CN120470602A

CN120470602A - Device encryption authorization method, system, storage medium and product

Info

Publication number: CN120470602A
Application number: CN202510530049.6A
Authority: CN
Inventors: 陈文明; 张世明; 吕周谨; 刘昊; 冯铭波; 倪世坤; 陈永金; 李达钦
Original assignee: Shenzhen Emeet Technology Co ltd
Current assignee: Shenzhen Emeet Technology Co ltd
Priority date: 2025-04-25
Filing date: 2025-04-25
Publication date: 2025-08-12

Abstract

The present application discloses a device encryption authorization method, system, storage medium, and product, which relate to the field of chip encryption technology, including: when the host computer has not authorized the target device, responding to the encryption request initiated by the host computer and actively initiating an encryption challenge to the host computer to ensure that the host computer has legal authorization capabilities; once the encryption challenge is successful, the target device will encrypt its stored device identifier, generate a first identifier, and send it to the host computer; the host computer decrypts the first identifier to obtain a second identifier, and at the same time generates a target key, decrypts the second identifier with the target key, and sends the encrypted identifier and target key to the target device; the target device receives and stores the encrypted identifier and target key returned by the host computer, thereby completing the encryption authorization of the target device. The present application solves the technical problem of how to effectively prevent the theft and illegal use of firmware.

Description

Device encryption authorization method, system, storage medium and product

Technical Field

The present application relates to the field of chip encryption technologies, and in particular, to a device encryption authorization method, an electronic device, a storage medium, and a computer program product.

Background

In applications of embedded devices, firmware is used as a core carrier of device functions, and bears important technical and commercial values, and security and intellectual property protection thereof become key requirements of industry. However, with the wide application of embedded devices in the fields of smart home, industrial automation, medical equipment and the like, the risks of firmware theft and illegal use are obviously increased, so that the market of legal products is damaged, and the safety and privacy of users face threats. Therefore, there is a problem in the current firmware protection of embedded devices how to effectively prevent the firmware from being stolen and illegally used.

The foregoing is provided merely for the purpose of facilitating understanding of the technical solutions of the present application and is not intended to represent an admission that the foregoing is prior art.

Disclosure of Invention

The application mainly aims to provide a device encryption and authorization method, electronic device, storage medium and computer program product, which aim to solve the technical problem of how to effectively prevent firmware from being stolen and illegally used.

In order to achieve the above object, the present application provides a device encryption and authorization method applied to a target device, where the target device stores a device identifier, the device encryption and authorization method includes:

Under the condition that the upper computer does not authorize the target equipment, responding to an encryption request initiated by the upper computer, and initiating an encryption challenge to the upper computer;

encrypting the equipment identifier under the condition that the encryption challenge is successful, obtaining a first identifier and sending the first identifier to the upper computer;

And receiving and storing the encrypted identifier and the target key sent by the upper computer to obtain the encryption authorization of the upper computer, wherein the encrypted identifier is generated by encrypting a second identifier by the target key generated by the upper computer, and the second identifier is obtained by decrypting the first identifier by the upper computer.

In an embodiment, the target device is provided with a database, and before the step of responding to the encryption request initiated by the upper computer, the method further includes:

detecting whether an encryption identifier and a target key are stored in the database;

determining that the authorization status of the target device is unauthorized if the encrypted identifier and the target key are not stored in the database;

And under the condition that the encrypted identifier and the target key are stored in the database, decrypting the encrypted identifier by using the target key to obtain a plaintext identifier, and under the condition that the plaintext identifier is inconsistent with the equipment identifier, judging that the authorization state of the target equipment is unauthorized.

In an embodiment, the target device further comprises a primary partition and a backup partition, and the step of decrypting the encrypted identifier with the target key further comprises:

Determining an error partition and a correct partition in the main partition and the backup partition under the condition that the encryption identifier in the main partition is inconsistent with the encryption identifier in the backup partition, and restoring the encryption identifier of the error partition by using the encryption identifier of the correct partition;

And under the condition that the target key in the main partition is inconsistent with the target key in the backup partition, determining an error partition and a correct partition in the main partition and the backup partition, and restoring the target key of the error partition by using the target key of the correct partition.

In an embodiment, the target device further stores a preset key, and the step of initiating the encryption challenge to the upper computer includes:

generating a first random number, and encrypting the first random number by using the preset key to obtain a first ciphertext;

And sending an opening challenge notice to the upper computer, wherein the opening challenge notice carries the first ciphertext, and the first ciphertext is decrypted by the upper computer and then is calculated based on a preset challenge algorithm to obtain a challenge random number.

In an embodiment, the step of initiating the encryption challenge to the upper computer further includes:

receiving a challenge result of the encryption challenge returned by the upper computer, wherein the challenge result comprises a first calculation result of a first random number generated by the upper computer on the target equipment based on a preset challenge algorithm;

and calculating the first random number based on a preset challenge algorithm to obtain a second calculation result, verifying whether the first calculation result is consistent with the second calculation result, and judging that the encryption challenge is successful under the condition that the first calculation result is consistent with the second calculation result.

The device encryption and authorization method is applied to an upper computer and comprises the following steps:

Under the condition that the target equipment is not authorized, an encryption request is initiated to the target equipment, and an encryption challenge initiated by the target equipment is responded;

Receiving a first identifier sent by the target equipment under the condition that the encryption challenge is successful, wherein the first identifier is obtained by encrypting the equipment identifier by the target equipment, and the equipment identifier is stored in the target equipment;

decrypting the first identifier to obtain a second identifier, generating a target key, encrypting the second identifier based on the target key to obtain an encrypted identifier, and sending the encrypted identifier and the target key to the target device to carry out encryption authorization on the target device.

In an embodiment, the upper computer is provided with a random number generation module, and the step of generating the target key includes:

Generating random binary data corresponding to a preset key length parameter through a random number generation module;

Performing format verification on the random binary data, removing random binary data which does not accord with preset key specifications, and generating standardized key original data;

And converting the standardized key original data into a character string format to obtain a target key.

In addition, in order to achieve the above object, the present application also proposes a device encryption and authorization system including a target device and an upper computer, the target device storing a device identifier, the device encryption and authorization system including:

the target equipment is used for responding to an encryption request initiated by the upper computer and initiating an encryption challenge to the upper computer under the condition that the upper computer does not authorize the target equipment;

The upper computer is used for initiating an encryption request to the target equipment under the condition that the target equipment is not authorized, and responding to the encryption challenge initiated by the target equipment;

In addition, in order to achieve the above object, the application also proposes an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the computer program being configured to implement the steps of the device encryption authorization method as described above.

