A cloud platform image anti-piracy method based on HOTP
Technical field
The present invention relates to the technical field of cloud platform images, and specifically to a cloud platform image anti-piracy method based on HOTP.
Background
With the rapid development of the cloud computing industry, related clouds and cloud applications keep emerging, and all kinds of cloud service products are beginning to pour into the market. When a cloud platform provides third-party cloud service products to enterprise cloud users, several characteristics of the cloud become apparent:
1. Virtualization: there is no physical hardware to bind to;
2. Isolated or private network environments, in which online activation is not possible;
3. Third parties cannot effectively count how their cloud service products are used. How to protect the third party's interests has become a pressing problem.
In the virtualized environment of a cloud platform, an image is a data file containing a base operating system and third-party software. The cloud platform can use the image as the boot disk of a virtual machine; creating and running a virtual machine from it is the process of image instantiation, and the running virtual machine is commonly called an image instance. An image instance can in turn be packaged back into an image; an image that has not been instantiated is commonly called a base image.
In this situation, the common solution is to build a third-party authentication server inside the cloud platform, but this approach does not solve the problem well:
1. An authentication server in software form cannot itself be effectively protected;
2. An authentication server in hardware form is too costly to install and deploy, is hard to reach from different cloud environments, and raises problems such as maintenance and data recording.
An image is by nature a pure-software binary data file; it can easily be copied within a cloud environment and is very hard to control:
1. The base image is copied:
After the third-party software vendor delivers the base image to a cloud platform operator, the operator can copy the base image and sell it on to other cloud platform operators.
The third-party software vendor therefore typically adds operator-specific information inside the base image to tell copies apart, much like watermarking a film, but this is more a constraint based on mutual trust and law. Because many private cloud environments have no Internet connection, the operator information cannot be checked.
2. The image is re-packaged after instantiation:
After the function license has been loaded, the image instance is packaged into a new image; creating new instances from that image largely bypasses the license-loading step.
The third-party software vendor can apply some logic to the publicly visible differences between running instances on the cloud platform, for example recording the instance's MAC address (network MAC addresses are relatively unique within one platform environment) or recording the instance's CPU type, memory size and so on; but a platform operator can fairly easily simulate an environment identical to the original running instance. Operators also have needs such as scale-out and migration, and expect the software to distinguish these from copying during its checks.
3. Traditional hardware protection is not supported:
Cloud platform operators generally do not allow a third-party software vendor to place a trusted hardware server inside the cloud platform environment, nor is it convenient to plug in and map USB dongle-style protection; this kind of hardware protection also does not fit the concept of the cloud.
4. Network closure of the cloud:
Many private clouds and intranets have no Internet connection; even where a public cloud does have an Internet connection, private cloud environments still have strict network isolation and networking rules. This makes it hard for software applications to connect directly to the third-party software vendor's authentication server.
Summary of the invention
The object of the present invention is to provide a cloud platform image anti-piracy method based on HOTP, which effectively prevents virtual machine instance images deployed in a cloud environment from being copied and used without authorization, and improves intellectual property protection.
The present invention is achieved through the following technical solution. A cloud platform image anti-piracy method based on HOTP specifically includes the following steps:
Step S1: The service software provided through the cloud platform is made into an image, and a platform identifier and a symmetric encryption KEY are hard-coded into the image;
Step S2: A user selects, on the cloud platform, the image that the image provider supplied to the cloud platform, and creates an instance;
Step S3: The parameter VALUE and the final authentication URL are generated from step S2;
Step S4: The authentication URL is used to access the authentication server in networked mode or offline mode;
Step S5: The authentication server obtains the symmetric encryption KEY of step S1, looks up the MAC record corresponding to that KEY, and verifies it;
Step S6: When step S5 verifies successfully, the authentication server records the relevant information, and a verification PIN and a local PIN check code are generated;
Step S7: The verification PIN generated in step S6 is compared with the local PIN check code:
If the verification PIN is identical to the local PIN check code, the service starts normally and COUNT in the instance is changed to COUNT+1;
If the verification PIN differs from the local PIN check code, the service does not start.
Further, in order to better realize the present invention, step S1 specifically includes the following steps:
Step S11: The cloud platform operator makes the image, with the platform identifier and the symmetric encryption KEY built into it; the symmetric encryption KEY associated with each platform operator's identifier is different, and the COUNT built into the image is 0;
Step S12: The image provider registers the platform identifier corresponding to the image in the authentication server, establishing a one-to-one relationship between the platform identifier and the symmetric encryption KEY.
Further, in order to better realize the present invention, step S2 specifically refers to:
An instance is created from the image on the cloud platform. The cloud platform passes the MAC address used for the network connection to the instance, and this MAC serves as the instance's unique identifier within the platform; the instance does not yet provide the software service, and the instance COUNT is 0.
In the present invention, the user selects, on the cloud platform, the image supplied by the image provider to the cloud platform and creates an instance. When the instance is created, the cloud platform automatically passes the MAC address used for the network connection to the instance; this MAC is the instance's unique identity on the platform; the instance does not yet provide the software service, and the instance COUNT is 0.
Further, in order to better realize the present invention, step S3 specifically refers to:
Step S31: The instance starts its service initialization procedure and encrypts the instance unique identifier MAC together with the COUNT value, using a standard symmetric encryption algorithm with the symmetric encryption KEY as the key, to generate an encrypted data segment;
Step S32: The platform identifier and the encrypted data segment are combined into the parameter VALUE;
Step S33: The parameter VALUE, together with the domain name address of the authentication server, forms the final authentication URL.
Further, in order to better realize the present invention, step S4 includes:
Accessing the authentication server in networked mode: when the instance is connected to the Internet, the instance accesses the authentication server via the authentication URL, which carries the verification information;
Accessing the authentication server in offline mode: when the instance has no Internet connection, the instance renders the authentication URL as a QR code on screen or offers it for download as a file; a networked mobile phone scans the QR code and accesses the authentication server indirectly.
Further, in order to better realize the present invention, step S5 specifically includes the following steps:
Step S51: The authentication server takes the parameter VALUE out of the authentication URL and splits the platform identifier out of VALUE; it then searches the platform identifiers registered in step S12:
If there is no corresponding platform identifier, an error is returned;
If a valid platform identifier is found, the symmetric encryption KEY is obtained through the one-to-one relationship between platform identifier and symmetric encryption KEY established in step S12;
The encrypted data segment is decrypted with the symmetric encryption KEY:
If decryption fails, an error is returned;
If decryption succeeds, the COUNT value and the instance unique identifier MAC are obtained;
Step S52: Inside the authentication server, each platform operator has a record table storing MAC addresses and COUNT values; the platform identifier selects the operator's record table, which is searched for a record matching the instance unique identifier MAC;
If an identical MAC exists, continue to the next step;
If no identical MAC exists, check whether COUNT is 0: when COUNT equals 0, the instance unique identifier MAC with COUNT 0 is added to the operator's MAC record table; when COUNT is not 0, failure is returned;
Step S53: The COUNT of the record found in step S52 (the record in the operator's table matching the instance unique identifier MAC) is taken as the record table COUNT; the COUNT parsed from the authentication URL is compared with the record table COUNT:
If they are identical, continue to the next step;
If the COUNT equals the record table COUNT+1, the operator's record table is updated so that the record table COUNT equals the COUNT, and the subsequent steps continue;
If the COUNT is not equal to the record table COUNT+1, failure is returned.
Further, in order to better realize the present invention, step S6 specifically includes the following steps:
Step S61: The HOTP algorithm is used to generate a 6- to 8-digit verification PIN;
Verification PIN = HOTP(symmetric encryption KEY + instance unique identifier MAC, record table COUNT);
Expanded: Truncate(HMAC-SHA-1(symmetric encryption KEY + instance unique identifier MAC, record table COUNT));
Step S62: Online, the verification PIN is returned directly in response to the URL request; offline, the verification PIN is displayed;
When the instance is connected to the Internet, it accesses the authentication server via the authentication URL and the verification PIN is returned to the instance directly in the HTTP response; accessing a URL generally means interacting through a browser using the HTTP protocol.
When the instance has no Internet connection, a networked mobile phone scans the QR code and accesses the authentication server indirectly via the authentication URL; the verification PIN is returned to the phone in the HTTP response, and the user can conveniently read the generated 6- to 8-digit verification PIN and enter it on the instance's page.
Further, in order to better realize the present invention, step S7 specifically refers to:
The instance obtains the verification PIN returned by the authentication server in step S62, generates a local PIN check code with the same HOTP function as in step S61, and compares the verification PIN with the local PIN check code;
Local PIN check code = HOTP(symmetric encryption KEY + instance unique identifier MAC, COUNT);
If the verification PIN is identical to the local PIN check code, the service starts normally and the instance's COUNT is updated to the value COUNT+1;
If the verification PIN differs from the local PIN check code, the service does not start.
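The record-table rules of steps S52 and S53 and the PIN derivation of steps S61 and S7, as an added worked example in Python; this code is not part of the patent and is not the applicant's software. It assumes that the "+" in HOTP(KEY + MAC, COUNT) means byte concatenation of the KEY with the lower-cased MAC string, that HOTP is the RFC 4226 construction with a 6-digit default, and it leaves out the symmetric encryption of the (MAC, COUNT) pair in step S31 and the URL transport of step S4: the server method takes the already-decrypted values. The platform identifier, key, MAC addresses and scenario are constructed for the demo.

```python
# Added example (not the patent's own code): HOTP PIN derivation plus the
# authentication-server record table and counter rules of steps S52, S53,
# S61 and S7. Assumption: the '+' in HOTP(KEY + MAC, COUNT) is byte
# concatenation of the symmetric KEY and the lower-cased MAC string.
import hashlib
import hmac
import struct
from typing import Dict, Optional


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA-1(key, 8-byte counter)."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def pin_for(sym_key: bytes, mac: str, count: int, digits: int = 6) -> str:
    """Verification PIN of step S61 / local PIN check code of step S7."""
    return hotp(sym_key + mac.lower().encode("ascii"), count, digits)


class AuthServer:
    """Registered platforms (step S12) and per-operator MAC/COUNT record tables (S52)."""

    def __init__(self) -> None:
        self.platform_keys: Dict[str, bytes] = {}
        self.records: Dict[str, Dict[str, int]] = {}

    def register_platform(self, platform_id: str, sym_key: bytes) -> None:
        self.platform_keys[platform_id] = sym_key  # S12: one-to-one platform -> KEY
        self.records.setdefault(platform_id, {})

    def verify(self, platform_id: str, mac: str, count: int) -> Optional[str]:
        """Steps S51 to S61 on the already-decrypted (MAC, COUNT) pair.
        Returns the verification PIN, or None when the request is rejected."""
        sym_key = self.platform_keys.get(platform_id)
        if sym_key is None:  # S51: unknown platform identifier
            return None
        mac = mac.lower()
        table = self.records[platform_id]
        if mac not in table:  # S52: an unknown MAC is only accepted at COUNT 0
            if count != 0:
                return None
            table[mac] = 0
        recorded = table[mac]
        if count == recorded:  # S53: same state as last time, accept
            pass
        elif count == recorded + 1:  # S53: instance advanced by one, update table
            table[mac] = count
        else:  # S53: stale or skipped counter (copied or re-imaged instance)
            return None
        return pin_for(sym_key, mac, table[mac])  # S61


class Instance:
    """Image instance: hard-coded platform id and KEY (S11), MAC from the platform (S2)."""

    def __init__(self, platform_id: str, sym_key: bytes, mac: str, count: int = 0) -> None:
        self.platform_id, self.sym_key, self.mac, self.count = platform_id, sym_key, mac, count

    def start_service(self, server: AuthServer) -> bool:
        """Step S7: compare the server's PIN with the local PIN; on success start and COUNT+1."""
        verification_pin = server.verify(self.platform_id, self.mac, self.count)
        if verification_pin is None:
            return False
        local_pin = pin_for(self.sym_key, self.mac, self.count)
        if not hmac.compare_digest(verification_pin, local_pin):
            return False
        self.count += 1
        return True


def demo() -> dict:
    """Constructed scenario: a genuine instance starts three times, then copies try."""
    server = AuthServer()
    key = b"constructed-demo-key-not-for-real-use"  # constructed value
    server.register_platform("PLATFORM-A", key)    # constructed platform identifier
    genuine = Instance("PLATFORM-A", key, "00:2d:00:00:12:03")
    results = {"genuine": [genuine.start_service(server) for _ in range(3)]}
    results["genuine_count"] = genuine.count
    # Copy taken when COUNT was 1: same MAC, stale counter -> rejected by S53
    stale_copy = Instance("PLATFORM-A", key, "00:2d:00:00:12:03", count=1)
    results["stale_copy"] = stale_copy.start_service(server)
    # Re-packaged image on a fresh instance: new MAC but COUNT 5 -> rejected by S52
    repacked = Instance("PLATFORM-A", key, "00:2d:00:00:13:01", count=5)
    results["repacked"] = repacked.start_service(server)
    # Instance carrying a KEY the server does not hold -> local PIN mismatch in S7
    wrong_key = Instance("PLATFORM-A", b"other-key", "00:2d:00:00:14:02")
    results["wrong_key"] = wrong_key.start_service(server)
    return results


if __name__ == "__main__":
    print(demo())
```

Running the script prints the result dictionary of the constructed scenario. Note that step S53 accepts a COUNT equal to the recorded one, so a copy taken at exactly the instance's current state passes once; the copies are only told apart after one of them has started again and moved the recorded COUNT ahead, which is the divergence the method relies on.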
Compared with the prior art, the present invention has the following advantages and beneficial effects:
(1) The present invention effectively prevents virtual machine instance images deployed in a cloud environment from being copied and used without authorization;
(2) The present invention effectively improves intellectual property protection.
Brief description of the drawings
Fig. 1 is a schematic workflow diagram of the present invention;
Fig. 2 is the workflow diagram of step S11 of the present invention;
Fig. 3 is the workflow diagram of step S2 of the present invention;
Fig. 4 is the workflow diagram of step S3 of the present invention;
Fig. 5 is the workflow diagram of step S4 of the present invention;
Fig. 6 is the workflow diagram of step S51 of the present invention;
Fig. 7 is the workflow diagram of step S52 of the present invention;
Fig. 8 is the workflow diagram of step S53 of the present invention;
Fig. 9 is the workflow diagram of step S62 of the present invention.
Embodiments
Embodiments of the invention are described in detail below. In the present invention, unless otherwise clearly defined and limited, terms such as "installation", "connected", "connection" and "fixation" should be interpreted broadly: a connection may, for example, be fixed, detachable or integral; mechanical or electrical; direct, indirect through an intermediary, or internal between two elements. A person of ordinary skill in the art can understand the specific meaning of the above terms in the present invention according to the specific situation.
The present invention is described in further detail below with reference to embodiments, but the implementation of the present invention is not limited to these.
Embodiment 1:
The present invention is achieved through the following technical solution. As shown in Fig. 1 to Fig. 9, a cloud platform image anti-piracy method based on HOTP specifically includes the following steps:
Step S1: The service software provided through the cloud platform is made into an image, and a platform identifier and a symmetric encryption KEY are hard-coded into the image;
Step S2: A user selects, on the cloud platform, the image that the image provider supplied to the cloud platform, and creates an instance;
Step S3: The parameter VALUE and the final authentication URL are generated from step S2;
Step S4: The authentication URL is used to access the authentication server in networked mode or offline mode;
Step S5: The authentication server obtains the symmetric encryption KEY of step S1, looks up the MAC record corresponding to that KEY, and verifies it;
Step S6: When step S5 verifies successfully, the authentication server records the relevant information, and a verification PIN and a local PIN check code are generated;
Step S7: The verification PIN generated in step S6 is compared with the local PIN check code:
If the verification PIN is identical to the local PIN check code, the service starts normally and COUNT in the instance is changed to COUNT+1;
If the verification PIN differs from the local PIN check code, the service does not start.
The other parts of this embodiment are the same as in the embodiments described above and are therefore not repeated.
Embodiment 2:
This embodiment further optimizes the above embodiment. As shown in Fig. 7, step S52 described herein specifically refers to: inside the authentication server, the platform operator's record table is a two-dimensional table storing MAC addresses and COUNT values, of the form:
Id  identify           count
0   00:2d:00:00:12:03  5
1   00:2D:00:00:13:01  0
2   00:2d:00:00:14:02  3
The platform identifier selects the corresponding operator's record table, which is searched for a record matching the instance unique identifier MAC;
If an identical MAC exists, continue to the next step;
If no identical MAC exists, check whether COUNT is 0: when COUNT equals 0, the instance unique identifier MAC with COUNT 0 is added to the operator's MAC record table; when COUNT is not 0, failure is returned;
The other parts of this embodiment are the same as in the embodiments described above and are therefore not repeated.
Embodiment 3:
This embodiment further optimizes the above embodiment. As shown in Fig. 1, the verification PIN in step S61 = HOTP(symmetric encryption KEY + instance unique identifier MAC, record table COUNT);
Expanded: Truncate(HMAC-SHA-1(symmetric encryption KEY + instance unique identifier MAC, record table COUNT)).
The other parts of this embodiment are the same as in the embodiments described above and are therefore not repeated.
Embodiment 4:
This embodiment further optimizes the above embodiment. As shown in Fig. 1, step S7 specifically refers to:
The instance generates the local PIN check code with the same HOTP function as in step S61: local PIN check code = HOTP(symmetric encryption KEY + instance unique identifier MAC, COUNT).
The other parts of this embodiment are the same as in the embodiments described above and are therefore not repeated.
Embodiment 5:
As shown in Fig. 1 to Fig. 9, a cloud platform image anti-piracy method based on HOTP is characterized in that it specifically includes the following steps:
Step S1: The service software provided through the cloud platform is made into an image, and a platform identifier and a symmetric encryption KEY are hard-coded into the image; this specifically includes the following steps:
Step S11: The cloud platform operator makes the image, with the platform identifier and the symmetric encryption KEY built into it; the symmetric encryption KEY associated with each platform operator's identifier is different, and the COUNT built into the image is 0;
Step S12: The image provider registers the platform identifier corresponding to the image in the authentication server, establishing a one-to-one relationship between the platform identifier and the symmetric encryption KEY.
Step S2: A user selects, on the cloud platform, the image that the image provider supplied to the cloud platform, and creates an instance; this specifically refers to:
The user selects, on the cloud platform, the image supplied by the image provider to the cloud platform and creates an instance. When the instance is created, the cloud platform automatically passes the MAC address used for the network connection to the instance; this MAC is the instance's unique identity on the platform; the instance does not yet provide the software service, and the instance COUNT is 0.
Step S3: The parameter VALUE and the final authentication URL are generated from step S2; this specifically refers to:
Step S31: The instance starts its service initialization procedure and encrypts the instance unique identifier MAC together with the COUNT value, using a standard symmetric encryption algorithm with the symmetric encryption KEY as the key, to generate an encrypted data segment;
Step S32: The platform identifier and the encrypted data segment are combined into the parameter VALUE;
Step S33: The parameter VALUE, together with the domain name address of the authentication server, forms the final authentication URL.
Step S4: The authentication URL is used to access the authentication server in networked mode or offline mode; step S4 includes:
Accessing the authentication server in networked mode: when the instance is connected to the Internet, the instance accesses the authentication server via the authentication URL, which carries the verification information;
Accessing the authentication server in offline mode: when the instance has no Internet connection, the instance renders the authentication URL as a QR code on screen or offers it for download as a file; a networked mobile phone scans the QR code and accesses the authentication server indirectly.
Step S5: The authentication server obtains the symmetric encryption KEY of step S1, looks up the MAC record corresponding to that KEY, and verifies it; this specifically includes the following steps:
Step S51: The authentication server takes the parameter VALUE out of the authentication URL and splits the platform identifier out of VALUE; it then searches the platform identifiers registered in step S12:
If there is no corresponding platform identifier, an error is returned;
If a valid platform identifier is found, the symmetric encryption KEY is obtained through the one-to-one relationship between platform identifier and symmetric encryption KEY established in step S12;
The encrypted data segment is decrypted with the symmetric encryption KEY:
If decryption fails, an error is returned;
If decryption succeeds, the COUNT value and the instance unique identifier MAC are obtained;
Step S52: Inside the authentication server, the platform operator's record table is a two-dimensional table storing MAC addresses and COUNT values, of the form:
Id  identify           count
0   00:2d:00:00:12:03  5
1   00:2D:00:00:13:01  0
2   00:2d:00:00:14:02  3
The platform identifier selects the corresponding operator's record table, which is searched for a record matching the instance unique identifier MAC;
If an identical MAC exists, continue to the next step;
If no identical MAC exists, check whether COUNT is 0: when COUNT equals 0, the instance unique identifier MAC with COUNT 0 is added to the operator's MAC record table; when COUNT is not 0, failure is returned;
Step S53: The COUNT of the record found in step S52 (the record in the operator's table matching the instance unique identifier MAC) is taken as the record table COUNT; the COUNT parsed from the authentication URL is compared with the record table COUNT:
If they are identical, continue to the next step;
If the COUNT equals the record table COUNT+1, the operator's record table is updated so that the record table COUNT equals the COUNT, and the subsequent steps continue;
If the COUNT is not equal to the record table COUNT+1, failure is returned.
Step S6: When step S5 verifies successfully, the authentication server records the relevant information, and a verification PIN and a local PIN check code are generated; this specifically includes the following steps:
Step S61: The HOTP algorithm is used to generate a 6- to 8-digit verification PIN;
Verification PIN = HOTP(symmetric encryption KEY + instance unique identifier MAC, record table COUNT);
Expanded: Truncate(HMAC-SHA-1(symmetric encryption KEY + instance unique identifier MAC, record table COUNT)).
Step S62: Online, the verification PIN is returned directly in response to the URL request; offline, the verification PIN is displayed;
When the instance is connected to the Internet, it accesses the authentication server via the authentication URL and the verification PIN is returned to the instance directly in the HTTP response;
When the instance has no Internet connection, a networked mobile phone scans the QR code and accesses the authentication server indirectly via the authentication URL; the verification PIN is returned to the phone in the HTTP response, and the user can conveniently read the generated 6- to 8-digit verification PIN and enter it on the instance's page.
Step S7: The verification PIN generated in step S6 is compared with the local PIN check code:
If the verification PIN is identical to the local PIN check code, the service starts normally and COUNT in the instance is changed to COUNT+1;
If the verification PIN differs from the local PIN check code, the service does not start.
Step S7 specifically refers to:
The instance obtains the verification PIN returned by the authentication server in step S62, generates a local PIN check code with the same HOTP function as in step S61, and compares the verification PIN with the local PIN check code;
If the verification PIN is identical to the local PIN check code, the service starts normally and the instance's COUNT is updated to the value COUNT+1;
If the verification PIN differs from the local PIN check code, the service does not start.
Through the above improvements, the present invention effectively prevents virtual machine instance images deployed in a cloud environment from being copied and used without authorization, and improves intellectual property protection.
The other parts of this embodiment are the same as in the embodiments described above and are therefore not repeated.
Embodiment 6:
Software vendor XX issues the base image Bastion Host V1.0 to cloud platform operator company A. Company A's internal controls fail and the base image leaks, and a department of cloud platform operator B uses the base image without authorization from XX.
XX and cloud platform operator company A have signed a management agreement that authorizes only 500 instances in total per year.
After a user of cloud platform operator B creates an instance from the base image, the instance must be verified through the HOTP method before starting its service, transmitting the three key elements of information identifying cloud platform operator A. XX's authentication server records a new instance, and the number of instance authorizations available to company A decreases by 1.
After some months, cloud platform operator B has consumed 200 authorizations and cloud platform operator company A has consumed 300; company A receives feedback that new instances cannot be created, communicates with XX and discovers the leak. XX cooperates by distinguishing the instance characteristics of the 500 authorizations and stops the instance activation service for the unknown company B. XX reissues to cloud platform operator company A an image with a new platform identifier, and no longer extends usage authorizations for the image with the original platform identifier.
Cloud platform operator company A also realizes that it needs to strictly control the base image, since a leak of the image affects the users of its own platform.
To find the source of the leak, XX and cloud platform operator company A redirect the authentication source of HOTP requests identified as not coming from company A to an information-gathering page; users on the B platform are shown a warning while being allowed to continue using the service, so that information about and evidence against operator B can be collected.
The other parts of this embodiment are the same as in the embodiments described above and are therefore not repeated.
Embodiment 7:
Software vendor XX issues the base image Bastion Host V1.0 to cloud platform operator company B. To profit illegally, company B creates an instance, activates the function license, and then re-packages this instance into an image. By fully simulating the instance's operating state, it lets users on its platform bypass the function license activation process inside the instance, and thereby collects license fees from platform users. Before the HOTP method was added, software vendor XX had no way to know about this behaviour that damages its interests, especially when the network is completely isolated.
After the HOTP method is added, different users create instance X and instance Y on the platform; both instances start from the re-packaged image, so their initial states are identical. The initial COUNT of instance X and instance Y is, for example, COUNT5, and both can pass the HOTP verification in the instance the first time the service starts.
The user of instance X opens and closes the instance several times, so the COUNT of instance X and that of the authentication server both change to, for example, COUNT10, while the user of instance Y has not shut it down, so its count remains COUNT5. The next time the user of instance Y shuts the instance down and restarts the service, instance Y is verified with COUNT5 against the authentication server's COUNT10 and cannot pass. That is, with continued use the divergence grows, while the authentication server always keeps the instance's latest running state.
When a new user creates instance Z on the platform, it likewise comes up in the initial state with COUNT5 and cannot be used either.
(A similar situation is also solved by the HOTP approach: some cloud platform operators allow users to make their own images and export them, and users export home-made instance images to other environments and continue using them there.)
The other parts of this embodiment are the same as in the embodiments described above and are therefore not repeated.
Embodiment 5:
Software vendor XX issues the base image Bastion Host V1.0 to cloud platform operator company C; the image includes a default license (for user convenience and platform billing, a user importing the function does not need to license it again).
When settling payments with software vendor XX, cloud platform operator company C under-reports its actual sales volume. Before the HOTP method was added, software vendor XX had no way to know about this behaviour that damages its interests, especially when the network is completely isolated.
With the HOTP method, software vendor XX can measure the platform's sales situation from the activation volume and activation times corresponding to cloud platform operator company C, providing a basis for payment settlement and a trusted foundation for cooperation.
The other parts of this embodiment are the same as in the embodiments described above and are therefore not repeated.
The above are only preferred embodiments of the present invention and do not limit the present invention in any form; any simple modification or equivalent variation of the above embodiments made in accordance with the technical spirit of the present invention falls within the scope of protection of the present invention.