CN115329323A - A service authorization method and system based on Python virtual machine - Google Patents
Publication number: CN115329323A
Application number: CN202211053554.9A
- Authority: CN (China)
- Prior art keywords: web server, file, python, virtual machine, authentication
- Prior art date
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G: PHYSICS
  - G06: COMPUTING OR CALCULATING; COUNTING
    - G06F: ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
          - G06F21/52: Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
            - G06F21/53: Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
          - G06F21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
        - G06F21/10: Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
          - G06F21/105: Arrangements for software license management or administration, e.g. for managing licenses at corporate level
          - G06F21/12: Protecting executable software
            - G06F21/121: Restricting unauthorised execution of programs
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Multimedia (AREA)
- Technology Law (AREA)
- Stored Programmes (AREA)
Description
Technical field
The present application relates to the field of computer technology, and in particular to a service authorization method and system based on a Python virtual machine, a computing device and a computer-readable storage medium.
Background
In the prior art, the high-level language features of Python make it naturally suited to the development of server-side web applications, and many Internet companies use Python as their server-side development language. However, Python is an interpreted language: programs are shipped as source and executed by an interpreter rather than compiled into a native binary, so the source code cannot be protected well enough to be used commercially. As a result, most web applications developed in Python have been free public services, internal enterprise services or open-source projects. There is therefore a pressing need for a way to commercialize web applications written in Python, so that software products can be delivered to customers securely and conveniently in specific scenarios.
Summary of the invention
In view of this, embodiments of the present application provide a service authorization method and system based on a Python virtual machine, a computing device and a computer-readable storage medium, to address the technical shortcomings of the prior art.
According to a first aspect of the embodiments of the present application, a service authorization method based on a Python virtual machine is provided, comprising:
compiling Python source code into a pyc file and encrypting the pyc file;
a Python virtual machine running on a web server decrypting the pyc file and then loading it;
the web server sending an authentication request to an authentication service, and the authentication service authenticating the request according to the license file of the web server;
the web server receiving client requests and providing the web service implemented in the pyc file; the web server and the authentication service both being located in an intranet environment.
According to a second aspect of the embodiments of the present application, a service authorization system based on a Python virtual machine is provided, comprising:
a Python virtual machine deployed on a web server;
the Python virtual machine decrypting the encrypted pyc file and then loading it;
an authentication server, to which the web server sends an authentication request; the authentication service authenticates the request according to the license file of the web server;
the web server receiving client requests and providing the web service implemented in the pyc file.
According to a third aspect of the embodiments of the present application, a computing device is provided, comprising a memory, a processor and computer instructions stored in the memory and executable on the processor, wherein the processor implements the steps of the service authorization method based on a Python virtual machine when executing the instructions.
According to a fourth aspect of the embodiments of the present application, a computer-readable storage medium is provided which stores computer instructions that, when executed by a processor, implement the steps of the service authorization method based on a Python virtual machine.
In the embodiments of the present application, to protect and commercialize Python-based software, the finished Python source code is compiled into pyc files, which are symmetrically encrypted before being supplied to the software user. At the same time, a Python virtual machine with decryption capability is supplied to the software user; because symmetric encryption is used, each pyc file needs to be decrypted only once and decryption is fast, balancing code protection against loading efficiency. To prevent the Python virtual machine and the pyc files from simply being copied together and moved to another machine, the software provider also supplies an authentication service implemented in Go, which verifies the web server on which the Python virtual machine runs; the web server and the authentication service communicate over private HTTP protected by asymmetric encryption, which binds the web server to the Python-implemented web service. The asymmetric encryption prevents the verification request from being intercepted and cracked, raising the security level of the scheme above one that relies on pyc-file and virtual-machine encryption alone. Finally, with the embodiments of the present application the software user's system can complete software authorization and authentication without connecting to the software provider's servers, which suits environments with high security requirements.
Description of drawings
FIG. 1 is a structural block diagram of a computing device provided by an embodiment of the present application;
FIG. 2 is a schematic flow diagram of a service authorization method based on a Python virtual machine provided by an embodiment of the present application;
FIG. 3 is a schematic structural diagram of a service authorization system based on a Python virtual machine provided by an embodiment of the present application.
Detailed description
Many specific details are set out in the following description to allow a full understanding of the present application. However, the application can be implemented in many ways other than those described here, and a person skilled in the art can make similar generalizations without departing from its substance; the application is therefore not limited to the specific implementations disclosed below.
The terminology used in one or more embodiments of the present application is for the purpose of describing particular embodiments only and is not intended to limit them. As used in one or more embodiments and in the appended claims, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used in one or more embodiments refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second and so on may be used in one or more embodiments to describe various pieces of information, the information is not limited by these terms, which serve only to distinguish information of the same type from one another. For example, without departing from the scope of one or more embodiments of the present application, first information may also be called second information and, similarly, second information may be called first information. Depending on the context, the word "if" as used herein may be interpreted as "in response to determining".
The present application provides a service authorization method and system based on a Python virtual machine, a computing device and a computer-readable storage medium, which are described in detail one by one in the following embodiments.
FIG. 1 shows a structural block diagram of a computing device 100 according to an embodiment of the present application. The components of the computing device 100 include, but are not limited to, a memory 110 and a processor 120. The processor 120 is connected to the memory 110 through a bus 130, and a database 150 is used to store data.
The computing device 100 also includes an access device 140, which enables the computing device 100 to communicate via one or more networks 160. Examples of these networks include the public switched telephone network (PSTN), a local area network (LAN), a wide area network (WAN), a personal area network (PAN), or a combination of communication networks such as the Internet. The access device 140 may include one or more of any type of wired or wireless network interface (for example, a network interface card (NIC)), such as an IEEE 802.11 wireless local area network (WLAN) interface, a Worldwide Interoperability for Microwave Access (WiMAX) interface, an Ethernet interface, a Universal Serial Bus (USB) interface, a cellular network interface, a Bluetooth interface, a near field communication (NFC) interface, and so on.
In an embodiment of the present application, the above components of the computing device 100 and other components not shown in FIG. 1 may also be connected to each other, for example through a bus. It should be understood that the block diagram of the computing device in FIG. 1 is given by way of example only and does not limit the scope of the application; a person skilled in the art may add or replace components as needed.
The computing device 100 may be any type of stationary or mobile computing device, including a mobile computer or mobile computing device (for example, a tablet computer, a personal digital assistant, a laptop computer, a notebook computer, a netbook and so on), a mobile telephone (for example, a smartphone), a wearable computing device (for example, a smart watch or smart glasses) or another type of mobile device, or a stationary computing device such as a desktop computer or PC. The computing device 100 may also be a mobile or stationary server.
A service authorization method based on a Python virtual machine provided by an embodiment of the present application is described next with reference to FIG. 2, which shows the flow of the method according to an embodiment of the present application, comprising steps 202 to 208.
Step 202: compile the Python source code into a pyc file and encrypt the pyc file.
In one feasible implementation, the software provider first compiles the program source code written in Python into pyc files. A pyc file is a binary file generated by compiling a Python source (py) file. It contains bytecode, so it loads faster than the py file, and it is independent of the operating system: it is executed by the Python virtual machine on each platform. (A pyc file is, however, tied to the interpreter version that produced it, which is recorded in its magic number, so provider and user must run the same interpreter version.)
However, although a pyc file contains bytecode, decompilation tools exist that can recover source code from it, so to protect the source code the pyc file must additionally be encrypted.
In one feasible implementation, the software provider encrypts the pyc files with an encryptor using symmetric encryption. Symmetric encryption uses the same key for encryption and decryption: the sender encrypts plaintext into ciphertext with the key, and the receiver, on receiving the ciphertext, decrypts it back into readable plaintext with the same key. Symmetric encryption is computationally cheap and fast, which suits the encryption of large volumes of data. Encrypting the pyc files prevents them from being restored to source code by decompilation tools.
Step 204: the Python virtual machine running on the web server decrypts the pyc file and then loads it.
In one feasible implementation, the software provider supplies the Python virtual machine together with the encrypted pyc files to the software user. Because the pyc files are encrypted, the user cannot easily decompile them to obtain the source code. The software user deploys the Python virtual machine on the web server; when the software starts, the Python virtual machine decrypts the pyc files with the key, and once decryption succeeds it executes the pyc files, completing their loading. When loading an encrypted pyc file, the Python virtual machine decrypts it with a preset key; since symmetric encryption is used, each pyc file needs to be decrypted only once and the cost is low, balancing the protective effect of encryption against code-loading efficiency.
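The two halves of steps 202 and 204, compile-and-encrypt on the provider side and decrypt-and-load inside the customer's interpreter, can be prototyped in stock CPython without a modified virtual machine: an import hook plays the role the page assigns to the custom Python VM. The block below is an added example, not code from the patent; it uses only the standard library, so HMAC-SHA256 in counter mode with an encrypt-then-MAC tag stands in for AES (a real build would use AES-GCM from a vetted library), `VM_KEY` is an assumed demo value where the patent bakes the key into the shipped VM, and `VENDOR_SOURCE` is a constructed stand-in for the protected web application.

```python
"""Encrypted-pyc pipeline: provider side (compile + encrypt) and the loader the
customer's Python VM would run (decrypt + import).  Standard library only."""
import hashlib
import hmac
import importlib.abc
import importlib.util
import marshal
import os
import sys

# Assumed demo key.  In the patented scheme the key is embedded in the custom
# Python VM shipped to the customer; a fixed value is used here so the block runs.
VM_KEY = bytes(range(32))
NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode (HMAC-SHA256 standing in for AES-CTR so no third-party
    # package is needed); block i = HMAC(key, nonce || i).
    out = bytearray()
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Check the tag before touching the ciphertext; refuse truncated or edited blobs."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("encrypted pyc too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("encrypted pyc failed integrity check")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def compile_and_encrypt(source: str, filename: str, key: bytes = VM_KEY) -> bytes:
    """Provider side: source -> code object -> marshal (the payload of a .pyc) -> blob.
    The marshal format is tied to the interpreter version, so the provider must
    compile with the same interpreter it ships to the customer."""
    code = compile(source, filename, "exec")
    return encrypt(key, marshal.dumps(code))


class EncryptedPycImporter(importlib.abc.MetaPathFinder, importlib.abc.Loader):
    """What a modified VM does internally: intercept imports of protected modules,
    decrypt the blob in memory and execute the code object.  `store` maps module
    name -> encrypted blob (an in-memory stand-in for encrypted .pyc files on disk)."""

    def __init__(self, key: bytes, store: dict):
        self.key, self.store = key, store

    def find_spec(self, fullname, path, target=None):
        if fullname in self.store:
            return importlib.util.spec_from_loader(fullname, self)
        return None

    def create_module(self, spec):
        return None  # use the default module object

    def exec_module(self, module):
        code = marshal.loads(decrypt(self.key, self.store[module.__name__]))
        exec(code, module.__dict__)


# Constructed stand-in for the vendor's protected web application.
VENDOR_SOURCE = '''
def handle(request):
    """Minimal request handler that exists only inside the encrypted module."""
    user = request.get("user", "anonymous")
    return {"status": 200, "body": "hello " + user}
'''


def run_protected_app(request: dict) -> dict:
    """Simulate start-up on the customer's web server and serve one request."""
    store = {"vendor_app": compile_and_encrypt(VENDOR_SOURCE, "vendor_app.py")}
    importer = EncryptedPycImporter(VM_KEY, store)
    sys.meta_path.insert(0, importer)
    try:
        import vendor_app  # resolved by EncryptedPycImporter, never read from disk
        return vendor_app.handle(request)
    finally:
        sys.meta_path.remove(importer)
        sys.modules.pop("vendor_app", None)


if __name__ == "__main__":
    print(run_protected_app({"user": "alice"}))
```

Two points a practitioner should keep in mind. The integrity tag makes the loader refuse a blob that has been edited or truncated, which a bare symmetric decryption as described on the page does not; without it, a flipped ciphertext byte would be fed straight to `marshal.loads`. And the protection is only as strong as the secrecy of the key inside the shipped VM: anyone who can run that VM under a debugger, or patch it to write out the decrypted code object, gets the bytecode back and can hand it to an ordinary pyc decompiler. Encrypting the pyc raises the bar against casual decompilation of the file at rest, not against a determined reverse engineer of the interpreter.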
Step 206: the web server sends an authentication request to the authentication service; the authentication service authenticates the request according to the license file of the web server.
In one feasible implementation, when the Python program in the pyc files starts in the Python virtual machine, the current web server must also be verified; otherwise, because Python is portable, the Python virtual machine and the pyc files could be copied together and moved to any computer, defeating the commercial requirement.
Therefore, when the Python program starts in the Python virtual machine, the web server hosting the virtual machine sends an authentication request to an authentication service, and the authentication service authenticates the request according to the web server's license file. Before the authentication service can authenticate a request, the license file of the software user's web server must be obtained.
Specifically, the authorization tool supplied by the software provider is run in advance on the software user's web server to collect the web server's hardware information. From this hardware information and the pre-authorized content, the software provider uses its license management tool to produce, with asymmetric cryptography (the provider's private key), a license file (License) belonging to that web server. The license file is then given to the software user and deployed at a location the authentication service can access, where it is used to authenticate the authentication requests of the corresponding web server. Once verification succeeds, the web server starts providing service.
Further, the authentication service verifies the license file with the public key and confirms the authorized content.
Further, the web server and the authentication service communicate over private HTTP protected by asymmetric encryption, so that the Python-implemented web service running on the web server is verified and authorized. Applying asymmetric encryption to the authentication traffic prevents requests from being intercepted and cracked, further raising the security level of the scheme.
Further, the authentication service is implemented in Go. Because Go is compiled to native code, which is harder to reverse engineer, implementing the authentication function in this service gives higher security than a scheme based on pyc-file and virtual-machine encryption alone.
In another feasible implementation, when the service on the web server has been running for an expected period, it sends a new authentication request to the authentication service to obtain the web server's latest authorization information. For example, if the license file's authorization term is one year, then after one year the Python program running on the web server re-initiates a verification request to check whether the web server's license file has been renewed.
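The license flow of step 206 and the periodic re-check above come down to three pieces: a hardware fingerprint collected on the customer's web server, a license body bound to that fingerprint and signed with the provider's private key, and an authentication service that holds only the public key and checks signature, host binding, product and expiry. The block below is an added example written for this page, not the patent's license tool or its Go service; it is in Python so it can sit beside the loader example, and its RSA key is a toy built from two Mersenne primes (about 150 bits, far too small for real use) so the sign/verify asymmetry can be shown with the standard library alone. The fingerprint fields, the license JSON layout and the product names are assumptions.

```python
"""License issuance (provider side) and the checks an authentication service
performs on a web server's authentication request.  Standard library only."""
import hashlib
import json
import time

# Toy RSA key pair for illustration only: P and Q are the Mersenne primes
# 2^61-1 and 2^89-1, so N is ~150 bits.  Real deployments use RSA-PSS or
# Ed25519 from a vetted library; the structure of the checks is what matters.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
PUBLIC_E = 65537
PRIVATE_D = pow(PUBLIC_E, -1, (P - 1) * (Q - 1))  # modular inverse, Python 3.8+


def _hash_to_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes, d: int = PRIVATE_D) -> int:
    """Provider-only operation: needs the private exponent."""
    return pow(_hash_to_int(data), d, N)


def verify(data: bytes, signature: int, e: int = PUBLIC_E) -> bool:
    """Anyone holding the public key can check; nobody can forge without d."""
    return pow(signature, e, N) == _hash_to_int(data)


def hardware_fingerprint(hostname: str, mac: str, machine: str) -> str:
    """Stand-in for the provider's authorization tool: hash the hardware facts
    collected on the customer's web server (assumed fields, normalised first)."""
    raw = "|".join([hostname.strip().lower(), mac.strip().lower(), machine.strip()])
    return hashlib.sha256(raw.encode()).hexdigest()


def _canonical(body: dict) -> bytes:
    # Sorted keys and fixed separators so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_license(fingerprint: str, product: str, expires_at: int, issued_at: int) -> dict:
    """Provider side: bind the pre-authorized content to one web server and sign it."""
    body = {"fingerprint": fingerprint, "product": product,
            "issued_at": issued_at, "expires_at": expires_at}
    return {"body": body, "signature": format(sign(_canonical(body)), "x")}


class AuthService:
    """Decision logic of the intranet authentication service (the page implements
    it in Go).  It holds the provider's public key and the deployed license files,
    keyed by the fingerprint they were issued for."""

    def __init__(self, licenses: dict, public_e: int = PUBLIC_E):
        self.licenses = licenses
        self.public_e = public_e

    def authenticate(self, request: dict, now: int = None) -> dict:
        now = int(time.time()) if now is None else now
        lic = self.licenses.get(request.get("fingerprint"))
        if lic is None:
            return {"ok": False, "reason": "no license for this host"}
        body = lic["body"]
        # Signature first: an edited body proves nothing about the remaining fields.
        if not verify(_canonical(body), int(lic["signature"], 16), self.public_e):
            return {"ok": False, "reason": "license signature invalid"}
        if body["product"] != request.get("product"):
            return {"ok": False, "reason": "license does not cover this product"}
        if now >= body["expires_at"]:
            return {"ok": False, "reason": "license expired"}
        return {"ok": True, "expires_at": body["expires_at"]}


def needs_reauth(last_ok_at: int, period_seconds: int, now: int) -> bool:
    """Re-check policy from the page: ask the authentication service again once
    the configured period has elapsed since the last successful check."""
    return now - last_ok_at >= period_seconds


if __name__ == "__main__":
    fp = hardware_fingerprint("web01", "00:11:22:33:44:55", "x86_64")
    lic = issue_license(fp, "ops-console", expires_at=1_800_000_000, issued_at=1_700_000_000)
    svc = AuthService({fp: lic})
    print(svc.authenticate({"fingerprint": fp, "product": "ops-console"}, now=1_750_000_000))
    print(needs_reauth(1_750_000_000, 365 * 86400, 1_790_000_000))
```

The decisive control is the signature check: the customer holds the authentication service binary, the license file and the public key, but cannot mint a license for a new fingerprint or extend `expires_at` without the private exponent, and the test of the forged body below shows the service refusing exactly that. What the design on this page does not cover is the trust placed in the authentication service itself. It runs on the customer's intranet, so whoever controls that host can patch or replace it to answer "ok" unconditionally, compiled Go or not; the web server should therefore verify the license signature itself as well, or require the authentication response to be signed, rather than accept a bare acknowledgement. The "private HTTP with asymmetric encryption" between the two is best realised as TLS with mutual authentication or certificate pinning, and fingerprints derived from hostname and MAC address are trivially reproduced in a virtual machine, which is the residual risk any hardware-bound licence carries.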
Step 208: the web server receives requests from the various clients and provides the web service implemented in the pyc files; the web server and the authentication service are both in the intranet environment.
In some prior-art scenarios, important computer systems such as an enterprise's internal operations management system or log management system run on an intranet isolated from the Internet for security reasons, so the traditional commercial-software licensing method based on online authentication cannot be used there.
In one feasible implementation of the present application, both the web server running the Python virtual machine and the authentication service can be deployed in the intranet environment, and commercial authorization is completed within the intranet on the basis of the web server's license file supplied by the software provider, without connecting to the software provider's license server. Once the web server has passed verification it can receive requests from the various clients and provide, through the Python virtual machine, the web service implemented in the pyc files.
In the above embodiments of the present application, to address the difficulty of protecting and commercializing the source code of software developed in Python, the software provider compiles the finished Python source code into pyc files, encrypts them symmetrically and supplies them to the software user. At the same time it supplies a Python virtual machine with decryption capability; when the software starts, the Python virtual machine decrypts the pyc files with the key, and only after successful decryption can they be executed. Because symmetric encryption is used, each pyc file needs to be decrypted only once and the cost is low, balancing code protection against loading efficiency. Further, to prevent the Python virtual machine and the pyc files from being copied together and moved elsewhere, the software provider also supplies an authentication service implemented in Go, which verifies the web server hosting the Python virtual machine: it verifies the web server's license file with the public key and confirms the authorized content, and the web server and the authentication service communicate over private HTTP protected by asymmetric encryption, so that the Python-implemented web service running on a specific web server is verified and authorized. The asymmetric encryption prevents the verification request from being intercepted and cracked, further raising the security level of the scheme; and because the authentication service is written in Go, which must be compiled, combining the authentication service with file encryption gives higher security than a scheme based on pyc-file and virtual-machine encryption alone. Finally, with the embodiments of the present application the software user's system can complete software authorization and authentication without connecting to the software provider's servers, which suits environments with high security requirements.
Corresponding to the method embodiments above, the present application also provides an embodiment of a service authorization system based on a Python virtual machine. The system runs in an intranet environment and comprises:
a Python virtual machine deployed on a web server;
the Python virtual machine decrypts the encrypted pyc files and then loads them;
an authentication server, to which the web server sends an authentication request; the authentication server authenticates the request according to the license file of the web server;
the web server receives requests from the various clients and provides the web service implemented in the pyc files.
The foregoing is a schematic description of a service authorization system based on a Python virtual machine according to this embodiment. It should be noted that the technical solution of the system belongs to the same concept as the technical solution of the service authorization method based on a Python virtual machine described above; for details not described in full for the system, reference may be made to the description of the method.
An embodiment of the present application also provides a computing device comprising a memory, a processor and computer instructions stored in the memory and executable on the processor, wherein the processor implements the steps of the service authorization method based on a Python virtual machine when executing the instructions.
The foregoing is a schematic description of a computing device according to this embodiment. It should be noted that the technical solution of the computing device belongs to the same concept as the technical solution of the service authorization method based on a Python virtual machine described above; for details not described in full for the computing device, reference may be made to the description of the method.
An embodiment of the present application also provides a computer-readable storage medium which stores computer instructions that, when executed by a processor, implement the steps of the service authorization method based on a Python virtual machine described above.
The foregoing is a schematic description of a computer-readable storage medium according to this embodiment. It should be noted that the technical solution of the storage medium belongs to the same concept as the technical solution of the service authorization method based on a Python virtual machine described above; for details not described in full for the storage medium, reference may be made to the description of the method.
The foregoing describes specific embodiments of the present application. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recited in the claims may be performed in an order different from that in the embodiments and still achieve the desired results. In addition, the processes depicted in the drawings do not necessarily require the particular order shown, or a sequential order, to achieve the desired results. In certain implementations, multitasking and parallel processing are also possible or may be advantageous.
The computer instructions include computer program code, which may be in source-code form, object-code form, an executable file or some intermediate form. The computer-readable medium may include any entity or system capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disc, computer memory, read-only memory (ROM), random access memory (RAM), an electrical carrier signal, a telecommunication signal, a software distribution medium, and so on. It should be noted that the content included in the computer-readable medium may be increased or reduced as appropriate according to the requirements of legislation and patent practice in a jurisdiction; for example, in some jurisdictions, under legislation and patent practice, computer-readable media do not include electrical carrier signals and telecommunication signals.
It should be noted that, for simplicity of description, each of the foregoing method embodiments is expressed as a series of combined actions, but a person skilled in the art will understand that the present application is not limited by the order of the actions described, because according to the present application certain steps may be performed in other orders or simultaneously. Secondly, a person skilled in the art will also understand that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present application.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the relevant descriptions of other embodiments.
The preferred embodiments of the present application disclosed above serve only to help explain the present application. The optional embodiments do not describe every detail exhaustively, nor do they limit the invention to the specific implementations described. Obviously, many modifications and variations can be made in light of the content of the present application. These embodiments were selected and described in detail in order to better explain the principles and practical application of the present application, so that a person skilled in the art can understand and use it well. The present application is limited only by the claims and their full scope and equivalents.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211053554.9A CN115329323A (en) | 2022-08-30 | 2022-08-30 | A service authorization method and system based on Python virtual machine |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211053554.9A CN115329323A (en) | 2022-08-30 | 2022-08-30 | A service authorization method and system based on Python virtual machine |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115329323A true CN115329323A (en) | 2022-11-11 |
Family
ID=83928722
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211053554.9A Pending CN115329323A (en) | 2022-08-30 | 2022-08-30 | A service authorization method and system based on Python virtual machine |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115329323A (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050114683A1 (en) * | 2003-11-26 | 2005-05-26 | International Business Machines Corporation | Tamper-resistant trusted java virtual machine and method of using the same |
CN103995992A (en) * | 2014-05-28 | 2014-08-20 | 全联斯泰克科技有限公司 | Method and device for protecting software |
CN113434874A (en) * | 2021-06-11 | 2021-09-24 | 湖南大学 | Python source code protection method and system based on pyc encryption |
CN113656784A (en) * | 2021-07-14 | 2021-11-16 | 西安万像电子科技有限公司 | Authentication method, server and system |
2022
- 2022-08-30 CN CN202211053554.9A patent/CN115329323A/en active Pending
Similar Documents
Publication | Publication Date | Title
---|---|---
US20160294794A1 (en) | | Security System For Data Communications Including Key Management And Privacy
CN107146120B (en) | | Electronic invoice generation method and generation device
CN110636043A (en) | | A blockchain-based file authorization access method, device and system
JP2015532054A (en) | | Secure app ecosystem with key and data exchange according to corporate information management policy
US6990582B2 (en) | | Authentication method in an agent system
CN102957708B (en) | | Application encrypting and decrypting method, server and terminal
CN104145446A (en) | | Method of operating a computing device, computing device and computer program
Sivakumar et al. | | Securing data and reducing the time traffic using AES encryption with dual cloud
US10462113B1 (en) | | Systems and methods for securing push authentications
CN116436682A (en) | | Data processing method, device and system
CN111709047A (en) | | Information management system and method therefor
CN112507296A (en) | | User login verification method and system based on block chain
CN110602075A (en) | | File stream processing method, device and system for encryption access control
CN113486372A (en) | | Data backup method, data backup device and server
CN111831978B (en) | | A method and device for protecting configuration files
CN115329323A (en) | | A service authorization method and system based on Python virtual machine
CN117640241A (en) | | Unified management method, system, equipment and storage medium for enterprise-level soft keys
CN106529216A (en) | | Software authorization system based on public storage platforms and software authorization method
CN116346450A (en) | | Serial number activating scheme for attendance equipment in building industry
CN109409112A (en) | | A kind of disk binding method and device
CN114205357A (en) | | Blockchain-based data processing method and device
CN109564615B (en) | | Method, device, equipment and storage medium for loading model data
CN110619236A (en) | | File authorization access method, device and system based on file credential information
US20250245360A1 (en) | | Systems and Methods for Enabling Secured Communications Between Non-Quantum Equipped Devices and Quantum Equipped Devices
CN107862209A (en) | | A kind of file encryption-decryption method, mobile terminal and the device with store function
Legal Events
Date | Code | Title | Description
---|---|---|---
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |