. Execute operation h 0 btxor32 generates mixXor32;

v.合并mixXor32与s0产生mixFinal64;v. Merge mixXor32 and s 0 to generate mixFinal64;

vi.对mixFinal64进行Base64编码产生signB64。vi. Perform Base64 encoding on mixFinal64 to generate signB64.

本发明所述的系统中,所述计算机硬件特征包括BIOS编号、硬盘序列号和MAC地址。In the system of the present invention, the computer hardware features include BIOS number, hard disk serial number and MAC address.

本发明所述的系统中,所述用户信息包括用户ID和职称。In the system of the present invention, the user information includes user ID and job title.

本发明所述的系统中,服务器端还包括权限设置模块,用于机构用户登录服务器端时查询或修改其机构下个体软件用户的权限。In the system of the present invention, the server side also includes a permission setting module, which is used for inquiring or modifying the permission of individual software users under the organization when the organization user logs in to the server side.

本发明产生的有益效果是:本发明的软件授权系统使用RSA算法来保证用户授权证书的安全性和完整性,用户授权证书可以使用互联网等公开信道传输。因此,本发明的软件授权方法,软件可以实现基于互联网的电子化发行,并且可以实现软件的试用版本授权和按需购买授权。另外,本发明将用户授权证书与用户计算机硬件特征、用户信息、软件版本信息进行绑定,防止软件被非法拷贝,同时由软件发行者集中管理,方便软件进行升级、跟踪及为用户推送个性化服务等售后管理。The beneficial effects produced by the invention are: the software authorization system of the invention uses the RSA algorithm to ensure the safety and integrity of the user authorization certificate, and the user authorization certificate can be transmitted through open channels such as the Internet. Therefore, with the software authorization method of the present invention, the software can be electronically issued based on the Internet, and software trial version authorization and on-demand purchase authorization can be realized. In addition, the present invention binds the user authorization certificate with the user's computer hardware features, user information, and software version information to prevent the software from being illegally copied, and at the same time, it is centrally managed by the software issuer to facilitate software upgrades, tracking, and personalized pushes for users. Service and other after-sales management.

再者,本发明方便机构管理员用户查询和管理其下不同级别用户的授权,使不同级别用户有针对性的使用软件的不同模块。Furthermore, the present invention facilitates organization administrators to inquire and manage the authorization of users of different levels under them, so that users of different levels can use different modules of the software in a targeted manner.

附图说明Description of drawings

下面将结合附图及实施例对本发明作进一步说明,附图中:The present invention will be further described below in conjunction with accompanying drawing and embodiment, in the accompanying drawing:

图1是本发明实施例的基于公钥密码体制的软件授权方法流程图;Fig. 1 is the flow chart of the software authorization method based on the public key cryptosystem of the embodiment of the present invention;

图2是本发明实施例客户端申请机构授权证书的示意图;Fig. 2 is a schematic diagram of a client applying for an agency authorization certificate according to an embodiment of the present invention;

图3是本发明实施例用户授权证书的生成示意图。Fig. 3 is a schematic diagram of generating a user authorization certificate according to an embodiment of the present invention.

具体实施方式detailed description

为了使本发明的目的、技术方案及优点更加清楚明白,以下结合附图及实施例,对本发明进行进一步详细说明。应当理解,此处所描述的具体实施例仅用以解释本发明,并不用于限定本发明。In order to make the object, technical solution and advantages of the present invention clearer, the present invention will be further described in detail below in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are only used to explain the present invention, not to limit the present invention.