In addition, to achieve the above object, the present application also proposes a storage medium, which is a computer-readable storage medium, on which a computer program is stored, which when being executed by a processor implements the steps of the device encryption authorization method as described above.

Furthermore, to achieve the above object, the present application provides a computer program product comprising a computer program which, when executed by a processor, implements the steps of a device encryption authorization method as described above.

The application provides a device encryption authorization method, which is applied to target devices, wherein the target devices store device identifiers, and the device encryption authorization method comprises the following steps: under the condition that the upper computer does not authorize the target equipment, responding to an encryption request initiated by the upper computer, and initiating an encryption challenge to the upper computer; and receiving and storing the encrypted identifier and the target key sent by the upper computer to obtain encryption authorization of the upper computer, wherein the encrypted identifier is generated by encrypting a second identifier by the target key generated by the upper computer, and the second identifier is obtained by decrypting the first identifier by the upper computer.

The device encryption authorization method comprises the steps of initiating an encryption request to target devices under the condition that the target devices are not authorized, responding to encryption challenges initiated by the target devices, receiving first identifiers sent by the target devices under the condition that the encryption challenges are successful, wherein the first identifiers are obtained by encrypting the device identifiers by the target devices, the device identifiers are stored in the target devices, decrypting the first identifiers to obtain second identifiers, generating target keys, encrypting the second identifiers based on the target keys to obtain encryption identifiers, and sending the encryption identifiers and the target keys to the target devices so as to carry out encryption authorization on the target devices.

The application responds to the encryption request initiated by the upper computer and initiatively initiates an encryption challenge to the upper computer under the condition that the upper computer does not authorize the target equipment, the encryption challenge is used for ensuring that the upper computer has legal authorization capability, once the encryption challenge succeeds, the target equipment can encrypt the equipment identifier stored by the upper computer to generate a first identifier and send the first identifier to the upper computer, the upper computer decrypts the first identifier to obtain a second identifier, and simultaneously generates a target secret key, decrypts the second identifier by using the target secret key, and sends the encryption identifier and the target secret key to the target equipment, and the target equipment receives and stores the encryption identifier returned by the upper computer and the target secret key, thereby completing the encryption authorization of the target equipment. Compared with the related scheme, the method is difficult to effectively cope with risks of firmware theft and illegal use, and by introducing encryption challenges and a two-way verification mechanism, a tighter and reliable authorization process is constructed, so that the accuracy of the authorization process is improved, and an attacker is effectively prevented from illegally using the firmware by cracking or forging authorization information.

Drawings

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.

In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the description of the embodiments or the prior art will be briefly described below, and it will be obvious to those skilled in the art that other drawings can be obtained from these drawings without inventive effort.

FIG. 1 is a schematic flow chart of a method for encrypting and authorizing a device according to an embodiment of the present application;

FIG. 2 is a flow chart of a timed task provided by the present application;

Fig. 3 is a schematic flow chart of a second embodiment of an encryption and authorization method of the device according to the present application;

FIG. 4 is an overall flow chart provided by the present application;

FIG. 5 is a timing diagram of the authorization provided by the present application;

FIG. 6 is a schematic block diagram of an encryption and authorization system of an embodiment of the present application;

fig. 7 is a schematic device structure diagram of a hardware operating environment related to a device encryption and authorization method in an embodiment of the present application.

The achievement of the objects, functional features and advantages of the present application will be further described with reference to the accompanying drawings, in conjunction with the embodiments.

Detailed Description

It should be understood that the specific embodiments described herein are merely illustrative of the technical solution of the present application and are not intended to limit the present application.

For a better understanding of the technical solution of the present application, the following detailed description will be given with reference to the drawings and the specific embodiments.

The method for encrypting and authorizing the target equipment is applied to the target equipment, the target equipment stores the equipment identifier, the method comprises the steps of responding to an encryption request initiated by an upper computer under the condition that the upper computer does not authorize the target equipment, initiating an encryption challenge to the upper computer, encrypting the equipment identifier to obtain a first identifier and sending the first identifier to the upper computer under the condition that the encryption challenge is successful, and receiving and storing the encryption identifier and the target key sent by the upper computer to obtain the encryption authorization of the upper computer, wherein the encryption identifier is generated by encrypting a second identifier by the target key generated by the upper computer, and the second identifier is obtained by decrypting the first identifier by the upper computer.

In this embodiment, for convenience of description, the following description will be made with the device encryption authorization system as an execution subject.

As firmware theft and illegal use risks are remarkably increased along with the wide application of embedded equipment in the fields of intelligent home, industrial automation, medical equipment and the like, the market of legal products is damaged, and the safety and privacy of users face threats.

The application provides a solution, and constructs a tighter and reliable authorization flow by introducing encryption challenges and a bidirectional verification mechanism, thereby not only improving the accuracy of the authorization process, but also effectively preventing an attacker from illegally using the firmware by cracking or forging the authorization information.

It should be noted that, the execution body of the embodiment may be a computing service device with functions of data processing, network communication and program running, such as a tablet computer, a personal computer, a mobile phone, etc., or an apparatus encryption authorization system, a web page, an APP, etc. capable of implementing the above functions. The present embodiment and the following embodiments will be described below by taking a device encryption authorization system as an example.

Based on this, an embodiment of the present application provides a device encryption and authorization method, and referring to fig. 1, fig. 1 is a schematic flow chart of a first embodiment of the device encryption and authorization method of the present application.

