CN119475310A - Offline authorization verification method, system, terminal and storage medium for application program
- Publication number: CN119475310A
- Authority: CN (China)
- Prior art keywords: authorization, information, machine code, certificate, time
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G06F21/44 - Program or device authentication
- G06F21/12 - Protecting executable software
- G06F21/602 - Providing cryptographic facilities or services
- G06F2211/008 - Public Key, Asymmetric Key, Asymmetric Encryption
- G06F2221/2137 - Time limited access, e.g. to a computer or data
Abstract
The invention relates to the technical field of computers, in particular to an offline authorization verification method, system, terminal and storage medium for an application program. The method comprises: receiving an authorization request, generating a key pair containing a public key and a private key based on the authorization request, and extracting a machine code from the authorization request; generating authorization information based on the machine code, wherein the authorization information comprises an authorization period, an authorization code and authority information; taking the system time as the authorization time, and encrypting the authorization information and the authorization time with the private key to obtain an authorization certificate; and issuing the public key and the authorization certificate to the client that sent the authorization request, and designating a storage directory for the authorization certificate in the client. By introducing the timing task, the invention makes authorization management more flexible and able to adapt to changing market demands.
Description
Technical Field
The invention belongs to the technical field of computers, and particularly relates to an offline authorization verification method, system, terminal and storage medium of an application program.
Background
In the digital age, copyright protection of computer software is critical. Currently, software authorization verification depends on an online server. Although this approach is effective, it is limited by the stability and security of the network connection. Furthermore, a centralized authorization server may become the target of an attack, and the authorization process may involve the transmission of user privacy data, with a potential risk of leakage. Therefore, developing an offline authorization verification system that does not rely on a network connection, has higher security, and can protect user privacy is an important need for technical development in this field.
One method commonly employed in the prior art is to generate an authorization code based on a timestamp and a hardware feature code. This method can realize offline authorization to a certain extent, but it has several defects. First, the authorization code can be easily cracked, especially when the encryption algorithm is not complex enough. Second, if the user replaces hardware, the original authorization code is no longer valid, so authorization verification fails. Finally, generating and verifying the authorization code may involve processing user privacy data, which increases the risk of privacy leakage.
Disclosure of Invention
To address the above defects of the prior art and solve the above technical problems, the invention provides an offline authorization verification method, system, terminal and storage medium for an application program.
In a first aspect, the present invention provides an offline authorization method for an application, including:
Receiving an authorization request, generating a key pair comprising a public key and a private key based on the authorization request, and extracting a machine code from the authorization request;
Generating authorization information based on the machine code, wherein the authorization information comprises an authorization period, an authorization code and authority information;
Taking the system time as the authorization time, and encrypting the authorization information and the authorization time by using a private key to obtain an authorization certificate;
Sending the public key and the authorization certificate to the client that sent the authorization request, and designating a storage directory for the authorization certificate in the client.
In an alternative embodiment, generating authorization information based on the machine code, the authorization information including an authorization deadline, an authorization code and rights information, includes:
Querying a user database for user information matching the machine code;
Generating the corresponding authorization code and rights information based on the user information.
In an alternative embodiment, taking the system time as the authorization time and encrypting the authorization information and the authorization time with the private key to obtain an authorization certificate includes:
Encrypting the authorization information and the system time based on the private key by using an asymmetric encryption algorithm to obtain an encrypted file;
Encrypting the encrypted file by using a Caesar encryption algorithm to obtain an authorization file.
In a second aspect, the present invention provides an offline authorization verification method for an application program, including:
Reading the authorization certificate from the storage directory, and decrypting the authorization certificate with the public key to obtain the authorization information and the authorization time;
Acquiring the system time, and verifying the system time by using the authorization time and the authorization deadline in the authorization information;
If the system time passes the verification, generating an actual machine code based on the hardware information, and verifying the actual machine code by using the machine code in the authorization information;
If the actual machine code fails the verification, controlling the interceptor to intercept all user requests.
In an alternative embodiment, the method further comprises:
Periodically performing time verification and machine code verification based on a preset timing task.
In an alternative embodiment, generating an actual machine code based on the hardware information and verifying the actual machine code using the machine code in the authorization information includes:
Collecting hardware information, wherein the hardware information comprises a CPU serial number, a motherboard serial number, a hard disk serial number and a network card MAC address;
Integrating the hardware information into a character string;
Hashing the character string with a hash algorithm to obtain the actual machine code;
Comparing the machine code with the actual machine code, and judging that the verification is passed if the two are consistent.
In a third aspect, the present invention provides an offline authorization system for an application, comprising:
The request receiving module is used for receiving an authorization request, generating a key pair comprising a public key and a private key based on the authorization request, and extracting a machine code from the authorization request;
The authorization generation module is used for generating authorization information based on the machine code, wherein the authorization information comprises an authorization period, an authorization code and authority information;
the certificate generation module is used for taking the system time as the authorization time, and carrying out encryption processing on the authorization information and the authorization time by using a private key to obtain an authorization certificate;
and the certificate issuing module is used for issuing the public key and the authorization certificate to the client side sending the authorization request and designating the storage directory of the authorization certificate in the client side.
In an alternative embodiment, the certificate generation module includes:
The first encryption unit is used for encrypting the authorization information and the system time based on the private key by utilizing an asymmetric encryption algorithm to obtain an encrypted file;
And the second encryption unit is used for encrypting the encrypted file by using a Caesar encryption algorithm to obtain an authorization file.
In a fourth aspect, there is provided a terminal comprising:
A memory for storing an offline authorization program of the application program;
and a processor for implementing the steps of the offline authorization method of an application as provided in the first aspect when executing the offline authorization program of the application.
In a fifth aspect, there is provided a computer readable storage medium having stored thereon an offline authorization program of an application, which when executed by a processor implements the steps of the offline authorization method of an application as provided in the first aspect.
The offline authorization method, system, terminal and storage medium provided by the invention have the following advantages: by adopting an asymmetric encryption algorithm, the generation and application of the key pair achieve secure and reliable encryption of the authorization information; dependence on a network connection is completely eliminated; the security risk of a centralized authorization server is effectively avoided; and exposure of user privacy data during the authorization process is minimized, which strengthens the protection of user privacy.
In addition, the invention has reliable design principle, simple structure and very wide application prospect.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required to be used in the description of the embodiments or the prior art will be briefly described below, and it will be obvious to those skilled in the art that other drawings can be obtained from these drawings without inventive effort.
FIG. 1 is a schematic flow chart of a method of one embodiment of the invention.
Fig. 2 is another schematic flow chart of a method of one embodiment of the invention.
FIG. 3 is a schematic block diagram of a system of one embodiment of the present invention.
Fig. 4 is a schematic structural diagram of a terminal according to an embodiment of the present invention.
Detailed Description
In order to make the technical solution of the present invention better understood by those skilled in the art, the technical solution of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used herein in the description of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention.
The offline authorization method of the application program provided by the embodiment of the invention is executed by the computer equipment, and correspondingly, the offline authorization system of the application program is operated in the computer equipment.
FIG. 1 is a schematic flow chart of a method of one embodiment of the invention. The execution subject of fig. 1 may be an offline authorization system of an application. The order of the steps in the flow chart may be changed and some may be omitted according to different needs.
As shown in fig. 1, the method includes:
S1, receiving an authorization request, generating a key pair containing a public key and a private key based on the authorization request, and extracting a machine code from the authorization request.
Receiving an authorization request: the system first receives an authorization request from a client. This request typically contains basic information about the client, such as a device identifier and an application identifier, as well as the specific content for which authorization is requested.
Generating a key pair: after receiving the authorization request, the system generates a key pair comprising a public key and a private key using a built-in key generation algorithm (such as RSA or ECC). The public key will be used for subsequent encryption and verification of the information, while the private key is used for signing and decryption.
Extracting the machine code: the system extracts the machine code of the client from the authorization request. The machine code is typically a unique identifier obtained by reading client hardware information (such as a CPU serial number, a motherboard serial number, a hard disk serial number, or the MAC address of a network card) and processing it with a specific algorithm.
S2, generating authorization information based on the machine code, wherein the authorization information comprises an authorization period, an authorization code and authority information.
Generating an authorization period: a validity period is set for the authorization according to service requirements. This period may be a fixed period of time or a dynamic period triggered based on some condition.
Generating an authorization code: the authorization code is a unique code for verifying the validity of the authorization. It may be a randomly generated string or a value processed by a specific algorithm.
Setting authority information: corresponding authority information is added to the authorization information according to the request of the client and the authority settings of the system. Such authority information may include rights to access a particular resource, rights to perform a particular operation, and the like.
S3, taking the system time as the authorization time, and encrypting the authorization information and the authorization time by using a private key to obtain an authorization certificate.
Recording the authorization time: before generating the authorization certificate, the system records the current system time as the authorization time. This time will be used for subsequent verification of whether the authorization has expired.
Encryption processing: the authorization information (including the authorization deadline, authorization code and authority information) and the authorization time are encrypted with the private key. The encrypted data will be the primary content of the authorization certificate.
Generating an authorization certificate: the encrypted data and the necessary metadata (such as certificate format, version number and the like) are packaged into a complete authorization certificate.
S4, the public key and the authorization certificate are issued to the client that sent the authorization request, and a storage directory for the authorization certificate in the client is designated.
Issuing the public key: the generated public key is issued to the client. The client will use this public key to verify the authenticity and integrity of the authorization certificate.
Issuing the authorization certificate: the generated authorization certificate is issued to the client. The client needs to keep this certificate safe for use in subsequent authorization verification.
Designating a storage directory: when issuing the authorization certificate, the system may also designate a storage directory under which the client is recommended to store the certificate. This helps the client to better manage the certificate and prevents it from being lost or stolen.
In one embodiment of the invention, generating authorization information based on the machine code, wherein the authorization information comprises an authorization period, an authorization code and authority information, comprises the steps of querying a user database for user information matching the machine code, and generating the corresponding authorization code and authority information based on the user information.
In a specific example, there is a user database in which personal information of users, purchased software or service information, and their corresponding machine codes (which were generated when users first installed the software or registered services) are stored. Now, a user requests authorization for software on his new device.
Receiving an authorization request and a machine code:
The user sends an authorization request via a software interface or command line tool, which contains the machine code of the new device.
Querying a user database:
After the system receives the request, it first uses the provided machine code to query the user database. This query is intended to find a user record that matches the machine code. Possible query logic includes:
Checking whether the machine code is present directly in a field of the user record.
If the machine code is generated by a particular algorithm, calculating the algorithm's output and comparing it.
In some cases, it may also be necessary to verify other information (such as a user-provided email address or user name) to further confirm the identity.
Verifying user information:
Once a matching user record is found, the system will further verify the validity of the user information. This may include checking the status of the user account (whether active, expired, etc.), and any associated security verification (e.g., password, SMS verification code, etc.).
Generating an authorization code:
If the user information is verified successfully, the system will generate a unique authorization code. This authorization code may be a randomly generated string or a hash value based on the user information and the current timestamp. Importantly, the authorization code should be difficult to guess and unique to ensure its security.
Determining authority information:
Based on the purchase information or service level stored in the user database, the system will determine the appropriate rights information for the user. The rights information may include:
Software modules or service functions that allow access.
Read-write rights for a particular resource.
The number of allowed concurrent users (if applicable).
Any other restrictions or conditions related to authorization.
Setting an authorization period:
The system will also set an authorization period for the user. This may be a fixed period of time (e.g., one year, one month, etc.), or may be a dynamic period based on certain conditions (e.g., expiration date of a user subscription).
Generating authorization information:
Finally, the system combines all the above information (authorization deadline, authorization code, rights information) into one structured authorization information object. This object may be a JSON, XML or custom formatted document for delivery to the client in a subsequent step.
In one embodiment of the invention, the preferred method of step S3 comprises encrypting the authorization information and the system time based on the private key by using an asymmetric encryption algorithm to obtain an encrypted file, and encrypting the encrypted file by using a Caesar encryption algorithm to obtain the authorization file.
The authorization information is encrypted with the private key to generate an authorization file. To enhance security, encryption is first performed with an asymmetric encryption algorithm, and a secondary encryption is then performed with a Caesar encryption algorithm. On this basis, the system employs an enhanced Caesar encryption algorithm that uses a predefined integer array KAISER_KEY to store multiple displacement values rather than a single number. This design significantly improves encryption security, because the encryption of each character depends on the displacement value at a different position in the array, which avoids the single fixed displacement of the traditional Caesar cipher. During encryption, the system selects, according to the position of each character within the authorization information, the displacement at the corresponding position in the KAISER_KEY array and applies it as a dynamic shift. This position-based dynamic displacement mechanism ensures that the encryption result of each character is unique, and greatly improves the security of the encrypted data.
In a specific example, it is assumed that there is already a character string containing authorization information, where the character string contains key data such as authorization deadline, authorization code, and rights information. Now, we need to encrypt this string to ensure its security.
Preliminary encryption is performed using a private key and an asymmetric encryption algorithm:
First, we encrypt the authorization information string using the RSA private key. RSA is a widely used asymmetric encryption algorithm that uses a public key for encryption and a private key for decryption. But in this scenario we use the private key for encryption, whereas decryption will use the public key when verifying authorization.
Secondary encryption using an enhanced Caesar encryption algorithm:
Next, the initially encrypted data is encrypted a second time using the enhanced Caesar encryption algorithm. The enhanced Caesar encryption algorithm uses a predefined integer array KAISER_KEY to store a plurality of displacement values.
The encrypted data is packaged into a complete authorization file format along with other metadata (e.g., file header, checksum, etc.). Through the above steps, a doubly encrypted authorization information string is obtained, which can be securely stored in an authorization file and decrypted and verified as needed.
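An added example (not code from the patent) of the two-layer construction described above: the private-key step is modelled as an RSA signature over the serialized authorization information, followed by the position-dependent shift driven by `KAISER_KEY`. The JSON layout, the base64url alphabet, the array values and all function names are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// KAISER_KEY is the array of displacement values named in the text (constructed values).
var KAISER_KEY = []int{3, 17, 5, 29, 11, 42, 8}

// alphabet is the base64url character set the shift layer operates on (assumption).
const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"

var b64 = base64.RawURLEncoding

// AuthInfo is a hypothetical layout of the authorization information and time.
type AuthInfo struct {
	MachineCode string   `json:"machine_code"`
	AuthCode    string   `json:"auth_code"`
	Rights      []string `json:"rights"`
	AuthTime    int64    `json:"auth_time"` // system time at issue, Unix seconds
	Deadline    int64    `json:"deadline"`  // end of the authorization period
}

// NewAuthInfo takes the system time as the authorization time (step S3).
func NewAuthInfo(mc, code string, rights []string, now time.Time, period time.Duration) AuthInfo {
	return AuthInfo{mc, code, rights, now.Unix(), now.Add(period).Unix()}
}

// NewKeyPair generates the RSA key pair; the private key stays with the issuer.
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// shift moves character i by dir*KAISER_KEY[i mod len(KAISER_KEY)] inside the
// alphabet; dir is +1 to apply the layer and -1 to remove it.
func shift(s string, dir int) string {
	n := len(alphabet)
	out := []byte(s)
	for i := range out {
		idx := strings.IndexByte(alphabet, out[i])
		if idx < 0 {
			continue // the '.' separator is outside the alphabet and passes through
		}
		k := KAISER_KEY[i%len(KAISER_KEY)] % n
		out[i] = alphabet[((idx+dir*k)%n+n)%n]
	}
	return string(out)
}

// Issue signs the serialized information with the private key, then applies the shift layer.
func Issue(priv *rsa.PrivateKey, info AuthInfo) (string, error) {
	payload, err := json.Marshal(info)
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return shift(b64.EncodeToString(payload)+"."+b64.EncodeToString(sig), 1), nil
}

// Open removes the shift layer and checks the signature with the public key.
func Open(pub *rsa.PublicKey, file string) (AuthInfo, error) {
	var info AuthInfo
	parts := strings.Split(shift(file, -1), ".")
	if len(parts) != 2 {
		return info, fmt.Errorf("malformed authorization file")
	}
	payload, err1 := b64.DecodeString(parts[0])
	sig, err2 := b64.DecodeString(parts[1])
	if err1 != nil || err2 != nil {
		return info, fmt.Errorf("malformed authorization file")
	}
	digest := sha256.Sum256(payload)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return info, fmt.Errorf("signature check failed: %w", err)
	}
	return info, json.Unmarshal(payload, &info)
}

func main() {
	priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	info := NewAuthInfo("constructed-machine-code", "A1B2-C3D4", []string{"reports"}, time.Now(), 30*24*time.Hour)
	file, _ := Issue(priv, info)
	got, err := Open(&priv.PublicKey, file)
	fmt.Println(got.AuthCode, err)
}
```

The shift layer is reversible by anyone who knows the array, so in this example resistance to tampering comes from the signature check in `Open`.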
The invention also provides a verification method, which specifically comprises the following steps:
Based on a preset timing task, time verification and machine code verification are periodically executed:
To ensure the validity and security of the authorization credentials, the system may set a timed task that automatically performs time verification and machine code verification at predetermined intervals (e.g., daily, weekly, or monthly). The detailed steps of the process are as follows:
1. Reading an authorization certificate and a public key
Reading the authorization certificate from the storage directory: the system automatically locates and reads the authorization certificate stored in the previously designated storage directory.
Decrypting the authorization certificate with the public key: the system decrypts the authorization certificate using the public key previously issued to the client. The decrypted data contains the authorization information and the authorization time.
2. Time verification
Acquiring the system time: when the verification task is executed, the system first acquires the current system time.
Verifying with the authorization time and the authorization period: the system compares the decrypted authorization time with the current system time and checks the authorization period in the authorization information. If the current time is within the authorization period, the time verification passes; otherwise, the time verification fails.
3. Machine code verification
Acquiring hardware information: the system acquires the hardware information of the client, including the CPU serial number, the motherboard serial number, the hard disk serial number and the MAC address of the network card. This information is the basis for generating machine codes.
Integrating the hardware information into a character string: the acquired hardware information is integrated into a character string according to a certain rule. This string should be able to uniquely identify the hardware environment of the client.
Hashing the character string to obtain the actual machine code: the integrated string is processed with a preset hash algorithm (such as SHA-256) to obtain the actual machine code.
Comparing the machine code with the actual machine code: the decrypted machine code (stored in the authorization information) is compared with the actual machine code. If the two are consistent, the machine code verification passes; otherwise, the machine code verification fails.
4. Control interceptor
If the actual machine code passes verification: if both the time verification and the machine code verification pass, the system considers the client to be legal and valid. At this time, the system may control the interceptor to cancel interception of the user request, allowing the user to normally access the protected resource or service.
If the actual machine code fails verification: if the time verification or the machine code verification fails, the system considers that the client may be illegal or changed. At this point, the system will control the interceptor to intercept all user requests, preventing illegal access or potential security risks.
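The verification steps above as an added Go example, not the patent's own code: the machine code is derived with SHA-256, the time and machine code checks run in order, and an HTTP interceptor rejects requests unless the last check passed. Type and function names, the `|` separator and the hardware values are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync/atomic"
	"time"
)

// Hardware holds the four identifiers the text lists as machine code inputs.
type Hardware struct{ CPUSerial, BoardSerial, DiskSerial, MAC string }

// MachineCode normalizes the fields, joins them with a separator so field
// boundaries stay unambiguous, and returns the SHA-256 digest as hex.
func MachineCode(h Hardware) string {
	fields := []string{h.CPUSerial, h.BoardSerial, h.DiskSerial, h.MAC}
	for i, f := range fields {
		fields[i] = strings.ToUpper(strings.TrimSpace(f))
	}
	sum := sha256.Sum256([]byte(strings.Join(fields, "|")))
	return hex.EncodeToString(sum[:])
}

// Grant is the part of the decrypted authorization information used here.
type Grant struct {
	MachineCode        string
	AuthTime, Deadline time.Time
}

var (
	ErrClock    = errors.New("system time is earlier than the authorization time")
	ErrExpired  = errors.New("authorization period has ended")
	ErrMismatch = errors.New("machine code does not match this hardware")
)

// Verify runs the time check first and the machine code check second.
func Verify(g Grant, now time.Time, hw Hardware) error {
	if now.Before(g.AuthTime) {
		return fmt.Errorf("%w: clock reads %s", ErrClock, now.UTC().Format(time.RFC3339))
	}
	if !now.Before(g.Deadline) {
		return ErrExpired
	}
	if subtle.ConstantTimeCompare([]byte(MachineCode(hw)), []byte(g.MachineCode)) != 1 {
		return ErrMismatch
	}
	return nil
}

// Interceptor rejects every request unless the most recent check passed.
// The zero value rejects, so the application fails closed before the first check.
type Interceptor struct{ allowed int32 }

// Recheck is what the timed task calls at each interval.
func (ic *Interceptor) Recheck(g Grant, now time.Time, hw Hardware) error {
	err := Verify(g, now, hw)
	var v int32
	if err == nil {
		v = 1
	}
	atomic.StoreInt32(&ic.allowed, v)
	return err
}

// Wrap places the interceptor in front of a handler for a restricted resource.
func (ic *Interceptor) Wrap(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if atomic.LoadInt32(&ic.allowed) != 1 {
			http.Error(w, "authorization invalid", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one constructed request through the interceptor and returns the status.
func probe(ic *Interceptor) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	rec := httptest.NewRecorder()
	ic.Wrap(ok).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/report", nil))
	return rec.Code
}

func main() {
	hw := Hardware{"BFEBFBFF000906EA", "PF1XYZ42", "S4EVNX0M700123", "00:1A:2B:3C:4D:5E"} // constructed
	issued := time.Date(2024, 11, 1, 0, 0, 0, 0, time.UTC)
	g := Grant{MachineCode(hw), issued, issued.AddDate(0, 1, 0)}
	ic := &Interceptor{}
	fmt.Println(probe(ic))
	fmt.Println(ic.Recheck(g, issued.AddDate(0, 0, 10), hw), probe(ic))
	hw.DiskSerial = "WD-WX12A3456789" // disk replaced
	fmt.Println(ic.Recheck(g, issued.AddDate(0, 0, 11), hw), probe(ic))
}
```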
In order to facilitate understanding of the present invention, the offline authorization method of the application program provided by the present invention is further described below with reference to the offline authorization process of the application program in the embodiment.
The technical solution of the invention mainly comprises the following key components:
Encryption tool class: this is one of the core components of the system. It is responsible for generating asymmetric key pairs, each comprising a public key and a private key, and for generating authorization files based on these keys. Using the private key, the system encrypts the authorization information to generate an authorization file, which ensures the security of the authorization information during storage and transmission. To enhance security, the class also applies a Caesar encryption algorithm as a secondary encryption of the encrypted data, providing an additional security layer for the authorization information.
Authorization tool class: this class decrypts the information in the authorization file using the public key and verifies the validity of the authorization information. It checks whether the authorization information meets preset conditions, such as the authorization period and the user hardware information, to ensure the validity of the authorization.
Controller: the controller provides a set of HTTP interfaces for the components in the encryption tool, allowing users to apply for authorization and authentication through these interfaces. These interfaces allow the authorization process to be triggered and monitored remotely.
Interceptor: the interceptor is a component of the authorization tool, typically provided in the form of an SDK. Applications requiring offline encryption integrate the authorization tool SDK, and the interceptor is responsible for intercepting users' requests and performing authorization verification before those requests access restricted resources. If the user fails the authorization verification, the request will be denied, thereby protecting the restricted resource from unauthorized access.
System time recording: to address the problem that the system time may be tampered with during offline authorization verification, the authorization tool class of the invention includes a system time recording module. When the encrypted file is generated, the system time is taken as the authorization time and recorded in encrypted form in the authorization file; this authorization time then serves as the system time reference against which the authorization period is compared, which effectively avoids authorization verification problems caused by modification of the device time. The authorization tool class also includes a timing task, which starts together with the application and updates the system time in the authorization file in real time at a fixed frequency, ensuring the accuracy and timeliness of authorization verification.
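An added example, not taken from the patent, of the system time recording described above: a time reference that starts at the authorization time, is advanced by the timed task, and flags a device clock that has been set back. The `slack` tolerance, the snapshot format and all names are assumptions.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"time"
)

var (
	ErrRollback   = errors.New("system clock is behind the recorded time reference")
	ErrPeriodOver = errors.New("authorization period has ended")
)

// TimeRef is the time reference kept with the authorization file. It starts at
// the authorization time and the timed task only ever moves it forward.
type TimeRef struct {
	mu       sync.Mutex
	recorded time.Time     // latest system time accepted so far
	deadline time.Time     // end of the authorization period
	slack    time.Duration // tolerated backward step, e.g. a clock sync correction
}

// NewTimeRef starts from the authorization time, or from a restored snapshot.
func NewTimeRef(authTime, deadline time.Time, slack time.Duration) *TimeRef {
	return &TimeRef{recorded: authTime, deadline: deadline, slack: slack}
}

// Tick is called by the timed task with the current system time.
func (r *TimeRef) Tick(now time.Time) error {
	now = now.Round(0) // drop Go's monotonic reading so wall-clock values are compared
	r.mu.Lock()
	defer r.mu.Unlock()
	if now.Before(r.recorded.Add(-r.slack)) {
		// The recorded value is kept, so setting the clock back gains nothing.
		return fmt.Errorf("%w: clock %s, reference %s", ErrRollback,
			now.UTC().Format(time.RFC3339), r.recorded.UTC().Format(time.RFC3339))
	}
	if now.After(r.recorded) {
		r.recorded = now
	}
	if !r.recorded.Before(r.deadline) {
		return ErrPeriodOver
	}
	return nil
}

// Snapshot returns the value to write back to storage so the reference survives a restart.
func (r *TimeRef) Snapshot() int64 {
	r.mu.Lock()
	defer r.mu.Unlock()
	return r.recorded.Unix()
}

// Run is the timed task: it ticks at a fixed frequency and reports failures.
func (r *TimeRef) Run(ctx context.Context, every time.Duration, onFail func(error)) {
	t := time.NewTicker(every)
	defer t.Stop()
	for {
		select {
		case <-ctx.Done():
			return
		case now := <-t.C:
			if err := r.Tick(now); err != nil {
				onFail(err)
			}
		}
	}
}

func main() {
	issued := time.Date(2024, 11, 1, 0, 0, 0, 0, time.UTC) // constructed dates
	ref := NewTimeRef(issued, issued.AddDate(0, 1, 0), 2*time.Minute)
	fmt.Println(ref.Tick(issued.AddDate(0, 0, 20))) // normal use on day 20
	fmt.Println(ref.Tick(issued.AddDate(0, 0, 5)))  // device clock set back to day 5
}
```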
Specifically, referring to fig. 2, the offline authorization verification method of the application program includes:
The flow of the application for authorization is described in detail as follows:
Generating a key pair: in the system initialization stage, the encryption tool class uses the RSA algorithm to generate a pair of asymmetric keys for each application requiring offline authorization. The generated key pair includes a public key and a private key. The public key is distributed to the user and the private key is stored in the encrypted storage system of the server.
Generating authorization information: the application on an authorized device is designated through a machine code (usually the user's hardware information and the like). According to the user's request and the hardware information, the system generates a set of authorization information, which comprises an authorization period, an authorization code and other authorization information that needs to be encrypted (such as the number of authorizations and the accessible functional range).
Encrypting the authorization information: the authorization information is encrypted with the private key to generate an authorization file. To enhance security, encryption is first performed with an asymmetric encryption algorithm, and a secondary encryption is then performed with a Caesar cipher (the source of the name of the identifier KAISER_KEY). The system employs an enhanced Caesar cipher that stores a plurality of displacement values in a predefined integer array KAISER_KEY, rather than a single number. This design remarkably improves encryption security, because the encryption of each character depends on the displacement value at a different position in the array, which avoids the single fixed displacement of the traditional Caesar cipher. During encryption, the system selects the displacement at the corresponding position in the KAISER_KEY array according to the position of each character within the authorization information, and performs dynamic displacement encryption. This position-based dynamic displacement mechanism ensures that the encryption result of each character is unique, and greatly improves the security of the encrypted data.
Storing the authorization file: the encrypted authorization file and the public key are distributed to the user and placed in a specified directory, for authorization verification by the user's encrypted application.
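The position-indexed displacement layer described in the encryption step, written out as an added example; it is not code from the patent or its applicant. The contents of KAISER_KEY, byte-wise operation modulo 256, wrap-around of the array index, and the Base64 text form of the file are all assumptions made here.

```python
import base64
import binascii

# Constructed shift values: the page names the array KAISER_KEY but does not
# publish its contents.
KAISER_KEY = [3, 17, 5, 29, 11, 7, 23]


def shift_layer(data: bytes, key=KAISER_KEY, decrypt: bool = False) -> bytes:
    """Shift byte i by key[i % len(key)] modulo 256; decrypt=True reverses it.

    Assumptions: the layer works on bytes, and the array index wraps around
    when the data is longer than the array.
    """
    if not key:
        raise ValueError("shift array must not be empty")
    sign = -1 if decrypt else 1
    return bytes((b + sign * key[i % len(key)]) % 256 for i, b in enumerate(data))


def to_file_text(stage_one: bytes) -> str:
    """Apply the second-stage layer, then Base64 so the file is plain text."""
    return base64.b64encode(shift_layer(stage_one)).decode("ascii")


def from_file_text(text: str):
    """Undo to_file_text; return None for a damaged or hand-edited file."""
    try:
        shifted = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None
    return shift_layer(shifted, decrypt=True)


if __name__ == "__main__":
    # Constructed stand-in for the output of the asymmetric first stage.
    stage_one = bytes(range(250, 256)) + b"constructed stage-one output"
    text = to_file_text(stage_one)
    print("file text      :", text)
    print("round trip ok  :", from_file_text(text) == stage_one)
    # The same input byte lands on different output bytes at positions 0..6,
    # and position 7 reuses the shift of position 0 because the index wraps.
    print("b'AAAAAAAA' -> :", list(shift_layer(b"AAAAAAAA")))
    print("damaged file   :", from_file_text("!!!"))
```

With a wrapping index this layer is a repeating-key shift cipher. Because the verifying SDK must hold KAISER_KEY to invert it, the tamper resistance of the authorization file rests on the asymmetric step rather than on this layer.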
The authorization verification process is described in detail as follows:
Reading the authorization file: the authorization tool class is integrated, in the form of an SDK, into the application that needs encryption, and an interceptor intercepts all functions that require permission. The application system reads the stored authorization file at startup or when needed; after the interceptor intercepts a request, it looks up the public key and the authorization file in the specified directory. If they are not found, the machine code of the device is queried and provided to technicians to generate an authorization file; if they are found, the decryption process begins. The machine code is generally formed by combining various items of system hardware information, including the CPU ID, the motherboard serial number, the BIOS version number and the like.
Decrypting the authorization information: the information in the authorization file is decrypted using the public key. First, decryption is performed with the asymmetric encryption algorithm, and then the inverse process of the Caesar cipher is applied as a secondary decryption.
Verifying the authorization information: the system verifies the decrypted authorization information, including whether the authorization period has expired, whether the hardware information matches the decrypted authorization information, and any other authorization information that needs to be verified.
Authorization result: according to the verification result, the system determines whether the user is allowed to access the application system. If the authorization verification passes, the user can continue to use the application; if it fails, the user's access request is refused.
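The checks of the verification flow above (also recited in claims 4 to 6), as an added example that is not code from the patent or its applicant. It starts from already-decrypted authorization information; the field names, SHA-256 as the hash, the `|` separator, the normalization, and the reading of the recorded system time as a high-water mark that the clock may never fall below are assumptions made here.

```python
import hashlib
import hmac

HW_FIELDS = ("cpu_id", "board_serial", "disk_serial", "mac")  # hypothetical key names


def machine_code(hw: dict) -> str:
    """Join the hardware identifiers into one string and hash it (claim 6)."""
    joined = "|".join(hw[name].strip().upper() for name in HW_FIELDS)
    return hashlib.sha256(joined.encode("utf-8")).hexdigest()


def verify(auth: dict, last_seen: int, now: int, hw: dict):
    """Return (allowed, reason, new_last_seen); times are epoch seconds.

    last_seen stands for the system time the timed task keeps writing back to
    the authorization file. A clock reading below both it and the
    authorization time is treated as tampering.
    """
    reference = max(auth["authorization_time"], last_seen)
    if now < reference:
        return False, "clock-rollback", last_seen  # keep the high-water mark
    if now > auth["deadline"]:
        return False, "expired", now
    if not hmac.compare_digest(auth["machine_code"], machine_code(hw)):
        return False, "machine-code-mismatch", now
    return True, "ok", now


def demo():
    """Run a constructed sequence of checks and return the reasons in order."""
    day = 86400
    issued = 1_700_000_000  # constructed authorization time
    hw = {"cpu_id": "BFEBFBFF000906EA", "board_serial": "mb-0001 ",
          "disk_serial": "WD-0001", "mac": "02:00:00:00:00:01"}  # constructed
    other_hw = dict(hw, mac="02:00:00:00:00:99")
    auth = {"authorization_time": issued, "deadline": issued + 30 * day,
            "machine_code": machine_code(hw)}
    checks = [
        (issued + 10 * day, hw),        # normal use
        (issued + 2 * day, hw),         # clock set back, still inside the period
        (issued + 11 * day, other_hw),  # file copied to another machine
        (issued + 31 * day, hw),        # period over
        (issued + 29 * day, hw),        # clock wound back into the period
    ]
    last_seen, reasons = issued, []
    for now, box in checks:
        _, reason, last_seen = verify(auth, last_seen, now, box)
        reasons.append(reason)
    return reasons


if __name__ == "__main__":
    print(demo())
```

The second and fifth checks fall inside the authorization period and would pass a comparison against the deadline alone; they are rejected only because the recorded time has already advanced past them.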
The method has the beneficial effects that:
Enhanced security: by combining asymmetric encryption with secondary encryption using the Caesar cipher, the system greatly enhances the security of the authorization information. The method effectively prevents unauthorized access and potential network attacks and protects software applications and user data from being damaged.
Offline authorization capability: the system can complete authorization verification in a completely offline environment, which removes the limitation that a traditional online authorization system cannot work without a network. This allows the user to use the software normally even without a network connection, improving the usability and flexibility of the software.
The system time recording module is designed to effectively prevent attacks that bypass authorization verification by tampering with the system time, ensuring the accuracy and reliability of the authorization deadline.
The system effectively protects the copyright interests of software developers and reduces the risks of piracy and illegal copying by ensuring that only legally authorized users can access and use the software.
Reduced maintenance cost: the design of the system reduces the dependence on a centralized authorization server, which lowers the maintenance cost and the server's potential attack risk, and also reduces the load on the server.
In some embodiments, the offline authorization system of the application may include a plurality of functional modules comprised of computer program segments. The computer program of each program segment in the offline authorization system of the application program may be stored in a memory of a computer device and executed by at least one processor to perform (see fig. 1 for details) the functions of offline authorization of the application program.
In this embodiment, the offline authorization system of the application program may be divided into a plurality of functional modules according to the functions performed by the offline authorization system, as shown in fig. 3. Functional modules of system 300 may include a request receiving module 310, an authorization generating module 320, a certificate generating module 330, and a certificate issuing module 340. The module referred to in the present invention refers to a series of computer program segments capable of being executed by at least one processor and of performing a fixed function, stored in a memory. In the present embodiment, the functions of the respective modules will be described in detail in the following embodiments.
The request receiving module is used for receiving an authorization request, generating a key pair comprising a public key and a private key based on the authorization request, and extracting a machine code from the authorization request;
The authorization generation module is used for generating authorization information based on the machine code, wherein the authorization information comprises an authorization period, an authorization code and authority information;
the certificate generation module is used for taking the system time as the authorization time, and carrying out encryption processing on the authorization information and the authorization time by using a private key to obtain an authorization certificate;
and the certificate issuing module is used for issuing the public key and the authorization certificate to the client side sending the authorization request and designating the storage directory of the authorization certificate in the client side.
Optionally, as an embodiment of the present invention, the certificate generation module includes:
The first encryption unit is used for encrypting the authorization information and the system time based on the private key by utilizing an asymmetric encryption algorithm to obtain an encrypted file;
And the second encryption unit is used for encrypting the encrypted file by using a Caesar cipher to obtain an authorization file.
Fig. 4 is a schematic structural diagram of a terminal 400 according to an embodiment of the present invention, where the terminal 400 may be used to execute the offline authorization method of the application program according to the embodiment of the present invention.
The terminal 400 may include a processor 410, a memory 420, and a communication unit 430. The components may communicate via one or more buses, and it will be appreciated by those skilled in the art that the configuration of the server as shown in the drawings is not limiting of the invention, as it may be a bus-like structure, a star-like structure, or include more or fewer components than shown, or may be a combination of certain components or a different arrangement of components.
The memory 420 may be used to store instructions for execution by the processor 410, and the memory 420 may be implemented by any type of volatile or nonvolatile memory terminal or combination thereof, such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk, or optical disk. The execution of the instructions in memory 420, when executed by processor 410, enables terminal 400 to perform some or all of the steps in the method embodiments described below.
The processor 410 is the control center of the storage terminal. It connects the various parts of the entire electronic terminal using various interfaces and lines, and performs the functions of the electronic terminal and/or processes data by running or executing software programs and/or modules stored in the memory 420 and invoking data stored in the memory. The processor may be composed of an integrated circuit (Integrated Circuit, IC for short), for example a single packaged IC, or of multiple packaged ICs connected to one another for the same function or for different functions. For example, the processor 410 may include only a central processing unit (Central Processing Unit, CPU for short). In the embodiment of the invention, the CPU may have a single operation core or may comprise multiple operation cores.
The communication unit 430 is used for establishing a communication channel so that the storage terminal can communicate with other terminals, receiving user data sent by other terminals or sending user data to other terminals.
The present invention also provides a computer storage medium in which a program may be stored; when executed, the program may include some or all of the steps in the embodiments provided by the present invention. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM), or the like.
It will be apparent to those skilled in the art that the techniques of the embodiments of the present invention may be implemented in software plus a necessary general-purpose hardware platform. Based on such understanding, the technical solution in the embodiments of the present invention, in essence or in the part contributing to the prior art, may be embodied in the form of a software product stored in a storage medium such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code, including several instructions for causing a computer terminal (which may be a personal computer, a server, a second terminal, a network terminal, etc.) to execute all or part of the steps of the method described in the embodiments of the present invention.
The same or similar parts between the various embodiments in this specification are referred to each other. In particular, for the terminal embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and reference should be made to the description in the method embodiment for relevant points.
In the several embodiments provided by the present invention, it should be understood that the disclosed systems and methods may be implemented in other ways. For example, the system embodiments described above are merely illustrative, e.g., the division of the modules is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple modules or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with respect to each other may be through some interface, indirect coupling or communication connection of systems or modules, electrical, mechanical, or other form.
The modules described as separate components may or may not be physically separate, and components shown as modules may or may not be physical modules, i.e., may be located in one place, or may be distributed over a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional module in each embodiment of the present invention may be integrated into one processing module, or each module may exist alone physically, or two or more modules may be integrated into one module.
Although the present invention has been described in detail by way of preferred embodiments with reference to the accompanying drawings, the present invention is not limited thereto. Various equivalent modifications and substitutions may be made in the embodiments of the present invention by those skilled in the art without departing from the spirit and scope of the present invention, and it is intended that all such modifications and substitutions be within the scope of the present invention as defined by the appended claims.
Claims (10)
1. An offline authorization method for an application program, comprising:
Receiving an authorization request, generating a key pair comprising a public key and a private key based on the authorization request, and extracting a machine code from the authorization request;
Generating authorization information based on the machine code, wherein the authorization information comprises an authorization period, an authorization code and authority information;
Taking the system time as the authorization time, and encrypting the authorization information and the authorization time by using a private key to obtain an authorization certificate;
and sending the public key and the authorization certificate to a client side sending the authorization request, and designating a storage directory of the authorization certificate in the client side.
2. The method of claim 1, wherein generating authorization information based on the machine code, the authorization information including an authorization deadline, an authorization code, and rights information, comprises:
Inquiring user information matched with the machine code from a user database;
And generating corresponding authorization codes and authority information based on the user information.
3. The method according to claim 1, wherein the encrypting the authorization information and the authorization time with the private key using the system time as the authorization time to obtain the authorization certificate comprises:
Encrypting the authorization information and the system time based on the private key by using an asymmetric encryption algorithm to obtain an encrypted file;
and encrypting the encrypted file by using a Caesar cipher to obtain an authorization file.
4. A method of offline authorization verification of an application program, based on the method of any of claims 1-3, comprising:
Reading an authorization certificate from the storage catalog, decrypting the authorization certificate by utilizing the public key, and obtaining authorization information and authorization time;
Acquiring system time, and verifying the system time by using the authorization time and the authorization deadline in the authorization information;
if the system time passes the verification, generating an actual machine code based on the hardware information, and verifying the actual machine code by using the machine code in the authorization information;
and if the actual machine code fails to pass the verification, controlling the interceptor to intercept all the user requests.
5. The method according to claim 4, wherein the method further comprises:
based on a preset timing task, time verification and machine code verification are periodically performed.
6. The method of claim 4, wherein generating an actual machine code based on the hardware information and verifying the actual machine code using the machine code in the authorization information comprises:
Collecting hardware information, wherein the hardware information comprises a CPU sequence packet, a motherboard serial number, a hard disk serial number and a network card MAC address;
integrating the hardware information into a character string;
encrypting the character string by utilizing a hash algorithm to obtain an actual machine code;
and comparing the consistency of the machine code and the actual machine code, and judging that the machine code and the actual machine code pass the verification if the machine code and the actual machine code are consistent.
7. An offline authorization system for an application, comprising:
The request receiving module is used for receiving an authorization request, generating a key pair comprising a public key and a private key based on the authorization request, and extracting a machine code from the authorization request;
The authorization generation module is used for generating authorization information based on the machine code, wherein the authorization information comprises an authorization period, an authorization code and authority information;
the certificate generation module is used for taking the system time as the authorization time, and carrying out encryption processing on the authorization information and the authorization time by using a private key to obtain an authorization certificate;
and the certificate issuing module is used for issuing the public key and the authorization certificate to the client side sending the authorization request and designating the storage directory of the authorization certificate in the client side.
8. The system of claim 7, wherein the certificate generation module comprises:
The first encryption unit is used for encrypting the authorization information and the system time based on the private key by utilizing an asymmetric encryption algorithm to obtain an encrypted file;
And the second encryption unit is used for encrypting the encrypted file by using a Caesar cipher to obtain an authorization file.
9. A terminal, comprising:
A memory for storing an offline authorization program of the application program;
A processor for implementing the steps of the method for offline authorization of an application according to any of claims 1-3 when executing the offline authorization program of said application.
10. A computer readable storage medium storing a computer program, characterized in that the readable storage medium has stored thereon an offline authorization program of an application program, which when executed by a processor, implements the steps of the offline authorization method of an application program according to any of claims 1-3.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202411646823.1A CN119475310A (en) | 2024-11-18 | 2024-11-18 | Offline authorization verification method, system, terminal and storage medium for application program |
Publications (1)
Publication Number | Publication Date |
---|---|
CN119475310A (en) | 2025-02-18 |
Family
ID=94581448
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202411646823.1A Pending CN119475310A (en) | 2024-11-18 | 2024-11-18 | Offline authorization verification method, system, terminal and storage medium for application program |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN119475310A (en) |
-
2024
- 2024-11-18 CN CN202411646823.1A patent/CN119475310A/en active Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||