本发明实施例基于公钥密码体制的软件授权系统,如图1所示,包括服务器端和客户端,其中:The software authorization system based on the public key cryptosystem in the embodiment of the present invention, as shown in Figure 1, includes a server end and a client end, wherein:

服务器端包括:The server side includes:

机构授权证书生成模块,用于根据机构用户的申请信息加密生成机构授权证书;所述机构授权证书为服务器端根据机构用户的申请信息加密生成,并提供给机构用户管理保存,机构用户分发给个体软件用户,个体软件用户只有将机构授权证书与注册文件同时上传至服务器端才能进行授权操作。机构授权证书的内容包括机构信息、购买软件版本、购买授权数量等基本信息;The institution authorization certificate generation module is used to encrypt and generate the institution authorization certificate according to the application information of the institution user; the institution authorization certificate is generated by the server end according to the application information of the institution user, and is provided to the institution user for management and storage, and the institution user distributes to the individual Software users, individual software users can only perform authorized operations if they upload the agency authorization certificate and registration file to the server at the same time. The content of the organization authorization certificate includes basic information such as organization information, purchased software version, and purchased authorization quantity;

所述注册文件为软件用户初次使用软件时,从客户端获取的包含计算机硬件特征、用户信息、软件版本信息的XML格式文件。本发明的实施例中,所述计算机硬件特征包括BIOS编号、硬盘序列号和MAC地址等。所述用户信息包括用户ID和职称等。The registration file is an XML format file obtained from the client when the software user uses the software for the first time, including computer hardware features, user information, and software version information. In the embodiment of the present invention, the computer hardware features include BIOS number, hard disk serial number, MAC address and the like. The user information includes user ID and job title.

接收模块,用于接收由客户端传来的机构授权证书和注册文件;The receiving module is used to receive the agency authorization certificate and registration file transmitted by the client;

验证模块,用于对接收的机构授权证书进行解密,并对解密后的信息进行验证;在本发明的一个实施例中,对解密后的信息进行验证具体为:首先,服务器端检查数据库里是否存在客户端传来的机构ID,若存在,则判断机构授权数量是否有余;否则,退出验证。其次,服务器端判断客户端传来的能代表计算机硬件特征的机器码是否在数据库记录里唯一,若是,则根据授权数量是否剩余来确定返回给客户端的是正式版或是试用版的用户授权证书,若否,则判断库里对应该机器码申请的用户授权证书是否已过期,若是,则退出验证,否则通过验证。The verification module is used to decrypt the received agency authorization certificate, and verify the decrypted information; in one embodiment of the present invention, the verification of the decrypted information is as follows: first, the server checks whether the database contains There is an organization ID sent by the client. If it exists, it is judged whether the authorized number of organizations is sufficient; otherwise, exit the verification. Secondly, the server judges whether the machine code that can represent the characteristics of the computer hardware transmitted by the client is unique in the database record. If so, it determines whether the official version or the trial version of the user authorization certificate returned to the client is based on whether the authorized quantity remains. , if not, judge whether the user authorization certificate corresponding to the machine code application in the library has expired, if so, exit the verification, otherwise pass the verification.

用户授权证书生成模块,用于在验证时,对注册文件进行加密,生成用户授权证书并返回给客户端;The user authorization certificate generation module is used to encrypt the registration file during verification, generate a user authorization certificate and return it to the client;

客户端包括:Clients include:

注册文件获取模块,用于在用户初次使用软件时,获取包含计算机硬件特征、用户信息、软件版本信息的XML格式的注册文件;The registration file acquisition module is used to obtain the registration file in XML format that includes computer hardware features, user information, and software version information when the user uses the software for the first time;

用户授权证书存储模块,用于存储用户授权证书;The user authorization certificate storage module is used to store the user authorization certificate;

解密和验证模块,用于客户启动软件时,对用户授权证书进行解密及验证,若解密验证成功,则启动软件,否则,软件不启动;The decryption and verification module is used to decrypt and verify the user authorization certificate when the customer starts the software. If the decryption verification is successful, the software is started, otherwise, the software does not start;

其中,用户授权证书生成模块具体包括:Among them, the user authorization certificate generation module specifically includes:

数字签名模块,用RSA私钥对用户注册文件中的计算机硬件特征h0进行数字签名,生成s0The digital signature module digitally signs the computer hardware feature h0 in the user registration file with the RSA private key to generate s0 ;

加密串生成模块,用于将获取的软件版本信息v、用户信息u、授权期限ex、当前时间cur以及s0进行预设的混合运算生成加密串signB64;The encrypted string generation module is used to generate the encrypted string signB64 by performing preset mixed operations on the obtained software version information v, user information u, authorization period ex, current time cur and s0 ;

证书生成模块,用于将加密串signB64与RSA公钥一起生成用户授权证书。The certificate generation module is used to generate the user authorization certificate together with the encrypted string signB64 and the RSA public key.