In this embodiment, the method is applied to a target device, where the target device stores a device identifier, and the device encryption authorization method includes steps S01-S03:

Step S01, under the condition that the upper computer does not authorize the target equipment, an encryption request initiated by the upper computer is responded, and an encryption challenge is initiated to the upper computer;

It should be noted that, the target device refers to an embedded device that needs to perform encryption authorization, such as an intelligent home device, an industrial automation control unit, etc., for example, an intelligent thermostat is a target device, it may need to receive encryption authorization operations from a home automation system, the upper computer refers to a computer or a terminal device that communicates with the target device and performs encryption authorization operations, such as a personal computer, a smart phone, etc., for example, in the intelligent home system, the smart phone of the user may serve as an upper computer to initiate encryption authorization operations to the intelligent thermostat, where the encryption authorization operations refer to a series of encryption and verification operations performed by the upper computer on the target device to ensure that the target device obtains legal usage rights. The target device firstly detects the authorization state of the target device, wherein the authorization state refers to whether the target device currently has legal use authority or not, the target device is divided into authorized and unauthorized states, if the upper computer is detected to not authorize the target device, the encryption request is a request sent by the upper computer to the target device, the target device is required to carry out encryption verification and authorization, after responding to the encryption request, the target device can initiate an encryption challenge to the upper computer, and the encryption challenge is a series of encryption verification steps initiated by the target device for verifying the legitimacy of the upper computer and is used as a ring for verifying whether the upper computer has legal authorization capability.

In addition, it should be noted that when the target device and the upper computer perform communication interaction, the communication interaction is performed in a preset intranet, and the local server resource can be accessed only in the preset intranet, and due to the limitation of the preset intranet, the authorized software can be prevented from being stolen, so that illegal authorization operation is performed on illegal devices.

Additionally, it should be noted that, when the host computer has authorized the target device, a global authorized identifier is added to the target device and the light efficiency of the target device is updated to a default light efficiency, and when the host computer has not authorized the target device, a global unauthorized identifier is added to the target device and the light efficiency of the target device is updated to an unauthorized light efficiency. Specifically, when the host computer has authorized the target device, if the authorization status is authorized, a global authorized identifier (for example, a boolean variable isAuthorized =true or a specific file/etc/authorized_flag) is created in the device storage area, the identifier is used as an access condition of the device firmware core logic, and is used for the permission verification of the subsequent function module, and meanwhile, the light effect control module is called, the LED indicator light is switched to a default light effect (for example, a breathing light mode, a fixed color display, etc.), the light effect is used as authorization status feedback perceived by the user, for example, the intelligent home device displays a blue breathing light after the networking is successful, if the host computer does not authorize the target device, if the authorization status is unauthorized, a global unauthorized identifier (for example, isAuthorized =false or file/etc/unauthorized _flag) is generated, and the device is restricted to enter a limited operation mode, for example, the industrial controller prohibits access to sensitive configuration parameters when unauthorized, and simultaneously switches to the unauthorized light effect (for example, red flash, fast flash, etc.), so that the user device is intuitively indicated to be in an unauthorized state, for example, the industrial controller flashes at the LED frequency of 1Hz when the industrial controller is unauthorized.

In addition, the step of updating the light effect of the target device to the unauthorized light effect further comprises the steps of judging whether the waiting authorization time exceeds a first preset time, wherein the waiting authorization time represents the time for the upper computer to carry out encryption authorization operation on the target device, closing the target device when the waiting authorization time exceeds the first preset time, judging the authorization state of the target device when the waiting authorization time does not exceed the first preset time, and carrying out the step of judging whether the waiting authorization time exceeds the first preset time by dormancy of the target device when the authorization state is unauthorized. Specifically, when the device is detected to be unauthorized, the system switches the light effect of the target device into the unauthorized light effect (such as red flash) and starts a timing task, judges whether the waiting authorization time exceeds a first preset time, wherein the waiting authorization time is the time interval from the initiation of encryption authorization operation by the upper computer to the current moment, the first preset time is a preset authorization waiting timeout threshold (such as 5 minutes) for measuring the duration of the waiting authorization of the device, if the waiting authorization time exceeds the threshold, the judgment of the authorization operation is failed, continuously monitors the waiting authorization time and compares the waiting authorization time with the first preset time, if the waiting authorization time exceeds the first preset time, judges that the authorization fails, immediately closes the target device to prevent illegal use, for example, the industrial controller cuts off a power supply after the timeout to avoid the operation of unauthorized firmware, if the waiting authorization time does not exceed the first preset time, the equipment authorization state is further checked, if the equipment is still in an unauthorized state, the equipment is dormant for a second preset time (such as 1 second), the encryption authorization operation is ready to be carried out again, after the dormancy is finished, the system judges whether the waiting authorization time exceeds the first preset time, the first preset time is formed, the preset time is not to exceed the preset, the preset state is formed, and the number of times of the unauthorized authorization is reset, and the authorized state is only can be triggered if the equipment is not authorized to reach the authorized state, and the number of times is not authorized, and the authorized state is triggered, and the authorized state is only is triggered to be reversely, and the authorized state is triggered.

For example, in order to facilitate understanding of the technical concept or technical principle of the present application, referring to fig. 2, fig. 2 provides a timing task flow chart, after updating the light effect of the target device to the unauthorized light effect, starting the timing task, judging whether the waiting authorization time exceeds the first preset time, shutting down the target device if the waiting authorization time exceeds the first preset time, judging whether the authorization state of the target device is authorized if the waiting authorization time does not exceed the first preset time, if the authorization state is unauthorized, sleeping the target device for the second preset time, returning to execute the step of judging whether the waiting authorization time exceeds the first preset time, and shutting down the timing task if the authorization state is authorized.

It can be understood that, in step S01, by monitoring the authorization status of the device in real time, the device can be ensured not to perform illegal operation when not authorized, so as to avoid the firmware from being illegally used, realize intelligent detection of the authorization status of the target device, improve the validity and security of the firmware, and in the unauthorized status, the device can actively respond to the encryption request of the upper computer, lay a foundation for subsequent encryption challenges and authorization processes, thereby effectively preventing the firmware from being stolen and illegally used.

Step S02, under the condition that the encryption challenge is successful, encrypting the equipment identifier to obtain a first identifier and sending the first identifier to an upper computer;

it should be noted that, after the host computer successfully responds to the encryption challenge, the host computer returns to the target device, and when the encryption challenge is successful, the target device encrypts the device identifier stored in the host computer, where the device identifier is a unique identifier of the target device and is used to distinguish different devices, for example, each intelligent thermostat will have a unique serial number as the device identifier when leaving the factory, and the encrypted device identifier is called a first identifier, and the identifier is then sent to the host computer.

It can be understood that, in step S02, by encrypting the device identifier, a unique first identifier that is difficult to crack can be generated, so as to protect the firmware from being illegally copied and stolen, and the encrypted first identifier can be used as a verification basis for the identity of the device, so that only the device that is legally authorized can normally operate, the encryption processing of the device identifier is realized, and the security and uniqueness of the firmware are improved, so that the firmware is protected from being illegally copied and stolen.

