The present application claims priority to the Chinese patent application entitled "a tamper-proof method and apparatus", filed with the National Intellectual Property Office on 31.12.2019 under application number 201911418601.3, the entire contents of which are incorporated herein by reference.
Disclosure of Invention
The application provides an anti-cracking method and device, which solve the problem of protecting an APP against cracking in an MEC scenario.
To achieve this purpose, the technical solution is as follows:
In a first aspect, the present application provides an anti-cracking method, the method comprising: an edge dog module receives a first request, which requests a first Message Authentication Code (MAC) and includes the running environment information of an APP; calculates, according to the running environment information of the APP, a first MAC used for verifying whether the edge dog module is legal; and sends the first MAC.
Alternatively, the edge dog module can use an asymmetric key scheme: it signs the running environment information of the APP with its private key and sends the signed information. After receiving the signed information, the agent module or the APP decrypts it with the public key of the edge dog module, verifies from the decrypted information whether the edge dog module is legal, and performs the corresponding operation on the APP according to whether the edge dog module is legal.
Based on the method of the first aspect, after receiving the request for the MAC, the edge dog module can generate a MAC according to the running environment information of the APP and feed the MAC back to the peer end, such as the agent module or the APP, so that the agent module or the APP compares the MAC it generated itself with the received MAC to verify whether the edge dog module is legal. For example, if the MAC generated by the agent module is the same as the MAC generated by the edge dog module, the edge dog module is legal and the corresponding operation can be performed on the APP. In this way, the edge dog module is bound to the running environment of the APP: a legal user can calculate the expected MAC only when running the APP in the running environment allowed by the edge dog module, and verification then succeeds; an illegal user who has obtained the APP calculates a MAC different from the received MAC because the APP is not running in the allowed running environment, so verification fails and the APP cannot be stolen. Compared with the prior art, the method provided by the first aspect can ensure the security of APP usage in the MEC scenario.
In a second aspect, the present application provides an anti-cracking method, the method further comprising: an edge dog module receives a first request, which requests a first MAC and includes a fourth MAC and the running environment information of the APP, where the fourth MAC is used for verifying whether the edge dog module is legal; the edge dog module calculates a first MAC according to the running environment information of the APP, compares the first MAC with the fourth MAC, and sends a response to the first request. When the first MAC and the fourth MAC are the same, the response to the first request indicates that the edge dog module is legal; when the first MAC and the fourth MAC are different, the response to the first request indicates that the edge dog module is illegal.
Based on the method of the second aspect, after receiving the request for the MAC, the edge dog module can generate a MAC according to the running environment information of the APP and compare the generated MAC with the MAC generated by the agent module to verify whether the edge dog module is legal. For example, if the MAC generated by the agent module is the same as the MAC generated by the edge dog module, the edge dog module is legal and the corresponding operation can be performed on the APP. In this way, the edge dog module is bound to the running environment of the APP: a legal user can calculate the expected MAC only when running the APP in the running environment allowed by the edge dog module, and verification then succeeds; an illegal user who has obtained the APP calculates a MAC different from the received MAC because the APP is not running in the allowed running environment, so verification fails and the APP cannot be stolen. Compared with the prior art, the method provided by the second aspect can ensure the security of APP usage in the MEC scenario.
In one possible design, the edge dog module calculating the first MAC according to the running environment information of the APP includes: the edge dog module takes the running environment information of the APP as an input parameter and calculates the first MAC.
Based on this possible design, the first MAC can be derived from the running environment information of the APP, which binds the running environment information of the APP to the first MAC. When the APP runs in an allowed environment, the edge dog module therefore generates a MAC consistent with the MAC generated by the agent module, which guarantees normal running of the APP and improves the security of the APP in the MEC scenario.
In one possible design, the method further includes: the edge dog module determines that the running environment information of the APP matches preset running environment information that represents the legal running environment of the APP.
Based on this possible design, the first MAC is generated only when the APP runs in the allowed environment, and the validity of the first operation of the APP is then verified based on the generated first MAC. This avoids the power consumption of still executing the anti-cracking method provided by the above aspects when the APP is not deployed in the allowed running environment.
In one possible design, the edge dog module calculating the first MAC according to the running environment information of the APP includes: the edge dog module calculates the first MAC according to the running environment information of the APP and security parameters.
Based on this possible design, in addition to binding the running environment information of the APP to the APP, the edge dog module can also bind the security parameters to the APP, and the MAC used for verifying the legality of running the APP is calculated jointly from the security parameters and the running environment information of the APP. This guarantees that only a user who holds legal security parameters and runs the APP in the specified running environment can use the APP. An illegal user who has obtained the APP cannot obtain the legal security parameters and is not running the APP in the specified running environment, so cannot calculate a MAC that is the same as the received MAC; verification fails and the APP cannot be stolen. Because this possible design calculates the MAC from multiple parameters, it raises the security level of APP usage in the MEC scenario.
In a third aspect, the present application provides an anti-cracking method, the method comprising: the edge dog module receives a first request that requests the first MAC, calculates, according to the security parameters, the first MAC used for verifying whether the edge dog module is legal, and sends the first MAC.
Alternatively, the edge dog module can use an asymmetric key scheme: it signs the security parameters with its private key and sends the signed information. After receiving the signed information, the agent module or the APP decrypts it with the public key of the edge dog module, verifies from the decrypted information whether the edge dog module is legal, and performs the corresponding operation on the APP according to whether the edge dog module is legal.
Based on the method of the third aspect, after receiving the request for the MAC, the edge dog module can generate a MAC according to the security parameters and feed the generated MAC back to the peer end, such as the agent module or the APP, so that the agent module or the APP compares the MAC generated by the agent module with the MAC generated by the edge dog module to verify whether the edge dog module is legal. For example, if the MAC generated by the agent module is the same as the MAC generated by the edge dog module, the edge dog module is legal and the corresponding operation can be performed on the APP. A legal user can therefore use the legal security parameters to calculate the expected MAC through the edge dog module, and the corresponding operation is performed on the APP once the legality of the edge dog module is established. In this way, only a user who holds the legal security parameters can use the APP; an illegal user who has obtained the APP cannot obtain the legal security parameters and so cannot generate a MAC consistent with the MAC generated by the agent module, verification fails, and the APP cannot be stolen. Compared with the prior art, the method provided by the third aspect ensures the security of APP usage in the MEC scenario.
In a fourth aspect, the present application provides an anti-cracking method, the method further comprising: the edge dog module receives a first request that includes a fourth MAC, where the fourth MAC is used for verifying whether the edge dog module is legal; the edge dog module calculates a first MAC according to the security parameters, compares the first MAC with the fourth MAC, and sends a response to the first request. When the first MAC and the fourth MAC are different, the response to the first request indicates that the first operation of the APP is illegal and that the first operation has failed.
Based on the method of the fourth aspect, after receiving the request for the MAC, the edge dog module can generate a MAC according to the security parameters and compare the generated MAC with the MAC generated by the agent module to verify whether the edge dog module is legal. For example, if the MAC generated by the agent module is the same as the MAC generated by the edge dog module, the edge dog module is legal and the corresponding operation can be performed on the APP. A legal user can therefore use the legal security parameters to calculate the expected MAC through the edge dog module, and the corresponding operation is performed on the APP once the legality of the edge dog module is established. In this way, only a user who holds the legal security parameters can use the APP; an illegal user who has obtained the APP cannot obtain the legal security parameters and so cannot generate a MAC consistent with the MAC generated by the agent module, verification fails, and the APP cannot be stolen. Compared with the prior art, the method provided by the fourth aspect can ensure the security of APP usage in the MEC scenario.
In one possible design, the edge dog module calculating the first MAC according to the security parameters includes: the edge dog module takes the security parameters as input parameters and calculates the first MAC.
Based on this possible design, the first MAC can be derived from the security parameters, which binds the security parameters to the first MAC. When the edge dog module holds the legal security parameters, it therefore generates a MAC consistent with the MAC generated by the agent module, which guarantees normal running of the APP and improves the security of the APP in the MEC scenario.
In one possible design, the edge dog module calculating the first MAC according to the security parameters includes: the edge dog module calculates the first MAC according to the security parameters and the running environment information of the APP.
Based on this possible design, in addition to binding the security parameters to the APP, the edge dog module can also bind the running environment information of the APP to the APP, and the MAC used for verifying the legality of running the APP is calculated jointly from the security parameters and the running environment information of the APP. This guarantees that only a user who holds legal security parameters and runs the APP in the specified running environment can use the APP. An illegal user who has obtained the APP cannot obtain the legal security parameters and is not running the APP in the specified running environment, so cannot calculate a MAC that is the same as the received MAC; verification fails and the APP cannot be stolen. Because this possible design calculates the MAC from multiple parameters, it raises the security level of APP usage in the MEC scenario.
In one possible design, the edge dog module calculating the first MAC according to the security parameters and the running environment information of the APP includes: the edge dog module takes the security parameters and the running environment information of the APP as input parameters and calculates the first MAC.
Based on this possible design, the first MAC can be derived from the security parameters and the running environment information of the APP, which binds both to the first MAC. When the edge dog module holds the legal security parameters and the APP runs in the allowed environment, the edge dog module therefore generates a MAC consistent with the MAC generated by the agent module, which guarantees normal running of the APP and improves the security of the APP in the MEC scenario.
In one possible design, the running environment information of the APP includes any one or more of the following: an identification of the Mobile Edge Platform (MEP) where the APP is located, information of the Virtual Machine (VM) or container where the APP is located, information of the Trusted Platform Module (TPM) of the platform on which the APP runs, and information of the hardware hosting the VM or container in which the APP runs.
Based on this possible design, the identification of the MEP, the information of the VM or container where the APP is located, the TPM information of the platform on which the APP runs, and the information of the hardware hosting the VM or container in which the APP runs can all serve as running environment information of the APP. This increases the variety of the running environment information of the APP, and the diversified running environment information raises the security level of running the APP on the MEC.
In one possible design, the above security parameters are pre-configured in the edge dog module by the manufacturer of the APP.
Based on this possible design, the manufacturer of the APP can pre-configure the security parameters in the edge dog module, so that the third-party manufacturer authorizes use of the legal security parameters. This prevents the edge dog module from being copied by others whom the third-party manufacturer has not authorized, and raises the security level of verifying legal use of the APP through the edge dog module.
In one possible design, the method further includes: if the first request also carries an indication to activate the APP, the edge dog module determines that the activation count of the APP is smaller than the maximum allowed number of activations.
Based on this possible design, the anti-cracking method provided by the above aspects is executed only when the activation count of the APP is less than the maximum allowed number of activations, which avoids the power consumption of still executing the method when the APP has no remaining activations.
In one possible design, the method further includes: the edge dog module receives an activation success message indicating that the APP has been successfully activated, and updates the activation count of the APP according to the activation success message by adding 1 to it.
Based on this possible design, when the APP is successfully activated, its activation count is incremented by 1. This guarantees that the locally stored activation count of the APP is updated in time and stays consistent with the number of times the APP has actually been successfully activated, which improves the accuracy of monitoring the activation count of the APP.
In one possible design, the method further includes: the edge dog module receives from the agent module a state synchronization request that includes the activation count of the APP, and updates the locally stored activation count of the APP to the activation count carried in the request.
Based on this possible design, the activation counts of the APP stored in the edge dog module and in the agent module can be synchronized so that both hold the same value, which avoids verification failures caused by the two modules holding different activation counts for the APP.
In one possible design, the method further includes: the edge dog module receives a second request, which requests deactivation of the APP and includes a second MAC used for verifying whether the operation of deactivating the APP is legal; calculates a third MAC according to the security parameters; compares the second MAC with the third MAC; and sends a deactivation response. When the second MAC and the third MAC are the same, the deactivation response indicates that the APP was successfully deactivated; when the second MAC and the third MAC are different, the deactivation response indicates that deactivation of the APP failed.
Based on this possible design, the edge dog module can check, according to the security parameters, whether the operation of deactivating the APP is legal. Because the security parameters are bound to the deactivation operation, only a user who holds the legal security parameters can successfully deactivate the APP, which avoids the problems caused by illegal personnel maliciously deactivating the APP.
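The following Python sketch is an added example, not code from the application: it walks through the first-request MAC check, the preset-environment and activation-count checks, and the deactivation check described above. HMAC-SHA256, the JSON encoding, the purpose label, and all class, function, key and environment names are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample values, not taken from the application.
KEY = b"constructed-security-parameter"
ENV = {"mep_id": "mep-01", "vm_id": "vm-7f3a",
       "tpm_info": "tpm-constructed", "host_hw": "host-42"}


def compute_mac(security_param, purpose, env_info=None):
    """MAC over (purpose, environment), keyed with the security parameter.

    Assumptions: HMAC-SHA256 stands in for the unnamed MAC algorithm, and the
    purpose label is added here so that a MAC issued for the first request
    can never equal the MAC expected for deactivation.
    """
    # Canonical JSON so both sides serialise the same environment identically.
    msg = json.dumps({"purpose": purpose, "env": env_info or {}},
                     sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(security_param, msg, hashlib.sha256).digest()


class EdgeDog:
    def __init__(self, security_param, preset_env, max_activations):
        self.security_param = security_param  # pre-configured by the APP manufacturer
        self.preset_env = preset_env          # legal running environment of the APP
        self.max_activations = max_activations
        self.activations = 0

    def handle_first_request(self, env_info, activate=False):
        """Return the first MAC, or None when the request is refused."""
        if env_info != self.preset_env:
            return None                       # not the preset running environment
        if activate and self.activations >= self.max_activations:
            return None                       # no activations remaining
        return compute_mac(self.security_param, "first", env_info)

    def on_activation_success(self):
        self.activations += 1                 # activation success message

    def sync_state(self, activations):
        self.activations = activations        # state synchronization request

    def handle_deactivation(self, second_mac):
        third_mac = compute_mac(self.security_param, "deactivate")
        return hmac.compare_digest(second_mac, third_mac)  # constant-time compare


class Agent:
    def __init__(self, security_param, env_info):
        self.security_param = security_param
        self.env_info = env_info

    def verify_edge_dog(self, dog, activate=False):
        """Compare the received first MAC with the locally computed fourth MAC."""
        first_mac = dog.handle_first_request(self.env_info, activate)
        if first_mac is None:
            return False
        fourth_mac = compute_mac(self.security_param, "first", self.env_info)
        legal = hmac.compare_digest(first_mac, fourth_mac)
        if legal and activate:
            dog.on_activation_success()
        return legal

    def request_deactivation(self, dog):
        second_mac = compute_mac(self.security_param, "deactivate")
        return dog.handle_deactivation(second_mac)


def demo():
    dog = EdgeDog(KEY, ENV, max_activations=2)
    agent = Agent(KEY, ENV)
    results = {}
    results["legit"] = agent.verify_edge_dog(dog, activate=True)
    # APP copied into a different VM: environment no longer matches the preset.
    copied = Agent(KEY, dict(ENV, vm_id="vm-copy"))
    results["wrong_env"] = copied.verify_edge_dog(dog)
    # Copied edge dog without the manufacturer's security parameter.
    results["rogue_dog"] = agent.verify_edge_dog(EdgeDog(b"guessed", ENV, 2))
    agent.verify_edge_dog(dog, activate=True)           # second activation
    results["over_limit"] = agent.verify_edge_dog(dog, activate=True)
    # A captured first MAC presented as the second MAC must be rejected.
    captured = dog.handle_first_request(ENV)
    results["replayed_first_mac"] = dog.handle_deactivation(captured)
    results["deactivate"] = agent.request_deactivation(dog)
    results["activations"] = dog.activations
    return results


if __name__ == "__main__":
    print(demo())
```
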
In one possible design, the APP is deployed together with the agent module, and the edge dog module receiving the first request includes: the edge dog module receives the first request from the agent module. With reference to any one of the first aspect to the second aspect or any possible design of the first aspect to the second aspect, the edge dog module sending the first MAC includes: the edge dog module sends the first MAC to the agent module. With reference to any one of the third aspect to the fourth aspect or any possible design of the third aspect to the fourth aspect, the edge dog module sending the response to the first request includes: the edge dog module sends the response to the first request to the agent module.
Based on this possible design, when the agent module and the APP are deployed together, the edge dog module receives the first request from the agent module and sends the first MAC or the response to the first request to the agent module. That is, the first operation of the APP is verified through interaction between the edge dog module and the agent module in the APP, which is simple and easy to implement.
In one possible design, the APP is deployed separately from the agent module, and the edge dog module receiving the first request includes: the edge dog module receives the first request from the APP. With reference to any one of the first aspect to the second aspect or any possible design of the first aspect to the second aspect, the edge dog module sending the first MAC includes: the edge dog module sends the first MAC to the APP. With reference to any one of the third aspect to the fourth aspect or any possible design of the third aspect to the fourth aspect, the edge dog module sending the response to the first request includes: the edge dog module sends the response to the first request to the APP.
Based on this possible design, when the agent module and the APP are deployed separately, the edge dog module receives the first request from the APP and sends the first MAC or the response to the first request to the APP. The edge dog module does not need to interact with the agent module to verify the first operation of the APP, which reduces the power consumption of the agent module.
In a fifth aspect, the present application provides an anti-cracking method, the method comprising: the edge dog module receives a second request, which requests deactivation of the APP and includes a second MAC used for verifying whether the operation of deactivating the APP is legal; calculates a third MAC according to the security parameters; compares the second MAC with the third MAC; and sends a deactivation response. When the second MAC and the third MAC are the same, the deactivation response indicates that the APP was successfully deactivated; when the second MAC and the third MAC are different, the deactivation response indicates that deactivation of the APP failed.
Based on the method provided by the fifth aspect, the edge dog module can check, according to the security parameters, whether the operation of deactivating the APP is legal. Because the security parameters are bound to the deactivation operation, only a user who holds the legal security parameters can successfully deactivate the APP, which avoids the problems caused by illegal personnel maliciously deactivating the APP.
In one possible design, the APP is deployed together with the agent module; the edge dog module receiving the second request includes: the edge dog module receives the second request from the agent module; and the edge dog module sending the deactivation response includes: the edge dog module sends the deactivation response to the agent module.
Based on this possible design, when the agent module and the APP are deployed together, the edge dog module receives the second request from the agent module and sends the deactivation response to the agent module. The deactivation operation of the APP is verified through interaction between the edge dog module and the agent module in the APP, which is simple and easy to implement.
In one possible design, the APP is deployed separately from the agent module; the edge dog module receiving the second request includes: the edge dog module receives the second request from the APP; and the edge dog module sending the deactivation response includes: the edge dog module sends the deactivation response to the APP.
Based on this possible design, when the agent module and the APP are deployed separately, the edge dog module receives the second request from the APP and sends the deactivation response to the APP. The edge dog module does not need to interact with the agent module to verify the deactivation operation of the APP, which reduces the power consumption of the agent module.
In a sixth aspect, the present application provides an edge dog module, which may be a functional module for implementing any one of the first to fifth aspects or any possible design of the first to fifth aspects. The edge dog module can implement the functions performed by the edge dog module in any one of the first to fifth aspects or in any possible design of the first to fifth aspects, and the functions may be implemented by hardware executing corresponding software. The hardware or software comprises one or more modules corresponding to the functions. The edge dog module includes a receiving unit, a processing unit and a sending unit.
In one possible design, the receiving unit is configured to receive a first request that requests a first MAC and includes the running environment information of an APP; the processing unit is configured to calculate, according to the running environment information of the APP, a first MAC for verifying whether the edge dog module is legal; and the sending unit is configured to send the first MAC.
In yet another possible design, the receiving unit is configured to receive a first request that requests the first MAC and includes a fourth MAC, where the fourth MAC is used to verify whether the edge dog module is legal; the processing unit is configured to calculate a first MAC according to the running environment information of the APP and compare the first MAC with the fourth MAC; and the sending unit is configured to send a response to the first request. When the first MAC and the fourth MAC are the same, the response to the first request indicates that the edge dog module is legal; when the first MAC and the fourth MAC are different, the response to the first request indicates that the edge dog module is illegal.
In one possible design, the receiving unit is configured to receive a first request that requests a first MAC; the processing unit is configured to calculate, according to the security parameters, a first MAC for verifying whether the edge dog module is legal; and the sending unit is configured to send the first MAC.
In yet another possible design, the receiving unit is configured to receive a first request that requests the first MAC and includes a fourth MAC, where the fourth MAC is used to verify whether the edge dog module is legal; the processing unit is configured to calculate a first MAC according to the security parameters and compare the first MAC with the fourth MAC; and the sending unit is configured to send a response to the first request. When the first MAC and the fourth MAC are the same, the response to the first request indicates that the edge dog module is legal; when the first MAC and the fourth MAC are different, the response to the first request indicates that the edge dog module is illegal.
In another possible design, the receiving unit is configured to receive a second request that requests deactivation of the APP and includes a second MAC, where the second MAC is used to verify whether the operation of deactivating the APP is legal; the processing unit is configured to calculate a third MAC according to the security parameters and compare the second MAC with the third MAC; and the sending unit is configured to send a deactivation response. When the second MAC and the third MAC are the same, the deactivation response indicates that the APP was successfully deactivated; when the second MAC and the third MAC are different, the deactivation response indicates that deactivation of the APP failed.
For the description of the security parameters and the running environment information of the APP, reference may be made to any possible design of any one of the first aspect to the fifth aspect; for the specific execution processes of the receiving unit, the processing unit and the sending unit, reference may be made to the corresponding actions described in any possible design of the first aspect to the fifth aspect, which are not described again in detail.
In a seventh aspect, a computer-readable storage medium is provided, which may be a readable non-volatile storage medium, and the computer-readable storage medium stores a computer instruction or a program, which when executed on a computer, causes the computer to execute the anti-cracking method of any one of the first aspect to the fifth aspect or any one of the possible designs of the first aspect to the fifth aspect.
In an eighth aspect, there is provided a computer program product comprising instructions which, when run on a computer, cause the computer to perform the method of any one of the first to fifth aspects described above or any one of the possible designs of the first to fifth aspects.
For technical effects brought by any design manner in the sixth aspect to the eighth aspect, reference may be made to technical effects brought by any design manner in any aspect of the first aspect to the fifth aspect or any possible design manner in any aspect of the first aspect to the fifth aspect, which is not repeated herein.
In a ninth aspect, the present application provides a method of preventing cracking, the method comprising: the agent module sends a first request including the running environment information of the APP to the edge dog module, wherein the first request is used for requesting a first MAC; the agent module receives a first MAC from the edge dog module, wherein the first MAC is used for verifying whether the edge dog module is legal or not; and the agent module calculates to obtain a fourth MAC according to the running environment information of the APP, compares the first MAC with the fourth MAC, determines that the edge dog module is legal if the first MAC is the same as the fourth MAC, and determines that the edge dog module is illegal if the first MAC is different from the fourth MAC.
Alternatively, the agent module can also receive information obtained after the edge dog module signs the running environment information of the APP by using the private key of the edge dog module, decrypt the signed information according to the public key of the edge dog module, verify whether the edge dog module is legal according to the decrypted information, and perform corresponding operation on the APP according to the legal condition of the edge dog module.
Based on the method described in the ninth aspect, after receiving the request including the running environment information of the APP for obtaining the first MAC, the agent module may generate a MAC according to the running environment information of the APP, and compare the MAC generated by the agent module with the received MAC to verify whether the edge dog module is legal, for example: and when the MAC generated by the edge dog module is the same as the received MAC, the edge dog module is legal, and corresponding operation is executed on the APP. So, bind edge dog module and APP's operational environment, the legal user only can calculate expected MAC when running APP on the operational environment of allowwing edge dog module, verifies successfully, and even illegal user has obtained this APP, also can calculate the MAC different with the MAC that receives because of not running APP on the operational environment of allowwing, verifies the failure, can't embezzle this APP. Compared with the prior art, the method provided by the ninth aspect can ensure the safety of APP usage in the MEC scene.
In a tenth aspect, the present application provides a method of preventing cracking, the method comprising: the agent module sends a first request for requesting the first MAC to the edge dog module, receives the first MAC from the edge dog module for verifying whether the edge dog module is legal or not, calculates a fourth MAC according to the security parameters, compares the first MAC with the fourth MAC, determines that the edge dog module is legal if the first MAC is the same as the fourth MAC, and otherwise determines that the edge dog module is illegal.
Alternatively, the agent module can also receive information obtained after the edge dog module signs the security parameters by using a private key of the edge dog module, decrypt the signed information according to a public key of the edge dog module, verify whether the edge dog module is legal according to the decrypted information, and perform corresponding operation on the APP according to the legal condition of the edge dog module.
Based on the method described in the tenth aspect, after receiving the request for obtaining the first MAC, the agent module may generate a MAC according to the security parameters and compare the generated MAC with the received MAC to verify whether the edge dog module is legal. For example, when the MAC generated by the edge dog module is the same as the received MAC, the edge dog module is legal, and the corresponding operation is executed on the APP. A legal user can therefore use legal security parameters to calculate the expected MAC through the edge dog module, and the corresponding operation is executed on the APP once the legality of the edge dog module is guaranteed. In this way, only a user who possesses legal security parameters can use the APP. Even if an illegal user has obtained the APP, that user cannot obtain the legal security parameters and therefore cannot generate a MAC consistent with the MAC generated by the agent module, so verification fails and the APP cannot be stolen. Compared with the prior art, the method provided by the tenth aspect ensures the security of APP usage in the MEC scenario.
In one possible design, the calculating, by the agent module, of the fourth MAC according to the security parameters includes: the agent module takes the security parameters as input parameters and calculates the fourth MAC.
Based on this possible design, the fourth MAC can be derived from the security parameters, which binds the security parameters to the fourth MAC, so that a MAC consistent with the MAC generated by the agent module is generated when the agent module has legal security parameters. This ensures normal operation of the APP and improves the security of the APP in the MEC scenario.
In one possible design, the calculating, by the agent module, of the fourth MAC according to the security parameters includes: the agent module calculates the fourth MAC according to the security parameters and the running environment information of the APP.
Based on this possible design, in addition to binding the security parameters to the APP, the agent module can also bind the running environment information of the APP to the APP, and calculate the MAC used for verifying the legitimacy of running the APP from the security parameters and the running environment information of the APP jointly. This guarantees that only a user who possesses legal security parameters and runs the APP in the specified running environment can use the APP. Even if an illegal user has obtained the APP, that user cannot obtain the legal security parameters and is not running the APP in the specified running environment, and so cannot calculate a MAC identical to the received MAC; verification fails and the APP cannot be stolen. This possible design calculates the MAC from multiple parameters, which improves the security level of APP usage in the MEC scenario.
In an eleventh aspect, the present application provides an anti-cracking method, in which the agent module receives from the APP a third request for requesting a fourth MAC, calculates according to the security parameters the fourth MAC, which is used for verifying whether the edge dog module is legal, and sends the fourth MAC to the APP.
Based on the method of the eleventh aspect, after receiving the request for obtaining the fourth MAC, the agent module generates a MAC according to the security parameters and sends the generated MAC to the APP, so that the APP sends the MAC generated by the agent module to the edge dog module, and the edge dog module compares the MAC generated by the agent module with the MAC generated by the edge dog module to verify whether the edge dog module is legal. Therefore, only a user with legal security parameters can use the APP. Even if an illegal user has obtained the APP, that user cannot obtain the legal security parameters and therefore cannot generate a MAC consistent with the MAC generated by the agent module, so verification fails and the APP cannot be stolen. Compared with the prior art, the method provided by the tenth aspect ensures the security of APP usage in the MEC scenario.
In a twelfth aspect, the present application provides an anti-cracking method, in which the agent module receives from the APP a third request that includes the running environment information of the APP and is used for requesting a fourth MAC, calculates according to the running environment information of the APP the fourth MAC, which is used for verifying whether the edge dog module is legal, and sends the fourth MAC to the APP.
Based on the method of the twelfth aspect, after receiving the request for obtaining the fourth MAC, the agent module generates a MAC according to the running environment information of the APP and sends the generated MAC to the APP, so that the APP sends the MAC generated by the agent module to the edge dog module, and the edge dog module compares the MAC generated by the agent module with the MAC generated by the edge dog module to verify whether the edge dog module is legal. In this way, the APP is bound to its running environment: a legal user can calculate the expected MAC, and verification succeeds, only when running the APP in the allowed running environment. Even if an illegal user has obtained the APP, that user calculates a MAC different from the received MAC because the APP is not running in the allowed running environment, so verification fails and the APP cannot be stolen. Compared with the prior art, the method provided by the ninth aspect can ensure the security of APP usage in the MEC scenario.
In one possible design, the calculating, by the agent module, of the fourth MAC according to the running environment information of the APP includes: the agent module takes the running environment information of the APP as an input parameter and calculates the fourth MAC.
Based on this possible design, the fourth MAC can be derived from the running environment information of the APP, which binds the running environment information of the APP to the fourth MAC, so that when the APP runs in an allowed environment, a MAC consistent with the MAC generated by the agent module is generated. This ensures normal operation of the APP and improves the security of the APP in the MEC scenario.
In one possible design, the method further includes: the agent module determines that the running environment information of the APP matches preset running environment information that represents the legal running environment of the APP.
Based on this possible design, the fourth MAC is generated when the APP runs in the allowed environment, and the validity of the first operation of the APP is then verified based on the generated fourth MAC. This avoids the power consumption that would be caused by still executing the anti-cracking method provided by the above aspects of the present application when the APP is not deployed in the allowed running environment.
In one possible design, the calculating, by the agent module, of the fourth MAC according to the running environment information of the APP includes: the agent module calculates the fourth MAC according to the running environment information of the APP and the security parameters.
Based on this possible design, in addition to binding the running environment information of the APP to the APP, the agent module can also bind the security parameters to the APP, and calculate the MAC used for verifying the legitimacy of running the APP from the security parameters and the running environment information of the APP jointly. This guarantees that only a user who possesses legal security parameters and runs the APP in the specified running environment can use the APP. Even if an illegal user has obtained the APP, that user cannot obtain the legal security parameters and is not running the APP in the specified running environment, and so cannot calculate a MAC identical to the received MAC; verification fails and the APP cannot be stolen. This possible design calculates the MAC from multiple parameters, which improves the security level of APP usage in the MEC scenario.
In one possible design, the calculating, by the agent module, of the fourth MAC according to the security parameters and the running environment information of the APP includes: the agent module takes the security parameters and the running environment information of the APP as input parameters and calculates the fourth MAC.
Based on this possible design, the fourth MAC can be derived from the security parameters and the running environment information of the APP, which binds both to the fourth MAC, so that when the agent module has legal security parameters and the APP runs in the allowed environment, a MAC consistent with the MAC generated by the agent module is generated. This ensures normal operation of the APP and improves the security of the APP in the MEC scenario.
In one possible design, the security parameters are pre-configured by the manufacturer of the APP to the edge dog module.
Based on this possible design, the manufacturer of the APP can pre-configure the security parameters to the agent module, and the third-party manufacturer authorizes the use of legal security parameters. This prevents the edge dog module from being copied by anyone who is not authorized by the third-party manufacturer, and improves the security level of the APP whose legal use is verified through the edge dog module.
In one possible design, the running environment information of the APP includes the identifier of the MEP where the APP is located, the information of the VM or the container where the APP is located, the TPM information of the platform running the APP, and the hardware information of the VM or the container where the APP runs.
Based on this possible design, the identifier of the MEP, the information of the VM or container where the APP is located, the TPM information of the platform running the APP, and the hardware information of the VM or container where the APP runs can be used as the running environment information of the APP. This increases the variety of the running environment information of the APP, and the diversified running environment information improves the security level of running the APP on the MEC.
In one possible design, the method further includes: if the first request also carries an indication to activate the APP, the agent module determines that the number of activations of the APP is less than the maximum allowed number of activations.
Based on this possible design, the anti-cracking method provided by the above aspects of the present application can be executed when the number of activations of the APP is less than the maximum allowed number of activations, which avoids the power consumption that would be caused by still executing the method when the APP has no remaining activations.
In one possible design, the method further includes: the agent module calculates, according to the security parameters, a second MAC used for verifying whether the operation of deactivating the APP is legal, and sends a second request including the second MAC to the edge dog module. Alternatively, the agent module receives from the APP a fourth request for requesting deactivation of the APP, calculates, according to the security parameters, a second MAC used for verifying whether the operation of deactivating the APP is legal, and sends the second MAC to the APP.
Based on this possible design, the agent module can calculate, from the security parameters, the MAC used for verifying whether the operation of deactivating the APP is legal. The security parameters are thereby bound to the deactivation operation, so that only a user with legal security parameters can successfully deactivate the APP, which avoids the problems caused by illegal personnel maliciously deactivating the APP.
In a possible design, with reference to any one of the seventh to tenth aspects or any possible design of any one of the seventh to tenth aspects, the method further includes: the agent module sends a state synchronization request to the edge dog module, where the state synchronization request includes the number of activations of the APP.
Based on this possible design, the number of activations of the APP stored in the edge dog module and in the agent module can be synchronized, so that both modules hold the same value for the number of activations of the APP, which avoids verification failures caused by the two modules holding inconsistent values.
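The agent-module flow described in the tenth aspect and its possible designs (fourth MAC from the security parameters and the running environment information, preset-environment match, activation limit, deactivation MAC, state synchronization), as an added Python example that is not code from the application. HMAC-SHA256, the length-prefixed field encoding, the "verify"/"deactivate" purpose labels, and all class, function and sample names are assumptions; the application specifies none of them.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


# Assumption: the page names no MAC algorithm; HMAC-SHA256 stands in for it.
def compute_mac(security_param: bytes, purpose: str, fields=()) -> bytes:
    """MAC keyed by the security parameter over a purpose label and fields.

    Each item is length-prefixed so ("ab", "c") and ("a", "bc") cannot
    produce the same message (an added encoding choice, not from the page).
    The purpose label keeps a verification MAC from doubling as a
    deactivation MAC when both are derived from the same parameter.
    """
    msg = b""
    for item in (purpose, *fields):
        raw = item.encode("utf-8")
        msg += struct.pack(">I", len(raw)) + raw
    return hmac.new(security_param, msg, hashlib.sha256).digest()


def env_fields(env: dict) -> list:
    """Serialise running environment information in a fixed key order."""
    return [f"{key}={env[key]}" for key in sorted(env)]


class EdgeDog:
    """Hypothetical edge dog module holding the security parameters."""

    def __init__(self, security_param: bytes):
        self._key = security_param
        self.activations = 0

    def first_mac(self, env: dict) -> bytes:
        # Answer to the first request: MAC over the reported environment.
        return compute_mac(self._key, "verify", env_fields(env))

    def deactivate(self, second_mac: bytes) -> bool:
        # Accept deactivation only if the second MAC matches our own.
        expected = compute_mac(self._key, "deactivate")
        return hmac.compare_digest(expected, second_mac)

    def sync_state(self, activations: int) -> None:
        # State synchronization request carrying the activation count.
        self.activations = activations


@dataclass
class Agent:
    """Hypothetical agent module deployed together with the APP."""
    security_param: bytes
    preset_env: dict
    max_activations: int
    activations: int = 0

    def verify_edge_dog(self, dog: EdgeDog, env: dict, activate: bool = False) -> str:
        # Cheap checks first, so no MAC exchange happens when they fail.
        if env != self.preset_env:
            return "environment-not-allowed"
        if activate and self.activations >= self.max_activations:
            return "activation-limit-reached"
        first = dog.first_mac(env)
        fourth = compute_mac(self.security_param, "verify", env_fields(env))
        # Constant-time comparison avoids leaking how many bytes matched.
        if not hmac.compare_digest(first, fourth):
            return "edge-dog-illegal"
        if activate:
            self.activations += 1
            dog.sync_state(self.activations)
        return "edge-dog-legal"

    def request_deactivation(self, dog: EdgeDog) -> bool:
        second = compute_mac(self.security_param, "deactivate")
        return dog.deactivate(second)


# Constructed sample values, not taken from the page.
SECURITY_PARAM = b"constructed-security-parameter"
ALLOWED_ENV = {
    "mep_id": "mep-001",
    "container_id": "ctr-42",
    "tpm_info": "tpm-ek-sample",
    "hardware_info": "host-serial-sample",
}

if __name__ == "__main__":
    agent = Agent(SECURITY_PARAM, ALLOWED_ENV, max_activations=1)
    genuine, copied = EdgeDog(SECURITY_PARAM), EdgeDog(b"guessed-parameter")
    print(agent.verify_edge_dog(copied, ALLOWED_ENV, activate=True))
    print(agent.verify_edge_dog(genuine, ALLOWED_ENV, activate=True))
    print(agent.verify_edge_dog(genuine, ALLOWED_ENV, activate=True))
    print(agent.verify_edge_dog(genuine, {**ALLOWED_ENV, "mep_id": "mep-999"}))
    print(agent.request_deactivation(genuine))
```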
In a thirteenth aspect, the present application provides an agent module, which may be a functional module for implementing the method of any one of the ninth to twelfth aspects or any possible design of any one of the ninth to twelfth aspects. The agent module may implement the functions specified for the agent module in any of the above ninth to twelfth aspects or any possible design of any of the ninth to twelfth aspects, and these functions may be implemented by hardware executing corresponding software. The hardware or software comprises one or more modules corresponding to the functions. The agent module includes a receiving unit, a processing unit and a sending unit;
in one possible design, the sending unit is configured to send to the edge dog module a first request that includes the running environment information of the APP and is used for requesting the first MAC; the receiving unit is configured to receive from the edge dog module the first MAC, which is used for verifying whether the edge dog module is legal; and the processing unit is configured to calculate a fourth MAC according to the running environment information of the APP, compare the first MAC with the fourth MAC, determine that the edge dog module is legal if the first MAC is the same as the fourth MAC, and determine that the edge dog module is illegal if the first MAC is different from the fourth MAC.
In yet another possible design, the receiving unit is configured to receive from the APP a third request for requesting a fourth MAC; the processing unit is configured to calculate, according to the security parameters, the fourth MAC used for verifying whether the edge dog module is legal; and the sending unit is configured to send the fourth MAC to the APP.
In yet another possible design, the sending unit is configured to send to the edge dog module a first request for requesting the first MAC; the receiving unit is configured to receive from the edge dog module the first MAC, which is used for verifying whether the edge dog module is legal; and the processing unit is configured to calculate a fourth MAC according to the security parameters, compare the first MAC with the fourth MAC, determine that the edge dog module is legal if the first MAC is the same as the fourth MAC, and determine that the edge dog module is illegal if the first MAC is not the same as the fourth MAC.
In another possible design, the receiving unit is configured to receive from the APP a third request that includes the running environment information of the APP and is used for requesting a fourth MAC; the processing unit is configured to calculate, according to the running environment information of the APP, the fourth MAC used for verifying whether the edge dog module is legal; and the sending unit is configured to send the fourth MAC to the APP.
For a description of the security parameters and the running environment information of the APP, refer to any possible design of any one of the ninth to twelfth aspects; for the specific execution processes of the receiving unit, the processing unit, and the sending unit, refer to the corresponding actions in any possible design of any one of the ninth to twelfth aspects, which are not repeated here.
In a fourteenth aspect, a computer-readable storage medium is provided, which may be a readable non-volatile storage medium, and which stores computer instructions or a program that, when run on a computer, cause the computer to perform the anti-cracking method of any one of the ninth to twelfth aspects or any possible design of the ninth to twelfth aspects.
In a fifteenth aspect, a computer program product containing instructions is provided, which, when run on a computer, causes the computer to perform the anti-cracking method of any one of the ninth to twelfth aspects described above or any possible design of the ninth to twelfth aspects.
For the technical effects of any design manner in the thirteenth to fifteenth aspects, refer to the technical effects of any one of the ninth to twelfth aspects or of any design manner in the ninth to twelfth aspects, which are not repeated here.
In a sixteenth aspect, the present application further provides a mobile edge host, where the mobile edge host includes one or more processors and a memory, the one or more processors run a VM or a container, the one or more containers include an agent module and an edge dog module, and the agent module is deployed together with the APP or deployed separately from the APP;
the edge dog module is configured to execute the anti-cracking method of any one of the first to fifth aspects or any possible design of the first to fifth aspects;
when the agent module is deployed together with the APP, the agent module is configured to execute the anti-cracking method of the ninth aspect or the tenth aspect, or any possible design of the ninth aspect or any possible design of the tenth aspect. When the agent module is deployed separately from the APP, the agent module is configured to execute the anti-cracking method of the eleventh aspect or the twelfth aspect, or any possible design of the eleventh aspect or any possible design of the twelfth aspect.
In a seventeenth aspect, the present application further provides an anti-cracking method, where the method is performed by a terminal on which an APP client is deployed, and the method includes: the terminal receives from the APP server a first request that carries an identifier of an MEP and is used for requesting a first MAC; the terminal calculates the first MAC according to the identifier of the MEP, where the first MAC is used for verifying whether the APP is legal; and the terminal sends the first MAC to the APP server.
Based on the method of the seventeenth aspect, the terminal can calculate the MAC used for checking whether the APP is legal and provide this check MAC value to the APP server, so that the APP server checks the validity of the APP according to the MAC calculated by the APP server and the MAC calculated by the terminal. This effectively binds the front end and the back end, so that the back-end server on which the APP is deployed also gains copy prevention and cracking prevention characteristics by means of the front-end terminal.
In one possible design, with reference to the seventeenth aspect, the calculating, by the terminal, of the first MAC according to the identifier of the MEP includes: the terminal calculates the first MAC according to the identifier of the MEP and the hardware security parameter, where the hardware security parameter is configured in advance in the network function virtualization infrastructure (NFVI), or the hardware security parameter is configured in advance in the terminal.
Based on this possible design, in addition to binding the identifier of the MEP to the APP, the terminal can also bind the hardware security parameter to the APP, and calculate the MAC used for verifying the legitimacy of the APP from the hardware security parameter and the identifier of the MEP jointly. This guarantees that only a user who possesses the legal hardware security parameter and runs the APP in the specified MEP running environment can use the APP. Even if an illegal user has obtained the APP, that user cannot obtain the legal hardware security parameter and is not running the APP in the specified MEP running environment, and so cannot calculate a MAC identical to the received MAC; verification fails and the APP cannot be stolen. This possible design calculates the MAC from multiple parameters, which improves the security level of APP usage.
In a possible design, with reference to the seventeenth aspect or any possible design of the seventeenth aspect, the hardware security parameter includes one or more of a security chip identifier (ID), a security chip preset parameter, and a processor ID in the security chip, and the security chip preset parameter includes a random number or a root key.
Based on this possible design, the hardware security parameters are configured as intrinsic parameters of the security chip, so that the hardware security parameters are invariant, cannot be reproduced and are difficult to crack, and the APP that is verified to be legal according to the hardware security parameters also has copy prevention and cracking prevention characteristics.
In an eighteenth aspect, the present application provides an anti-cracking device, where the anti-cracking device may be a terminal, a chip in the terminal, or a system on a chip, and may also be a module or a unit in the terminal for implementing the anti-cracking method according to the embodiments of the present application. The anti-cracking device can implement the functions executed by the terminal in each aspect or each possible design, and the functions can be implemented by hardware or by hardware executing corresponding software. The hardware or software comprises one or more modules corresponding to the functions. For example, the anti-cracking device may include an agent module and a processing module. Further, the processing module may include a security module or a security chip, and the security module or the security chip may be configured with the hardware security parameters in advance.
The agent module is configured to receive from the APP server a first request that is used for requesting a first MAC and carries an identifier of an MEP, where the first MAC is used for verifying whether the APP is legal.
The processing module is configured to calculate the first MAC according to the identifier of the MEP and to send the first MAC to the APP server through the agent module.
For the specific implementation of the anti-cracking device, refer to the seventeenth aspect or any possible design of the seventeenth aspect, which is not described again here. The provided anti-cracking device can thus achieve the same beneficial effects as the seventeenth aspect or any possible design of the seventeenth aspect.
In a nineteenth aspect, an anti-cracking device is provided, which may be a terminal, a chip in a terminal, or a system on a chip. The anti-cracking device may implement the functions performed by the terminal in each of the above aspects or possible designs, and the functions may be implemented by hardware. In one possible design, the anti-cracking device may include a processor, a communication interface and a security chip, where the security chip can be configured with hardware security parameters in advance. The processor may be configured to support the anti-cracking device in performing the functions involved in the seventeenth aspect or any possible design of the seventeenth aspect. For example, the processor is configured to receive from the APP server, through the communication interface, a first request that carries an MEP identifier and is used for requesting a first MAC, calculate the first MAC according to the MEP identifier, and send the first MAC to the APP server. In yet another possible design, the anti-cracking device may further include a memory for storing the computer-executable instructions and data necessary for the anti-cracking device. When the anti-cracking device runs, the processor executes the computer-executable instructions stored in the memory, so that the anti-cracking device executes the anti-cracking method of the seventeenth aspect or any possible design of the seventeenth aspect.
A twentieth aspect provides a computer-readable storage medium having stored therein instructions which, when run on a computer, cause the computer to perform the anti-cracking method of the seventeenth aspect described above or any possible design of the above aspect.
A twenty-first aspect provides a computer program product comprising instructions, which may comprise program instructions, which when run on a computer, cause the computer to perform the method of the seventeenth aspect or any possible design of the above aspect.
In a twenty-second aspect, a chip system is provided. The chip system comprises a processor and a communication interface, and may further include a security chip, which can be preconfigured with hardware security parameters. The chip system may be configured to implement the functions performed by the terminal in the seventeenth aspect or any possible design of the seventeenth aspect. For example, the processor is configured to receive from the APP server, through the communication interface, a first request that carries an identifier of the MEP and is used for requesting the first MAC, calculate the first MAC according to the identifier of the MEP, and send the first MAC to the APP server. In one possible design, the chip system further includes a memory for holding program instructions and/or data. The chip system may consist of a chip, or may include a chip and other discrete devices, without limitation.
For the technical effects of any design manner of the nineteenth to twenty-second aspects, refer to the technical effects of the seventeenth aspect or any possible design of the seventeenth aspect; details are not repeated.
In a twenty-third aspect, the present application further provides an anti-cracking method, where the method is applied to an APP server, and the method includes: the APP server sends a first request to a terminal, where the first request is used for requesting a first message authentication code (MAC), and the first request carries an identifier of a Mobile Edge Platform (MEP);
the APP server receives a first MAC from the terminal, where the first MAC is used for verifying whether the APP is legal;
the APP server obtains a second MAC, where the second MAC is used for verifying whether the APP is legal;
the APP server compares the first MAC with the second MAC; if the first MAC is the same as the second MAC, the APP is determined to be legal, and if the first MAC is different from the second MAC, the APP is determined to be illegal.
Based on the method described in the twenty-third aspect, the APP server can receive from the terminal the MAC used for checking whether the APP is legal, and check the validity of the APP according to the MAC it obtained and the MAC calculated by the terminal. This effectively binds the front end and the back end, so that the back-end server on which the APP is deployed gains copy prevention and cracking prevention characteristics by means of the front-end terminal.
In one possible design, with reference to the twenty-third aspect, the obtaining, by the APP server, of the second MAC includes: the APP server calculates the second MAC according to the identifier of the MEP.
Based on this possible design, the APP server binds the identifier of the MEP to the APP and calculates the MAC, which guarantees that only a user who runs the APP in the specified MEP running environment can use the APP. Even if an illegal user has obtained the APP, a MAC identical to the received MAC cannot be calculated because the APP is not running in the specified MEP running environment, and the APP cannot be stolen.
In a possible design, with reference to the twenty-third aspect or any possible design of the twenty-third aspect, the calculating, by the APP server, of the second MAC according to the identifier of the MEP includes: the APP server calculates the second MAC according to the identifier of the MEP and the hardware security parameter, where the APP server receives the hardware security parameter from the NFVI, or the APP server receives the hardware security parameter from the terminal.
Based on this possible design, in addition to binding the identifier of the MEP to the APP, the APP server can also bind the hardware security parameter to the APP, and calculate the MAC used for verifying the legitimacy of the APP from the hardware security parameter and the identifier of the MEP jointly. This guarantees that only a user who possesses the legal hardware security parameter and runs the APP in the specified MEP running environment can use the APP. Even if an illegal user has obtained the APP, that user cannot obtain the legal hardware security parameter and is not running the APP in the specified MEP running environment, and so cannot calculate a MAC identical to the received MAC; verification fails and the APP cannot be stolen. This possible design calculates the MAC from multiple parameters, which improves the security level of APP usage.
In one possible design, with reference to the twenty-third aspect or any possible design of the twenty-third aspect, the obtaining, by the APP server, of the second MAC includes: the APP server sends a second request, where the second request is used for requesting a second MAC; and the APP server receives the second MAC.
Based on this possible design, the APP server can receive the second MAC from another network element and does not need to calculate the MAC itself, which reduces the power consumption caused by the APP server calculating the MAC.
In a possible design, with reference to the twenty-third aspect or any possible design of the twenty-third aspect, the second request carries an identifier of the MEP, or the second request carries the identifier of the MEP and the hardware security parameter.
Based on this possible design, the APP server can send the MEP identifier and/or the hardware security parameter to other network elements, so that the other network elements can calculate the MAC according to the MEP identifier and/or the hardware security parameter, which improves the security level of APP verification.
In a possible design, with reference to the twenty-third aspect or any possible design of the twenty-third aspect, the sending, by the APP server, of the second request includes: the APP sends a second request to the MEP; and the receiving, by the APP server, of the second MAC includes: the APP server receives a second MAC from the MEP. Alternatively, the sending, by the APP server, of the second request includes: the APP sends a second request to the network function virtualization infrastructure (NFVI); and the receiving, by the APP server, of the second MAC includes: the APP server receives the second MAC from the NFVI.
Based on this possible design, the APP server can request the MEP or the NFVI to calculate the second MAC and does not need to calculate the MAC itself, which reduces the power consumption caused by the APP server calculating the MAC. Because the second MAC is calculated by the MEP or the NFVI, the input parameters required for calculating the MAC, such as the ID of the MEP and the hardware security parameter, are not transmitted to the MEP or the NFVI through signaling interaction, which prevents the input parameters from being tampered with and improves the accuracy of APP verification.
In a possible design, with reference to the twenty-third aspect or any possible design of the twenty-third aspect, the hardware security parameter includes one or more of a security chip identifier (ID), a security chip preset parameter, and a processor ID in the security chip, and the security chip preset parameter includes a random number or a root key.
Based on this possible design, the hardware security parameters are configured as intrinsic parameters of the security chip, so they are invariant, irreproducible and difficult to crack, and an APP that is verified as legal according to the hardware security parameters is likewise protected against copying and cracking.
Twenty-fourth aspect, the present application provides an anti-cracking device, where the anti-cracking device may be an APP server or a chip or a system on a chip in the APP server, and may also be a module or a unit in the APP server for implementing the anti-cracking method described in this embodiment of the present application. The anti-cracking device can realize the functions executed by the APP server in each aspect or each possible design, and the functions can be realized by hardware or by executing corresponding software by hardware. The hardware or software comprises one or more modules corresponding to the functions. Such as: the anti-tamper device may include: the device comprises an agent module and a processing module.
The proxy module is used for sending a first request to the terminal and receiving a first MAC from the terminal, wherein the first request is used for requesting the first MAC; the first request carries an identification of the MEP;
the agent module is also used for acquiring a second MAC which is used for verifying whether the APP is legal or not;
and the processing module is used for comparing the first MAC with the second MAC, determining that the APP is legal if the first MAC is the same as the second MAC, and determining that the APP is illegal if the first MAC is different from the second MAC.
For the specific implementation of the anti-cracking device, reference may be made to the behavior function of the terminal in the anti-cracking method provided by the twenty-third aspect or any possible design of the twenty-third aspect, and details are not repeated here. Thus, the provided anti-cracking device can achieve the same advantageous effects as the twenty-third aspect or any possible design of the twenty-third aspect.
In a twenty-fifth aspect, an anti-cracking apparatus is provided, where the anti-cracking apparatus may be an APP server or a chip in the APP server or a system on a chip. The anti-cracking device can realize the functions executed by the APP server in each aspect or each possible design, and the functions can be realized by hardware. In one possible design, the anti-tamper device may include: the system comprises a processor, a communication interface and a security chip, wherein the security chip can be configured with hardware security parameters in advance. The processor may be configured to support the anti-tamper apparatus to perform the functions referred to in any one of the above twenty-third aspects or possible designs thereof, for example: the processor is used for sending a first request to the terminal through the communication interface and receiving a first MAC from the terminal, wherein the first request is used for requesting the first MAC; the first request carries an identification of the MEP; and obtaining a second MAC which is used for verifying whether the APP is legal or not, comparing the first MAC with the second MAC, determining that the APP is legal if the first MAC is the same as the second MAC, and determining that the APP is illegal if the first MAC is different from the second MAC. In yet another possible design, the tamper-proof device may further include a memory for storing computer-executable instructions and data necessary for the tamper-proof device. When the anti-cracking device is operated, the processor executes the computer-executable instructions stored in the memory, so that the anti-cracking device executes the anti-cracking method of any one of the twenty-third aspect and the twenty-third aspect.
A twenty-sixth aspect provides a computer-readable storage medium having stored therein instructions which, when run on a computer, cause the computer to perform the tamper-proof method of the twenty-third aspect or any one of the possible designs of the above aspect.
A twenty-seventh aspect provides a computer program product containing instructions, the computer program product may include program instructions that, when run on a computer, cause the computer to perform the method of the twenty-third aspect or any possible design of the above aspect.
In a twenty-eighth aspect, a chip system is provided, the chip system comprising a processor, a communication interface; furthermore, a security chip can be included, and the security chip can be preconfigured with hardware security parameters. The system on chip may be configured to implement the functions performed by the APP server in any of the twenty-third aspect or the twenty-third aspect, for example, where the processor is configured to send a first request to the terminal through the communication interface, receive a first MAC from the terminal, where the first request is used to request the first MAC; the first request carries an MEP identifier, a second MAC is obtained and used for verifying whether the APP is legal or not, the first MAC and the second MAC are compared, if the first MAC and the second MAC are the same, the APP is determined to be legal, and if the first MAC and the second MAC are different, the APP is determined to be illegal. In one possible design, the system-on-chip further includes a memory to hold program instructions and/or data. The chip system may be formed by a chip, and may also include a chip and other discrete devices, without limitation.
For technical effects brought by any design manner in the twenty-fifth aspect to the twenty-eighth aspect, reference may be made to technical effects brought by any possible design manner in the twenty-third aspect or the twenty-eighth aspect, and details are not repeated.
In a twenty-ninth aspect, the present application further provides an anti-cracking method, the method being applied to an MEP or an NFVI, the method comprising: receiving a second request, wherein the second request is used for requesting a second MAC; the second request includes an identification of the MEP; and calculating to obtain a second MAC according to the MEP identifier, wherein the second MAC is used for verifying whether the APP is legal or not.
Based on the method in the twenty-ninth aspect, the MEP or the NFVI may calculate a MAC used for verifying whether the APP is legal and provide this verification MAC value to the APP server, so that the APP server verifies the validity of the APP according to the MAC calculated by the MEP or the NFVI and the MAC calculated by the terminal. This effectively binds the front end and the back end, so that the server on which the APP is deployed at the back end also gains copy-prevention and cracking-prevention characteristics by means of the terminal at the front end.
In one possible design, in combination with the twenty-ninth aspect or any one possible design of the twenty-ninth aspect, the second request further includes hardware security parameters; and calculating to obtain a second MAC according to the identification of the MEP, wherein the second MAC comprises the following steps: and the MEP calculates to obtain a second MAC according to the identification of the MEP and the hardware security parameters.
Based on this possible design, in addition to binding the identifier of the MEP to the APP, the hardware security parameter can also be bound to the APP: the MAC used for verifying the legality of the APP is calculated jointly from the hardware security parameter and the identifier of the MEP. This guarantees that only a user who possesses the legal hardware security parameter and runs the APP in the specified MEP running environment can use the APP. Even if an illegal user obtains the APP, that user cannot obtain the legal hardware security parameter and does not run the APP in the specified MEP running environment, and therefore cannot calculate a MAC identical to the received MAC; verification fails and the APP cannot be stolen. This possible design calculates the MAC based on multiple parameters, which improves the security level of APP usage.
In a possible design, with reference to the twenty-ninth aspect or any one of the twenty-ninth aspects, the hardware security parameter includes one or more of a secure chip identifier ID, a secure chip preset parameter, and a processor ID in the secure chip, and the secure chip preset parameter includes a random number or a root key.
Based on this possible design, the hardware security parameters are configured as intrinsic parameters of the security chip, so they are invariant, irreproducible and difficult to crack, and an APP that is verified as legal according to the hardware security parameters is likewise protected against copying and cracking.
In a possible design, in combination with the twenty-ninth aspect or any possible design of the twenty-ninth aspect, the method further includes: the second MAC is sent.
Based on this possible design, the MEP or the NFVI can send out the MAC it calculated for checking whether the APP is legal, so that the APP server receives the MAC value and checks the validity of the APP according to the MAC calculated by the MEP or the NFVI and the MAC calculated by the terminal. This effectively binds the front end and the back end, so that the server on which the APP is deployed at the back end also gains copy-prevention and cracking-prevention characteristics by means of the terminal at the front end.
In one possible design, with reference to the twenty-ninth aspect or any possible design of the twenty-ninth aspect, the sending the second MAC includes: sending the second MAC to the APP server; alternatively, the second MAC is sent to the MEP.
Based on the possible design, the MEP or the NFVI can directly interact with the APP server to send the calculated MAC to the APP server, and can also send the MAC to the APP server through the MEP, and the sending mode is flexible and various and is suitable for various application scenes.
In one possible design, with reference to the twenty-ninth aspect or any possible design of the twenty-ninth aspect, when the method is applied to NFVI, the second request further includes the first MAC, and the method further includes: and comparing the first MAC with the second MAC, if the first MAC is the same as the second MAC, determining that the APP is legal, and if the first MAC is different from the second MAC, determining that the APP is illegal.
Based on the possible design, the legality of the APP can be checked by the NFVI according to the MAC, the legality of the APP does not need to be checked by the APP server, and power consumption caused by the fact that the APP server checks the legality of the APP is reduced.
In one possible design, with reference to the twenty-ninth aspect or any one of the twenty-ninth aspects, receiving the second request includes: receiving a second request from the APP server; alternatively, when the method is applied to NFVI, receiving the second request comprises: a second request is received from the MEP.
Based on this possible design, the MEP or the NFVI may directly receive the second request sent by the APP server, or the NFVI may receive the second request sent by the APP server through the MEP. The sending mode is flexible and suits various application scenarios.
In a thirtieth aspect, the present application provides an anti-cracking device, where the anti-cracking device may be an MEP, a chip in the MEP, or a system on a chip, and may also be a module or a unit in the MEP, which is used to implement the anti-cracking method according to the embodiment of the present application. The anti-cracking device may also be an NFVI, a chip or a system on a chip in the NFVI, or a module or a unit in the NFVI for implementing the anti-cracking method described in the embodiment of the present application. The anti-cracking device can realize the functions executed by the MEP or the NFVI in each of the above aspects or possible designs, and the functions can be realized by hardware or by hardware executing corresponding software. The hardware or software comprises one or more modules corresponding to the functions. For example, the anti-cracking device may include a receiving module and a processing module. When the anti-cracking device is a chip in the NFVI or a system on chip, a security chip may be further included, and hardware security parameters are preconfigured in the security chip.
The receiving module receives a second request, wherein the second request is used for requesting a second MAC; the second request includes an identification of the MEP.
The processing module is used for calculating a second MAC according to the identifier of the MEP, wherein the second MAC is used for verifying whether the APP is legal or not.
The specific implementation manner of the anti-cracking device may refer to any possible design of the twenty-ninth aspect or the twenty-ninth aspect, and the behavioral function of the terminal in the anti-cracking method is not repeated here. Thus, the provided anti-tamper device may achieve the same advantageous effects as the twenty-ninth aspect or any possible design of the twenty-ninth aspect.
In a thirty-first aspect, an anti-cracking device is provided, where the anti-cracking device may be an MEP, a chip in the MEP, or a system on a chip, and may also be a module or a unit in the MEP for implementing the anti-cracking method according to the embodiment of the present application. The anti-cracking device may also be an NFVI, a chip or a system on a chip in the NFVI, or a module or a unit in the NFVI for implementing the anti-cracking method described in the embodiment of the present application. The anti-cracking device may implement the functions performed by the MEP or the NFVI in each of the above aspects or in each of the possible designs. In one possible design, the anti-cracking device may include a processor, a communication interface and a security chip, wherein the security chip can be configured with hardware security parameters in advance. The processor may be adapted to support the anti-cracking device in performing the functions referred to in the twenty-ninth aspect or any possible design of the twenty-ninth aspect, for example: the processor is configured to receive a second request through the communication interface, wherein the second request is for requesting a second MAC and comprises an identification of the MEP, and to calculate a second MAC according to the identification of the MEP, wherein the second MAC is used for verifying whether the APP is legal or not. In yet another possible design, the anti-cracking device may further include a memory for storing computer-executable instructions and data necessary for the anti-cracking device. When the anti-cracking device is operated, the processor executes the computer-executable instructions stored in the memory, so that the anti-cracking device executes the anti-cracking method according to the twenty-ninth aspect or any possible design of the twenty-ninth aspect.
A thirty-second aspect provides a computer-readable storage medium having stored therein instructions which, when run on a computer, cause the computer to perform the tamper-proof method of the twenty-ninth aspect or any possible design of the above aspect.
In a thirty-third aspect, there is provided a computer program product containing instructions, the computer program product may include program instructions, which when run on a computer, cause the computer to perform the anti-hacking method of the twenty-ninth aspect or any possible design of the above.
In a thirty-fourth aspect, a chip system is provided, the chip system comprising a processor, a communication interface; furthermore, a security chip can be included, and the security chip can be preconfigured with hardware security parameters. The system on chip may be configured to implement the functions performed by the MEP or the NFVI in any one of the twenty-ninth aspect or the twenty-ninth aspect, for example, where the processor is configured to receive a second request through the communication interface, where the second request is for requesting a second MAC; the second request comprises an identification of the MEP, and a second MAC is obtained through calculation according to the identification of the MEP, wherein the second MAC is used for verifying whether the APP is legal or not. In one possible design, the system-on-chip further includes a memory to hold program instructions and/or data. The chip system may be formed by a chip, and may also include a chip and other discrete devices, without limitation.
For technical effects brought by any one of the design manners in the thirty-first aspect to the thirty-fourth aspect, reference may be made to the technical effects brought by any one of the twenty-ninth aspect and the twenty-ninth aspect, which are not described again.
In a thirty-fifth aspect, the present application further provides an anti-tamper system, which may comprise the anti-tamper device of any one of the eighteenth aspect to the twenty-second aspect, the anti-tamper device of any one of the twenty-fourth aspect to the twenty-eighth aspect, and the anti-tamper device of any one of the thirty-fourth aspect to the thirty-fourth aspect.
Detailed Description
Embodiments of the present application will be described in detail below with reference to the accompanying drawings.
The anti-cracking method provided by the application can be suitable for a Mobile Edge Computing (MEC) system and is used for realizing APP anti-cracking in an MEC scene. Fig. 2 is a schematic architecture diagram of an MEC system, and as shown in fig. 2, the MEC system may include: a plurality of mobile edge hosts (mobile edge hosts), and a Mobile Edge Platform Manager (MEPM). A Virtualization Infrastructure Manager (VIM) and a Container Infrastructure Manager (CIM) may also be included.
The mobile edge platform manager mainly has the following functions: managing the lifecycle of mobile edge applications, such as notifying the mobile edge coordinator/orchestrator of events related to the mobile edge application; providing an element management function for the mobile edge platform; and managing the rules and requirements of mobile edge applications, such as managing service authorizations for mobile edge applications, traffic rules, Domain Name System (DNS) configuration, and resolving conflicts.
The VIM can support the virtualization management of the VM and the management of the container, and mainly has two functions, namely: allocating, managing, and releasing virtualized resources (e.g., compute, storage, and network resources) on a virtualized infrastructure; preparing the virtualization infrastructure for running the software image, such as configuring a virtualization infrastructure, receiving and storing software images, and the like; rapidly configuring mobile edge applications; collecting and reporting the performance and fault information of the virtualized resources; performing mobile edge application relocation, etc.
The CIM may support management of containers. It mainly has the following functions: allocating, managing and releasing container-related resources (e.g., computing, storage and network resources); receiving and storing a container image; supporting the rapid configuration of mobile edge applications; and collecting and reporting the performance, the fault information and the like of the resources related to the container. It should be noted that the CIM may be deployed in the MEC system shown in fig. 2 independently from the VIM, or may be deployed in the same functional entity in a centralized manner, which is not limited.
The mobile edge host may be a physical host or a server, and is mainly used for providing computing, storage, and network resources for the mobile edge application. As shown in fig. 2, the mobile edge host may include/be installed with a Mobile Edge Platform (MEP), a plurality of Applications (APP), a Virtualization Infrastructure (VI), and a Container Infrastructure (CI). The VI has the functions of a VM engine, and the CI has the functions of a container engine, such as: has the function of docker engine. In the MEC system, APP may also be referred to as mobile edge application (ME APP) or by other names, without limitation. The present application takes APP as an example for explanation.
The mobile edge platform is mainly used for providing mobile edge service (mobile edge service) for the mobile edge application and providing intermediate service for the mobile edge application, such as: services may be provided for discovery and use between mobile edge applications, etc.
The APP may include an Application (APP) running in a Virtual Machine (VM) on the virtualization infrastructure, or may include an APP running in a container on the container infrastructure. The APP can interact with the mobile edge platform to provide mobile edge services and can also interact with the mobile edge platform to perform mobile edge application lifecycle related processes, such as indicating the availability of mobile edge applications, relocating user status, etc. In addition, a mobile edge application has a certain number of rules and requirements associated with it, such as the resources required by the mobile edge application, the maximum delay, and the services required or useful.
In the application, in order to ensure that the APP is not cracked, an agent module and an edge dog module corresponding to the APP can be installed and deployed in a mobile edge host. In a symmetric key mode, the agent module and the edge dog module each calculate a MAC according to a series of parameters such as security parameters and/or APP running environment information; whether the edge dog module is legal is verified by comparing the MAC generated by the agent module with the MAC generated by the edge dog module, and the APP is then protected from cracking according to the verification result. Alternatively, in an asymmetric key mode, the edge dog module signs a series of parameters such as security parameters and/or APP running environment information by using its private key, and the agent module authenticates the signature by using the public key of the edge dog module to verify whether the edge dog module is legal; the APP is then protected from cracking according to the verification result. Specifically, the agent module may be configured to perform actions specified by the agent module in fig. 4-11 described below, and the edge dog module may be configured to perform actions specified by the edge dog module in fig. 4-11 described below.
As shown in fig. 2, an APP corresponds to an agent module, and the agent module may be deployed in combination with the APP or separately from the APP, for example: the agent module and the APP are independently deployed in the VM/container. When the agent module and the APP are separately deployed, a Software Development Kit (SDK) can be installed in the APP, and the agent module can interact with the APP through the SDK. One or more APPs correspond to an edge dog module, and the APP is guaranteed not to be cracked by verifying the legality of the edge dog module corresponding to the APP. In the MEC system shown in fig. 2, the edge dog module may be deployed in the same VM/container as the APP, or may be deployed in a different VM/container, without limitation. For example, as shown in fig. 2, APP1 is deployed in combination with agent module 1, and APP1 corresponds to edge dog module 1, which is deployed in the same VM/container; APP2 is deployed separately from agent module 2, and APP2 corresponds to edge dog module 2, which is deployed in a different VM/container.
In the MEC system shown in fig. 2, the mobile edge hosts and the components in the mobile edge hosts may communicate with each other through interfaces (Mp) of the mobile edge platform, the mobile edge hosts and other devices in the MEC system may communicate with each other through mobile edge management (Mm) interfaces, and the devices in the MEC system other than the mobile edge hosts may also communicate with each other through Mm interfaces, which is not limited. For example, as shown in fig. 2, the mobile edge platform and the mobile edge application may communicate with each other through Mp1, the mobile edge platform and the data plane in the virtualization infrastructure may communicate with each other through Mp2, and the mobile edge hosts may communicate with each other through Mp3. The mobile edge platform manager and the mobile edge platform can communicate with each other through Mm5, and the mobile edge platform manager and the virtualization infrastructure manager can communicate with each other through Mm6. The virtualization infrastructure manager and the virtualization infrastructure can communicate with each other through Mm7.
It should be noted that fig. 2 is only an exemplary diagram, the number of network elements included in the MEC system shown in fig. 2 is not limited, and the MEC system may include other devices and the like besides the network elements shown in fig. 2. In addition, the names of the devices and the interfaces between the devices in fig. 2 are not limited, and the names of the devices and the interfaces between the devices may be named as other names besides the names shown in fig. 2, which is not limited.
In particular, the mobile edge host in fig. 2 may include the components shown in fig. 3, and as shown in fig. 3, the mobile edge host 300 may include a processor 301 and network resources 302. Further, the mobile edge host 300 may further include a memory 303. The processor 301, the memory 303 and the network resource 302 may be connected via a communication line (not shown in fig. 3). In the mobile edge host shown in fig. 3, processor 301 may provide computing resources and memory 303 may provide storage resources. In practical application, a storage resource, a computing resource and a network resource can be divided as required to form a VM/container, and an APP including an agent module and an edge dog module are run on the VM/container; or, the agent module and the APP are separately deployed, and the agent module and the APP are independently operated without limitation. Specifically, the process of constructing the VM/container may refer to the prior art, and is not described in detail.
The processor 301 may be a Central Processing Unit (CPU), a general purpose processor, a Network Processor (NP), a Digital Signal Processor (DSP), a microprocessor, a microcontroller, a Programmable Logic Device (PLD), or any combination thereof. The processor 301 may also be other means with processing functionality such as a circuit, a device, a software module, or the like.
Network resources 302 for communicating with other devices or other communication networks. The other communication network may be an ethernet, a Radio Access Network (RAN), a Wireless Local Area Network (WLAN), or the like. The network resource 302 may be a radio frequency module or any device capable of enabling communication. In the embodiment of the present application, the network resource 302 is only used as an example of a radio frequency module, where the radio frequency module may include an antenna, a radio frequency circuit, and the like, and the radio frequency circuit may include a radio frequency integrated chip, a power amplifier, and the like.
And the memory 303 is used for storing program instructions and an installation package corresponding to the APP. The program instructions may be a computer program, and may include, without limitation, program instructions for implementing functions specified by the agent module, program instructions for implementing functions specified by the edge dog module, and the like.
The memory 303 may be a read-only memory (ROM) or other types of static storage devices that can store static information and/or instructions, a Random Access Memory (RAM) or other types of dynamic storage devices that can store information and/or instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, magnetic disc storage media, or other magnetic storage devices, and the optical disc storage includes a compact disc, a laser disc, an optical disc, a digital versatile disc, a blu-ray disc, and the like.
It should be noted that the memory 303 may exist separately from the processor 301 or may be integrated with the processor 301. The memory 303 may be used for storing instructions or program code or some data etc. The memory 303 may be located inside the mobile edge host 300 or outside the mobile edge host 300, which is not limited. The processor 301 is configured to execute the instructions stored in the memory 303 to implement the anti-hacking method provided by the following embodiments of the present application.
In one example, the processor 301 may include one or more CPUs, such as CPU0 and CPU1 in fig. 3.
As an alternative implementation, mobile edge host 300 includes multiple processors, for example, processor 304 may be included in addition to processor 301 in fig. 3.
As an alternative implementation, the mobile edge host 300 further includes an output device and an input device. Illustratively, the input device is a keyboard, mouse, microphone, joystick, or the like, and the output device is a display screen, speaker (microphone), or the like.
It should be noted that the mobile edge host 300 may be a desktop, a laptop, a web server, a tablet, an embedded device, a system-on-a-chip, or a device with a similar structure as in fig. 3. Further, the components shown in fig. 3 do not constitute a limitation on the mobile edge host, which may include more or fewer components than shown, or some components in combination, or a different arrangement of components than those shown in fig. 3.
In the embodiment of the present application, the chip system may be composed of a chip, and may also include a chip and other discrete devices.
The following describes the anti-cracking method provided by the present application with reference to the MEC system shown in fig. 2, taking as an example the case in which the agent module and the APP are deployed together, the MAC generated by the agent module is compared with the MAC generated by the edge dog module, and whether the edge dog module is legal is verified according to the comparison result:
Fig. 4 is a flowchart of an anti-cracking method provided in the present application. As shown in fig. 4, the method includes:
Step 401: the agent module sends a first request to the edge dog module.
The agent module may be deployed in combination with an APP, which may be any APP in fig. 2. The edge dog module can be associated with the APP, and the edge dog module is matched with the agent module for use so as to protect the APP. For example, the agent module may be agent module 1 in fig. 2, the edge dog module may be edge dog module 1 in fig. 2, and APP may be APP1 in fig. 2.
The first request may be used to request the first MAC, where the first request may be triggered when the APP user performs a first operation on the APP, the first operation may be activating the APP or running the APP, and the first request may also be named as an activation request or a running request or a fingerprint request or other names, without limitation.
The first request may include running environment information of the APP, and may further include one or more parameters of other parameters such as a serial number (serial no) of the APP, an Identifier (ID) of the APP, and a timestamp (timestamp). The running environment information of the APP, the serial number of the APP, the identifier of the APP and the timestamp can be configured in the agent module in advance.
The running environment information of the APP may be used to indicate the running environment of the APP, and the running environment information of the APP may include any one or more of the following: the identification of MEP where the APP is located, the information of VM or container where the APP is located, the TPM information of the APP operation platform, and the hardware information of VM or container where the APP is operated. The identifier of the MEP may be used to identify the MEP, and the identifier of the MEP may be a number of the MEP in the MEC system, and may also be a Data Network Access Identifier (DNAI) of the MEP, which is not limited. The information of the VM may be used to uniquely identify the VM, and the information of the VM may include a VM ID, a Universal Unique Identifier (UUID) of the VM or a central processing unit Identifier (ID), a Media Access Control (MAC) address of a network card, hard disk information, a volume serial number, a memory ID, a motherboard ID, a processor core ID, and the like. The container information may be used to uniquely identify the container, the container information may include an identifier of the container (Pod ID), a UUID or a CPU ID, a MAC address of a network card, hard disk information, a volume serial number, a memory ID, a motherboard ID, a processor core ID, and the like, and the hardware information where the VM or the container of the APP running platform is located may include a host ID, or a CPU ID, a MAC address of a network card, hard disk information, a volume serial number, a memory ID, a motherboard ID, and a processor core ID, without limitation.
The serial number of the APP may indicate the factory number of the APP, and may be configured by the vendor of the APP.
The identifier of the APP may be used to identify one APP in the MEC system, and may be configured in the agent module by the user of the MEC system.
The timestamp may refer to the last time the first operation was successfully performed on the APP. It should be noted that, in the present application, the initial value of the timestamp is zero or null, and subsequently, each time the first operation is successfully executed, the locally stored timestamp is updated to the time when the first operation was successfully executed.
For example, the agent module may send the first request to the edge dog module after receiving an operation request for activating or running the APP from the APP user. The operation request can be an operation request sent by clicking an APP icon on a human-computer interaction interface of the mobile edge host by an APP user.
The agent module may pre-store an Internet Protocol (IP) address of the edge dog module, and sending the first request to the edge dog module may include: the agent module sends the first request to the edge dog module according to the IP address of the edge dog module.
Before step 401 is executed, it is determined whether the following first condition and/or second condition is satisfied. If so, step 401 is executed; otherwise, step 401 is not executed:
First condition: the activation times of the APP are less than the maximum allowable activation times.
For example, if the first request further carries an APP activation instruction, after the agent module receives an operation request sent by the APP, it determines whether the activation times of the APP are less than the maximum allowable activation times. If so, step 401 is executed; otherwise, the agent module returns an indication that the activation times of the APP exceed the maximum allowable activation times.
The maximum allowable activation times can be set by the manufacturer of the APP according to needs and are pre-configured in the agent module.
The activation times of the APP may refer to total times of successful activation of the APP, and the activation times of the APP may be stored in the agent module corresponding to the identifier of the APP. Initially, the activation times of the APP are zero or null, and the activation times of the locally stored APP are updated every time the APP is successfully activated, and 1 is added to the activation times of the APP.
Second condition: the running environment information of the APP is included in the preset running environment information.
Illustratively, the agent module determines whether the running environment information of the APP is included in the preset running environment information, if the running environment information of the APP is included in the preset running environment information, indicating that the APP runs in the secure environment, then step 401 is executed, otherwise, indicating that the APP does not run in the secure environment, and step 401 is not executed.
The preset running environment information can represent an environment allowing the APP to run, and can be configured in the agent module in advance.
Step 402: the edge dog module receives the first request and calculates a first MAC according to the running environment information of the APP.
In one example, calculating the first MAC according to the running environment information of the APP may include: the edge dog module inputs the running environment information of the APP as an input parameter into a preset algorithm f to obtain the first MAC. For example: first MAC = f(running environment information of the APP).
In another example, calculating the first MAC according to the running environment information of the APP may include: the edge dog module calculates the first MAC according to the security parameter and the running environment information of the APP.
For example, the edge dog module may input the security parameter and the running environment information of the APP as input parameters into the preset algorithm f to obtain the first MAC. For example: first MAC = f(security parameter, running environment information of the APP).
The security parameter can be configured in the edge dog module in advance by the manufacturer of the APP. The security parameter may be a combination of numbers, letters, or other symbols.
For example, obtaining the first MAC according to the security parameter and/or the running environment information of the APP may include: the edge dog module inputs the security parameter and/or the running environment information of the APP as input parameters into the preset algorithm f to obtain the first MAC. For example: first MAC = f(security parameter), or first MAC = f(running environment information of the APP), or first MAC = f(security parameter, running environment information of the APP).
In each embodiment of the present application, the preset algorithm f may be an HMAC algorithm, for example HMAC-Secure Hash Algorithm (SHA)-256, or may be a CMAC algorithm or another algorithm, without limitation. The preset algorithm f can be configured in the agent module and the edge dog module in advance.
It should be noted that, instead of receiving the first request, the edge dog module in step 402 may obtain the first MAC according to the security parameter, that is, obtain the first MAC by using the security parameter as an input parameter, which is not limited.
In another example, obtaining the first MAC according to the running environment information of the APP may include: when the edge dog module determines that the running environment information of the APP matches the preset running environment information, it calculates the first MAC.
For example, the edge dog module may determine whether the running environment information of the APP is included in the preset running environment information. If it is, the security parameter and/or the running environment information of the APP is input as an input parameter into the preset algorithm f to obtain the first MAC. Otherwise, the APP is not running in an allowed running environment and the operation is illegal; in this case, the edge dog module may return to the agent module an indication that the running environment information is illegal, and the process ends.
If the first request also carries an APP activation instruction, after the edge dog module receives the first request, it determines whether the activation times of the APP are less than the maximum allowable activation times. If so, step 402 is executed; otherwise, the edge dog module returns to the agent module an indication that the activation times of the APP have exceeded the maximum allowable activation times, and the process ends.
The maximum allowable activation times can be set by the manufacturer of the APP according to needs and configured in the edge dog module in advance. The activation times of the APP may refer to the total number of times the APP has been successfully activated, and may be stored in the edge dog module. Initially, the activation times of the APP are zero or null. Each time the APP is successfully activated, the agent module sends an activation success message indicating that the APP is successfully activated to the edge dog module, so that the edge dog module updates the locally stored activation times of the APP according to the received activation success message, adding 1 to the activation times of the APP.
In the embodiment of the application, in order to ensure the accuracy of MAC verification, the activation times of APPs stored in the agent module and the edge dog module need to be kept synchronous. Specifically, the activation times of the APP stored in the agent module and the activation times of the APP stored in the edge dog module may be synchronized by the method described in fig. 12 below.
It should be noted that the present application is not limited to using one or more of the security parameter and the running environment information of the APP as input parameters to obtain the first MAC. When the first request includes one or more of the serial number of the APP, the identifier of the APP, and the timestamp, the security parameter, the running environment information of the APP, the serial number of the APP, the identifier of the APP, and the timestamp may be input together as input parameters into the preset algorithm f to obtain the first MAC. That is, the edge dog module may obtain the first MAC according to any one of the following modes (1) to (16):
(1) The first MAC is obtained by taking the security parameter as the input parameter.
(2) The first MAC is obtained by taking the running environment information of the APP as the input parameter.
(3) The first MAC is obtained by taking the security parameter, the serial number of the APP, the identifier of the APP and the timestamp as input parameters.
(4) The first MAC is obtained by taking the running environment information of the APP, the serial number of the APP, the identifier of the APP and the timestamp as input parameters.
(5) The first MAC is obtained by taking the security parameter and the serial number of the APP as input parameters.
(6) The first MAC is obtained by taking the running environment information of the APP and the serial number of the APP as input parameters.
(7) The first MAC is obtained by taking the security parameter and the identifier of the APP as input parameters.
(8) The first MAC is obtained by taking the running environment information of the APP and the identifier of the APP as input parameters.
(9) The first MAC is obtained by taking the security parameter and the timestamp as input parameters.
(10) The first MAC is obtained by taking the running environment information of the APP and the timestamp as input parameters.
(11) The first MAC is obtained by taking the security parameter, the serial number of the APP and the identifier of the APP as input parameters.
(12) The first MAC is obtained by taking the running environment information of the APP, the serial number of the APP and the identifier of the APP as input parameters.
(13) The first MAC is obtained by taking the security parameter, the serial number of the APP and the timestamp as input parameters.
(14) The first MAC is obtained by taking the running environment information of the APP, the serial number of the APP and the timestamp as input parameters.
(15) The first MAC is obtained by taking the security parameter, the identifier of the APP and the timestamp as input parameters.
(16) The first MAC is obtained by taking the running environment information of the APP, the identifier of the APP and the timestamp as input parameters.
In the above-described modes (1) to (16), the key k may be used as an input parameter, and the key k may be allocated to the agent module and the edge dog module in advance. When the first operation is running the APP, the number of activation times of the APP may also be used as an input parameter, without limitation.
Step 403: the edge dog module sends the first MAC to the proxy module.
For example, the edge dog module may send a response to the first request to the agent module, and the response may include the first MAC. When the first request further carries an APP activation indication, the response to the first request may be an activation response. When the first operation is running the APP, the response to the first request may be a fingerprint response.
Step 404: the agent module receives the first MAC and calculates a fourth MAC according to the running environment information of the APP.
For the process by which the agent module calculates the fourth MAC according to the running environment information of the APP, refer to the process by which the edge dog module obtains the first MAC according to the running environment information of the APP.
Specifically, the agent module may obtain the fourth MAC by referring to any one of the above-described modes (1) to (16).
The preset algorithm f and the input parameters adopted by the agent module when calculating the fourth MAC are the same as those adopted by the edge dog module when calculating the first MAC, and are agreed in advance by both sides.
It should be noted that "the same input parameters" means that the input parameters adopted by the agent module when calculating the fourth MAC and the input parameters adopted by the edge dog module when calculating the first MAC are parameters of the same type, for example: both are the security parameter, or both are the running environment information of the APP, or both are the security parameter and the running environment information of the APP, together with one or more of the serial number of the APP, the identifier of the APP and the timestamp.
Step 405: the agent module compares the first MAC with the fourth MAC and verifies whether the edge dog module is legal.
Illustratively, when the first MAC is the same as the fourth MAC, the edge dog module is legal, and the corresponding operation on the APP is allowed, such as activating the APP or continuing to run the APP; when the first MAC is different from the fourth MAC, the edge dog module is illegal, and the first operation on the APP is prevented.
For example, if the first MAC calculated by the edge dog module is 10 and the fourth MAC calculated by the agent module is 11, the first MAC is different from the fourth MAC, and the edge dog module is illegal and is not allowed to perform corresponding operations on the APP.
Further, if the first request further carries an APP activation indication and the edge dog module is legal, the method may further include: the agent module activates the APP, sets the state of the APP to activated after the activation succeeds, adds 1 to the locally stored activation times of the APP, and sends to the edge dog module an activation success message indicating that the APP is successfully activated, so that after the edge dog module receives the activation success message, it updates the activation times of the APP stored locally in the edge dog module by adding 1.
Further, if the first operation is running the APP and the edge dog module is legal, the method may further include: the agent module triggers the APP to continue running.
In the method shown in fig. 4, whether the edge dog module is legal is determined by comparing the MACs, that is, whether the edge dog module is legal is verified in a symmetric key manner. Alternatively, whether the edge dog module is legal can be verified in an asymmetric key manner. For example, the edge dog module may sign a series of parameters such as the running environment information of the APP by using the private key of the edge dog module, and send the signed information to the agent module or the APP. After the agent module or the APP receives the signed information, it obtains the public key of the edge dog module from the certificate of the edge dog module, performs decryption processing on the signed information by using the public key of the edge dog module, verifies whether the edge dog module is legal according to the decrypted information, and performs the corresponding operation on the APP according to whether the edge dog module is legal.
The private key of the edge dog module and the public key of the edge dog module are a pair of asymmetric keys, and the private key of the edge dog module and the public key of the edge dog module can be configured in the edge dog module in advance by an APP manufacturer or an edge dog module manufacturer. The certificate of the edge dog module can be configured in advance at the proxy module by the manufacturer of the APP.
Based on the method shown in fig. 4, after receiving the request for obtaining the first MAC, the edge dog module may generate a MAC according to the running environment information of the APP and feed the MAC back to the agent module, and the agent module compares the MAC it generated itself with the received MAC to verify whether the edge dog module is legal, for example: when the MAC generated by the agent module is the same as the received MAC, the edge dog module is legal, and the corresponding operation is executed on the APP. In this way, the edge dog module is bound to the running environment of the APP: the expected MAC can be calculated, and verification succeeds, only when a legal user runs the APP in a running environment allowed by the edge dog module. Even if an illegal user has obtained the APP, the MAC calculated will differ from the received MAC because the APP is not running in an allowed running environment, so verification fails and the APP cannot be stolen. Compared with the prior art, the method shown in fig. 4 can ensure the safety of APP usage in the MEC scene.
The method shown in fig. 4 is described in detail below by taking as an example the case where the agent module and the APP are deployed together, the first request also carries an APP activation instruction, and the security parameter and the running environment information of the APP are used as input parameters.
Fig. 5 is a flowchart of another anti-cracking method provided in the present application. As shown in fig. 5, the method includes:
Step 501: the agent module receives an activation request from an APP user.
The activation request may be used to request activation of the APP. The activation request may be a request issued by the APP user clicking on a human-machine interface on the mobile edge host.
Step 502: the agent module judges whether the activation times of the APP are smaller than the maximum allowable activation times and whether the running environment information of the APP is included in the preset running environment information; if the activation times of the APP are smaller than the maximum allowable activation times and the running environment information of the APP is included in the preset running environment information, step 502 to step 513 are executed; otherwise, the agent module returns to the APP user an indication that the activation times of the APP exceed the maximum allowable activation times and/or that the APP is not in a legal running environment, and the process ends.
Step 503: the agent module sends a first request to the edge dog module.
Step 503 can be described with reference to step 401, and is not described in detail.
Step 504: the edge dog module receives the first request and judges whether the running environment information of the APP is included in the preset running environment information. If it is, steps 505 to 513 are executed; otherwise, the edge dog module returns to the agent module an indication that the running environment information is illegal, and the process ends.
Step 505: the edge dog module judges whether the activation times of the APP are smaller than the maximum allowable activation times; if the activation times of the APP are less than the maximum allowable activation times, step 506 to step 513 are executed; otherwise, if the activation times of the APP are equal to or greater than the maximum allowable activation times, the edge dog module returns to the agent module an indication that the activation times of the APP have exceeded the maximum allowable activation times, and the process ends.
Step 506: the edge dog module takes the security parameter and the running environment information of the APP as input parameters and calculates a first MAC.
The execution process of step 506 can be described with reference to step 402, and is not repeated herein.
Step 507: the edge dog module sends the first MAC to the proxy module.
The execution process of step 507 can be described with reference to step 403, and is not described in detail.
Step 508: the agent module receives the first MAC, takes the security parameter and the running environment information of the APP as input parameters, and calculates a fourth MAC.
The execution process of step 508 can be described with reference to step 404, and is not repeated herein.
Step 509: the agent module compares the first MAC and the fourth MAC to verify whether activation of the APP is allowed.
The execution process of step 509 may refer to that described in step 405, and is not described in detail.
Step 510: if the APP is allowed to be activated, the agent module activates the APP.
Step 511: after the APP is successfully activated, the agent module adds 1 to the activation times of the locally stored APP, and meanwhile, the agent module sets the state of the APP to be activated.
Step 512: the agent module sends to the edge dog module an activation success message indicating that the APP is successfully activated.
Step 513: the edge dog module receives the activation success message, sets the state of the APP to activated, and updates the activation times of the APP stored locally in the edge dog module by adding 1.
Based on the method shown in fig. 5, after receiving a request for activating the APP, the edge dog module may generate a MAC according to the security parameter and the running environment information of the APP and feed the MAC back to the agent module, and the agent module compares the MAC it generated itself with the received MAC to verify whether the edge dog module is legal, for example: when the MAC generated by the agent module is the same as the received MAC, the edge dog module is legal, and the APP is activated. In this way, a legal user can calculate the expected MAC through the edge dog module by using the legal security parameter and the running environment information of the APP, which guarantees legal use of the APP: only a user who possesses the legal input parameters, such as the legal security parameter, can use the APP. Even if an illegal user has obtained the APP, the MAC calculated will differ from the received MAC because the legal input parameters cannot be obtained, so the APP cannot be stolen and activated.
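The activation exchange of fig. 4 and fig. 5 (steps 501 to 513) as a runnable sketch; this is an added example, not code from the application. It assumes f is HMAC-SHA-256 keyed with the key k over the length-prefixed security parameter and JSON-encoded running environment information; the class names, field names, status strings and all values are constructed.

```python
import hashlib
import hmac
import json

# Every value below is constructed for this example.
KEY_K = b"constructed-key-k"                      # key k, pre-allocated to both modules
SECURITY_PARAMETER = b"constructed-sec-param-01"  # provisioned by the APP vendor
MAX_ACTIVATIONS = 2                               # maximum allowable activation times
PRESET_ENVIRONMENTS = [                           # preset running environment information
    {"mep_id": "mep-0001", "vm_uuid": "00000000-0000-4000-8000-000000000001"},
]


def first_mac_input(security_parameter: bytes, env: dict) -> bytes:
    """Encode (security parameter, running environment information) unambiguously."""
    env_bytes = json.dumps(env, sort_keys=True, separators=(",", ":")).encode()
    # Length-prefix each field so two different field pairs never share an encoding.
    return b"".join(len(p).to_bytes(4, "big") + p for p in (security_parameter, env_bytes))


def preset_algorithm_f(security_parameter: bytes, env: dict) -> bytes:
    """f = HMAC-SHA-256 keyed with k (assumed keying; the page only names the algorithm)."""
    return hmac.new(KEY_K, first_mac_input(security_parameter, env), hashlib.sha256).digest()


class EdgeDogModule:
    def __init__(self, security_parameter: bytes = SECURITY_PARAMETER):
        self.security_parameter = security_parameter
        self.activations = 0
        self.state = "not_activated"

    def handle_first_request(self, request: dict) -> dict:
        env = request["env"]
        if env not in PRESET_ENVIRONMENTS:                            # step 504
            return {"status": "illegal_environment"}
        if self.activations >= MAX_ACTIVATIONS:                       # step 505
            return {"status": "activation_limit_exceeded"}
        first_mac = preset_algorithm_f(self.security_parameter, env)  # step 506
        return {"status": "ok", "first_mac": first_mac}               # step 507

    def handle_activation_success(self) -> None:                      # step 513
        self.state = "activated"
        self.activations += 1


class AgentModule:
    def __init__(self, edge_dog: EdgeDogModule, env: dict):
        self.edge_dog = edge_dog
        self.env = env
        self.activations = 0
        self.state = "not_activated"

    def activate(self) -> str:
        # Step 502: local checks before anything is sent.
        if self.activations >= MAX_ACTIVATIONS:
            return "activation_limit_exceeded"
        if self.env not in PRESET_ENVIRONMENTS:
            return "illegal_environment"
        # Step 503: first request carrying the environment and the activation instruction.
        response = self.edge_dog.handle_first_request({"env": self.env, "activate": True})
        if response["status"] != "ok":
            return response["status"]
        # Step 508: fourth MAC from the agent's own copy of the inputs.
        fourth_mac = preset_algorithm_f(SECURITY_PARAMETER, self.env)
        # Step 509: constant-time comparison, so timing does not reveal matching bytes.
        if not hmac.compare_digest(response["first_mac"], fourth_mac):
            return "edge_dog_illegal"
        # Steps 510-512: activate, count, and report success to the edge dog module.
        self.state = "activated"
        self.activations += 1
        self.edge_dog.handle_activation_success()
        return "activated"


def run_scenarios() -> dict:
    allowed = PRESET_ENVIRONMENTS[0]
    copied = {"mep_id": "mep-9999", "vm_uuid": "00000000-0000-4000-8000-0000000000ff"}
    genuine = AgentModule(EdgeDogModule(), allowed)
    return {
        "genuine": genuine.activate(),
        "forged_edge_dog": AgentModule(EdgeDogModule(b"guessed-parameter"), allowed).activate(),
        "copied_app": AgentModule(EdgeDogModule(), copied).activate(),
        "second": genuine.activate(),
        "third": genuine.activate(),
        "counts_in_sync": genuine.activations == genuine.edge_dog.activations,
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

With these static inputs the first MAC is identical for every request from the same environment; including the timestamp as an input parameter, as in the modes that list it, makes the MAC change after each successful operation.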
The method shown in fig. 4 is described in detail below by taking as an example the case where the agent module and the APP are deployed together, the first operation is running the APP, and the security parameter and the running environment information of the APP are used as input parameters.
Fig. 6 is a flowchart of another anti-cracking method provided in the present application. As shown in fig. 6, the method includes:
Step 601: the agent module receives a run request from an APP user.
The run request may be used to request running the APP. The run request may be a request issued by the APP user clicking a human-machine interface on the mobile edge host.
Step 602: the agent module judges whether the APP is activated and whether the running environment information of the APP is included in the preset running environment information; if the APP is activated and the running environment information of the APP is included in the preset running environment information, step 602 to step 513 are executed; otherwise, the agent module returns to the APP user an indication that the APP is not activated and/or that the running environment information is illegal, and the process ends.
Step 603: the agent module sends a first request to the edge dog module.
Step 603 can be referred to as step 401, and is not described in detail.
Step 604: the edge dog module receives the first request and judges whether the running environment information of the APP is included in the preset running environment information. If it is, steps 605 to 513 are executed; otherwise, the edge dog module returns to the agent module an indication that the running environment information is illegal, and the process ends.
Step 605: the edge dog module judges whether the APP is activated or not; if the APP is activated, executing the step 606 to the step 513; otherwise, if the APP is not activated, the edge dog module returns to the agent module that the APP is not activated, and the process is ended.
Step 606: the edge dog module takes the security parameter and the running environment information of the APP as input parameters and calculates a first MAC.
The execution process of step 606 can be described with reference to step 402, and is not described in detail.
Step 607: the edge dog module sends the first MAC to the proxy module.
The execution process of step 607 can be described with reference to step 403, and is not described in detail.
Step 608: the agent module receives the first MAC, takes the security parameter and the running environment information of the APP as input parameters, and calculates a fourth MAC.
The execution process of step 608 can be described with reference to step 404, and is not described in detail.
Step 609: the agent module compares the first MAC and the fourth MAC and verifies whether the APP is allowed to run.
The execution process of step 609 can refer to that described in step 405, and is not described in detail.
Step 610: if the APP is allowed to run, the agent module continues to run the APP.
Based on the method shown in fig. 6, after receiving a request for running the APP, the edge dog module may generate a MAC according to the security parameter and the running environment information of the APP and feed the MAC back to the agent module, and the agent module compares the MAC it generated itself with the received MAC to verify whether running the APP is allowed, for example: when the MAC generated by the agent module is the same as the received MAC, running the APP is allowed. In this way, a legal user can calculate the expected MAC through the edge dog module by using the legal security parameter and the running environment information of the APP, which guarantees legal use of the edge dog module: only a user who possesses the legal input parameters, such as the legal security parameter, can use the APP. Even if an illegal user has obtained the APP, the MAC calculated will differ from the received MAC because the legal input parameters cannot be obtained, so the APP cannot be stolen and run.
The anti-cracking process when the APP is deactivated is described below, taking as an example the case where the agent module and the APP are deployed together:
Fig. 7 is a flowchart of another anti-cracking method provided in the present application. As shown in fig. 7, the method includes:
Step 701: the agent module determines that a condition for deactivating the APP is satisfied.
The conditions for deactivating the APP comprise one or more of the following: (I) an APP unloading request sent by an APP user is received, where the APP unloading request is used for requesting to unload the APP; (II) the use validity period of the APP is reached. The use validity period of the APP can be preset and is not limited.
Step 702: the agent module calculates a second MAC according to the security parameter.
Wherein the second MAC may be used to verify whether the operation of deactivating the APP is legitimate.
For example, the agent module may input the security parameter as an input parameter into the preset algorithm f to obtain the second MAC.
In the anti-cracking process for deactivating the APP, the input parameters are not limited to the security parameter; one or more parameters such as the identifier of the APP, the key k, the activation times of the APP, the serial number of the APP and the timestamp can also be used as input parameters to calculate the second MAC.
Step 703: the agent module sends a second request to the edge dog module.
The second request may be used to request deactivation of the APP, and the second request may include the second MAC, and may further include one or more parameters such as an identifier of the APP, the number of activations of the APP, a sequence number of the APP, and a timestamp. The second request may also be named a deactivation request.
For the process by which the agent module sends the second request to the edge dog module, refer to the process by which the agent module sends the first request to the edge dog module in step 401; details are not repeated here.
Step 704: the edge dog module receives the second request, takes the security parameter as an input parameter, and calculates a third MAC.
The execution process of step 706 can be described with reference to step 702, and is not repeated herein.
Step 705: the edge dog module compares the second MAC with the third MAC and verifies whether the APP is allowed to be deactivated.
The execution process of step 706 can be described with reference to step 405, and is not described in detail.
Step 706: the edge dog module sends a deactivation response to the agent module.
Wherein the deactivation response may be used to indicate whether deactivation of the APP is allowed, such as: when the second MAC is the same as the third MAC, the deactivation response may be used to indicate that deactivation of the APP is allowed, whereas when the second MAC is different from the third MAC, the deactivation response may be used to indicate that deactivation of the APP is not allowed.
Step 707: If deactivation of the APP is allowed and the condition for deactivating the APP is condition (one), the edge dog module decrements the locally stored activation times of the APP by 1 and marks the state of the APP as 'deactivation'; if deactivation of the APP is allowed and the condition for deactivating the APP is condition (two), the edge dog module marks the state of the APP as 'deactivation'.
It should be noted that the present application does not limit the execution order of step 706 and step 707: step 706 may be executed before step 707, or step 707 may be executed before step 706.
Based on the method shown in fig. 7, after receiving a request to deactivate the APP, the edge dog module may generate a MAC according to the security parameter and compare the MAC it generated with the received MAC to verify whether deactivation of the APP is allowed, such as: when the generated MAC is the same as the received MAC, deactivation of the APP is allowed. Therefore, a legal user can use the legal security parameters and the APP deactivation environment information to calculate the expected MAC through the edge dog module, which guarantees legal use of the edge dog module: only a user who has the legal security parameters and other input parameters can use the APP. Even if an illegal user obtains the APP, the illegal user cannot obtain the legal input parameters and therefore calculates a MAC different from the received MAC, so the APP cannot be embezzled and deactivated.
Fig. 4 to fig. 7 take the deployment of the agent module and the APP as an example, and describe the anti-cracking process when activating the APP, the anti-cracking process when running the APP, and the anti-cracking process when deactivating the APP. In the following, by taking the separate deployment of the agent module and the APP as an example, a cracking prevention process when the APP is activated, a cracking prevention process when the APP is running, and a cracking prevention process when the APP is deactivated are described.
Fig. 8 is a flowchart of an anti-cracking method provided in the present application, and as shown in fig. 8, the method includes:
Step 801: The APP sends a third request to the agent module.
The APP may be deployed separately from the agent module, for example, the agent module may be the agent module 2 in fig. 2, the edge dog module may be the edge dog module 2 in fig. 2, and the APP may be APP2 in fig. 2.
Wherein the third request may be for requesting a fourth MAC.
The third request may include running environment information of the APP, and may further include one or more parameters of a sequence number of the APP, an identifier of the APP, a timestamp, and the like. The sequence number of the APP, the identifier of the APP, and the related description of the timestamp may refer to those in step 401, which are not described in detail.
For example, the APP may send a third request to the agent module after receiving an operation request sent by the APP user to perform the first operation on the APP. The relevant description of the first operation may refer to the above step 401. The operation request can be an operation request sent by clicking an APP icon on a human-computer interaction interface of the mobile edge host by an APP user.
Illustratively, the APP may send the third request to the proxy module via the SDK.
Step 802: The agent module receives the third request and calculates a fourth MAC according to the running environment information of the APP.
Illustratively, if the first request also carries an APP activation indication, then after receiving the operation request sent by the APP, the agent module judges whether the activation times of the APP are less than the maximum allowable activation times. If so, the agent module calculates the fourth MAC according to the security parameter; otherwise, it returns that the activation times of the APP have exceeded the maximum allowable activation times.
The agent module may obtain the fourth MAC by referring to any one of the above-described modes (1) to (16).
The preset algorithm f and the input parameters adopted by the agent module when calculating the fourth MAC are the same as those adopted by the edge dog module when calculating the first MAC, and are agreed in advance by both parties.
It should be noted that "the same input parameters" means that the input parameters adopted by the agent module when calculating the fourth MAC and the input parameters adopted by the edge dog module when calculating the first MAC are the same type of parameters, such as: both are security parameters, or both are the running environment information of the APP, or both are the security parameters and/or the running environment information of the APP together with one or more of the following parameters: the serial number of the APP, the identifier of the APP, and the timestamp.
Step 803: the agent module sends a fourth MAC to the APP.
Illustratively, the proxy module may send the fourth MAC to the APP via the SDK.
Step 804: the APP sends a first request to the edge dog module.
The first request may be used to request to obtain the first MAC, where the first request may include the fourth MAC, and may further include one or more parameters of the running environment information of the APP, the identifier of the APP, the sequence number of the APP, and the timestamp, which are described in step 401.
Step 805: The edge dog module receives the first request and calculates a first MAC according to the running environment information of the APP.
The edge dog module may obtain the first MAC by referring to any one of the manners (1) to (16), which is not described herein.
Step 806: The edge dog module compares the first MAC with the fourth MAC and verifies whether the edge dog module is legal.
Illustratively, when the first MAC is the same as the fourth MAC, the edge dog module is legal and allows corresponding operations to be performed on the APP; the edge dog module is illegal when the first MAC is different from the fourth MAC.
Step 807: The edge dog module sends a verification result to the APP.
Further, if the first request further carries an APP activation indication and the edge dog module is legal, the method may further include: the APP is activated, and after the activation succeeds, the APP sends an activation success message indicating that the APP is successfully activated to the agent module and the edge dog module. The agent module receives the activation success message, sets the state of the APP to activated, and adds 1 to its locally stored activation times of the APP. After receiving the activation success message, the edge dog module adds 1 to its locally stored activation times of the APP.
Further, if the first operation is running the APP and the edge dog module is illegal, the running environment of the APP is unsafe, and the APP exits.
It should be noted that, in the method shown in fig. 8, alternatively, the APP may also compare the first MAC and the fourth MAC to verify whether the edge dog module is legal, for example: the above steps 806 to 807 may be replaced by: the edge dog module sends the first MAC to the APP, and the APP compares the first MAC with the fourth MAC to verify whether the edge dog module is legal or not.
Based on the method shown in fig. 8, after receiving the request for obtaining the first MAC sent by the APP, the edge dog module may generate a MAC according to the security parameter and/or the running environment information of the APP, compare the MAC it generated with the received MAC, and verify whether the edge dog module is legal, for example: when the MAC generated by the edge dog module is the same as the received MAC, the edge dog module is legal, and the verification result is fed back to the APP so that the APP can execute subsequent operations. In this way, a legal user can use the legal security parameters and other parameters to calculate a MAC through the edge dog module, and the MAC generated by the agent module is matched against the MAC generated by the edge dog module to verify whether the operation on the APP is legal. This guarantees legal use of the edge dog module: only a user who has the legal security parameters and other input parameters can use the APP. Even if an illegal user obtains the APP, the illegal user cannot obtain the legal input parameters and therefore calculates a MAC different from the received MAC, so the APP cannot be stolen. Compared with the prior art, the method shown in fig. 8 can guarantee the security of APP use in the MEC scene.
The method shown in fig. 8 is described in detail below, taking as an example the case where the agent module and the APP are deployed separately, the first request also carries an APP activation indication, and the security parameter and the running environment information of the APP are used as input parameters.
Fig. 9 is a flowchart of another anti-cracking method provided in the present application, and as shown in fig. 9, the method includes:
Step 901: The APP receives an activation request from an APP user.
Wherein the activation request may be for requesting activation of the APP. The activation request may be a request issued by the APP user clicking on a human machine interface on the mobile edge host.
Step 902: the APP sends a third request to the agent module.
The description of the third request and the execution process of step 902 may refer to step 801, which is not repeated herein.
Step 903: the agent module receives the third request and judges whether the activation times of the APP are smaller than the maximum allowable activation times; if the activation times of the APP are less than the maximum allowable activation times, executing the steps 904-914; otherwise, if the activation times of the APP are equal to or greater than the maximum allowable activation times, the agent module returns to the APP that the activation times of the APP have exceeded the maximum allowable activation times, and the process ends.
Step 904: The agent module calculates a fourth MAC according to the security parameters.
For the execution process of step 904, refer to the description of step 802; details are not repeated here.
Step 905: The agent module sends the fourth MAC to the APP.
For the execution process of step 905, refer to the description of step 803; details are not repeated here.
Step 906: The APP sends a first request to the edge dog module.
For step 906, refer to step 804; details are not repeated here.
Step 907: The edge dog module receives the first request and judges whether the running environment information of the APP is included in the preset running environment information; if it is, steps 908-914 are executed; otherwise, the edge dog module returns to the APP that the running environment information is illegal, and the process ends.
Step 908: The edge dog module judges whether the activation times of the APP are less than the maximum allowable activation times; if so, steps 909 to 914 are executed; otherwise, if the activation times of the APP are equal to or greater than the maximum allowable activation times, the edge dog module returns to the APP that the activation times of the APP have exceeded the maximum allowable activation times, and the process ends.
Step 909: The edge dog module takes the security parameters and the running environment information of the APP as input parameters and calculates a first MAC.
For the execution process of step 909, refer to the description of step 805; details are not repeated here.
Step 910: The edge dog module compares the first MAC with the fourth MAC and verifies whether the edge dog module is legal.
For the execution process of step 910, refer to the description of step 806; details are not repeated here.
Step 911: The edge dog module sends a verification result to the APP.
Step 912: If activation of the APP is allowed, the APP is activated, and after the activation succeeds, an activation success message indicating that the APP is successfully activated is sent to the agent module and the edge dog module.
Step 913: The agent module receives the activation success message, adds 1 to its locally stored activation times of the APP, and sets the state of the APP to activated.
Step 914: The edge dog module receives the activation success message and adds 1 to its locally stored activation times of the APP; at the same time, the agent module sets the state of the APP to activated.
It should be noted that, in the method shown in fig. 9, alternatively, the APP may also compare the first MAC and the fourth MAC to verify whether the edge dog module is legal, for example: the steps 910 to 911 may be replaced by: the edge dog module sends the first MAC to the APP, and the APP compares the first MAC with the fourth MAC to verify whether the APP is allowed to be activated or not.
Based on the method shown in fig. 9, after receiving a request from the APP to activate the APP, the edge dog module may generate a MAC according to the security parameter and the running environment information of the APP, compare the MAC it generated with the received MAC, and verify whether the edge dog module is legal, such as: when the MAC generated by the edge dog module is the same as the received MAC, the edge dog module is legal, and the APP is activated. In this way, a legal user can use the legal security parameters and the running environment information of the APP to calculate the expected MAC through the edge dog module, which guarantees legal use of the edge dog module: only a user who has the legal security parameters and other input parameters can use the APP. Even if an illegal user obtains the APP, the illegal user cannot obtain the legal input parameters and therefore calculates a MAC different from the received MAC, so the APP cannot be stolen and activated.
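The following added example (not part of the application text) walks through the fig. 9 activation flow in Python, including the environment check of step 907 and the activation limit of steps 903 and 908. It assumes HMAC-SHA256 as the preset algorithm f, which the text does not specify; the key, security parameter, environment strings, APP identifier and the limit of 2 activations are constructed sample values.

```python
import hashlib
import hmac
import struct

MAX_ACTIVATIONS = 2  # constructed value for the maximum allowable activation times


def preset_f(key: bytes, *fields: str) -> bytes:
    """Assumed stand-in for the preset algorithm f: HMAC-SHA256 over the inputs.

    Each field is length-prefixed so that ("ab", "c") and ("a", "bc")
    cannot produce the same MAC.
    """
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for field in fields:
        data = field.encode("utf-8")
        mac.update(struct.pack(">I", len(data)) + data)
    return mac.digest()


class AgentModule:
    def __init__(self, key: bytes, security_param: str):
        self.key, self.security_param = key, security_param
        self.activations = 0
        self.state = "inactive"

    def handle_third_request(self, env_info: str, app_id: str):
        # Step 903: refuse once the activation times reach the maximum.
        if self.activations >= MAX_ACTIVATIONS:
            return None
        # Step 904: fourth MAC, over the same inputs the edge dog uses in step 909.
        return preset_f(self.key, self.security_param, env_info, app_id)

    def on_activation_success(self):
        # Step 913: count the activation and record the state.
        self.activations += 1
        self.state = "activated"


class EdgeDogModule:
    def __init__(self, key: bytes, security_param: str, allowed_envs: set):
        self.key, self.security_param = key, security_param
        self.allowed_envs = allowed_envs  # preset running environment information
        self.activations = 0

    def handle_first_request(self, fourth_mac: bytes, env_info: str, app_id: str) -> str:
        # Step 907: the reported environment must be one of the preset ones.
        if env_info not in self.allowed_envs:
            return "illegal running environment"
        # Step 908: enforce the activation limit on this side as well.
        if self.activations >= MAX_ACTIVATIONS:
            return "activation limit exceeded"
        # Step 909: first MAC from the security parameter and environment info.
        first_mac = preset_f(self.key, self.security_param, env_info, app_id)
        # Step 910: constant-time comparison avoids leaking how many bytes match.
        return "legal" if hmac.compare_digest(first_mac, fourth_mac) else "illegal"

    def on_activation_success(self):
        # Step 914: keep the edge dog's count in step with the agent's.
        self.activations += 1


def activate(agent: AgentModule, dog: EdgeDogModule, env_info: str, app_id: str) -> str:
    """APP side of steps 902 to 914; returns the outcome as a string."""
    fourth_mac = agent.handle_third_request(env_info, app_id)
    if fourth_mac is None:
        return "activation limit exceeded"
    result = dog.handle_first_request(fourth_mac, env_info, app_id)
    if result != "legal":
        return result
    # Step 912: activation succeeded, notify both modules.
    agent.on_activation_success()
    dog.on_activation_success()
    return "activated"


if __name__ == "__main__":
    key = b"constructed-demo-key-k"
    agent = AgentModule(key, "constructed-security-param")
    dog = EdgeDogModule(key, "constructed-security-param", {"mec-host-A"})
    print(activate(agent, dog, "mec-host-A", "app-1"))  # allowed environment
    print(activate(agent, dog, "mec-host-B", "app-1"))  # copied to another host
```

Because the environment string is an input to the MAC as well as a member of the preset list, an agent holding a different security parameter fails at step 910 even when it reports an allowed environment.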
The method shown in fig. 8 is described in detail below, taking as an example the case where the agent module and the APP are deployed separately, the first operation is running the APP, and the security parameter and the running environment information of the APP are used as input parameters.
Fig. 10 is a flowchart of another anti-cracking method provided in the present application, and as shown in fig. 10, the method includes:
Step 1001: The APP receives a run request from an APP user.
Wherein the run request may be for requesting to run the APP. The running request may be a request issued by the APP user clicking a human machine interface on the mobile edge host.
Step 1002: the APP sends a third request to the agent module.
The description of the third request and the execution process of step 1002 may refer to step 801, which is not repeated herein.
Step 1003: the agent module receives the third request and judges whether the APP is activated or not; if the APP is activated, executing steps 1004 to 1011; otherwise, the agent module returns that the APP is not activated to the APP, and the process is ended.
Step 1004: The agent module calculates a fourth MAC according to the security parameters and the running environment information of the APP.
For the execution process of step 1004, refer to the description of step 802; details are not repeated here.
Step 1005: The agent module sends the fourth MAC to the APP.
For the execution process of step 1005, refer to the description of step 803; details are not repeated here.
Step 1006: The APP sends a first request to the edge dog module.
For the description of the first request and of step 1006, refer to the description of step 804; details are not repeated here.
Step 1007: The edge dog module receives the first request and judges whether the running environment information of the APP is included in the preset running environment information; if it is, steps 1008-1011 are executed; otherwise, the edge dog module returns to the APP that the running environment information is illegal, and the process ends.
Step 1008: The edge dog module judges whether the APP is activated; if the APP is activated, steps 1009 to 1011 are executed; otherwise, the agent module returns to the APP that the APP is not activated, and the process ends.
Step 1009: The edge dog module takes the security parameters and the running environment information of the APP as input parameters and calculates a first MAC.
For the execution process of step 1009, refer to the description of step 805; details are not repeated here.
Step 1010: The edge dog module sends the first MAC to the APP.
Step 1011: The APP compares the first MAC with the fourth MAC to verify whether the edge dog module is legal.
Illustratively, if the first MAC is the same as the fourth MAC, the edge dog module is legal, running the APP is allowed, and the APP continues running. Otherwise, if the first MAC is different from the fourth MAC, the edge dog module is illegal, and the APP stops running.
It should be noted that, in the method shown in fig. 10, alternatively, the edge dog module may also compare the first MAC with the fourth MAC to verify whether the edge dog module is legal, such as: the above steps 1010 to 1011 may be replaced by: the edge dog module compares the first MAC with the fourth MAC, verifies whether the APP is allowed to run, and sends a verification result to the APP.
Based on the method shown in fig. 10, after receiving a request from the APP to run the APP, the agent module may generate a MAC according to the security parameters and the running environment information of the APP and feed the MAC back to the APP; likewise, after receiving a request from the APP to run the APP, the edge dog module may generate a MAC according to the security parameters and the running environment information of the APP and feed the MAC back to the APP. The APP compares the MAC generated by the agent module with the MAC generated by the edge dog module and verifies whether running the APP is allowed. Therefore, a legal user can use the legal security parameters and the running environment information of the APP to calculate the expected MAC through the edge dog module, which guarantees legal use of the edge dog module: only a user who has the legal security parameters and other input parameters can use the APP. Even if an illegal user obtains the APP, the illegal user cannot obtain the legal input parameters and therefore calculates a MAC different from the received MAC, so the APP cannot be embezzled and run.
The following describes the anti-cracking process when the APP is deactivated, with the agent module and the APP deployed separately:
Fig. 11 is a flowchart of another anti-cracking method provided in the present application, and as shown in fig. 11, the method includes:
Step 1101: The APP determines that a condition for deactivating the APP is satisfied.
For the conditions for deactivating the APP and the process of determining that a condition for deactivating the APP is satisfied, refer to step 701 above; details are not repeated here.
Step 1102: the APP sends a fourth request to the agent module.
Wherein the fourth request may be for requesting deactivation of the APP. The fourth request may include one or more parameters such as an identification of the APP, a sequence number of the APP, a timestamp, etc.
Step 1103: The agent module receives the fourth request and calculates a second MAC according to the security parameters.
Wherein the second MAC may be used to verify whether the operation of deactivating the APP is legitimate.
For example, the agent module may execute step 1103 with reference to step 702; details are not repeated here.
Step 1104: If the condition for deactivating the APP is condition (one), the agent module decrements the locally stored activation times of the APP by 1 and marks the state of the APP as 'deactivation'; if the condition for deactivating the APP is condition (two), the agent module marks the state of the APP as 'deactivation'.
It should be noted that the present application does not limit the execution order of step 1103 and step 1104: the two steps may be executed sequentially or simultaneously, or step 1104 may be executed before step 1103.
Step 1105: The agent module sends the second MAC to the APP.
Step 1106: the APP sends a second request to the edge dog module.
Wherein the second request may be for requesting deactivation of the APP, and the second request may include the second MAC. The second request may also be named a deactivation request.
For the sending process, refer to the process by which the agent module sends the second request to the edge dog module in step 401; details are not repeated here.
Step 1107: The edge dog module receives the second request and, taking the security parameters as input parameters, calculates a third MAC.
For the execution process of step 1106, refer to the description of step 706; details are not repeated here.
Step 1108: The edge dog module compares the second MAC with the third MAC and verifies whether the APP is allowed to be deactivated.
For the execution process of step 1108, refer to the description of step 405; details are not repeated here.
Step 1109: the edge dog module sends a deactivation response to the agent module.
Wherein the deactivation response may be used to indicate whether deactivation of the APP is allowed, such as: when the second MAC is the same as the third MAC, the deactivation response may be used to indicate that deactivation of the APP is allowed, whereas when the second MAC is different from the third MAC, the deactivation response may be used to indicate that deactivation of the APP is not allowed.
Step 1110: If deactivation of the APP is allowed and the condition for deactivating the APP is condition (one), the edge dog module decrements the locally stored activation times of the APP by 1 and marks the state of the APP as 'deactivation'; if deactivation of the APP is allowed and the condition for deactivating the APP is condition (two), the edge dog module marks the state of the APP as 'deactivation'.
It should be noted that the present application does not limit the execution order of step 1109 and step 1110: step 1109 may be executed before step 1110, or step 1110 may be executed before step 1109.
Based on the method shown in fig. 11, after receiving a request to deactivate the APP, the edge dog module may generate a MAC according to the security parameter and compare the MAC it generated with the received MAC to verify whether deactivation of the APP is allowed, such as: when the generated MAC is the same as the received MAC, deactivation of the APP is allowed. Therefore, a legal user can use the legal security parameters and the APP deactivation environment information to calculate the expected MAC through the edge dog module, which guarantees legal use of the edge dog module: only a user who has the legal security parameters and other input parameters can use the APP. Even if an illegal user obtains the APP, the illegal user cannot obtain the legal input parameters and therefore calculates a MAC different from the received MAC, so the APP cannot be embezzled and deactivated.
To keep the activation times of the APP stored at the agent module and at the edge dog module synchronized, the application also provides a synchronization method. Fig. 12 is a flowchart of another state synchronization method provided in the present application, and as shown in fig. 12, the method includes:
Step 1201: The agent module sends a state synchronization request to the edge dog module.
The state synchronization request may include the number of activations of the APP.
For example, the agent module may send a state synchronization request to the edge dog module in a case that the activation state of the APP is not successfully notified to the edge dog module; alternatively, the status synchronization request is sent to the edge dog module periodically, without limitation.
Step 1202: The edge dog module receives the state synchronization request from the agent module and updates its locally stored activation times of the APP to the activation times of the APP carried in the request.
Step 1203: The edge dog module sends a state synchronization response to the agent module.
The state synchronization response may be used to indicate that the edge dog module has synchronized its activation times of the APP to be consistent with the activation times of the APP at the agent module.
Based on the method described in fig. 12, the activation times of the APP stored in the agent module and in the edge dog module can be synchronized, so that the two modules have a consistent understanding of the activation times of the APP.
In the embodiments provided in the present application, the method is introduced from the perspective of interaction between the agent module and the edge dog module. It is understood that, for each network element, for example the agent module and the edge dog module, to implement each function in the method provided in the foregoing embodiments of the present application, the network device and the terminal device include a hardware structure and/or a software module corresponding to each function. Those skilled in the art will readily appreciate that the algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends upon the particular application and the design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiment of the present application, the agent module and the edge dog module may be divided into function modules according to the above method example, for example, each function module may be divided corresponding to each function, or two or more functions may be integrated into one processing module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. It should be noted that, in the embodiment of the present application, the division of the module is schematic, and is only one logic function division, and there may be another division manner in actual implementation.
In the case of dividing each function module by corresponding functions, fig. 13 shows a structure diagram of an edge dog module 130, and the edge dog module 130 can be deployed on a VM/container of a mobile edge host. The edge dog module 130 may be configured to perform the functions of the edge dog module involved in the above-described method embodiments. The edge dog module 130 shown in fig. 13 includes: a receiving unit 1301, a processing unit 1302, and a sending unit 1303.
In one possible design, the receiving unit 1301 is configured to receive a first request that is used for requesting the first MAC and includes the running environment information of the APP. For example, the receiving unit 1301 is used to support the edge dog module 130 to perform steps 402 and 805.
The processing unit 1302 is configured to calculate, according to the running environment information of the APP, a first MAC for verifying whether the edge dog module is legal. For example, the processing unit 1302 is configured to support the edge dog module 130 to perform the steps 402, 805, and 806.
A sending unit 1303, configured to send the first MAC. For example, the sending unit 1303 is configured to support the edge dog module 130 to perform steps 403 and 807.
In yet another possible design, the receiving unit 1301 is configured to receive a first request for requesting to obtain the first MAC and including a fourth MAC, where the fourth MAC is used to verify whether the edge dog module is legal; a processing unit 1302, configured to calculate a first MAC according to the running environment information of the APP, and compare the first MAC with the fourth MAC; a sending unit 1303, configured to send a response to the first request. When the first MAC and the fourth MAC are the same, the response to the first request indicates that the edge dog module is legal, and when the first MAC and the fourth MAC are different, the response to the first request indicates that the edge dog module is illegal.
In yet another possible design, the receiving unit 1301 is configured to receive a first request for requesting a first MAC; the processing unit 1302 is configured to calculate, according to the security parameter, a first MAC for verifying whether the edge dog module is legal; a sending unit 1303, configured to send the first MAC.
In yet another possible design, the receiving unit 1301 is configured to receive a first request for requesting to obtain the first MAC and including a fourth MAC, where the fourth MAC is used to verify whether the edge dog module is legal; a processing unit 1302, configured to calculate a first MAC according to the security parameter, and compare the first MAC with the fourth MAC; a sending unit 1303, configured to send a response to the first request. When the first MAC and the fourth MAC are the same, the response to the first request indicates that the edge dog module is legal, and when the first MAC and the fourth MAC are different, the response to the first request indicates that the edge dog module is illegal.
In another possible design, the receiving unit 1301 is configured to receive a second request including a second MAC for requesting deactivation of the APP, where the second MAC is used to verify whether an operation of deactivating the APP is legal; a processing unit 1302, configured to calculate a third MAC according to the security parameter, and compare the second MAC with the third MAC; a sending unit 1303, configured to send a deactivation response. When the second MAC and the third MAC are the same, the deactivation response is used for indicating that the APP is successfully deactivated, and when the second MAC and the third MAC are different, the deactivation response is used for indicating that the APP is unsuccessfully deactivated.
The related description of the security parameters and the APP operating environment information may refer to the method shown in fig. 4 to 12, and the specific execution processes of the receiving unit 1301, the processing unit 1302, and the sending unit 1303 may refer to the actions specified by the edge dog module in the method shown in fig. 4 to 12, which are not described again.
In the case of dividing each functional module by corresponding functions, fig. 14 shows a structure diagram of a proxy module 140, and the proxy module 140 can be deployed on a VM/container of a mobile edge host. The agent module 140 may be used to perform the functions of the agent module referred to in the above-described method embodiments. The agent module 140 shown in fig. 14 includes: a receiving unit 1401, a processing unit 1402, and a sending unit 1403.
In one possible design, the sending unit 1403 is configured to send a first request including the runtime environment information of the APP to the edge dog module, where the first request is used for requesting the first MAC. For example, the sending unit 1403 may support the proxy module 140 to perform step 401.
A receiving unit 1401, configured to receive a first MAC from the edge dog module, where the first MAC is used to verify whether the edge dog module is legal. For example, the receiving unit 1401 may support the proxy module 140 to perform step 404.
The processing unit 1402 is configured to calculate a fourth MAC according to the running environment information of the APP, compare the first MAC with the fourth MAC, determine that the edge dog module is legal if the first MAC is the same as the fourth MAC, and determine that the edge dog module is illegal if the first MAC is different from the fourth MAC. For example, the processing unit 1402 may enable the proxy module 140 to perform steps 404, 405.
In yet another possible design, the receiving unit 1401 is configured to receive a third request from the APP to request a fourth MAC; a processing unit 1402, configured to calculate, according to the security parameter, a fourth MAC used for verifying whether the edge dog module is legal; a sending unit 1403, configured to send the fourth MAC to the APP.
In yet another possible design, the sending unit 1403 is configured to send a first request for requesting the first MAC to the edge dog module; a receiving unit 1401, configured to receive a first MAC from the edge dog module, where the first MAC is used to verify whether the edge dog module is legal; the processing unit 1402 is configured to obtain a fourth MAC according to the security parameter calculation, compare the first MAC with the fourth MAC, determine that the edge dog module is legal if the first MAC is the same as the fourth MAC, and determine that the edge dog module is illegal if the first MAC is not the same as the fourth MAC.
In yet another possible design, the receiving unit 1401 is configured to receive a third request including the running environment information of the APP from the APP for requesting the fourth MAC. For example, the receiving unit 1401 may support the proxy module 140 to perform step 802.
The processing unit 1402 is configured to calculate, according to the running environment information of the APP, a fourth MAC used for verifying whether the edge dog module is legal. For example, the processing unit 1402 may enable the proxy module 140 to perform step 802.
A sending unit 1403, configured to send the fourth MAC to the APP. For example, the sending unit 1403 supports the proxy module 140 to perform step 803.
The related description of the security parameters and the running environment information of the APP may refer to the method shown in fig. 4 to 12, and the specific execution processes of the receiving unit 1401, the processing unit 1402 and the sending unit 1403 may refer to the actions specified by the proxy module in the method shown in fig. 4 to 12, which are not described again.
The embodiment of the application also provides a computer readable storage medium. All or part of the processes in the above method embodiments may be performed by relevant hardware instructed by a computer program, which may be stored in the above computer-readable storage medium, and when executed, may include the processes in the above method embodiments. The computer readable storage medium may be an internal storage unit of the communication device (including the data sending end and/or the data receiving end) of any previous embodiment, such as a hard disk or a memory of the communication device. The computer readable storage medium may also be an external storage device of the communication apparatus, such as a plug-in hard disk, a Smart Memory Card (SMC), a Secure Digital (SD) card, a flash memory card (flash card), or the like, provided on the communication apparatus. Further, the computer-readable storage medium may include both an internal storage unit and an external storage device of the communication apparatus. The computer-readable storage medium stores the computer program and other programs and data required by the communication apparatus. The above-described computer-readable storage medium may also be used to temporarily store data that has been output or is to be output.
In yet another possible design, in some application scenarios, the APP may be deployed at a client and a server. The client is usually deployed in a terminal located at the front end, and the APP deployed on the client has strong copy prevention and cracking prevention characteristics. The server is deployed in a virtual environment at the back end, for example, in the MEC system. An APP deployed in the MEC system is easy to copy and crack, which reduces the security of the APP deployed on the server.
In the method, a front-end terminal provides a check MAC value for a back-end server to check whether the APP deployed on the server is legal or not, so that corresponding remedial measures or processing measures are adopted under the condition that the APP is illegal, and the safety of the APP deployed on the server is improved. The anti-cracking method can effectively bind the front end and the back end, and the server with the APP deployed at the back end also has the anti-copying and anti-cracking characteristics by means of the terminal at the front end.
It should be noted that, in this embodiment of the application, the following terminal may refer to a terminal on which a client is deployed, and the client is deployed with an APP, and may be referred to as an APP client; further, for convenience of description, a server in which an APP is deployed may be referred to as an APP server.
The following describes another anti-cracking method provided by the present application with reference to the accompanying drawings 15-22.
Fig. 15 is a diagram of another system architecture provided in the present application, where the system is suitable for a scenario where the APP is deployed on a client and a server. As shown in fig. 15, the system may include a terminal and an APP server, and may also include an MEP and an NFVI. The terminal is provided with an APP client, and the APP client is provided with an agent module, which can be used for executing the execution process of the terminal in the following method embodiments. In addition, the terminal can also be provided with a security module that stores hardware security parameters. The security module can be a fifth generation (5th generation, 5G) module, other secure hardware, or a security chip, and the security module has a connection relationship with the agent module in the APP client. The APP server and the MEP can be deployed in a network function virtualization infrastructure (NFVI). The NFVI may also include a security module, where the security module may store hardware security parameters in advance, and the security module may include secure hardware such as a Trusted Platform Module (TPM) or a security chip. The APP server can be connected with the terminal and can be connected with the MEP.
In this embodiment of the present application, the hardware security parameter may be used to verify whether the APP on the APP server is legal, and the hardware security parameter may be pre-configured in the security module in the terminal and/or pre-configured in the security module of the NFVI. Specifically, the hardware security parameter may include, but is not limited to, one or more of a security chip identifier (ID), a security chip preset parameter, and a processor ID in the security chip, where the security chip preset parameter may include, but is not limited to, a random number or a root key.
It should be noted that fig. 15 is only an exemplary diagram. In fig. 15, the MEP and the APP server may be deployed in the NFVI or outside the NFVI, without limitation. In the present application, the case where the MEP and the APP server are separately deployed outside the NFVI is used as an example for explanation; in that case, the APP server may interact with the NFVI through the MEP. Furthermore, the system may also include other components in addition to those described in fig. 15, without limitation.
The terminal may be a terminal equipment (terminal equipment), a User Equipment (UE), a Mobile Station (MS), a Mobile Terminal (MT), or the like. Specifically, the terminal may be a mobile phone (mobile phone), a tablet computer or a computer with a wireless transceiving function, and may also be a Virtual Reality (VR) terminal, an Augmented Reality (AR) terminal, a wireless terminal in industrial control, a wireless terminal in unmanned driving, a wireless terminal in telemedicine, a wireless terminal in a smart grid, a wireless terminal in a smart city (smart city), a smart home, a vehicle-mounted terminal, and the like.
The APP server may be configured to provide APP services for users, and as shown in fig. 15, the APP server may include a proxy module that may perform actions specified by the APP server in the method embodiments shown in fig. 16-22 described below.
The NFVI includes a virtualization layer (hypervisor or container management system, such as Docker and vSwitch) and physical resources, such as switches and storage devices. NFVI can be deployed across several physical locations, in which case the network providing data connectivity for these physical sites is also referred to as part of the NFVI. In order to be compatible with the existing network architecture, the network access point of the NFVI needs to be able to interwork with other physical networks. NFV supports multiple channels, NFVI is a common virtualization layer, and all virtual resources should be in a unified shared resource pool, and should not be restricted or treated specifically to some Virtual Network Functions (VNFs) running thereon.
Still another anti-crack method of the embodiment of the present application is described below with reference to the system shown in fig. 15.
Fig. 16 is a flowchart of an anti-cracking method provided in the embodiment of the present application, where the method may be interactively executed by a terminal deployed with an APP client, an APP server, and an MEP platform, a Transport Layer Security (TLS) connection is established between the terminal and the APP server, and a TLS connection is established between the APP server and the MEP; as shown in fig. 16, the method may include:
Step 1601: the APP server sends a first request to the terminal.
The first request may be for requesting a first MAC, and the first MAC may be used for verifying whether the APP is legitimate.
It should be noted that, in each embodiment of the present application, verifying whether the APP is legal may also be described as/replaced by verifying whether the APP on the APP server is legal, or verifying whether the APP server operates in a secure environment, or verifying whether the APP client and the MEP at the front end are legal.
Specifically, the first request may include an identification of the MEP, and may further include one or more of a serial number of the APP, an ID of the APP, a timestamp (timestamp), a counter (counter), and other parameters.
Wherein the identification of the MEP may be used to uniquely identify the MEP. The description of the APP serial number, APP ID, and timestamp may refer to fig. 4, and is not repeated. The counter may be the number of times of successfully requesting the first MAC, and the value of the counter is incremented by 1 each time the first MAC is successfully requested.
Specifically, the first request may be a fingerprint request, and the fingerprint request may be used to check whether the APP on the server or the APP server operates in a secure environment, or check the validity of the APP client and the MEP at the front end.
Step 1602: the terminal receives the first request and calculates a first MAC according to the identifier of the MEP.
The terminal calculating the first MAC according to the identifier of the MEP may include: the terminal calculates the first MAC according to the identifier of the MEP and the hardware security parameter. For example, the identifier of the MEP is input as an input parameter into the preset algorithm f to obtain the first MAC. Further, the terminal may also calculate the first MAC according to one or more other parameters such as a secret key, the serial number of the APP, the ID of the APP, a timestamp, and a counter. For example, one or more of the key, the serial number of the APP, the ID of the APP, the timestamp, the counter, and other parameters are input as input parameters into the preset algorithm f to obtain the first MAC.
Step 1603: the terminal sends the first MAC to the APP server.
Illustratively, the terminal sends a response of the first request to the APP server, and the response of the first request may include the first MAC. The response to the first request may include other information, in addition to carrying the first MAC, without limitation.
Step 1604: the APP server receives the first MAC and sends a second request to the MEP.
Wherein the second request may be for requesting a second MAC; the second request may carry the identification of the MEP, and may also carry other information, such as: the serial number of the APP, the ID of the APP, the timestamp, the counter, and the like. The identification of MEP, the serial number of APP, the ID of APP, the timestamp, and the description of the counter may refer to the above descriptions, which are not repeated herein.
Step 1605: the MEP receives the second request and calculates a second MAC according to the identifier of the MEP.
The MEP calculates the second MAC according to the identifier of the MEP in the same way that the terminal performs its calculation according to the identifier of the MEP in step 1602; details are not repeated here.
Step 1606: the MEP sends the second MAC to the APP server.
For example, the MEP may send a response to the second request to the APP server, and the response to the second request may include the second MAC.
Step 1607: the APP server receives the second MAC and compares the first MAC with the second MAC. If the first MAC is the same as the second MAC, the APP server determines that the APP is legal; if the first MAC is different from the second MAC, the APP server determines that the APP is illegal and that the operating environment of the APP server is unsafe.
It should be noted that, the execution action of the terminal described in fig. 16 may be executed by an agent module in the APP client in the terminal.
Based on the method shown in fig. 16, the front-end terminal may provide a check MAC value to the APP server, so that the APP server checks the validity of the APP by comparing the first MAC calculated by the front-end terminal with the second MAC. This effectively binds the front end and the back end, and by means of the front-end terminal, the server with the APP deployed at the back end also has copy prevention and cracking prevention characteristics.
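The Fig. 16 exchange can be traced end to end in the following added example, which is not code from the application. The application leaves the preset algorithm f unspecified, so HMAC-SHA256 keyed with the hardware security parameter is assumed here, as is a terminal and an MEP provisioned with the same parameter; all class names, identifiers and values are constructed for illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class MacRequest:
    """Fields the application lists for the first and second requests."""
    mep_id: str
    app_serial: str
    app_id: str
    timestamp: int
    counter: int


def preset_algorithm_f(hw_param: bytes, req: MacRequest) -> bytes:
    """Stand-in for the unspecified 'preset algorithm f'.

    Assumption: HMAC-SHA256 keyed with the hardware security parameter.
    Every field is length-prefixed so that ("ab", "c") and ("a", "bc")
    can never serialize to the same MAC input.
    """
    fields = [
        req.mep_id.encode(),
        req.app_serial.encode(),
        req.app_id.encode(),
        struct.pack(">Q", req.timestamp),
        struct.pack(">Q", req.counter),
    ]
    msg = b"".join(struct.pack(">I", len(x)) + x for x in fields)
    return hmac.new(hw_param, msg, hashlib.sha256).digest()


class MacParty:
    """Answers MAC requests: the terminal (step 1602) or the MEP (step 1605)."""

    def __init__(self, hw_param: bytes):
        self._hw_param = hw_param  # never leaves this party

    def compute_mac(self, req: MacRequest) -> bytes:
        return preset_algorithm_f(self._hw_param, req)


class AppServer:
    """Drives the exchange and makes the step 1607 decision."""

    def __init__(self, mep_id, app_serial, app_id, terminal, mep):
        self.mep_id, self.app_serial, self.app_id = mep_id, app_serial, app_id
        self.terminal, self.mep = terminal, mep
        self.counter = 0  # number of successful first-MAC requests

    def new_request(self, now: int) -> MacRequest:
        return MacRequest(self.mep_id, self.app_serial, self.app_id,
                          now, self.counter)

    def verify(self, req: MacRequest, first_mac: bytes) -> bool:
        """Steps 1604-1607: fetch the second MAC and compare."""
        second_mac = self.mep.compute_mac(req)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(first_mac, second_mac)

    def run_check(self, now: int) -> bool:
        req = self.new_request(now)
        first_mac = self.terminal.compute_mac(req)  # steps 1601-1603
        self.counter += 1  # first MAC was successfully requested
        return self.verify(req, first_mac)


def demo() -> dict:
    hw = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed value
    terminal = MacParty(hw)
    # Licensed deployment: the MEP holds the same parameter as the terminal.
    licensed = AppServer("mep-001", "SN-0001", "app-42", terminal, MacParty(hw))
    # Copied APP server behind an MEP provisioned with a different parameter.
    copied = AppServer("mep-999", "SN-0001", "app-42", terminal,
                       MacParty(b"\x01" * 16))

    t0 = 1_700_000_000  # constructed timestamps
    stale_mac = terminal.compute_mac(licensed.new_request(t0))
    licensed_ok = licensed.run_check(t0)
    # A first MAC kept from the earlier round fails against a fresh request,
    # because timestamp and counter are part of the MAC input.
    stale_ok = licensed.verify(licensed.new_request(t0 + 60), stale_mac)
    return {"licensed": licensed_ok,
            "copied": copied.run_check(t0),
            "stale_first_mac": stale_ok}


if __name__ == "__main__":
    print(demo())
```

The timestamp and counter only give freshness if the verifier builds a new request for every check, which is why `new_request` reads the current counter rather than reusing an earlier request.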
Fig. 17 is a flowchart of an anti-cracking method provided in an embodiment of the present application, where the method may be interactively executed by a terminal deployed with an APP client, an APP server, and an NFVI, a TLS connection is established between the terminal and the APP server, a security module is deployed in the NFVI, and a hardware security parameter is preconfigured in the security module. As shown in fig. 17, the method may include:
Step 1701: the NFVI sends the hardware security parameters to the APP server.
The hardware security parameters may be pre-configured in the security module in the NFVI, and the description of the hardware security parameters may refer to the description in the foregoing method embodiment, which is not repeated herein.
Specifically, the actions specified by NFVI in the method shown in fig. 17 may be performed by a security module within NFVI.
Step 1702: the APP server receives the hardware security parameters and sends a first request to the terminal.
The first request may be for requesting a first MAC, and the first MAC may be used for verifying whether the APP is legitimate.
Specifically, the first request may include an identification of the MEP and hardware security parameters, and may further include one or more of a serial number of the APP, an ID of the APP, a timestamp, a counter, and other parameters. The identification of MEP, the serial number of APP, the ID of APP, the timestamp, and the description of the counter may refer to the above descriptions, which are not repeated herein.
Step 1703: the terminal receives the first request and calculates a first MAC according to the identifier of the MEP and the hardware security parameter.
The terminal calculating the first MAC according to the identifier of the MEP may include: the terminal calculates the first MAC according to the identifier of the MEP and the hardware security parameter. For example, the identifier of the MEP and the hardware security parameter are input as input parameters into the preset algorithm f to obtain the first MAC. Further, the terminal may also calculate the first MAC according to one or more other parameters such as a secret key, the serial number of the APP, the ID of the APP, a timestamp, and a counter. For example, one or more of the key, the serial number of the APP, the ID of the APP, the timestamp, the counter, and other parameters are input as input parameters into the preset algorithm f to obtain the first MAC.
Step 1704: the terminal sends the first MAC to the APP server.
Illustratively, the terminal sends a response of the first request to the APP server, and the response of the first request may include the first MAC. The response to the first request may include other information, in addition to carrying the first MAC, without limitation.
Step 1705: the APP server receives the first MAC and sends a second request to the NFVI.
Wherein the second request may be for requesting a second MAC; the second request may carry the identification of the MEP, and may also carry other information, such as: the serial number of the APP, the ID of the APP, the timestamp, the counter, and the like. The identification of MEP, the serial number of APP, the ID of APP, the timestamp, and the description of the counter may refer to the above descriptions, which are not repeated herein.
Step 1706: the NFVI receives the second request and calculates a second MAC according to the identifier of the MEP and the hardware security parameter.
The process of obtaining the second MAC by the NFVI according to the MEP identifier and the hardware security parameter may refer to the process of calculating the first MAC by the terminal in step 1703, which is not described in detail.
Step 1707: the NFVI sends the second MAC to the APP server.
For example, the NFVI may send a response to the second request to the APP server, and the response to the second request may include the second MAC.
Step 1708: the APP server receives the second MAC and compares the first MAC with the second MAC. If the first MAC is the same as the second MAC, the APP server determines that the APP is legal; if the first MAC is different from the second MAC, the APP server determines that the APP is illegal.
Alternatively, step 1707 and step 1708 may not be performed, but the first MAC is carried in the second request and sent to the NFVI, after the NFVI calculates the second MAC, the first MAC and the second MAC are compared, if the first MAC is the same as the second MAC, it is determined that the APP is legal, and if the first MAC is different from the second MAC, it is determined that the APP is illegal.
It should be noted that, the execution action of the terminal described in fig. 17 may be executed by an agent module in the APP client in the terminal.
Based on the method shown in fig. 17, the APP server may send the hardware security parameters in the NFVI to the terminal, the terminal at the front end calculates the MAC value according to the hardware security parameters, and provides the check MAC value to the APP server, so that the APP server performs the check on the APP validity according to the MAC calculated by the NFVI and the MAC calculated by the terminal, and effectively binds the front end and the back end, and the server with the APP deployed at the back end also has the copy prevention and cracking prevention characteristics by means of the terminal at the front end.
Fig. 18 is a flowchart of an anti-cracking method provided in the embodiment of the present application, where the method may be interactively executed by a terminal deployed with an APP client, an APP server, an MEP, and an NFVI, a TLS connection is established between the terminal and the APP server, and a TLS connection is established between the APP server and the MEP; as shown in fig. 18, the method may include:
Step 1801: the NFVI sends hardware security parameters to the MEP.
The hardware security parameters may be pre-configured in the security module in the NFVI, and the description of the hardware security parameters may refer to the description in the foregoing method embodiment, which is not repeated herein.
Specifically, the actions specified by NFVI in the method shown in fig. 18 may be performed by a security module within NFVI.
Step 1802: the MEP receives the hardware security parameters and sends the hardware security parameters to the APP server.
Step 1803: the APP server receives the hardware security parameters and sends a first request to the terminal.
The first request may be for requesting a first MAC, and the first MAC may be used for verifying whether the APP is legitimate.
Specifically, the first request may include an identification of the MEP and hardware security parameters, and may further include one or more of a serial number of the APP, an ID of the APP, a timestamp, a counter, and other parameters. The identification of MEP, the serial number of APP, the ID of APP, the timestamp, and the description of the counter may refer to the above descriptions, which are not repeated herein.
Step 1804: the terminal receives the first request and calculates a first MAC according to the identifier of the MEP and the hardware security parameter.
The process of calculating, by the terminal, the first MAC according to the MEP identifier and the hardware security parameter is as described in step 1703 in the method shown in fig. 17, which is not described in detail.
Step 1805: the terminal sends the first MAC to the APP server.
Illustratively, the terminal sends a response of the first request to the APP server, and the response of the first request may include the first MAC. The response to the first request may include other information, in addition to carrying the first MAC, without limitation.
Step 1806: the APP server receives the first MAC and sends a second request to the MEP.
Wherein the second request may be for requesting a second MAC; the second request may carry the identification of the MEP, and may also carry other information, such as: the serial number of the APP, the ID of the APP, the timestamp, the counter, and the like. The identification of MEP, the serial number of APP, the ID of APP, the timestamp, and the description of the counter may refer to the above descriptions, which are not repeated herein.
Step 1807: the MEP receives the second request and sends the second request to the NFVI.
Step 1808: the NFVI receives the second request and calculates a second MAC according to the identifier of the MEP and the hardware security parameter.
The NFVI calculates the second MAC according to the identifier of the MEP and the hardware security parameter in the same way that the terminal performs its calculation according to the identifier of the MEP and the hardware security parameter in step 1804; details are not repeated here.
Step 1809: the NFVI sends the second MAC to the MEP.
Step 1810: the MEP sends the second MAC to the APP server.
For example, the MEP may send a response to the second request to the APP server, and the response to the second request may include the second MAC.
Step 1811: the APP server receives the second MAC and compares the first MAC with the second MAC. If the first MAC is the same as the second MAC, the APP server determines that the APP is legal; if the first MAC is different from the second MAC, the APP server determines that the APP is illegal.
Alternatively, step 1809 to step 1811 may not be executed, but the first MAC is carried in the second request and sent to the MEP, the MEP sends the second request to the NFVI, the NFVI compares the first MAC with the second MAC after calculating the second MAC, if the first MAC is the same as the second MAC, it is determined that the APP is legal, and if the first MAC is different from the second MAC, it is determined that the APP is illegal.
It should be noted that, the execution actions of the terminal described in fig. 18 may be executed by an agent module in the APP client in the terminal.
Based on the method shown in fig. 18, the NFVI sends the hardware security parameters in the NFVI to the terminal through the MEP and the APP server. The terminal at the front end calculates a MAC value according to the hardware security parameters and provides the check MAC value to the APP server, and the NFVI server calculates a MAC value according to the hardware security parameters and provides the check MAC value to the APP server through the MEP. The APP server then checks the validity of the APP according to the MAC calculated by the terminal and the MAC calculated by the NFVI. This effectively binds the front end and the back end, and by means of the front-end terminal, the server with the APP deployed at the back end also has copy prevention and cracking prevention characteristics.
Fig. 19 is a flowchart of an anti-cracking method provided in this embodiment, where the method may be interactively executed by a terminal deployed with an APP client, an APP server, and an NFVI, a TLS connection is established between the terminal and the APP server, and hardware security parameters are pre-configured in a security module in the terminal and a security module in the NFVI, and the related description of the hardware security parameters may refer to the above description and is not repeated; as shown in fig. 19, the method may include:
Step 1901: the APP server sends a first request to an agent module within the APP client.
The first request may be for requesting a first MAC, and the first MAC may be used for verifying whether the APP is legitimate.
Specifically, the first request may include an identification of the MEP, and may further include one or more of a serial number of the APP, an ID of the APP, a timestamp, a counter, and other parameters. The identification of MEP, the serial number of APP, the ID of APP, the timestamp, and the description of the counter may refer to the above descriptions, which are not repeated herein.
Step 1902: the agent module in the APP client receives the first request and sends the first request to the security module of the terminal.
Step 1903: the security module of the terminal receives the first request and calculates a first MAC according to the identifier of the MEP and the hardware security parameters.
The process of obtaining the first MAC by the security module of the terminal according to the identification of the MEP and the hardware security parameter is as described in step 1703 in the method shown in fig. 17, which is not described in detail.
Step 1904: a security module in the terminal sends a first MAC to an agent module in the APP client.
Step 1905: the agent module in the APP client receives the first MAC and sends the first MAC to the APP server.
Illustratively, a proxy module within the APP client sends a response to the first request to the APP server, which may include the first MAC.
Step 1906: the APP server receives the first MAC and sends a second request to the NFVI.
Wherein the second request may be for requesting a second MAC; the second request may carry the identification of the MEP, and may also carry other information, such as: the serial number of the APP, the ID of the APP, the timestamp, the counter, and the like. The identification of MEP, the serial number of APP, the ID of APP, the timestamp, and the description of the counter may refer to the above descriptions, which are not repeated herein.
Step 1907: the NFVI receives the second request and calculates a second MAC according to the identifier of the MEP and the hardware security parameter.
The NFVI calculates the second MAC according to the identifier of the MEP and the hardware security parameter in the same way that the security module of the terminal performs its calculation according to the identifier of the MEP and the hardware security parameter in step 1903; details are not repeated here.
Specifically, the actions specified by NFVI in the method shown in fig. 19 may be performed by a security module within NFVI.
Step 1908: the NFVI sends the second MAC to the APP server.
For example, the NFVI may send a response to the second request to the APP server, and the response to the second request may include the second MAC.
Step 1909: the APP server receives the second MAC and compares the first MAC with the second MAC. If the first MAC is the same as the second MAC, the APP server determines that the APP is legal; if the first MAC is different from the second MAC, the APP server determines that the APP is illegal.
Alternatively, step 1906 to step 1907 may not be performed, but the first MAC is carried in the second request and sent to the MEP, the MEP sends the second request to the NFVI, the NFVI compares the first MAC with the second MAC after calculating the second MAC, if the first MAC is the same as the second MAC, it is determined that the APP is legal, and if the first MAC is different from the second MAC, it is determined that the APP is illegal.
It should be noted that, the execution action of the terminal described in fig. 19 may be executed by an agent module in the APP client in the terminal.
Based on the method shown in fig. 19, the front-end terminal may calculate the MAC value according to the hardware security parameter and provide the check MAC value to the APP server, and the NFVI server may calculate the MAC value according to the hardware security parameter and provide the check MAC value to the APP server, so that the APP server may check the validity of the APP according to the MAC calculated by the terminal and the MAC calculated by the NFVI. This effectively binds the front end and the back end, and by means of the front-end terminal, the server with the APP deployed at the back end also has copy prevention and cracking prevention characteristics.
Fig. 20 is a flowchart of an anti-cracking method provided in the embodiment of the present application, where the method may be interactively executed by a terminal deployed with an APP client and an APP server, and a TLS connection is established between the terminal and the APP server. Hardware security parameters are pre-configured in a security module in the terminal; for the description of the hardware security parameters, refer to the above, which is not repeated. As shown in fig. 20, the method may include:
Step 2001: the APP server sends a first request to an agent module within the APP client.
The first request may be for requesting a first MAC, and the first MAC may be used for verifying whether the APP is legitimate.
Specifically, the first request may include an identification of the MEP, and may further include one or more of a serial number of the APP, an ID of the APP, a timestamp, a counter, and other parameters. For descriptions of the identification of the MEP, the serial number of the APP, the ID of the APP, the timestamp, and the counter, refer to the above; they are not repeated here.
Step 2002: The agent module of the APP client receives the first request and sends the first request to the security module in the terminal.
Step 2003: The security module of the terminal receives the first request and calculates a first MAC according to the identification of the MEP and the hardware security parameters.
The process by which the security module of the terminal obtains the first MAC according to the identification of the MEP and the hardware security parameter is as described in step 1703 of the method shown in fig. 17, and is not described in detail here.
Step 2004: The security module in the terminal sends the first MAC to the agent module in the APP client.
Step 2005: The agent module in the APP client receives the first MAC and sends the first MAC to the APP server.
For example, the agent module within the APP client sends a response to the first request to the APP server. The response to the first request may include the first MAC and, in addition to the first MAC, includes the hardware security parameters.
Step 2006: The APP server receives the first MAC and calculates a second MAC according to the identification of the MEP and the hardware security parameter.
For the process by which the APP server calculates the second MAC according to the identifier of the MEP and the hardware security parameter, refer to the process by which the terminal calculates the first MAC according to the identifier of the MEP and the hardware security parameter; it is not described in detail here.
Step 2007: The APP server compares the first MAC with the second MAC. If the first MAC is the same as the second MAC, the APP is determined to be legal; if the first MAC is different from the second MAC, the APP is determined to be illegal.
It should be noted that the actions of the terminal described in fig. 20 may be executed by an agent module in the APP client in the terminal.
Based on the method shown in fig. 20, the front-end terminal may calculate a MAC value according to the hardware security parameter and provide it to the APP server for checking, and the APP server may calculate a MAC value according to the hardware security parameter and check the validity of the APP according to the MAC calculated by the terminal and the MAC calculated by itself. This effectively binds the front end and the back end, so that the back-end server on which the APP is deployed also gains copy-prevention and cracking-prevention characteristics by way of the front-end terminal.
Fig. 21 is a flowchart of an anti-cracking method provided in this embodiment. The method may be interactively executed by a terminal on which an APP client is deployed, an APP server, an MEP, and an NFVI. A TLS connection is established between the terminal and the APP server, and a TLS connection is established between the APP server and the MEP. Both the terminal and the NFVI are preconfigured with hardware security parameters; for a description of the hardware security parameters, refer to the above, which is not repeated here. As shown in fig. 21, the method may include:
Step 2101: The APP server sends a first request to an agent module within the APP client.
The first request may be for requesting a first MAC, and the first MAC may be used for verifying whether the APP is legitimate.
Specifically, the first request may include an identification of the MEP, and may further include one or more of a serial number of the APP, an ID of the APP, a timestamp, a counter, and other parameters. For descriptions of the identification of the MEP, the serial number of the APP, the ID of the APP, the timestamp, and the counter, refer to the above; they are not repeated here.
Step 2102: The agent module of the APP client receives the first request and sends the first request to the security module in the terminal.
Step 2103: The security module of the terminal receives the first request and calculates a first MAC according to the identification of the MEP and the hardware security parameters.
The process by which the security module of the terminal obtains the first MAC according to the identification of the MEP and the hardware security parameter is as described in step 1703 of the method shown in fig. 17, and is not described in detail here.
Step 2104: The security module in the terminal sends the first MAC to the agent module in the APP client.
Step 2105: The agent module in the APP client receives the first MAC and sends the first MAC to the APP server.
For example, the agent module within the APP client sends a response to the first request to the APP server, and the response may include the first MAC.
Step 2106: the APP server receives the first MAC and sends a second request to the MEP.
The second request may be used to request a second MAC. The second request may carry the identification of the MEP, and may also carry other information, such as the serial number of the APP, the ID of the APP, the timestamp, the counter, and the like. For descriptions of the identification of the MEP, the serial number of the APP, the ID of the APP, the timestamp, and the counter, refer to the above; they are not repeated here.
Step 2107: The MEP receives the second request and sends the second request to the NFVI.
Step 2108: The NFVI receives the second request and calculates a second MAC according to the identification of the MEP and the hardware security parameter.
The process by which the NFVI calculates the second MAC according to the identifier of the MEP and the hardware security parameter is the same as the process of obtaining the second MAC by the terminal through calculation according to the identifier of the MEP and the hardware security parameter, and is not repeated here.
Specifically, the actions performed by the NFVI in the method shown in fig. 21 may be performed by a security module within the NFVI.
Step 2109: the NFVI sends the second MAC to the MEP.
Step 2110: the MEP sends the second MAC to the APP server.
For example, the MEP may send a response to the second request to the APP server, and the response to the second request may include the second MAC.
Step 2111: The APP server receives the second MAC and compares the first MAC with the second MAC. If the first MAC is the same as the second MAC, the APP server determines that the APP is legal; if the first MAC is different from the second MAC, it determines that the APP is illegal.
Alternatively, step 2107 to step 2109 may be skipped. Instead, the first MAC is carried in the second request and sent to the MEP, and the MEP sends the second request to the NFVI. After calculating the second MAC, the NFVI compares the first MAC with the second MAC: if they are the same, the APP is determined to be legal, and if they are different, the APP is determined to be illegal.
It should be noted that the actions of the terminal described in fig. 21 may be executed by an agent module in the APP client in the terminal.
Based on the method shown in fig. 21, the front-end terminal may calculate a MAC value according to the hardware security parameter and provide it to the APP server for checking, and the APP server requests the NFVI to calculate a MAC value according to the hardware security parameter and checks the validity of the APP according to the MAC calculated by the terminal and the MAC calculated by the NFVI. This effectively binds the front end and the back end, so that the back-end server on which the APP is deployed also gains copy-prevention and cracking-prevention characteristics by way of the front-end terminal.
Fig. 22 is a flowchart of an anti-cracking method provided in this embodiment. The method may be interactively executed by a terminal on which an APP client is deployed, an APP server, and an MEP platform. A TLS connection is established between the terminal and the APP server, and a TLS connection is established between the APP server and the MEP. A hardware security parameter is preconfigured in the terminal; for a description of the hardware security parameter, refer to the above, which is not repeated here. As shown in fig. 22, the method may include:
Step 2201: The APP server sends a first request to an agent module within the APP client.
The first request may be for requesting a first MAC, and the first MAC may be used for verifying whether the APP is legitimate.
Specifically, the first request may include an identification of the MEP, and may further include one or more of a serial number of the APP, an ID of the APP, a timestamp, a counter, and other parameters. For descriptions of the identification of the MEP, the serial number of the APP, the ID of the APP, the timestamp, and the counter, refer to the above; they are not repeated here.
Step 2202: The agent module of the APP client receives the first request and sends the first request to the security module in the terminal.
Step 2203: The security module of the terminal receives the first request and calculates a first MAC according to the identification of the MEP and the hardware security parameters.
The process by which the security module in the terminal obtains the first MAC according to the MEP identifier and the hardware security parameter is as described in step 1703 of the method shown in fig. 17, and is not described in detail here.
Step 2204: a security module in the terminal sends a first MAC to an agent module in the APP client.
Step 2205: and the agent module in the APP client receives the first MAC and sends the first MAC to the APP server.
Illustratively, the terminal sends a response of the first request to the APP server, and the response of the first request may include the first MAC and the hardware security parameters.
Step 2206: the APP server receives the first MAC and sends a second request to the MEP.
The second request may be used to request a second MAC. The second request may carry the identification of the MEP and the hardware security parameters, and may also carry other information, such as the serial number of the APP, the ID of the APP, the timestamp, the counter, and the like. For descriptions of the identification of the MEP, the serial number of the APP, the ID of the APP, the timestamp, and the counter, refer to the above; they are not repeated here.
Step 2207: The MEP receives the second request and calculates a second MAC according to the identification of the MEP and the hardware security parameters.
The process by which the MEP calculates the second MAC according to the identifier of the MEP and the hardware security parameter is the same as the process of the terminal obtaining the second MAC through calculation according to the identifier of the MEP and the hardware security parameter, and details are omitted here.
Step 2208: the MEP sends the second MAC to the APP server.
For example, the MEP may send a response to the second request to the APP server, and the response to the second request may include the second MAC.
Step 2209: The APP server receives the second MAC and compares the first MAC with the second MAC. If the first MAC is the same as the second MAC, the APP server determines that the APP is legal; if the first MAC is different from the second MAC, it determines that the APP is illegal.
Based on the method shown in fig. 22, the front-end terminal may calculate a MAC value according to the hardware security parameter and provide it to the APP server for checking, and the APP server may calculate a MAC value according to the hardware security parameter and check the validity of the APP according to the MAC calculated by the terminal and the MAC calculated by itself. This effectively binds the front end and the back end, so that the back-end server on which the APP is deployed also gains copy-prevention and cracking-prevention characteristics by way of the front-end terminal.
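The challenge-response check shared by the methods of figs. 20 to 22 can be sketched as follows; this is an added example, not code from the application, and it follows the fig. 20 case in which the APP server computes the second MAC itself (in figs. 21 and 22 the NFVI or the MEP computes it instead). HMAC-SHA256, the field encoding, the one-use counter, the 30-second age limit, the server already holding the licensed terminal's hardware security parameter, and all class and function names are assumptions, since the MAC calculation of step 1703 is not reproduced in this part of the text.

```python
import hashlib
import hmac
import struct

def compute_mac(hw_param, mep_id, app_id, timestamp, counter):
    """MAC keyed with the hardware security parameter (HMAC-SHA256 is assumed)."""
    fields = [mep_id.encode(), app_id.encode(),
              struct.pack(">Q", timestamp), struct.pack(">Q", counter)]
    # Length-prefix every field so two different field tuples never serialize alike.
    msg = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return hmac.new(hw_param, msg, hashlib.sha256).digest()

class SecurityModule:
    """Terminal-side security module holding the pre-configured parameter."""
    def __init__(self, hw_param):
        self._hw_param = hw_param

    def first_mac(self, req):  # step 2003
        return compute_mac(self._hw_param, req["mep_id"], req["app_id"],
                           req["timestamp"], req["counter"])

class AppServer:
    """APP server; assumed to already hold the licensed terminal's parameter."""
    def __init__(self, mep_id, app_id, hw_param, max_age=30):
        self.mep_id, self.app_id = mep_id, app_id
        self._hw_param, self.max_age = hw_param, max_age
        self._counter, self._pending = 0, {}

    def first_request(self, now):  # step 2001
        self._counter += 1
        req = {"mep_id": self.mep_id, "app_id": self.app_id,
               "timestamp": now, "counter": self._counter}
        self._pending[self._counter] = req
        return req

    def verify(self, counter, first_mac, now):  # steps 2006 and 2007
        # Each request is consumed once, so a replayed response finds nothing.
        req = self._pending.pop(counter, None)
        if req is None or now - req["timestamp"] > self.max_age:
            return False
        second_mac = compute_mac(self._hw_param, req["mep_id"], req["app_id"],
                                 req["timestamp"], req["counter"])
        return hmac.compare_digest(first_mac, second_mac)  # constant-time compare

def run_demo():
    """Constructed values: licensed terminal, replay, copied APP, late reply."""
    licensed, other = b"\x11" * 32, b"\x22" * 32
    server = AppServer("mep-01", "app-42", licensed)
    r1 = server.first_request(now=1000)
    mac1 = SecurityModule(licensed).first_mac(r1)
    ok = server.verify(r1["counter"], mac1, now=1001)
    replay = server.verify(r1["counter"], mac1, now=1002)
    r2 = server.first_request(now=1010)
    copied = server.verify(r2["counter"], SecurityModule(other).first_mac(r2), now=1011)
    r3 = server.first_request(now=1020)
    stale = server.verify(r3["counter"], SecurityModule(licensed).first_mac(r3), now=1100)
    return {"licensed": ok, "replay": replay, "copied": copied, "stale": stale}

if __name__ == "__main__":
    print(run_demo())
```

Only the response computed on the licensed terminal, returned once and within the age limit, is accepted; the replayed, copied-APP and late responses are all rejected.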
It should be noted that the terms "first" and "second" and the like in the description, claims and drawings of the present application are used for distinguishing different objects and not for describing a particular order. Furthermore, the terms "include" and "have," as well as any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or apparatus.
It should be understood that in the present application, "at least one" means one or more, "a plurality" means two or more, and "at least two" means two, or three or more. "And/or" describes an association relationship between associated objects and means that three relationships may exist; for example, "A and/or B" may mean: only A is present, only B is present, or both A and B are present, where A and B may be singular or plural. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. "At least one of the following" or similar expressions refer to any combination of these items, including any combination of a single item or plural items. For example, at least one of a, b, or c represents: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", where a, b, and c may be single or plural.
Through the above description of the embodiments, it is clear to those skilled in the art that, for convenience and simplicity of description, the foregoing division of the functional modules is merely used as an example, and in practical applications, the above function distribution may be completed by different functional modules according to needs, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the above described functions.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described device embodiments are merely illustrative. The division of the modules or units is only one logical functional division, and there may be other divisions in an actual implementation; for example, a plurality of units or components may be combined or integrated into another device, or some features may be omitted or not executed. In addition, the shown or discussed mutual coupling, direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may be one physical unit or a plurality of physical units, that is, may be located in one place, or may be distributed in a plurality of different places. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The method provided by the embodiment of the present application may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, the method may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the invention are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, a network appliance, a terminal, or other programmable apparatus. The computer instructions may be stored on a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via wire (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or a data center, that incorporates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., Digital Video Disk (DVD)), or a semiconductor medium (e.g., SSD), among others.
The above description is only an embodiment of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions within the technical scope of the present disclosure should be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.