本发明的一个实施例中,所述加密串生成模块进行复杂混合运算时具体用于:In one embodiment of the present invention, the encrypted string generation module is specifically used for:

i.获取系统当前时间cur,并执行操作ex+cur后获取字节数组b8;i. Obtain the current time cur of the system, and execute the operation ex+cur to obtain the byte array b8;

ii.服务器端生成22位随机数ran22,并与b8、v、u组合成32位字节数组bt32;ii. The server generates a 22-bit random number ran22, and combines it with b8, v, u to form a 32-bit byte array bt32;

iii.将bt32与b8的第8个字节b8[8]执行操作b32b8[8]产生btxor32;iii. Perform operation b32 on the 8th byte b8[8] of bt32 and b8 b8[8] produces btxor32;

iv.执行操作h0 btxor32产生mixXor32;iv. Execute operation h 0 btxor32 generates mixXor32;

v.合并mixXor32与s0产生mixFinal64;v. Merge mixXor32 and s 0 to generate mixFinal64;

vi.对mixFinal64进行Base64编码产生signB64。vi. Perform Base64 encoding on mixFinal64 to generate signB64.

本发明的另一实施例中,可选择另一中混合运算,具体为:In another embodiment of the present invention, another mixed operation can be selected, specifically:

1、执行ex+cur,获取字节数组b8;1. Execute ex+cur to get the byte array b8;

2、服务器端生成20位随机数ran20,并与b8、v、u、p(2个字节)、合并生成32位字节数组bt32;2. The server generates a 20-bit random number ran20, and combines it with b8, v, u, p (2 bytes) to generate a 32-bit byte array bt32;

3、执行模运算:h0modbt32,生成sign32;3. Execute modulo operation: h 0 modbt32, generate sign32;

4、执行异或运算:b8的第八个字节b8[8]sign32生成btxor32;4. Execute XOR operation: the eighth byte b8[8] of b8 sign32 generates btxor32;

5、执行异或操作:h0 btxor32产生mixXor32;5. Execute XOR operation: h 0 btxor32 generates mixXor32;

6、合并mixXor32与s0,生成mixFinal64;6. Merge mixXor32 and s 0 to generate mixFinal64;

7、对mixFinal64进行Base64编码产生signB64。7. Perform Base64 encoding on mixFinal64 to generate signB64.

本发明的实施例中,服务器端还包括权限设置模块,用于机构用户登录服务器端时查询或修改其机构下个体软件用户的权限。In the embodiment of the present invention, the server end further includes an authority setting module, which is used for inquiring or modifying the authority of individual software users under the organization when the organization user logs in to the server end.

如图2所示,本发明的一个实施例中,客户端申请机构授权证书的步骤具体包括:服务器端接收客户端传来的机构信息、购买软件版本、购买授权数量等基本信息,对这些基本信息进行加密,生成机构授权证书,并将机构的基本信息与机构授权信息保存至数据库中,然后将机构授权证书返回给客户端。As shown in Figure 2, in one embodiment of the present invention, the steps for the client to apply for an organization authorization certificate specifically include: the server receives basic information such as organization information, purchased software version, purchased authorization quantity, etc. The information is encrypted to generate an organization authorization certificate, and the organization's basic information and organization authorization information are saved in the database, and then the organization authorization certificate is returned to the client.

机构用户可以登录服务器端查询或修改其机构下个体软件用户的权限,从而使不同级别用户有针对性的使用软件的不同模块。Institutional users can log in to the server to query or modify the permissions of individual software users under their organization, so that users at different levels can use different modules of the software in a targeted manner.