And S03, receiving and storing an encryption identifier and a target key sent by the upper computer to obtain encryption authorization of the upper computer, wherein the encryption identifier is generated by encrypting a second identifier by the target key generated by the upper computer, and the second identifier is obtained by decrypting the first identifier by the upper computer.

It should be noted that, after the host computer receives the first identifier, it will firstly decrypt the first identifier to recover the original device identifier to obtain the second identifier, where the second identifier obtained by decryption may be the recovered original device identifier directly, or may not be consistent with the first identifier due to a communication attack, tampering, etc., the host computer generates a target key based on a Random Number Generator (RNG), encrypts the second identifier with the target key to generate an encrypted identifier, the target key is a key generated by the host computer and used for encryption and decryption, and has uniqueness and confidentiality, the host computer sends the encrypted identifier and the target key back to the target device, and the target device receives and stores these information.

It can be understood that, in step S03, by receiving and storing the encrypted identifier and the target key, the device can perform continuous and effective authorization status detection in the subsequent operation process, so as to ensure validity and security of firmware usage, realize receiving and storing the encrypted identifier and the target key, and provide reliable basis for subsequent authorization status detection, thereby preventing illegal use of firmware.

In a possible implementation manner, in step S01, the target device is provided with a database, and if the host computer does not authorize the target device, the steps of responding to the encryption request initiated by the host computer further include steps a 01-a 03:

a01, detecting whether an encryption identifier and a target key are stored in a database;

It should be noted that, the target device starts an internal self-checking program, scans the database (for example, flash) in its storage system comprehensively, and detects whether the encryption identifier and the target key corresponding to the encryption identifier are stored in the database completely.

Step A02, under the condition that the encryption identifier and the target key are not stored in the database, judging that the authorization state of the target device is unauthorized;

It should be noted that, if the stored record of the encrypted identifier and the target key is not found in the scanning process of the database, the target device will determine that the authorization status is unauthorized according to the preset logic, which means that the target device has not passed through the legal encrypted authorization process, does not have the authorization permission required by the normal operation related functions, and the device will enter the restricted operation mode under the unauthorized status to refuse to execute any operation requiring authorization.

And step A03, when the encrypted identifier and the target key are stored in the database, decrypting the encrypted identifier by the target key to obtain a plaintext identifier, and when the plaintext identifier is inconsistent with the device identifier, determining that the authorization state of the target device is unauthorized.

It should be noted that, when the encryption identifier and the target key are explicitly stored in the database, the target device will call the decryption module, use the target key to decrypt the encryption identifier, obtain the plaintext identifier after decryption, compare the plaintext identifier obtained by decryption with the device identifier stored in the device itself, if they are inconsistent, the target device will determine that the self-authorization status is unauthorized, which means that although the device stores authorization information, the information is not actually matched with the device, there may be problems that the illegal authorization, the authorization information is tampered or wrongly configured, and the device will take corresponding security measures, such as locking the core function, sending an alarm signal, etc., so as to prevent the firmware from being illegally used.

In this embodiment, by determining whether the database of the target device stores complete authorization information (the encrypted identifier and the target key), if the database does not have the key information, the device can immediately determine that the device is in an unauthorized state, prevent the device from running possible illegal firmware, ensure that only legal firmware can be executed, effectively reduce the risks of embezzling and illegal using the firmware, protect the functional integrity and security of the device, decrypt the encrypted identifier stored in the database, and compare the decrypted plaintext identifier with the device identifier of the device itself, if the encrypted identifier and the target key are inconsistent, the authorization information may be tampered or forged, and the device is determined as in an unauthorized state, so that the authenticity and validity of the authorization information can be verified, thereby ensuring the validity and integrity of the authorization of the device.

In a possible implementation manner, in step a03, the target device further includes a main partition and a backup partition, and before the step of decrypting the encrypted identifier with the target key, steps a11 to a12 are further included:

Step A11, determining an error partition and a correct partition in the main partition and the backup partition under the condition that the encryption identifier in the main partition is inconsistent with the encryption identifier in the backup partition, and restoring the encryption identifier of the error partition by using the encryption identifier of the correct partition;

It should be noted that, the main partition is a main storage area of the target device, carries key data and programs required by the operation of the device, and includes authorization related information such as an encryption identifier and a target key, when the target device operates normally, the main partition is a main data read-write access area, so as to ensure that the device can quickly and efficiently acquire and process the authorization data, the backup partition is a redundant storage area set for dealing with risks such as damage, loss or tampering that may occur to the data of the main partition, the backup partition and the main partition keep data synchronization, and when the data of the main partition has a problem, reliable data recovery support can be provided, so that an authorization verification mechanism of the device is not affected.

Additionally, it should be noted that, during the operation of the target device, the encrypted identifiers stored in the main partition and the backup partition are compared periodically or according to a specific trigger condition, if a difference exists between the main partition and the backup partition, the device starts a determination flow of the error partition and the correct partition, the determination is based on a CRC (Cyclic Redundancy Check, cyclic redundancy check code) check rule, and the principle of division and remainder is used to detect or check an error that may occur after data transmission or storage, once the correct partition is determined, the target device may use the correct encrypted identifier in the partition, and restore the encrypted identifier in the error partition through a data repair algorithm (such as overwriting, incremental updating, etc.), so as to ensure that the encrypted identifiers in the main partition and the backup partition remain consistent.

And step A12, determining an error partition and a correct partition in the main partition and the backup partition, and restoring the target key of the error partition by using the target key of the correct partition under the condition that the target key of the main partition is inconsistent with the target key of the backup partition.

It should be noted that, similar to the processing manner of the encryption identifier, the target device compares the target keys in the main partition and the backup partition, if an inconsistency is detected, the correct partition and the error partition are determined according to the CRC check rule, and the target key in the correct partition is used to restore the target key in the error partition, so as to ensure that the target keys in the main partition and the backup partition are identical.

