
TWI866830B - System, hardware device, and method for software authorization, and computer program product implementing the method - Google Patents


Info

Publication number
TWI866830B
Authority
TW
Taiwan
Prior art keywords
authorization
management platform
hardware device
software
key
Prior art date
Application number
TW113112563A
Other languages
Chinese (zh)
Other versions
TW202540882A (en)
Inventor
葉信育
吳建興
Original Assignee
中華電信股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中華電信股份有限公司
Priority to TW113112563A
Application granted
Publication of TWI866830B
Publication of TW202540882A

Landscapes

  • Storage Device Security (AREA)

Abstract

A system, a hardware device, and a method for software authorization, and a computer program product implementing the method are disclosed. The method includes: generating authorization content in response to a software authorization request from a user end; activating a hardware device having an identification serial number so that the hardware device generates a pair of secure element public key and secure element private key; obtaining the secure element public key and the identification serial number from the hardware device and storing them as a pair in an internal database; causing a key storage and cryptographic operation device to generate a pair of management platform public key and management platform private key; signing the authorization content and the secure element public key obtained from the hardware device using the management platform private key to generate an authorization signature; and writing the authorization signature and the management platform public key to the hardware device.

Description

System, hardware device, and method for software authorization, and computer program product for executing the method

This disclosure relates to software protection technology and, more specifically, to a system, a hardware device, and a method for software authorization, and a computer program product for executing the method.

Software, such as programming languages, system software, and application software, can be stored on computer-readable recording media such as hard disks, optical discs, or USB flash drives, and with the spread of the Internet it can also be delivered directly over the network. Once loaded into a computer, software can be executed on it, so the protection and authorization of software are very important.

In the prior art, the content of a software file can be customized for each licensee, so that even if the software is copied to another device, the file cannot run there because that device is not the original licensee; however, this may increase the cost borne by software developers or providers. The prior art can also encrypt the software and transmit it to the subscriber, who decrypts and installs it, thereby protecting the software in transit; whether the encryption process affects the functions of the software itself, however, remains open to question.

Therefore, how to provide a software authorization mechanism without specially encrypting the software and without customizing its content is a problem that remains to be solved.

To solve the above and other problems, this disclosure provides a system, a hardware device, and a method for software authorization, and a computer program product for executing the method.

A system for software authorization includes: a management platform external module, configured to activate a hardware device having an identification serial number so that the hardware device generates a pair of secure element public key and secure element private key, and then to obtain the secure element public key and the identification serial number, the management platform external module also generating, in response to a software authorization application from a user end, authorization content corresponding to that application; a key storage and cryptographic operation device, configured to generate a pair of management platform public key and management platform private key, and to use the management platform private key to sign the authorization content generated by the management platform external module together with the secure element public key it obtained, thereby producing a signature value; a management platform internal module, which encapsulates the authorization content generated by the management platform external module, the secure element public key it obtained, and the signature value produced by the key storage and cryptographic operation device into an authorization signature, so that the management platform external module can write the authorization signature and the management platform public key into the hardware device; and an internal database, in which the management platform internal module stores, as a pair, the secure element public key and the identification serial number of the hardware device obtained by the management platform external module.

In one embodiment, in response to an authorization update application from the user end, the management platform external module generates new authorization content and obtains the identification serial number from the hardware device at the user end. The management platform internal module uses the identification serial number to retrieve the paired secure element public key from the internal database, and the key storage and cryptographic operation device uses the management platform private key to sign the secure element public key and the new authorization content, producing a new signature value. The management platform internal module then encapsulates the new authorization content and the new signature value into a new authorization signature. The key storage and cryptographic operation device uses the management platform private key and the secure element public key to generate a security key and uses that security key to generate a verification code for the new authorization signature, and the management platform external module transmits the new authorization signature and the verification code to the hardware device at the user end.

A hardware device for software authorization includes: a key and secret key generation module, configured to generate a pair of secure element public key and secure element private key when activated by a software authorization management platform; and a data storage area, which stores an authorization signature and a management platform public key written by the software authorization management platform, wherein the authorization signature contains authorization content generated by the software authorization management platform for a piece of software, the secure element public key obtained by the software authorization management platform from the hardware device, and a signature value produced by the software authorization management platform by signing the authorization content and the secure element public key with a management platform private key; wherein, when the hardware device and the software are installed at a user end, the management platform public key built into the software is used to verify the authorization signature in the hardware device, and after the authorization signature is verified successfully, the software is executed at the user end according to the authorization content in the authorization signature.

In one embodiment, when the hardware device receives a new authorization signature and a verification code from the software authorization management platform, the key and secret key generation module uses the secure element private key and the management platform public key to generate a security key, uses that security key to verify the verification code, and, after the verification code is verified successfully, replaces the authorization signature in the hardware device with the new authorization signature.

In one embodiment, the software generates random data when its execution at the user end reaches a critical position; when the hardware device receives the random data encrypted by the software with the secure element public key in the authorization signature, it decrypts the data with the secure element private key of the hardware device for verification, and the software continues to execute after the verification succeeds.

In another embodiment, the software generates random data when its execution at the user end reaches a critical position; after the hardware device receives the random data from the software, it signs the data with the secure element private key of the hardware device and returns the result, which the software verifies with the secure element public key in the authorization signature, and the software continues to execute after the verification succeeds.

A method for software authorization includes: generating authorization content in response to a software authorization application from a user end; activating a hardware device having an identification serial number so that the hardware device generates a pair of secure element public key and secure element private key; obtaining the secure element public key and the identification serial number from the hardware device; causing a key storage and cryptographic operation device to generate a pair of management platform public key and management platform private key; signing the authorization content and the secure element public key obtained from the hardware device with the management platform private key to generate an authorization signature; writing the authorization signature and the management platform public key into the hardware device, so that when the hardware device is installed at the user end, the software at the user end runs there according to the authorization content in the hardware device; and storing the secure element public key and the identification serial number as a pair in an internal database.

In one embodiment, the method for software authorization further includes: generating new authorization content in response to an authorization update application from the user end; obtaining the identification serial number of the hardware device at the user end, and retrieving from the internal database the secure element public key paired with that identification serial number; signing the new authorization content and the secure element public key retrieved from the internal database with the management platform private key to generate a new authorization signature; generating a security key from the management platform private key and the secure element public key retrieved from the internal database, and using the security key to generate a verification code for the new authorization signature; and transmitting the new authorization signature and the verification code to the hardware device at the user end, so that the hardware device can verify the verification code using the secure element private key and the management platform public key held in the hardware device.

In one embodiment, when the hardware device is installed at the user end, the software installed at the user end uses the management platform public key built into it to verify the authorization signature in the hardware device and, after successful verification, obtains the authorization content in the authorization signature, so that the software runs at the user end according to the authorization content.

In one embodiment, when the software, running at the user end according to the authorization content, reaches a critical point, it generates random data and performs a verification using the random data, the secure element public key in the authorization signature, and the secure element private key in the hardware device; the software continues to execute when the verification succeeds.

A computer program product is loaded into a computer to execute the above method.

A computer-readable recording medium stores instructions that a computing device or computer can execute through a processor and/or memory, so that the above method is performed when the instructions on the computer-readable recording medium are executed.

In other words, the system, hardware device, method, and computer program product disclosed here use a hardware device as the verification mechanism for the legitimacy of software use, for software authorization authentication, and for software authorization updates. The mechanism can confirm the legitimacy of software use while offline and can update the software authorization while online, thereby protecting the software, enforcing authorized use, and preventing the software from being used illegally.

In addition, when the software runs, it verifies the authorization signature obtained from the hardware device to confirm the source of the software authorization and the integrity of the authorization content, so that subsequent execution provides services according to the authorization content. When the software authorization needs to be updated, the software authorization management platform uses a security key shared with the hardware device to generate a verification code for the new authorization signature and transmits the new authorization signature together with the verification code to the hardware device; once the hardware device has checked that the verification code is correct, it updates the authorization signature.

10: User end

11: Software

20: Hardware device

201: Identification serial number

21: Key and secret key generation module

211: Secure element public key

212: Secure element private key

22: Data storage area

30: Software authorization management platform

31: Key storage and cryptographic operation device

311: Management platform public key

312: Management platform private key

313: Security key

314: Signature value

314’: New signature value

315: Verification code

32: Management platform internal module

33: Internal database

34: Management platform external module

35: Authorization signature

351: Authorization content

35’: New authorization signature

351’: New authorization content

S201~S209: Steps

S301~S307: Steps

S401~S405: Steps

FIG. 1A is a block diagram of one embodiment of the system and hardware device for software authorization of this disclosure.

FIG. 1B is a block diagram of another embodiment of the system and hardware device for software authorization of this disclosure.

FIG. 2 is a flowchart of one embodiment of the method for software authorization of this disclosure.

FIG. 3 is a flowchart of an embodiment of the method for software authorization of this disclosure in which the software is executed at the user end.

FIG. 4 is a flowchart of another embodiment of the method for software authorization of this disclosure.

The following specific embodiments illustrate how this disclosure may be implemented; those skilled in the art can readily understand its other advantages and effects from the content disclosed herein. The structures, ratios, sizes, and the like shown in the accompanying drawings serve only to accompany the content disclosed in the specification, for the understanding and reading of those skilled in the art, and are not limiting conditions on how this disclosure may be implemented. Any modification, change, or adjustment that does not affect the effects this disclosure can produce or the purposes it can achieve therefore still falls within the scope covered by the technical content disclosed herein.

As used herein, the terms "include", "comprise", "have", "contain", and any other variants thereof are intended to cover a non-exclusive inclusion. Unless otherwise indicated, singular forms such as "a", "an", and "the" also apply to the plural, and terms such as "or" and "and/or" may be used interchangeably.

Refer to FIG. 1A and FIG. 1B, which illustrate embodiments of the system and hardware device for software authorization of this disclosure. As shown in FIG. 1A and FIG. 1B, the software authorization management platform 30, which is the system for software authorization referred to herein, includes a key storage and cryptographic operation device 31, a management platform internal module 32, an internal database 33, and a management platform external module 34. As also shown in FIG. 1A and FIG. 1B, the hardware device 20 includes a key and secret key generation module 21 and a data storage area 22.

Note that the modules in the software authorization management platform 30 may be software, hardware, or firmware. If hardware, a module may be a processing unit, processor, or computer host with data processing and computing capabilities; if software or firmware, it may comprise instructions executable by a processing unit, processor, computer, or computer host, and may be installed on a single hardware device or distributed across several. The hardware device 20 may be, for example, a chip, a smart card, or a USB token device.

The management platform external module 34 activates the hardware device 20 having the identification serial number 201, so that the key and secret key generation module 21 of the hardware device 20 generates a pair of secure element public key 211 and secure element private key 212. The management platform external module 34 then retrieves the secure element public key 211 and the identification serial number 201 from the hardware device 20 and passes them to the management platform internal module 32. In addition, the management platform external module 34 responds to a software authorization application from the user end 10 by generating authorization content 351 related to the software 11.

The key storage and cryptographic operation device 31 generates a pair of management platform public key 311 and management platform private key 312, and uses the management platform private key 312 to sign the authorization content generated by the management platform external module 34 together with the secure element public key 211 it obtained, thereby producing a signature value 314.

The management platform internal module 32 encapsulates the authorization content 351 generated by the management platform external module 34, the secure element public key 211 obtained by the management platform external module 34, and the signature value 314 produced by the key storage and cryptographic operation device 31 into an authorization signature 35, so that the management platform external module 34 can write the authorization signature 35 and the management platform public key 311 into the data storage area 22 of the hardware device 20.

The internal database 33 is where the management platform internal module 32 stores, as a pair, the secure element public key 211 and the identification serial number 201 of the hardware device 20.

When the user end 10 submits a software authorization application for the first time, as shown in FIG. 1A, the management platform external module 34 generates the corresponding authorization content 351 for that application, to be assigned to a hardware device 20; the hardware device 20 is activated before the assignment.

In one embodiment, the hardware device 20 is a device of any hardware form that provides cryptographic operations and key generation and whose private key cannot be exported. Its built-in key and secret key generation module 21 can generate an asymmetric key pair, namely the secure element public key 211 and the secure element private key 212, where the secure element private key 212 is kept private and cannot be exported by any means.

Next, the management platform external module 34 obtains the secure element public key 211 and the identification serial number 201 and passes them, together with the generated authorization content 351, to the management platform internal module 32 to request the authorization signing operation. The management platform internal module 32 passes the secure element public key 211 and the authorization content 351 to the key storage and cryptographic operation device 31, which uses the management platform private key 312 to compute a digital signature over the secure element public key 211, the authorization content 351, and related data, producing the signature value 314. The management platform internal module 32 then encapsulates the secure element public key 211, the authorization content 351, and the signature value 314 into the authorization signature 35, and the management platform external module 34 writes the authorization signature 35 and the management platform public key 311 back to the data storage area 22 in the hardware device 20. Finally, the management platform internal module 32 stores the secure element public key 211 and the identification serial number 201 in the internal database 33.

Once the hardware device 20 has been written, it is sent to the user. As shown in FIG. 1B, the user can download the authorized software 11 from the software authorization management platform 30 or from another server, and then install the software 11 and the hardware device 20 in the execution environment of the user end 10. When the authorized software 11 is executed, it reads the authorization signature 35 in the hardware device 20 through the transmission interface and verifies the authorization signature 35 with the management platform public key 311 built into the software 11. If verification fails, the authorized software 11 stops running; if verification succeeds, the software provides the corresponding services according to the authorization content 351 obtained from the signature.

In addition, when the user end 10 submits an authorization update application, the management platform external module 34 can read the identification serial number 201 online from the hardware device 20 at the user end 10 and pass it, together with the new authorization content 351’ generated for the update application, to the management platform internal module 32 to request the authorization signing operation. The management platform internal module 32 then uses the identification serial number 201 to retrieve the paired secure element public key 211 from the internal database 33 and passes the secure element public key 211 and the new authorization content 351’ to the key storage and cryptographic operation device 31, which signs them with the management platform private key 312 to produce a new signature value 314’. Next, the management platform internal module 32 encapsulates the new authorization content 351’ and the new signature value 314’ into a new authorization signature 35’, and the key storage and cryptographic operation device 31 uses the management platform private key 312 and the secure element public key 211 to derive the security key 313 shared with the hardware device 20, and computes a verification code 315 over the new authorization signature 35’ with the security key 313. Finally, the management platform external module 34 transmits the new authorization signature 35’ and the verification code 315 online to the hardware device 20 at the user end 10.

After the hardware device 20 receives the new authorization signature 35’ and the verification code 315, the key and secret key generation module 21 uses the same algorithm as the key storage and cryptographic operation device 31, with the secure element private key 212 and the management platform public key 311 stored in the data storage area 22, to derive a security key 213. This security key 213 is identical to the security key 313 derived by the key storage and cryptographic operation device 31. The hardware device 20 uses the security key 213 to check whether the verification code 315 is correct and, if it is, replaces the authorization signature 35 in the hardware device 20 with the new authorization signature 35’.
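An added Go example of the update exchange just described, not code from the patent: static ECDH on P-256 followed by HMAC-SHA-256 stands in for the derivation and verification-code algorithms, which the patent does not name, and all function names, the label, and the sample contents are assumptions.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// deriveKey hashes the static ECDH secret into the MAC key (security key 313
// on the platform, 213 on the device). The label is a constructed value.
func deriveKey(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) ([]byte, error) {
	secret, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	kdf := hmac.New(sha256.New, []byte("license-update-v1"))
	kdf.Write(secret)
	return kdf.Sum(nil), nil
}

// tag computes verification code 315 over the new authorization signature.
func tag(key, newAuthSig []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(newAuthSig)
	return m.Sum(nil)
}

// PlatformTag is the platform side: private key 312 plus key 211 from the database.
func PlatformTag(platformPriv *ecdh.PrivateKey, sePub *ecdh.PublicKey, newAuthSig []byte) ([]byte, error) {
	key, err := deriveKey(platformPriv, sePub)
	if err != nil {
		return nil, err
	}
	return tag(key, newAuthSig), nil
}

// Device models hardware device 20; private key 212 never leaves it.
type Device struct {
	sePriv      *ecdh.PrivateKey
	platformPub *ecdh.PublicKey // management platform public key 311
	AuthSig     []byte          // current authorization signature 35
}

func NewDevice(platformPub *ecdh.PublicKey, authSig []byte) (*Device, error) {
	k, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{sePriv: k, platformPub: platformPub, AuthSig: authSig}, nil
}

// ApplyUpdate derives key 213, compares in constant time, replaces only on a match.
func (d *Device) ApplyUpdate(newAuthSig, code []byte) (bool, error) {
	key, err := deriveKey(d.sePriv, d.platformPub)
	if err != nil {
		return false, err
	}
	if !hmac.Equal(tag(key, newAuthSig), code) {
		return false, nil
	}
	d.AuthSig = append([]byte(nil), newAuthSig...)
	return true, nil
}

// RunUpdateDemo reports whether device A accepted: the genuine update, a
// modified update; and whether device B accepted the update issued for A.
func RunUpdateDemo() (ok, tampered, crossDevice bool, err error) {
	platform, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	a, err := NewDevice(platform.PublicKey(), []byte("seats=5")) // constructed content
	if err != nil {
		return
	}
	b, err := NewDevice(platform.PublicKey(), []byte("seats=5"))
	if err != nil {
		return
	}
	update := []byte("seats=50") // stands in for new authorization signature 35'
	code, err := PlatformTag(platform, a.sePriv.PublicKey(), update)
	if err != nil {
		return
	}
	if tampered, err = a.ApplyUpdate([]byte("seats=500"), code); err != nil {
		return
	}
	if crossDevice, err = b.ApplyUpdate(update, code); err != nil {
		return
	}
	ok, err = a.ApplyUpdate(update, code)
	return
}

func main() { fmt.Println(RunUpdateDemo()) }
```

Because both key pairs are static, the derived key never changes, so an older valid pair of authorization signature and verification code would also pass this check; a version counter inside the authorization content that the device compares before replacing is one way to reject it (an addition here, not something the patent describes).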

In addition, to prevent the authorization signature 35 from being copied and reused, or the hardware device 20 from being moved elsewhere after the authorization signature 35 has been verified, the authorized software 11 generates a string of random data each time its execution reaches a critical point (for example, a key feature or an important function) and uses one of the following two methods to ensure that the hardware device 20 is present and is associated with the secure element public key 211 in the authorization signature 35. The critical points may follow a fixed pattern or a random, non-fixed pattern.

方式一:軟體11利用授權簽章35內的安全元件公鑰211對亂數資料進行加密運算,將加密後的結果傳給硬體裝置20進行解密並取得解密後的結果,比對該亂數資料與解密後的結果是否相同;方式二:軟體11將亂數資料傳給硬體裝置20以供利用安全元件私鑰212進行簽章運算並取得簽章值,軟體11再以授權簽章35內的安全元件公鑰211來驗證前述簽章值。 Method 1: Software 11 uses the secure element public key 211 in the authorization signature 35 to perform encryption calculation on random data, transmits the encrypted result to the hardware device 20 for decryption and obtains the decrypted result, and compares the random data with the decrypted result to see if they are the same; Method 2: Software 11 transmits the random data to the hardware device 20 for signature calculation using the secure element private key 212 and obtains the signature value, and then Software 11 uses the secure element public key 211 in the authorization signature 35 to verify the aforementioned signature value.

藉此,根據上述用於軟體授權之系統及硬體裝置之實施例配合圖1A和1B所示可知,本案係先建立軟體授權管理平台30、硬體裝置20和授權簽章35三者間彼此對應關係,亦即,軟體授權管理平台30針對來自使用者端10的軟體授權申請產生授權內容並配給硬體裝置20,配給前先啟用硬體裝置內建的非對稱式金鑰產生功能,並取得安全元件公鑰211,最後軟體授權管理平台30利用管理平台私鑰312對安全元件公鑰211以及授權內容351等資料進行簽章,以將授權簽章35和管理平台公鑰311寫回硬體裝置20內。之後,於使用者端10執行軟體11時,驗證授權簽章35與軟體授權管理平台30的對應關係,亦即,軟體11先讀取硬體裝置20內存的授權簽章35,以軟體11中的管理平台公鑰311來驗證授權簽章35,以確認授權簽章35的合法性,驗證無誤後軟體11再依據授權內容351來提供服務。另外,於使用者端10執行軟體時,驗證授權簽章35與硬體裝置20的對應關係,亦即,利用授權簽章35內包含的安全元件公鑰211來驗證硬體裝置20內存的 安全元件私鑰212,確認雙方的公私鑰具有成對關係,若硬體裝置20不存在或是驗證失敗,即立刻停止軟體運作。 Thus, according to the above-mentioned implementation example of the system and hardware device for software authorization in conjunction with Figures 1A and 1B, the present case first establishes a corresponding relationship between the software authorization management platform 30, the hardware device 20 and the authorization signature 35, that is, the software authorization management platform 30 generates authorization content for the software authorization application from the user terminal 10 and distributes it to the hardware device 20. Before distribution, the built-in asymmetric key generation function of the hardware device is enabled, and the security element public key 211 is obtained. Finally, the software authorization management platform 30 uses the management platform private key 312 to sign the security element public key 211 and the authorization content 351 and other data to write the authorization signature 35 and the management platform public key 311 back to the hardware device 20. Afterwards, when the software 11 is executed on the user terminal 10, the corresponding relationship between the authorization signature 35 and the software authorization management platform 30 is verified, that is, the software 11 first reads the authorization signature 35 stored in the hardware device 20, and uses the management platform public key 311 in the software 11 to verify the authorization signature 35 to confirm the legitimacy of the authorization signature 35. 
After the verification is correct, the software 11 provides services based on the authorization content 351. In addition, when the software is executed on the user end 10, the corresponding relationship between the authorization signature 35 and the hardware device 20 is verified, that is, the security element public key 211 contained in the authorization signature 35 is used to verify the security element private key 212 stored in the hardware device 20 to confirm that the public and private keys of both parties have a paired relationship. If the hardware device 20 does not exist or the verification fails, the software operation is stopped immediately.

Please refer to Figure 2, which is a flowchart of an embodiment of the method for software authorization of the present application. As shown in Figure 2, the method includes steps S301~S307, which in practice may be performed by the software authorization management platform 30 shown in Figures 1A and 1B.

In step S301, in response to a software authorization application from the user end, authorization content corresponding to that application and to the software is generated.

In step S302, a hardware device having an identification serial number is activated so that the hardware device generates a pair of a secure element public key and a secure element private key.

In step S303, the secure element public key and the identification serial number of the hardware device are obtained.

In step S304, the key storage and cryptographic operation device is caused to generate a pair of a management platform public key and a management platform private key.

In step S305, the management platform private key is used to sign the secure element public key and the authorization content, generating the authorization signature. This establishes the association between the software authorization management platform and the authorization signature.

In step S306, the authorization signature and the management platform public key are written into the hardware device. This establishes the association between the hardware device and the authorization signature.

In step S307, the secure element public key and the identification serial number of the hardware device are stored in pairs in the internal database.

Please refer to Figure 3, which is a flowchart of an embodiment of the method for software authorization of the present application as applied to executing the software on the user end. As shown in Figure 3, the method includes steps S201~S209, which in practice may be performed by the user end 10 shown in Figures 1A and 1B.

In step S201, the software and the hardware device are installed on the user end.

In step S202, the software is executed and uses the management platform public key built into the software to verify the authorization signature in the hardware device. This verifies the association between the authorization signature and the software authorization management platform.

In step S203, it is determined whether the authorization signature was verified successfully; for example, if the authorization content has been tampered with, verification fails. In step S204, the software runs according to the authorization content. The authorization signature protects the integrity of the authorization content against tampering, and the authorization content was generated for the user end's software authorization application, so once the authorization signature is verified the software can provide services according to the authorization content in the hardware device. If verification fails, the flow proceeds to step S209 and execution of the software ends.

In step S205, when the software reaches a critical point, random data is generated. In step S206, verification is performed using the random data, the secure element public key in the authorization signature, and the secure element private key in the hardware device. This verifies the association between the authorization signature and the hardware device and prevents the authorization signature from being copied and reused.

In step S207, it is determined whether the verification succeeded. In one embodiment, the software encrypts random data with the secure element public key and sends it to the hardware device, which decrypts it and returns the result. If the decrypted result matches the random data, verification succeeds and the flow proceeds to step S208, where the software continues to run; if it does not match, the flow proceeds to step S209 and execution of the software ends.

In one embodiment, the random data is sent to the hardware device, which signs it with the secure element private key and returns the signature; the software then verifies the signature with the secure element public key. If verification succeeds, the flow proceeds to step S208 and the software continues to run; if verification fails, the flow proceeds to step S209 and execution of the software ends.
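The launch check (S202~S204) and the critical-point check in its signing variant (Method 2, S205~S207), as an added example that is not code from the patent. The page names no algorithms, so ECDSA on P-256 with SHA-256, the JSON token layout and every function and class name here are assumptions, and `HardwareDevice` is a software stand-in for the secure element.

```javascript
const nodeCrypto = require('crypto');

// Assumed algorithms (the page names none): ECDSA on P-256 with SHA-256.
const newKeyPair = () => nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
const exportPublic = (key) => key.export({ type: 'spki', format: 'der' }).toString('base64');
const importPublic = (b64) =>
  nodeCrypto.createPublicKey({ key: Buffer.from(b64, 'base64'), format: 'der', type: 'spki' });

// Bytes covered by the platform signature: authorization content 351 and SE public key 211.
// Hypothetical encoding; any unambiguous serialization would do.
const signedBytes = (token) => Buffer.from(JSON.stringify([token.content, token.sePublicKey]));

// S305: sign content and SE public key with the management platform private key 312.
function issueAuthorizationSignature(platformPrivate, sePublic, content) {
  const token = { content, sePublicKey: exportPublic(sePublic) };
  token.signature = nodeCrypto.sign('sha256', signedBytes(token), platformPrivate).toString('base64');
  return token;
}

// Software stand-in for hardware device 20: private key 212 is never exposed.
class HardwareDevice {
  #sePrivate;
  constructor() {
    const pair = newKeyPair();           // S302: key pair generated on the device
    this.sePublicKey = pair.publicKey;   // handed to the platform in S303
    this.#sePrivate = pair.privateKey;
  }
  signChallenge(nonce) {
    return nodeCrypto.sign('sha256', nonce, this.#sePrivate);
  }
}

// S202-S203: verify the token with the platform public key 311 built into the software.
function verifyAuthorizationSignature(platformPublic, token) {
  try {
    const sig = Buffer.from(token.signature, 'base64');
    return nodeCrypto.verify('sha256', signedBytes(token), platformPublic, sig);
  } catch {
    return false; // malformed token fields count as a failed verification
  }
}

// S205-S207, Method 2: fresh random data, signed by the device, checked by the software.
function deviceHoldsPrivateKey(token, device) {
  const nonce = nodeCrypto.randomBytes(32);
  const response = device.signChallenge(nonce);
  // The public key comes from the verified token, never from the device itself.
  return nodeCrypto.verify('sha256', nonce, importPublic(token.sePublicKey), response);
}

function runSoftware(platformPublic, token, device) {
  if (!verifyAuthorizationSignature(platformPublic, token)) return 'stop-signature'; // S209
  if (!deviceHoldsPrivateKey(token, device)) return 'stop-device';                   // S209
  return 'run';                                                                      // S208
}

function licensingDemo() {
  const platform = newKeyPair();              // S304
  const device = new HardwareDevice();
  const otherDevice = new HardwareDevice();   // a different secure element
  const token = issueAuthorizationSignature(platform.privateKey, device.sePublicKey,
    { edition: 'standard', seats: 5 });       // constructed sample content
  const edited = { ...token, content: { edition: 'standard', seats: 500 } };
  return {
    genuine: runSoftware(platform.publicKey, token, device),
    editedContent: runSoftware(platform.publicKey, edited, device),
    copiedToken: runSoftware(platform.publicKey, token, otherDevice),
  };
}
```

The critical-point check only binds the token to the device because the software takes the public key from the token it has already verified; a key supplied by the device would prove nothing.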

Please refer to Figure 4, which is a flowchart of another embodiment of the method for software authorization of the present application. As shown in Figure 4, the method includes steps S401~S405, which in practice may be performed by the software authorization management platform 30 shown in Figures 1A and 1B.

In step S401, new authorization content is generated in response to an authorization update application from the user end.

In step S402, the identification serial number of the hardware device on the user end is obtained, and the secure element public key paired with that identification serial number is retrieved from the internal database.

In step S403, the management platform private key is used to sign the secure element public key and the new authorization content.

In step S404, a security key is generated from the management platform private key and the secure element public key, and the security key is used to generate a verification code for the new authorization signature. The verification code prevents the authorization signature from being arbitrarily altered or swapped for another.

In step S405, the new authorization signature and the verification code are transmitted to the hardware device on the user end.

On the user end, after the hardware device receives the new authorization signature and the verification code, it derives the security key from the secure element private key and the management platform public key and uses this security key to check whether the verification code is correct; if it is, the update can proceed with the new authorization signature. The hardware device thus uses the same algorithm as the software authorization platform to derive the same security key and verify the verification code. Since the verification code is tied to the hardware device, there is no need to worry about the authorization signature and verification code being copied or tampered with.
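The update exchange of steps S402~S405 and the device-side check described above, as an added example that is not code from the patent. The page does not name the key agreement or the verification code algorithm, so ECDH on P-256, an HKDF-SHA256 step and HMAC-SHA256 are assumptions, as are the token layout and all function names; the device is modelled as a plain object.

```javascript
const nodeCrypto = require('crypto');

// Assumed algorithms (the page names none): ECDH on P-256, HKDF-SHA256, HMAC-SHA256.
const newKeyPair = () => nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });

// Same derivation on both sides: own private key + peer public key -> shared secret -> MAC key.
// Platform: private key 312 + SE public key 211 -> security key 313.
// Device:   SE private key 212 + platform public key 311 -> security key 213.
function deriveSecurityKey(ownPrivate, peerPublic) {
  const shared = nodeCrypto.diffieHellman({ privateKey: ownPrivate, publicKey: peerPublic });
  return Buffer.from(
    nodeCrypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'authorization-update', 32));
}

const verificationCode = (key, bytes) =>
  nodeCrypto.createHmac('sha256', key).update(bytes).digest();

// Platform side, S402-S405. sePublicFromDatabase is the key looked up by serial number.
function platformBuildUpdate(platformPrivate, sePublicFromDatabase, newContent) {
  const payload = JSON.stringify({
    content: newContent,
    sePublicKey: sePublicFromDatabase.export({ type: 'spki', format: 'der' }).toString('base64'),
  });
  const signature = nodeCrypto.sign('sha256', Buffer.from(payload), platformPrivate)
    .toString('base64');                                                    // S403
  const newAuthorization = Buffer.from(JSON.stringify({ payload, signature }));
  const key313 = deriveSecurityKey(platformPrivate, sePublicFromDatabase); // S404
  return { newAuthorization, code: verificationCode(key313, newAuthorization) };
}

// Device side: recompute the code with key 213 and replace the stored token only on a match.
function deviceApplyUpdate(device, update) {
  const key213 = deriveSecurityKey(device.sePrivate, device.platformPublic);
  const expected = verificationCode(key213, update.newAuthorization);
  const ok = update.code.length === expected.length &&
    nodeCrypto.timingSafeEqual(update.code, expected); // constant-time comparison
  if (ok) device.authorization = update.newAuthorization;
  return ok;
}

function updateDemo() {
  const platform = newKeyPair();
  const makeDevice = () => {
    const se = newKeyPair();
    return { sePublic: se.publicKey, sePrivate: se.privateKey,
             platformPublic: platform.publicKey, authorization: null };
  };
  const deviceA = makeDevice();
  const deviceB = makeDevice();
  // Constructed sample content for the new authorization.
  const update = platformBuildUpdate(platform.privateKey, deviceA.sePublic,
    { edition: 'standard', seats: 10 });

  // Same code, one bit of the token flipped in transit.
  const altered = { newAuthorization: Buffer.from(update.newAuthorization), code: update.code };
  altered.newAuthorization[10] ^= 0x01;

  const keysMatch = deriveSecurityKey(platform.privateKey, deviceA.sePublic)
    .equals(deriveSecurityKey(deviceA.sePrivate, platform.publicKey));
  const alteredInTransit = deviceApplyUpdate(deviceA, altered);
  const sentToOtherDevice = deviceApplyUpdate(deviceB, update);
  const intendedDevice = deviceApplyUpdate(deviceA, update);
  const installed = deviceA.authorization !== null &&
    deviceA.authorization.equals(update.newAuthorization);
  return { keysMatch, alteredInTransit, sentToOtherDevice, intendedDevice, installed };
}
```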

In addition, the present application provides a computer program product which, once the program is loaded by a computer, executes one or more of the above methods, such as steps S301~S307 and S401~S405. Besides being stored on a recording medium, the computer program (product) may also be transmitted and provided directly over a network; that is, the computer program (product) is anything that carries a computer-readable program, regardless of its external form, and the computer includes but is not limited to an electronic device having a processor.

Furthermore, the present application provides a computer-readable recording medium for use in a computing device or computer having a processor and/or memory. The computer-readable recording medium stores instructions, and the computing device or computer can execute the computer-readable recording medium through the processor and/or memory so as to carry out the above methods and/or content when it is executed. The computer-readable recording medium (such as a hard disk, floppy disk, optical disc or USB flash drive) stores the computer program (product). In one embodiment, the computer-readable recording medium is a non-transitory computer-readable recording storage medium.

In summary, with the system, hardware device, method and computer program product for software authorization of the present application, the hardware device that the software authorization management platform provides to the software user serves as a means of ensuring that the software is used legitimately. When the software runs, it obtains the authorization signature from the hardware device and verifies it with the management platform public key built into the software, confirming the source of the software authorization and the integrity of the authorization content, so that the software can provide the user with the corresponding services according to the authorization content without customizing software functions for different users.

In addition, when the software authorization management platform receives an authorization update request from an existing user, it derives a security key shared with the hardware device from its own management platform private key and the secure element public key of the hardware device, uses this security key to generate a verification code for the new authorization signature, and sends both to the hardware device. The hardware device then derives the same security key from its own secure element private key and the management platform public key of the software authorization management platform, and once it has checked the verification code with this security key and found it correct, the update can proceed with the new authorization signature.

Therefore, because of the correspondence among the software authorization management platform, the hardware device and the authorization signature, and because the secure element private key cannot be copied, a person who copies the authorization signature still cannot use the software without the corresponding hardware device. Legitimate use of the software is thus effectively protected, and the software itself needs no special encryption protection.

The above embodiments merely illustrate the effects of the present application and are not intended to limit it. Anyone skilled in the art may modify and change the above embodiments without departing from the spirit and scope of the present application. The scope of protection of the present application is therefore as set out in the claims below.

S301~S307: Steps

Claims (11)

1. A system for software authorization, comprising:
a management platform external module, configured to activate a hardware device having an identification serial number so that the hardware device generates a pair of a secure element public key and a secure element private key, thereby obtaining the secure element public key and the identification serial number, and, in response to a software authorization application from a user end, to generate authorization content corresponding to the software authorization application;
a key storage and cryptographic operation device, configured to generate a pair of a management platform public key and a management platform private key, and to use the management platform private key to sign the authorization content generated by the management platform external module and the secure element public key obtained by it, thereby generating a signature value;
a management platform internal module, which encapsulates the authorization content generated by the management platform external module, the secure element public key obtained by it, and the signature value generated by the key storage and cryptographic operation device into an authorization signature, for the management platform external module to write the authorization signature and the management platform public key into the hardware device; and
an internal database, in which the management platform internal module stores, in pairs, the secure element public key and the identification serial number of the hardware device obtained by the management platform external module.

2. The system of claim 1, wherein, in response to an authorization update application from the user end, the management platform external module generates new authorization content and obtains the identification serial number from the hardware device of the user end; the management platform internal module then retrieves from the internal database the secure element public key paired with the identification serial number, for the key storage and cryptographic operation device to sign the secure element public key and the new authorization content with the management platform private key to generate a new signature value; the management platform internal module encapsulates the new authorization content and the new signature value into a new authorization signature; the key storage and cryptographic operation device uses the management platform private key and the secure element public key to generate a security key and uses the security key to generate a verification code for the new authorization signature; and the management platform external module transmits the new authorization signature and the verification code to the hardware device of the user end.

3. A hardware device for software authorization, comprising:
a key and secret key generation module, configured to generate a pair of a secure element public key and a secure element private key upon activation by a software authorization management platform; and
a data storage area, storing an authorization signature and a management platform public key written by the software authorization management platform, wherein the authorization signature contains authorization content generated by the software authorization management platform in correspondence with a software authorization application, the secure element public key obtained by the software authorization management platform from the hardware device, and a signature value generated by the software authorization management platform by signing the authorization content and the secure element public key with a management platform private key;
wherein, when the hardware device and the software are installed on a user end, the management platform public key built into the software is used to verify the authorization signature in the hardware device, so that after the authorization signature is successfully verified the software is executed on the user end according to the authorization content in the authorization signature.

4. The hardware device of claim 3, wherein, when the hardware device receives a new authorization signature and a verification code transmitted by the software authorization management platform, the key and secret key generation module generates a security key from the secure element private key and the management platform public key and uses the security key to verify the verification code, and, after the verification code is successfully verified, the authorization signature in the hardware device is replaced with the new authorization signature.

5. The hardware device of claim 3, wherein the software generates random data when execution on the user end reaches a critical position, and wherein, after the hardware device receives the random data encrypted by the software with the secure element public key in the authorization signature, the secure element private key of the hardware device decrypts it for verification, so that the software continues to execute after verification succeeds.

6. The hardware device of claim 3, wherein the software generates random data when execution on the user end reaches a critical position, and wherein, after the hardware device receives the random data sent by the software, the secure element private key of the hardware device signs it and the result is returned, for the software to verify with the secure element public key in the authorization signature, so that the software continues to execute after verification succeeds.

7. A method for software authorization, comprising:
generating authorization content in response to a software authorization application from a user end;
activating a hardware device having an identification serial number so that the hardware device generates a pair of a secure element public key and a secure element private key;
obtaining the secure element public key and the identification serial number from the hardware device;
causing a key storage and cryptographic operation device to generate a pair of a management platform public key and a management platform private key;
signing the authorization content and the secure element public key obtained from the hardware device with the management platform private key to generate an authorization signature;
writing the authorization signature and the management platform public key into the hardware device, so that when the hardware device is installed on the user end, software on the user end runs on the user end according to the authorization content in the hardware device; and
storing the secure element public key and the identification serial number in pairs in an internal database.

8. The method of claim 7, further comprising:
generating new authorization content in response to an authorization update application from the user end;
obtaining the identification serial number of the hardware device of the user end, and retrieving from the internal database the secure element public key paired with the identification serial number;
signing the new authorization content and the secure element public key retrieved from the internal database with the management platform private key to generate a new authorization signature;
generating a security key from the management platform private key and the secure element public key retrieved from the internal database, and using the security key to generate a verification code for the new authorization signature; and
transmitting the new authorization signature and the verification code to the hardware device of the user end, for the hardware device to verify the verification code using the secure element private key and the management platform public key in the hardware device.

9. The method of claim 7, wherein, when the hardware device is installed on the user end, the software installed on the user end uses the management platform public key built into it to verify the authorization signature in the hardware device and, after verification succeeds, obtains the authorization content in the authorization signature, for the software to run on the user end according to the authorization content.

10. The method of claim 9, wherein, when the software running on the user end according to the authorization content reaches a critical point, random data is generated, and verification is performed using the random data, the secure element public key in the authorization signature, and the secure element private key in the hardware device, so that the software continues to execute when verification succeeds.

11. A computer program product which, after being loaded by a computer, executes the method of claim 7.
TW113112563A 2024-04-02 2024-04-02 System, hardware device, and method for software authorization, and computer program product implementing the method TWI866830B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW113112563A TWI866830B (en) 2024-04-02 2024-04-02 System, hardware device, and method for software authorization, and computer program product implementing the method

Publications (2)

Publication Number Publication Date
TWI866830B true TWI866830B (en) 2024-12-11
TW202540882A TW202540882A (en) 2025-10-16

Family

ID=94769473

Country Status (1)

Country Link
TW (1) TWI866830B (en)