如图3所示,本发明的一个较佳实施例中,基于公钥密码体制的软件授权系统的软件授权方法具体包括:As shown in Figure 3, in a preferred embodiment of the present invention, the software authorization method of the software authorization system based on the public key cryptosystem specifically includes:

(1)软件发行者使用RSA算法生成一对密钥(公钥P和私钥S),S由软件发行者秘密保存,P可公开下载;(1) The software issuer uses the RSA algorithm to generate a pair of keys (public key P and private key S), S is kept secret by the software issuer, and P can be downloaded publicly;

(2)软件用户初次使用软件时,软件将用户的计算机硬件特征、用户信息、软件版本等信息生成XML格式的注册文件,用户将注册文件(License-A.dat)提交给软件发行者;(2) When the software user uses the software for the first time, the software generates a registration file in XML format with the user's computer hardware features, user information, software version and other information, and the user submits the registration file (License-A.dat) to the software issuer;

(3)软件发行者使用SHA1算法,用(1)中的S对(2)中License-A.dat文件里的计算机硬件特征进行数字签名;(3) The software publisher uses the SHA1 algorithm to digitally sign the computer hardware features in the License-A.dat file in (2) with S in (1);

(4)软件发行者将软件版本信息、授权期限和当前时间等信息一起进行特定的混合运算(上述实施例中已经具体描述,在此不赘述);(4) The software issuer performs a specific mixed operation with information such as software version information, authorization period, and current time (it has been described in detail in the above-mentioned embodiments and will not be repeated here);

(5)软件发行者将(3)中的加密信息、(4)中的混合信息与(1)中的P一起生成用户授权证书(License-B.dat),返还给软件用户;(5) The software issuer generates a user authorization certificate (License-B.dat) together with the encrypted information in (3), the mixed information in (4) and P in (1), and returns it to the software user;

(6)软件使用(1)中的P对(3)中的加密信息进行解密验证,并通过(4)中混合运算的逆运算获取授权期限等授权信息;若验证通过并且授权期限有效,则软件开始正常运行,否则软件停止运行。(6) The software uses P in (1) to decrypt and verify the encrypted information in (3), and obtain authorization information such as the authorization period through the inverse operation of the mixed operation in (4); if the verification is passed and the authorization period is valid, then The software starts running normally, otherwise the software stops running.

本发明基于公钥密码体制的软件授权系统使用RSA算法和SHA1算法保证用户授权证书的安全性和完整性,用户授权证书可以使用互联网等公开信道传输。因此,本发明可以实现基于互联网的电子化发行,并且可以实现软件的试用版本授权和按需购买授权。The software authorization system based on the public key cryptosystem of the present invention uses the RSA algorithm and the SHA1 algorithm to ensure the security and integrity of the user authorization certificate, and the user authorization certificate can be transmitted through open channels such as the Internet. Therefore, the present invention can realize Internet-based electronic distribution, and can realize software trial version authorization and on-demand purchase authorization.

本发明将用户授权证书与用户计算机硬件特征、用户信息、软件版本信息进行绑定,防止软件被非法拷贝,同时由软件发行者集中管理,方便软件进行升级、跟踪及为用户推送个性化服务等售后管理。The invention binds the user authorization certificate with the user's computer hardware features, user information, and software version information to prevent the software from being illegally copied, and at the same time, it is managed centrally by the software issuer to facilitate software upgrades, tracking, and personalized services for users. After-sales management.

应当理解的是,对本领域普通技术人员来说,可以根据上述说明加以改进或变换,而所有这些改进和变换都应属于本发明所附权利要求的保护范围。It should be understood that those skilled in the art can make improvements or changes based on the above description, and all these improvements and changes should belong to the protection scope of the appended claims of the present invention.