Additionally, it should be noted that, after performing CRC check, for a successful check partition, a historical weight value of the successful check partition is added, for a failed check partition, a historical weight value of the failed check partition is reduced, the historical weight values of the main partition and the backup partition are written into a trusted database of the target device, and are respectively used as historical reliability records of the main partition and the backup partition, when the encryption identifiers in the main partition are inconsistent with the encryption identifiers in the backup partition, a difference value of the historical weight values of the main partition and the backup partition can be calculated, if the difference value exceeds a preset threshold (for example, 30%), a partition with a higher historical weight value is used as a correct partition, if the difference value does not exceed the preset threshold, a correct partition and an error partition are determined based on the result of CRC check, the encryption identifiers of the correct partition are used for restoring the encryption identifiers of the error partition, so that when comparing, the correct partition and the error partition can be directly determined based on the comparison of the historical weight values, and the tedious operation of CRC check is reduced.

In the embodiment, the encryption identifier and the target key in the main partition and the backup partition are checked and repaired to ensure that the encryption identifier and the target key in the main partition and the backup partition are consistent, so that the device can judge based on correct data when detecting the authorization state, the accuracy and the reliability of authorization verification are improved, when the data in the main partition or the backup partition is in a problem, the device can be restored through the correct data in the other partition, the normal operation of the device can be continued, the device fault caused by data damage is reduced, the consistency of key data in the main partition and the backup partition is maintained, and an attacker is prevented from bypassing an authorization verification mechanism by tampering with the data of one partition, thereby effectively protecting the safety and the legality of the firmware.

In a possible implementation manner, in step S01, the target device further stores a preset key, and the step of initiating the encryption challenge to the upper computer includes steps a 22-a 22:

step A21, generating a first random number, and encrypting the first random number by using a preset key to obtain a first ciphertext;

When an encryption challenge needs to be initiated, a random number generator is built in the target device, a first random number with high randomness is generated, meanwhile, a preset key stored in the device is utilized, the preset key is a key shared in advance between the target device and an upper computer and is used for encrypting and decrypting communication data, an AES (Advanced Encryption Standard ) algorithm is adopted as the preset key encryption algorithm, and encryption operation is carried out on the first random number to generate a first ciphertext.

And step A22, sending an opening challenge notice to the upper computer, wherein the opening challenge notice carries a first ciphertext, and calculating the challenge random number based on a preset challenge algorithm after the first ciphertext is decrypted by the upper computer.

It should be noted that, the target device sends the generated starting challenge notification to the upper computer, where the starting challenge notification is a message sent by the target device to the upper computer and is used for notifying the upper computer to start the encryption challenge flow, where the message carries a first ciphertext and is used to trigger the decryption and the challenge response flow of the upper computer, after the upper computer receives the starting challenge notification, the upper computer decrypts the first ciphertext by using a preset key that is negotiated or known in advance to obtain a first random number, and calculates the first random number based on a preset challenge algorithm (the algorithm may be a hash function, an encryption algorithm combination and the like agreed by the target device and the upper computer), so as to generate the challenge random number.

In addition, it should be noted that, when the target device generates the first ciphertext, the corresponding first timestamp is also obtained and sent to the upper computer, after the upper computer receives the first timestamp, it verifies whether the interval timestamp between the first timestamp and the second timestamp when received is within a preset valid window (for example, 30 seconds), and if not, it determines that the encryption challenge fails.

In the embodiment, each authorization verification is based on different random numbers and encryption processes through an encryption challenge mechanism, an attacker cannot easily crack through a fixed mode or a known vulnerability, only an upper computer with a correct preset secret key and calculated according to a preset challenge algorithm can pass through the challenge, the security of the authorization verification is greatly improved, in the encryption challenge process, communication data between target equipment and the upper computer are transmitted in a ciphertext mode, the data are prevented from being stolen or tampered in the transmission process, the integrity and confidentiality of communication between the equipment and the upper computer are ensured, the firmware security of the equipment is further protected, normal communication and authorization verification can be carried out only through a legal authorized upper computer through a strict encryption challenge mechanism, and even if the attacker acquires part of information of the equipment, the attacker cannot pass through the encryption challenge, so that the use and illegal use of the firmware are effectively prevented.

In one possible implementation, in step S01, after the step of initiating the encryption challenge to the host computer, steps a31 to a32 are further included:

step A31, receiving a challenge result of the encryption challenge returned by the upper computer, wherein the challenge result comprises a first calculation result of a first random number generated by the upper computer on the basis of a preset challenge algorithm for the target equipment;

It should be noted that, the target device receives a challenge result returned by the upper computer, where the challenge result refers to a result (i.e., a first calculation result) obtained by the upper computer performing encryption operation on the first random number generated by the target device based on a preset challenge algorithm.

And step A32, calculating the first random number based on a preset challenge algorithm to obtain a second calculation result, verifying whether the first calculation result is consistent with the second calculation result, and judging that the encryption challenge is successful under the condition that the first calculation result is consistent with the second calculation result.

It should be noted that, the target device uses the same preset challenge algorithm to calculate the received first random number to obtain a second calculation result, compares the first calculation result with the second calculation result, if the two calculation results are consistent, then determines that the upper computer passes the challenge, and the encryption challenge is successful, otherwise, the encryption challenge fails.

In this embodiment, through the encryption challenge mechanism, not only the upper computer needs to verify the validity of the target device, but also the target device confirms the identity of the upper computer through verifying the challenge result returned by the upper computer, and the bidirectional authentication mechanism greatly enhances the identity authentication strength between the device and the upper computer, and each encryption challenge uses a new random number, so that the uniqueness and unpredictability of each challenge are ensured, and an attacker cannot bypass the authentication mechanism through a simple replay attack.

In the second embodiment of the present application, the same or similar content as in the first embodiment of the present application may be referred to the above description, and will not be repeated. On this basis, referring to fig. 3, in this embodiment, the device encryption authorization method applied to the host computer includes steps S11 to S13:

step S11, under the condition that the target equipment is not authorized, an encryption request is initiated to the target equipment, and an encryption challenge initiated by the target equipment is responded;

It should be noted that, the upper computer sends an encryption request message to the target device through a standardized communication protocol (such as TCP/IP or serial port protocol), the target device generates a first random number (such as 128-bit random number) after receiving the request, encrypts the first random number by using a preset key to obtain a first ciphertext, and sends an opening challenge notification to the upper computer, wherein the opening challenge notification carries the first ciphertext, the upper computer extracts the first ciphertext after receiving the opening challenge notification, invokes the preset key to decrypt the first ciphertext, calculates the decrypted first ciphertext based on a preset challenge algorithm to obtain a first calculation result, and returns the first calculation result to the target device.