Claims (5)

1. the software authorization system based on public-key cryptosystem, it is characterised in that include server end and client, wherein:
Server end includes:
Mechanism's certificate of authority generation module, encrypts the generating mechanism certificate of authority for the application information according to organization user;
Receiver module, for receiving the mechanism's certificate of authority transmitted by client and registration file;
Authentication module, for the mechanism's certificate of authority received is decrypted, and is verified the information after deciphering;
User's certificate of authority generation module, for when checking, being encrypted registration file, generate user's certificate of authority and return to client;
Client includes:
Registration file acquisition module, for when user uses software for the first time, obtaining the registration file of the XML format comprising computer hardware feature, user profile, software version information;
User's authorization certificate storage module, is used for storing user's certificate of authority;
Deciphering and authentication module, when starting software for client, be decrypted user's certificate of authority and verify, if decryption verification success, then starts software, and otherwise, software does not start;
Wherein, user's certificate of authority generation module specifically includes:
Digital Signature module, registers the computer hardware feature h in file with RSA private key to user0It is digitally signed, generates s0
Encryption string generation module, for the software version information v that will obtain, user profile u, licensing term ex, current time cur and s0The COMPLEX MIXED computing carrying out presetting generates encryption string signB64;
Certificates constructing module, for generating user's certificate of authority together by encryption string signB64 and RSA PKI.
2. system according to claim 1, it is characterised in that when described encryption string generation module carries out the COMPLEX MIXED computing preset specifically for:
I. obtain current time in system cur, and perform operation ex+cur after obtain byte arrays b8;
Ii. server end generates 22 random number ran22, and is combined into 32 bit byte array bt32 with b8, v, u;
Iii. the 8th of bt32 and b8 the byte b8 [8] is performed operationProduce btxor32;
Iv. operation is performedProduce mixXor32;
V. mixXor32 and s is merged0Produce mixFinal64;
Vi. mixFinal64 is carried out Base64 coding and produces signB64.
3. system according to claim 1, it is characterised in that described computer hardware feature includes BIOS numbering, hard disk serial number and MAC Address.
4. system according to claim 1, it is characterised in that described user profile includes ID and academic title.
5. system according to claim 1, it is characterised in that server end also includes priority assignation module, inquires about or revises the authority of individual software users under its mechanism during for organization user's login service device end.
CN201310456961.9A 2013-09-30 2013-09-30 Software Authorization System Based on Public Key Cryptosystem Active CN103491097B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310456961.9A CN103491097B (en) 2013-09-30 2013-09-30 Software Authorization System Based on Public Key Cryptosystem

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310456961.9A CN103491097B (en) 2013-09-30 2013-09-30 Software Authorization System Based on Public Key Cryptosystem

Publications (2)

Publication Number Publication Date
CN103491097A CN103491097A (en) 2014-01-01
CN103491097B true CN103491097B (en) 2016-07-13

Family

ID=49831056

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310456961.9A Active CN103491097B (en) 2013-09-30 2013-09-30 Software Authorization System Based on Public Key Cryptosystem

Country Status (1)

Country Link
CN (1) CN103491097B (en)