Step S12, under the condition that the encryption challenge is successful, a first identifier sent by target equipment is received, wherein the first identifier is obtained by encrypting the equipment identifier by the target equipment, and the equipment identifier is stored in the target equipment;

After the target device receives the first calculation result, the target device calculates the first random number based on a preset challenge algorithm to obtain a second calculation result, verifies whether the first calculation result is consistent with the second calculation result, determines that the encryption challenge is successful when the first calculation result is consistent with the second calculation result, encrypts the device identifier to obtain a first identifier, and the upper computer receives the first identifier returned by the target device.

And S13, decrypting the first identifier to obtain a second identifier, generating a target key, encrypting the second identifier based on the target key to obtain an encrypted identifier, and transmitting the encrypted identifier and the target key to the target device so as to encrypt and authorize the target device.

It should be noted that, the upper computer decrypts the first identifier by using the preset key to obtain the second identifier, and at the same time, generates the target key (for example, by combining the PBKDF2 algorithm with the device ID derivative key), encrypts the second identifier by using the target key to form an encrypted identifier, sends the encrypted identifier and the target key to the target device through the secure channel (for example, TLS), and the target device completes the authorization after decrypting by using the target key.

In this embodiment, through interaction between the encryption challenge and the response, it is ensured that only the authorized upper computer can establish secure communication connection with the target device, only the encryption challenge is successful, and the subsequent authorization process is continued, which greatly increases difficulty in illegally acquiring device authorization by an attacker, effectively protects unique identification information of the device, prevents the attacker from performing illegal operation through the device identifier, and through the encryption authorization process, the target device can normally work only after receiving the legal encryption identifier and the target key, even if the attacker acquires the firmware code of the device, the attacker cannot operate the device because of no legal authorization information, thereby effectively preventing theft and illegal use of firmware, protecting intellectual property of a device manufacturer and interests of a user, establishing a secure communication mechanism in the whole encryption authorization process, ensuring that communication between the upper computer and the target device is encrypted and reliable, reducing risks of device failure and data leakage caused by attack, and improving reliability and stability of the system.

In a possible implementation manner, in step S13, the upper computer is provided with a random number generating module, and the step of generating the target key includes steps B01 to B03:

step B01, generating random binary data corresponding to a preset key length parameter through a random number generation module;

It should be noted that, by invoking the random number generation module, the upper computer generates original random binary data based on a preset key length parameter, where the random number generation module (RNG module) may be implemented by hardware, for example, a dedicated hardware random number generator based on a physical entropy source (such as thermal noise and oscillator phase jitter), that is, TRNG (True Random Number Generator ), or may be implemented by software, for example, an encrypted secure random number generator based on a pseudo random number generation algorithm (such as AES-ctr_drbg), that is, a CSPRNG (Cryptographically Secure Pseudo-Random Number Generator, cryptographically secure pseudo random number generator), where the preset key length parameter defines a bit length (such as 128 bits and 256 bits) of a target key, and the random binary data is required to conform to a key specification supported by the target device, and the original bit stream composed of 0 and 1 is not subjected to any formatting.

Step B02, performing format verification on the random binary data, removing the random binary data which does not accord with the preset key specification, and generating standardized key original data;

it should be noted that, the format verification is performed on the random binary data, to verify whether the random binary data meets the preset key specification, which may be, for example:

1. the length accords with the length parameter of a preset key;

2. the entropy value reaches a safety threshold (for example, the minimum entropy is more than or equal to 0.99);

3. Excluding weak key patterns such as all 0 or all 1;

And eliminating data which does not accord with the preset key specification, generating standardized key original data, wherein the standardized key original data is random binary data passing through format verification, and can be directly used for subsequent key conversion.

And step B03, converting the standardized key original data into a character string format to obtain the target key.

It should be noted that, the standardized key original data is converted into a character string format, the character string format is a standardized representation form of the key, so that the storage and transmission are convenient, and common coding modes include hexadecimal character strings (each 4-bit binary number is mapped into 1-bit hexadecimal character), base64 coding (binary data is converted into 64-bit character set), and the like, and finally, a target key is generated for encrypting an identifier or authorizing equipment.

In the embodiment, binary data is generated based on the random number generation module, the defect of predictability of a software pseudo-random algorithm is eliminated, the unpredictability of a key is remarkably improved, threats such as violent cracking and replay attack are resisted, random data which does not meet the safety requirements is removed through preset key specifications, the key is ensured to meet the input requirements of an encryption module, encryption failure or equipment abnormality caused by format errors is avoided, the binary key is converted into a storable character string format, the storage and transmission limitation of an embedded system is adapted, the compatibility of the key and the existing authorization system is enhanced, and cross-platform safety interaction is supported.

For exemplary purposes, please refer to fig. 4 and 5, fig. 4 provides an overall flowchart, and fig. 5 provides an authorization timing diagram to facilitate understanding of the technical concept or technical principle of the present application.

In fig. 4, firstly, the encryption identifier and the target key of the target device in the main partition and the target partition are acquired, whether the data (including the encryption identifier and the target key) in the main partition and the target partition are wrong or not is judged, when the encryption identifier of only one partition is wrong, whether the encryption identifier of the main partition is wrong or not is judged, when the encryption identifier of the main partition is wrong, the encryption identifier of the backup partition is used for restoring the encryption identifier of the main partition, when the encryption identifier of the backup partition is wrong, the encryption identifier of the main partition is used for restoring the encryption identifier of the backup partition, when the target key of only one partition is wrong, whether the target key of the main partition is wrong or not is judged, when the target key of the main partition is wrong, the target key of the backup partition is used for restoring the target key of the main partition, and when the target key of the backup partition is wrong, the target key of the main partition is used for restoring the target key of the backup partition. After the initialization step is finished, the device encryption authorization operation is carried out, the target device is authorized, the device encryption authorization detection is carried out after the completion, whether the target device is authorized or not is judged, the global authorized identification is added under the condition that the target device is authorized, the light effect of the target device is updated to be the default light effect, the global unauthorized identification is added under the condition that the target device is not authorized, and the light effect of the target device is updated to be the unauthorized light effect.

In fig. 5, the upper computer initiates an authorization state query request to the target device, after the target device returns to the authorization state, the upper computer initiates an encryption request, the target device generates a first random number after receiving the encryption request, encrypts the first random number with a preset key, initiates an encryption challenge to the upper computer, sends the first random number to encrypt the challenge, decrypts the first random number with the preset key to obtain the first random number, calculates the first random number based on a preset challenge algorithm to obtain a first calculation result and returns the first calculation result, sends the first calculation result to respond to the challenge, verifies the first calculation result with the preset key, returns an encrypted device identifier to the upper computer after verification is successful, the upper computer generates a target key, decrypts the encrypted device identifier to obtain a second identifier, encrypts the second identifier with a new key to obtain an encryption identifier, sends the encryption identifier and the target key to the target device, the target device stores the encryption identifier and the target key, decrypts the encryption identifier with the target key, compares the decrypted encryption identifier with the device identifier, and indicates that the authorization state of the target device passes verification, and if the comparison is consistent, otherwise, the authorization state of the target device fails is verified to the authorization state, and the target device is not authorized to pass through the authorization state.

It should be noted that the foregoing examples are only for understanding the present application, and do not limit the encryption and authorization method of the device of the present application, and more forms of simple transformation based on the technical concept are all within the scope of the present application.

The present application also provides a device encryption and authorization system, which includes a target device 10 and an upper computer 20, wherein the target device 10 stores a device identifier, please refer to fig. 6, the device encryption and authorization system includes:

The target device 10 is configured to, in response to an encryption request initiated by the host computer 20, initiate an encryption challenge to the host computer 20 when the host computer 20 does not authorize the target device 10;

in case that the encryption challenge is successful, encrypting the device identifier to obtain a first identifier and transmitting the first identifier to the upper computer 20;

The encrypted identifier and the target key sent by the upper computer 20 are received and stored to obtain the encryption authorization of the upper computer 20, wherein the encrypted identifier is generated by encrypting a second identifier by the target key generated by the upper computer 20, and the second identifier is obtained by decrypting the first identifier by the upper computer 20.

The upper computer 20 is configured to initiate an encryption request to the target device 10, and respond to an encryption challenge initiated by the target device 10, without authorizing the target device 10;

receiving a first identifier sent by the target device 10 under the condition that the encryption challenge is successful, wherein the first identifier is obtained by encrypting the device identifier by the target device 10, and the device identifier is stored in the target device 10;

decrypting the first identifier to obtain a second identifier, generating a target key, encrypting the second identifier based on the target key to obtain an encrypted identifier, and transmitting the encrypted identifier and the target key to the target device 10 to perform encryption authorization on the target device 10.

Optionally, the target device 10 is provided with a database, the target device 10 being further configured to:

detecting whether an encryption identifier and a target key are stored in a database;

in the case where the encrypted identifier and the target key are not stored in the database, it is determined that the authorized state of the target device 10 is unauthorized;

When the encrypted identifier and the target key are stored in the database, the encrypted identifier is decrypted by the target key to obtain a plaintext identifier, and when the plaintext identifier does not match the device identifier, the authorization status of the target device 10 is determined to be unauthorized.

Optionally, the target device 10 further comprises a main partition and a backup partition, and the target device 10 is further configured to:

Under the condition that the encryption identifier in the main partition is inconsistent with the encryption identifier in the backup partition, determining an error partition and a correct partition in the main partition and the backup partition, and restoring the encryption identifier of the error partition by using the encryption identifier of the correct partition;

Optionally, the target device 10 further stores a preset key, and the target device 10 is further configured to:

Generating a first random number, and encrypting the first random number by using a preset key to obtain a first ciphertext;

And sending an opening challenge notification to the upper computer 20, wherein the opening challenge notification carries a first ciphertext, and the first ciphertext is calculated based on a preset challenge algorithm to obtain a challenge random number after being decrypted by the upper computer 20.

Optionally, the target device 10 is further configured to:

Receiving a challenge result of the encryption challenge returned by the upper computer 20, wherein the challenge result comprises a first calculation result of a first random number generated by the upper computer 20 on the basis of a preset challenge algorithm for the target device 10;

Optionally, the upper computer 20 is further configured to:

In the event that the target device 10 is not authorized, initiating an encryption request to the target device 10 in response to an encryption challenge initiated by the target device 10;

Optionally, the upper computer 20 is provided with a random number generation module, and the upper computer 20 is further configured to:

performing format verification on the random binary data, removing the random binary data which does not accord with the preset key specification, and generating standardized key original data;

And converting the standardized key original data into a character string format to obtain the target key.

The device encryption and authorization device provided by the application can solve the technical problems of effectively preventing the firmware from being stolen and illegally used by adopting the device encryption and authorization method in the embodiment. Compared with the prior art, the device encryption and authorization device has the same beneficial effects as the device encryption and authorization method provided by the embodiment, and other technical features in the device encryption and authorization device are the same as the features disclosed by the method of the embodiment, and are not repeated herein.

The application provides electronic equipment, which comprises at least one processor and a memory in communication connection with the at least one processor, wherein the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor can execute the equipment encryption authorization method in the first embodiment.

Referring now to fig. 7, a schematic diagram of an electronic device suitable for use in implementing embodiments of the present application is shown. Electronic devices in embodiments of the present application may include, but are not limited to, mobile terminals such as mobile phones, notebook computers, PADs (Portable Application Description: tablet computers), and the like, as well as stationary terminals such as digital TVs, desktop computers, and the like. The electronic device shown in fig. 7 is only an example and should not be construed as limiting the functionality and scope of use of the embodiments of the application.

As shown in fig. 7, the electronic device may include a processing means 1001 (e.g., a central processing unit, a graphics processor, etc.) which may perform various appropriate actions and processes according to a program stored in a read only memory 1002 or a program loaded from a storage means 1003 into a random access memory 1004. In the random access memory 1004, various programs and data necessary for the operation of the electronic device are also stored. The processing device 1001, the read only memory 1002, and the random access memory 1004 are connected to each other by a bus 1005. An input/output interface 1006 is also connected to the bus. In general, a system including an input device 1007 including, for example, a touch screen, a touch pad, a keyboard, a mouse, etc., an output device 1008 including, for example, a Liquid crystal display (LCD: liquid CRYSTAL DISPLAY), a speaker, a vibrator, etc., a storage device 1003 including, for example, a magnetic tape, a hard disk, etc., and a communication device 1009 may be connected to the input/output interface 1006. The communication means 1009 may allow the electronic device to communicate with other devices wirelessly or by wire to exchange data. While electronic devices having various systems are shown in the figures, it should be understood that not all of the illustrated systems are required to be implemented or provided. More or fewer systems may alternatively be implemented or provided.