Families Citing this family (39)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103971034A (en) * 2014-04-24 2014-08-06 福建联迪商用设备有限公司 Method and device for protecting Java software
CN103995991B (en) * 2014-05-07 2017-02-15 华中师范大学 Method for binding hardware information and secret keys in software copyright protection
CN104009839A (en) * 2014-06-16 2014-08-27 华中师范大学 A method for generating a key carrying user information
CN106650325B (en) * 2016-10-14 2019-07-05 杭州优稳自动化系统有限公司 A kind of software platform management method based on softdog
CN106529216B (en) * 2016-10-27 2022-04-22 西安交通大学 A software authorization system and software authorization method based on a public storage platform
CN106789891A (en) * 2016-11-22 2017-05-31 国云科技股份有限公司 A multi-dimensional software authorization control method suitable for IaaS cloud platform
CN108124480B (en) * 2016-12-27 2022-01-11 深圳配天智能技术研究院有限公司 Software authorization method, system and equipment
CN108259163B (en) * 2016-12-29 2020-10-02 北京博瑞彤芸文化传播股份有限公司 Authorization method of terminal equipment
CN108268767A (en) * 2016-12-30 2018-07-10 北京国双科技有限公司 Web application authorization method and device
CN107181591B (en) * 2017-05-10 2020-11-17 上海上讯信息技术股份有限公司 Method and apparatus for system password generation
CN107689957B (en) * 2017-08-31 2021-02-12 云宏信息科技股份有限公司 Digital certificate management method, electronic equipment and storage medium
CN108062461A (en) * 2017-11-23 2018-05-22 珠海格力电器股份有限公司 Software authorization method, device and system
CN110213306B (en) * 2018-02-28 2022-03-08 北京金风科创风电设备有限公司 Wind generating set starting control method and device
CN109408074A (en) * 2018-09-26 2019-03-01 平安普惠企业管理有限公司 Installation method, device, computer equipment and the storage medium of application program
CN109344569B (en) * 2018-09-28 2020-09-18 北京赛博贝斯数据科技有限责任公司 Software use authorization method and system
CN109598104B (en) * 2018-11-28 2021-08-10 武汉虹旭信息技术有限责任公司 Software authorization protection system and method based on timestamp and secret authentication file
CN110149338B (en) * 2019-05-27 2021-12-24 深圳市天启时代科技有限公司 Cloud platform encryption authorization method
CN110662172A (en) * 2019-08-16 2020-01-07 深圳市豪位科技有限公司 Indoor positioning and navigation system with wireless beacons and cloud platform networking
CN110493723A (en) * 2019-08-16 2019-11-22 豪位控股有限公司 The variable indoor positioning navigation system of beacon identity code
CN110826030B (en) * 2019-11-08 2023-09-15 湖南长城医疗科技有限公司 Self-service software and related module authorization use method
CN111258615A (en) * 2019-12-26 2020-06-09 北京威努特技术有限公司 Industrial control host, method and device for upgrading software of industrial control host and mobile storage medium
CN113127814B (en) * 2019-12-31 2023-03-14 杭州海康威视数字技术股份有限公司 Software anti-copying method and device, electronic equipment and readable storage medium
CN113268715A (en) * 2020-02-14 2021-08-17 中移(苏州)软件技术有限公司 Software encryption method, device, equipment and storage medium
CN111555887B (en) * 2020-04-26 2023-08-15 布比(北京)网络技术有限公司 Block chain certificate compatibility processing method, device and computer storage medium
CN111737657B (en) * 2020-06-16 2024-03-12 湖南省星岳天璇科技有限公司 Method for realizing authorization control on JAVA software based on license file
CN111708991B (en) * 2020-06-17 2024-07-09 腾讯科技(深圳)有限公司 Service authorization method, device, computer equipment and storage medium
CN112016082B (en) * 2020-10-26 2021-01-22 成都掌控者网络科技有限公司 Authority list safety control method
CN112579989B (en) * 2020-12-23 2022-06-24 杭州安司源科技有限公司 Anti-piracy method for network service software
CN113656101B (en) * 2021-08-17 2024-06-11 成都长城开发科技股份有限公司 Authorization management method, system, server and user side
CN114297587A (en) * 2021-11-18 2022-04-08 宁波小匠物联网科技有限公司 A method for controlling license in cloud deployment of IoT
CN114117360A (en) * 2021-12-02 2022-03-01 湖南麒麟信安科技股份有限公司 Access method and access authorization method and device of external network source and computer equipment
CN114329355A (en) * 2021-12-08 2022-04-12 浪潮软件集团有限公司 A License Authorization Authentication Method for B/S Architecture Application
CN114239012B (en) * 2021-12-15 2024-07-12 成都飞机工业(集团)有限责任公司 RSA offline encryption technology suitable for CAA secondary development software
CN115760143A (en) * 2022-11-16 2023-03-07 成都安恒信息技术有限公司 Method for counting off-line software information
CN116010904B (en) * 2022-12-26 2023-09-15 北京航天智造科技发展有限公司 Offline authorization method and system
CN115994343B (en) * 2023-03-22 2024-03-26 济南邦德激光股份有限公司 Software authorization method and system for laser cutting equipment
US20250030556A1 (en) * 2023-07-17 2025-01-23 Apple Inc. Terminal profile generation
CN118228210B (en) * 2024-03-28 2025-01-28 深圳市乐凡信息科技有限公司 Software security authentication method, device and storage medium
CN119808046B (en) * 2025-03-11 2025-07-25 广东中科亿星物联技术有限公司 A software platform license authorization management method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1345494A (en) * 1999-03-26 2002-04-17 摩托罗拉公司 Secure wireless e-commerce system with digital product certificate and digital license certificate
CN1971576A (en) * 2006-12-08 2007-05-30 华中科技大学 On-line digital copyright management method and its management server
CN101521884A (en) * 2009-03-25 2009-09-02 刘建 Terminal and security association establishment method under ad hoc network mode and
CN103078858A (en) * 2012-12-31 2013-05-01 上海同岩土木工程科技有限公司 Web service and signature certificate-based software trial authorization method