In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via a communication device, or installed from the storage device 1003, or installed from the read only memory 1002. The above-described functions defined in the method of the disclosed embodiment of the application are performed when the computer program is executed by the processing device 1001.

The electronic equipment provided by the application adopts the equipment encryption and authorization method in the embodiment, so that the technical problem of how to effectively prevent the firmware from being stolen and illegally used can be solved. Compared with the prior art, the electronic device provided by the application has the same beneficial effects as the device encryption and authorization method provided by the embodiment, and other technical features in the electronic device are the same as the features disclosed by the method of the previous embodiment, and are not repeated herein.

It is to be understood that portions of the present disclosure may be implemented in hardware, software, firmware, or a combination thereof. In the description of the above embodiments, particular features, structures, materials, or characteristics may be combined in any suitable manner in any one or more embodiments or examples.

The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

The present application provides a computer-readable storage medium having computer-readable program instructions (i.e., a computer program) stored thereon for performing the device encryption authorization method in the above-described embodiments.

The computer readable storage medium provided by the present application may be, for example, a USB flash disk, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system or device, or a combination of any of the foregoing. More specific examples of a computer-readable storage medium may include, but are not limited to, an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access Memory (RAM: random Access Memory), a Read-Only Memory (ROM), an erasable programmable Read-Only Memory (EPROM: erasable Programmable Read Only Memory or flash Memory), an optical fiber, a portable compact disc Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In this embodiment, the computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system or device. Program code embodied on a computer readable storage medium may be transmitted using any appropriate medium, including but not limited to electrical wiring, fiber optic cable, RF (Radio Frequency) and the like, or any suitable combination of the foregoing.

The computer readable storage medium may be included in the electronic device or may exist alone without being incorporated into the electronic device.

The computer readable storage medium carries one or more programs, when the one or more programs are executed by the electronic device, the device encryption authorization device is applied to the target device, the target device stores a device identifier, the device encryption authorization device can respond to an encryption request initiated by the upper computer and initiate an encryption challenge to the upper computer under the condition that the upper computer does not authorize the target device, the device identifier is encrypted to obtain a first identifier and sent to the upper computer under the condition that the encryption challenge is successful, the encryption identifier and a target key sent by the upper computer are received and stored to obtain encryption authorization of the upper computer, the second identifier is generated by encrypting the second identifier by the target key generated by the upper computer, the second identifier is obtained by decrypting the first identifier by the upper computer, the device encryption authorization device is applied to the upper computer, the device encryption challenge initiated by the target device can be responded under the condition that the target device is not authorized, the first identifier sent by the target device is received under the condition that the encryption challenge is successful, the first identifier sent by the target device is sent by the target device, the target device is received and sent to the target device, the second identifier is decrypted by the target device, the target device is obtained by encrypting the target device, the second identifier is obtained by encrypting the target device, and the target key is encrypted to obtain the target key, and the target key is encrypted, and the target device is encrypted.

Computer program code for carrying out operations of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, smalltalk, C ++ and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of remote computers, the remote computer may be connected to the user's computer through any kind of network, including a local area network (LAN: local Area Network) or a wide area network (WAN: wide Area Network), or may be connected to an external computer (for example, through the Internet using an Internet service provider).

The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

The modules involved in the embodiments of the present application may be implemented in software or in hardware. Wherein the name of the module does not constitute a limitation of the unit itself in some cases.

The readable storage medium provided by the application is a computer readable storage medium, and the computer readable storage medium stores computer readable program instructions (namely computer programs) for executing the device encryption authorization method, so that the technical problem of how to effectively prevent the firmware from being stolen and illegally used can be solved. Compared with the prior art, the beneficial effects of the computer readable storage medium provided by the application are the same as those of the device encryption authorization method provided by the above embodiment, and are not described herein.

The application also provides a computer program product comprising a computer program which, when executed by a processor, implements the steps of a device encryption authorization method as described above.

The computer program product provided by the application can solve the technical problem of how to effectively prevent the firmware from being stolen and illegally used. Compared with the prior art, the beneficial effects of the computer program product provided by the application are the same as those of the device encryption and authorization method provided by the above embodiment, and are not described herein.

The foregoing description is only a partial embodiment of the present application, and is not intended to limit the scope of the present application, and all the equivalent structural changes made by the description and the accompanying drawings under the technical concept of the present application, or the direct/indirect application in other related technical fields are included in the scope of the present application.

Claims

1. A device encryption authorization method, applied to a target device, the target device storing a device identifier, the device encryption authorization method comprising:

2. The device encryption authorization method according to claim 1, wherein the target device is provided with a database, and the step of responding to the encryption request initiated by the host computer further comprises, in a case where the host computer does not authorize the target device:

3. The device encryption authorization method according to claim 2, wherein the target device further comprises a primary partition and a backup partition, the step of decrypting the encrypted identifier with the target key further comprising, prior to:

4. The device encryption authorization method according to claim 1, wherein the target device further stores a preset key, and the step of initiating an encryption challenge to the host computer includes:

5. The device encryption authorization method according to claim 4, wherein the step of initiating an encryption challenge to the host computer further comprises:

6. The device encryption and authorization method is characterized by being applied to an upper computer, and comprises the following steps:

7. The device encryption authorization method according to claim 6, wherein the upper computer is provided with a random number generation module, and the step of generating the target key includes:

8. A device encryption authorization system, comprising a target device and a host computer, the target device storing a device identifier, the device encryption authorization system comprising:

Receiving and storing an encryption identifier and a target key sent by the upper computer to obtain encryption authorization of the upper computer, wherein the encryption identifier is generated by encrypting a second identifier by the target key generated by the upper computer, and the second identifier is obtained by decrypting the first identifier by the upper computer;

9. A storage medium, characterized in that the storage medium is a computer-readable storage medium, on which a computer program is stored, which computer program, when being executed by a processor, carries out the steps of the device encryption authorization method according to any one of claims 1 to 7.

10. A computer program product, characterized in that the computer program product comprises a computer program which, when executed by a processor, implements the steps of the device encryption authorization method according to any one of claims 1 to 7.