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6907530B2 (en) * 2001-01-19 2005-06-14 V-One Corporation Secure internet applications with mobile code
US20020161997A1 (en) * 2001-04-26 2002-10-31 Fujitsu Limited Content distribution system
US7747531B2 (en) * 2002-02-05 2010-06-29 Pace Anti-Piracy Method and system for delivery of secure software license information

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1345494A (en) * 1999-03-26 2002-04-17 摩托罗拉公司 Secure wireless e-commerce system with digital product certificate and digital license certificate
CN1971576A (en) * 2006-12-08 2007-05-30 华中科技大学 On-line digital copyright management method and its management server
CN101521884A (en) * 2009-03-25 2009-09-02 刘建 Terminal and security association establishment method under ad hoc network mode and
CN103078858A (en) * 2012-12-31 2013-05-01 上海同岩土木工程科技有限公司 Web service and signature certificate-based software trial authorization method

Also Published As

Publication number Publication date
CN103491097A (en) 2014-01-01

Similar Documents

Publication Publication Date Title
CN103491097B (en) Software Authorization System Based on Public Key Cryptosystem
CN103491098B (en) Software authorization method based on public-key cryptosystem
CN101872399B (en) Dynamic digital copyright protection method based on dual identity authentication
CN103490901B (en) Key based on combination key system generates and distribution method
CN101447008B (en) Digital content network copyright management system and method
CN100576148C (en) Systems and methods for providing secure server key operations
KR100912276B1 (en) Electronic Software Distribution Method and System Using a Digital Rights Management Method Based on Hardware Identification
KR101509377B1 (en) Device and method for a backup of rights objects
CN101206696A (en) Devices, methods and systems for protecting personal information
KR100502580B1 (en) Method for distrubution of copyright protected digital contents
CN101094062B (en) Method for implementing safe distribution and use of digital content by using memory card
JP4561146B2 (en) Content distribution system, encryption apparatus, encryption method, information processing program, and storage medium
CN103995991A (en) Method for binding hardware information and secret keys in software copyright protection
CN101714195A (en) Digital certificate-based novel digital copyright protection method and device
CN101192261A (en) Method and device for generating proxy signature and issuing proxy signature certificate
KR102560295B1 (en) User-protected license
CN101379487A (en) Method and apparatus for generating rights object in authorized manner
CN101103591A (en) Method for moving rights object between devices and method and device for using content object based on moving method and device
CN101883100A (en) A Distributed Authorization Method for Digital Content
CN101286994A (en) Digital rights management method, server and system for multi-device content sharing
CN102143178A (en) Network teaching management system
Win et al. Privacy enabled digital rights management without trusted third party assumption
CN104966000A (en) Multimedia copyright protection method based on security engine
Nair et al. Enabling DRM-preserving digital content redistribution
WO2009061171A2 (en) Secure software licensing control mechanism

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant