CN100486155C - Digital certificate signing server schooling method and system - Google Patents


Publication number: CN100486155C
Authority: CN (China)
Prior art keywords: module, machine, computing, digital certificate, interface
Legal status: Expired - Fee Related
Application number: CNB2004100273325A
Other languages: Chinese (zh)
Other versions: CN1585326A (en)
Inventor: 唐韶华, 陈建超
Current Assignee: South China University of Technology SCUT
Original Assignee: South China University of Technology SCUT
Application filed by South China University of Technology SCUT
Priority to CNB2004100273325A
Publication of CN1585326A
Application granted
Publication of CN100486155C


Abstract

The system consists of a key management module, an interface module, a computing module and a communication module. The key management module runs offline and interacts with the computing module manually. The interface module and the computing module are connected through the communication module. The cluster method comprises a key splitting method, a sub-key distribution method, a signature result computation method, and a multi-machine cooperation and monitoring method.

Description

Digital certificate signing and issuing server cluster method and system
Technical field
The present invention relates to network information security technology, and in particular to a digital certificate signing and issuing server cluster method and system.
Background technology
Digital signatures are an important technology for network information security. Their mathematical basis is asymmetric cryptography: a publisher of information on the network uses an asymmetric algorithm to produce a signature over the information, and others on the network can use the asymmetric algorithm to verify this signature but cannot forge it. This provides non-repudiation and unforgeability of information on the network, together with the other network security properties built on these two.
Digital certificates are signed and issued by a certification authority (CA). Given the nature of the service a CA server provides and its own characteristics, a CA server must meet several performance requirements in addition to the basic function of issuing digital certificates. The first is a high degree of confidentiality for the CA private key. The confidentiality of the CA private key guarantees the validity of the certificates it issues; once the key leaks, others will no longer trust the certificates it has issued, and all of those certificates must be revoked, causing great loss and lasting trouble. The second is high speed and high throughput of CA server computation. Digital signature algorithms generally require a large amount of computation, carried out through many large-integer operations. Meanwhile, as digital certificates become widespread, more and more users apply to the CA for certificates. Given these characteristics and the actual demand, the CA server must issue certificates as fast as possible. The last is the robustness of the CA server itself: the CA has gradually become the foundation and core of network information security, and the CA server must provide service stably and reliably over long periods.
Many current commercial CA servers sign and issue digital certificates based on asymmetric cryptographic algorithms. For example, the asymmetric algorithm many CAs adopt is RSA, whose basic operation is large-integer modular exponentiation. In these implementations the CA's entire private key is stored on one machine, and that machine performs the whole modular exponentiation that produces the signature. Some spare machines may also be provided, but they are structured exactly like the master machine: they too store the complete private key and perform the whole modular exponentiation, and there is no necessary organic connection between spare and master; the spare machine only temporarily takes over when the master machine fails. Clearly such a structure cannot fully satisfy the private key confidentiality, high throughput and robustness requirements for a CA server described above.
Some researchers have also studied producing digital signatures through multi-machine cooperation. Their results meet one or more of the above CA performance requirements to some extent, but they do not design algorithms or plan the system specifically around the characteristics of a CA server. Representative of this work is Chinese patent application No. 01136019.4, "A secure digital signature method and system". This scheme is built on the RSA algorithm and in fact has two parts: a new digital signature method and a hardware and software system built on that method. The digital signature method of this scheme randomly picks N mutually different numbers $d_i$, with the restriction that the bit length of $d_i$ in binary is roughly one quarter of the bit length of the key $d$. Then $t$ numbers ($1 \le t \le N$) are drawn from these N numbers each time to form a group, and a number of different groups are drawn in total. Each group is denoted $(d_{j1}, d_{j2}, \dots, d_{jt})$, and for each group a value $c_j$ is computed,

$$c_j = d - \sum_{k=1}^{t} d_{jk},$$

thereby forming the new groups of numbers $(d_{j1}, d_{j2}, \dots, d_{jt}, c_j)$. For each group, if $M$ is raised to each number in the group as exponent, then $t$ further modular multiplications of the $t+1$ modular exponentiation results $S_k$ yield the final signature result $S$. The principle is shown in the following derivation:

$$
\begin{aligned}
S &= M^{d} \bmod n \\
  &= M^{c_j + d_{j1} + d_{j2} + \dots + d_{jt}} \bmod n \\
  &= \left( (M^{c_j} \bmod n) \times (M^{d_{j1}} \bmod n) \times \dots \times (M^{d_{jt}} \bmod n) \right) \bmod n \\
  &= (S_1 \times S_2 \times \dots \times S_{t+1}) \bmod n
\end{aligned}
$$

This is the digital signature method of that scheme: $d$ is first decomposed into groups, each containing $t+1$ numbers; any one group is used to compute the $S_k$ in parallel, and finally the $S_k$ are merged into $S$.
The core of this scheme consists of two classes of machines. One class is N computing machines, whose job is to cooperatively use the $d_{jk}$ parts of the decomposition to compute $S_k$ and send the $S_k$ to the synthesizers over the network. The other class is several synthesizers, whose job is to use the $c_j$ part of the decomposition to compute $S_k$, perform the final merge, and send $S$ to the appropriate recipient. Under this division of labour, each computing machine is assigned one of the N values $d_i$, and each synthesizer is assigned several $c_j$. When a task arrives, every computing machine that is working normally uses the $d_i$ assigned to it to compute an $S_k$ and sends it to the synthesizers. As soon as a synthesizer finds that $t$ of the $S_k$ it has received belong to the same decomposition of $d$ as some $c_j$ assigned to it, it uses that $c_j$ to compute $S_k$ and merges $S$, and the signature is declared successful.
This system achieves confidentiality of the private key only to a certain extent. Because arithmetic speed was taken into account, the $d_i$ are very small numbers; once an attacker has compromised a synthesizer and obtained $c_j$, he can treat the sum of the $t$ values $d_i$ as one very small number, and the cost of cracking it is much smaller than the cost of cracking $d$ directly. Because $c_j$ is basically a number of the same order of magnitude as $d$, and given how large-modulus exponentiation is implemented in software, the time a synthesizer needs to compute $S_k$ is essentially the same as the time needed to compute $S$ directly from $d$, so this system does not solve the problem of digital signature computation speed and high throughput. Its solution to the robustness problem is not thorough either. The system structure is complex: besides the two types of machine above there are other auxiliary machines, and every type of machine can fail. It is also worth noting that the system does not truly realize an (N, t) scheme: even if $t$ computing machines compute and send $S_k$ normally, whether $S$ can finally be merged still depends on the synthesizers, because if the synthesizer holding the $c_j$ that matches these $t$ values $d_i$ happens to have failed, the whole system still fails. Finally, the system only considers signing in the general sense and does not consider the technical problems involved in every aspect of the whole process by which a CA server issues digital certificates. So although this scheme achieved certain results in extending the digital signature method and realizing multi-machine parallel computation of digital signatures, it is still some distance from a commercial CA server.
Given the current state of technical research, market demand and development trends, there is an urgent need to research and build a complete CA server system that fully considers and implements the key technical requirements involved when a CA server issues digital certificates, and that simultaneously satisfies confidentiality of the CA private key, overall high speed and high throughput of certificate issuance, and robustness of the CA server.
Summary of the invention
The purpose of the invention is to overcome the shortcomings of existing CA servers by providing a CA server cluster method and system with a simple architecture that, through close coordination of multiple machines, achieves three properties: high confidentiality of the CA private key, high speed and high throughput of digital signature computation, and high robustness of system operation. Functionally it acts as a single CA server providing a certificate issuing service externally; as a cluster system, all of its components coordinate with one another in a highly automated way to achieve the three properties above.
To achieve the above purpose, the invention adopts the following technical solution:
A digital certificate signing and issuing server cluster system consists of an interface module, a communication module, a computing module and a key management module. The interface module connects to external digital certificate issuance requests through the communication module and connects to the computing module through the communication module; the key management module interacts with the computing module manually. A digital certificate signing and issuing server cluster method comprises a key splitting method, a sub-key distribution method, a signature result computation method, and a multi-machine cooperation and monitoring method whose common goal is issuing digital certificates.
In the above technical solution, the communication module consists of switch groups, divided into an external switch group and an internal switch group; the number of switches can be chosen to suit the actual scale of the system. The interface module consists of a group of computers, whose number can be chosen as needed. In general two computers can be used, one as the main interface machine (hereinafter "master machine") and the other as the backup interface machine (hereinafter "spare machine"), which provides backup and other auxiliary functions. Every computer in this group has two network cards, one connected to the external switch group and the other to the internal switch group. The interface module connects to external digital certificate issuance requests through the external switch group and to the computing module through the internal switch group. Under normal conditions only the main interface machine works, while the backup interface machine monitors the state of the master machine over the network in real time. If it finds that the master machine cannot work normally, it takes over the master machine's IP address and its work; if the master machine later recovers from the fault, it takes back the IP address and the work from the spare machine. The computing module also consists of a group of computers, whose number is likewise chosen as needed but is usually fairly large; every computer is connected to the internal switch group of the communication module, and the computing module works in either serial mode or parallel mode. The key management module consists of one or two computers, all of which are standalone machines running offline.
In the above technical solution, the key splitting method selects an integer K equal to the number of computers in the computing module and splits the CA private key D, thereby obtaining K sub-keys (D_i, i).
The algorithm for obtaining the D_i is as follows:
Input: D, K
Output: the K values D_i
    D' = D; MASK = 0;
    for (i = 1; i <= K; i++)
    {
        MASK = 2^(L_i) - 1;      /* low L_i bits set */
        D_i = D' & MASK;         /* take the low L_i bits of the remaining key */
        D' = D' >> L_i;          /* drop the bits just taken */
    }
where L and the L_i are all integers satisfying: 2^L > D >= 2^(L-1), L_1 = L/K + L%K, and L_i = L/K (i = 2, ..., K), with / denoting integer division.
The sub-key distribution method is: select a positive integer t not greater than K, where t is the number of sub-keys assigned to each computer in the computing module.
If i + t ≤ K, the t sub-keys starting from (D_i, i) are assigned to the i-th computer S_i of the computing module.
If i + t > K, the K-(i+t-2) sub-keys starting from (D_i, i) and the i+2t-K-2 sub-keys starting from (D_1, 1) are assigned to the i-th computer S_i of the computing module.
The signature result computation method is: for the plaintext M to be signed, M_i and C_i are computed iteratively, all modulo N; then the product of the K values C_i is computed modulo N.
The algorithm for computing M_i and C_i is as follows:
Input: M_(i-1), (D_i, i), L_i
Output: C_i, M_i
    C_i = 1; M_i = M_(i-1); D' = D_i;
    for (h = L_i; h > 0; h = h - 1)
    {
        if (D' & 1)
            C_i = (C_i × M_i) mod N;   /* multiply in the current power when the bit is set */
        M_i = (M_i × M_i) mod N;       /* M_i = M_i^2 */
        D' = D' >> 1;                  /* move to the next bit of D_i */
    }
where i ∈ {1, 2, ..., K} and M_0 = M.
The algorithm for computing C is:

$$C = \left( \prod_{i=1}^{K} C_i \right) \bmod N$$
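As an added example (not code from the patent), the following Python code carries the key splitting and signature result pseudocode above through on a small RSA key and checks that the product of the C_i equals M^D mod N. The key (N = 3233, e = 17, D = 2753), the message and all function names are constructed for illustration; `partial_sign_parallel` shows the parallel-mode case described later, where a machine derives M_(i-1) itself instead of waiting for it.

```python
# Added example, not from the patent. Toy RSA key constructed for
# illustration only (p = 61, q = 53); real CA keys are far larger.
TOY_N, TOY_E, TOY_D = 3233, 17, 2753


def chunk_lengths(D, K):
    """L_1 = L//K + L%K and L_i = L//K (i >= 2), where 2^L > D >= 2^(L-1)."""
    L = D.bit_length()
    return [L // K + L % K] + [L // K] * (K - 1)


def split_key(D, K):
    """Key splitting: return [(D_i, i, L_i)] for i = 1..K, low-order bits first."""
    subkeys, rest = [], D
    for i, L_i in enumerate(chunk_lengths(D, K), start=1):
        mask = (1 << L_i) - 1
        subkeys.append((rest & mask, i, L_i))   # D_i = D' & MASK
        rest >>= L_i                            # D' = D' >> L_i
    assert rest == 0, "the chunk lengths must cover every bit of D"
    return subkeys


def partial_sign(M_prev, D_i, L_i, N):
    """One machine's step: from M_(i-1) and D_i compute (C_i, M_i) modulo N."""
    C_i, M_i, bits = 1, M_prev % N, D_i
    for _ in range(L_i):
        if bits & 1:
            C_i = (C_i * M_i) % N
        M_i = (M_i * M_i) % N
        bits >>= 1
    return C_i, M_i


def cluster_sign(M, subkeys, N):
    """Serial-mode chain: each step consumes the M_(i-1) produced by the last.

    Returns (C, [C_1..C_K]) where C is the product of all C_i modulo N.
    """
    C, M_i, partials = 1, M, []
    for D_i, _i, L_i in subkeys:
        C_i, M_i = partial_sign(M_i, D_i, L_i, N)
        partials.append(C_i)
        C = (C * C_i) % N
    return C, partials


def partial_sign_parallel(M, subkeys, i, N):
    """Parallel mode: compute C_i without waiting for M_(i-1) to be broadcast.

    M_(i-1) is M squared once per key bit below chunk i, i.e. M^(2^offset).
    """
    offset = sum(L_j for _d, j, L_j in subkeys if j < i)
    M_prev = pow(M, 1 << offset, N)
    D_i, _i, L_i = subkeys[i - 1]
    return partial_sign(M_prev, D_i, L_i, N)[0]


if __name__ == "__main__":
    keys = split_key(TOY_D, 5)
    signature, parts = cluster_sign(65, keys, TOY_N)
    print("sub-keys:", keys)
    print("C_i:", parts, "C:", signature)
    print("verifies:", pow(signature, TOY_E, TOY_N) == 65)
```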
The multi-machine cooperation and monitoring method is as follows. The interface module receives external digital certificate issuance requests, sends the authentication information through the communication module to the computing module for processing, and after obtaining the signature result from the computing module sends the digital certificate to the requester through the communication module. In the interface module one computer is the primary processor; the other computers back up the primary processor's data and take over its work when it fails. The key management module computes the K sub-keys offline according to the key splitting method and delivers the sub-keys to each computer of the computing module according to the sub-key distribution method. The computing module obtains the certificate issuance request information from the interface module, computes M_i and C_i according to the sub-keys assigned to each computer, finally computes C through coordination, and uploads it to the interface module.
In the above technical solution, the signature algorithm involved is the RSA algorithm and the key is the private key. The key splitting method and the sub-key distribution method are carried out on the key management module. In the sub-key distribution method, the integer t ranges over the integers not less than 2K/3 and not greater than K. The key management module distributes the sub-keys to the computing module. The signature result computation method is implemented by the computing module, whose working mode is divided into serial mode and parallel mode.
Serial mode and parallel mode are described as follows:
1. In serial computing mode, to compute C_i a computing machine does not actively compute M_(i-1); it waits until M_(i-1) appears, then uses (D_i, i) and M_(i-1) to compute C_i and M_i, and then broadcasts C_i and M_i within the computing module.
In serial computing mode, the interface machine makes a fixed assignment of the K computation tasks C_i among the computing machines that are working normally. The assignment strategy is as follows:
(A) every C_i has one computing machine responsible for computing it, and is computed by only one computing machine;
(B) the current K values C_i are distributed as evenly as possible among all computing machines that are working normally;
(C) the number of C_i that each normally working computing machine has been responsible for computing historically is kept as balanced as possible.
In serial computing mode, a computing machine always starts computing from the C_i with the smallest subscript among the tasks assigned to it.
2. In parallel computing mode, to compute C_i a computing machine actively computes M_(i-1) if M_(i-1) has not yet appeared, then uses (D_i, i) and M_(i-1) to compute C_i and M_i, and finally broadcasts C_i and M_i within the computing module.
In parallel computing mode, the interface machine does not make a fixed assignment of the K computations C_i; instead computing machine S_j adopts the following computation strategy:
(A) if j + t ≤ K, compute the C_i in order of subscript from small to large;
(B) if j + t > K, first compute K-(j+t-2) values C_i starting from C_j, then compute j+2t-K-2 values C_i starting from C_1.
In parallel computing mode, before computing a C_i a computing machine first checks whether that C_i has already been computed by another machine, and if so does not compute it. After computing a C_i it checks whether K different C_i have been collected; if so, it computes C, notifies the other computing machines that this task is finished, and sends C to the interface module. As soon as a computing machine receives the notification that a task has been finished, it stops all computation related to that task.
The sub-key distribution method gives every computing machine of the computing module t two-tuples, and at the same time distributes the modulus N, L and K needed by the signature process to every computing machine.
The working principle of the invention is as follows:
The interface module accepts certificate issuance requests from outside the system, coordinates the certificate issuance work inside the system, and finally sends the signed digital certificate to the requester. This comprises the following steps:
(1) accept the certificate issuance request;
(2) encode the certificate and compute the plaintext M;
(3) send an RSA signature computation task to the computing module;
(4) receive the result C returned by the computing module;
(5) return the signed digital certificate to the client.
At the same time, the interface module also performs the following auxiliary work:
(A) monitor the system load: if the system is overloaded for a long time, order the computing module to enter serial computing mode; otherwise order the computing module to enter parallel computing mode;
(B) monitor the state of each computer of the computing module: if the computing module currently cannot complete the RSA signature computation, return information to the client.
The criterion for judging whether the computing module can complete the RSA signature computation is: if K mutually different two-tuples (D_i, i) can be collected from the computing machines currently able to work normally, the computing module can complete the RSA signature computation; otherwise it cannot.
For a signature computation task, every computing machine in the computing module receives M; the machines then compute the K values C_i through coordination, merge them into C, and finally return C to the interface module.
Compared with the prior art, the invention has the following effects:
1. After simple configuration, the system runs without manual intervention; its components cooperate fully automatically to perform the function of issuing digital certificates.
2. The interface module, computing module and communication module of the invention all have backup capability and the system can monitor itself. Once some components fail, it can automatically adjust the work allocation and mask these local faults so as to keep running; when too many components have failed for the system to continue, it automatically raises a warning.
3. The invention keeps the CA private key on the key management module, which runs offline, so the CA private key has a high degree of confidentiality. Each computer of the computing module is assigned only part of the sub-keys of the private key, so even if an attacker compromises any small number of machines in the cluster he cannot obtain the private key, which protects the security of the private key.
4. The computing module has two working modes, serial and parallel. When there are too many service requests, the system can switch itself to the high-throughput mode; in this mode the time needed for a single signature computation task is essentially the same as on a traditional single-machine system, but overall the throughput of the system is N times that of the traditional single-machine mode, where the value of N is essentially the number of computing machines in the system. When service requests are few, the system can switch itself to the fast-response mode; in this mode the time needed for a single signature computation task is less than the time the traditional single-machine mode needs to compute a signature, the ratio being close to 2/3.
5. The cluster system is structurally simple, reasonable and secure. The system consists of only two classes of machines, scheduling machines and computing machines; the scheduling machine holds no secret information about the CA and also isolates the external network from the internal working environment, further improving system security.
6. The system is simple to extend; all three modules can easily be expanded.
Description of drawings
Fig. 1 is a schematic diagram of an implementation structure of the digital certificate signing and issuing server cluster system of the invention;
Fig. 2 is the module relationship diagram of the interface machine software system;
Fig. 3 is a schematic flow chart of the interface module software system issuing a digital certificate;
Fig. 4 is a schematic flow chart of the computing module software system computing a signature.
Embodiment
The invention is further described below with reference to the drawings. The system structure is shown in Fig. 1 and comprises the following components: a sub-key computer running offline, an interface module consisting of a main interface machine and a backup interface machine, and a computing module consisting of K computing machines. These machines can all be ordinary computers. The interface machine accepts the certificate request data of external service requesters through logical channel 1, and finally returns the CA-signed digital certificate to the service requester through logical channel 2. Logical channel 1 and logical channel 2 can be implemented as two different TCP ports. The two interface machines exchange information and monitor each other's state through logical channel 3, which can be implemented as a TCP port: every interface machine opens the same TCP port, and connects to this TCP port on the other machine when it needs to send information to it or check its state. The interface machine sends data to all computing machines in the computing module through logical channel 4, which can be implemented as a UDP port that allows broadcast packets to be sent. The computing machines return data to the interface machine through logical channel 5, which can be implemented as a UDP port that allows broadcast packets to be sent. The machines in the computing module exchange data with one another through logical channel 6, which can be implemented as a UDP port that allows broadcast packets to be sent. The sub-key computer communicates with the machines in the computing module through an offline process: at system initialization, the system administrator transfers the encrypted sub-key data files from the sub-key computer to each computing machine on media such as floppy disks. In addition, the interface machine can monitor the state of the computing machines through logical channel 4, or can open a separate logical channel (a TCP or UDP port) to monitor them independently. The protocol type and port number of the logical channels above cannot both be the same.
The system first completes the computation and distribution of the sub-keys. This is done by the offline sub-key computer with the assistance of an operator. The procedure is as follows:
1. Choose the parameter t. With K fixed, t is an integer not less than 1 and not greater than K. t is the number of sub-keys a computing machine receives; a large t improves the robustness of the system but reduces security, and a small t has the opposite effect. The general recommendation is to take t as an integer not less than 2K/3.
2. Compute the K sub-keys with the key splitting method.
3. According to the sub-key distribution method, write the sub-keys assigned to one computing machine into an encrypted file, together with the auxiliary information needed to compute C_i, for example the modulus n. This gives K files corresponding to the K computing machines.
4. Manually install the i-th file on the i-th computing machine.
After the system has finished its initial configuration, digital certificate issuance requests are handled by the interface module and the computing module in cooperation. The work of the interface module and its implementation are as follows:
1. The interface machine requires the external service requester to open a fixed TCP port, so that the interface machine can return the signed digital certificate to the requester.
2. Under normal conditions the work of the interface module is done by the main interface machine. The backup interface machine monitors the state of the main interface machine in real time through a heartbeat mechanism; once it finds that the main interface machine has failed, it takes over the work of the main interface machine completely by means of IP spoofing, until the main interface machine recovers. Here IP spoofing means that a machine which is not actually configured with a certain IP address tells the machines on its network segment (including the gateway), by sending ARP packets, that it owns this IP address, so that packets sent to this IP address within the segment are all delivered to this machine. After taking over, the backup interface machine on the one hand continues to be responsible for completing the tasks the original main interface machine had received, and on the other hand handles new service requests.
3. Whenever the main interface machine receives a complete service request, it first sends the request to the spare machine for backup and only then tells the requester that the request has been accepted. After it finishes issuing a digital certificate, the main interface machine first tells the spare machine that this task is finished, and then connects to the requester's fixed TCP port and returns the digital certificate. In this process the work of the spare machine is: whenever it receives a backup packet from the master machine, it saves it in the request list; when it receives a service-finished notification packet, it deletes the corresponding entry from the request list. In this way, once the spare machine takes over the work of the master machine, it simply takes entries out of the request list one by one and processes them.
4. The interface machine system consists of several modules, as shown in Fig. 2. These modules are the network interface module, main control module, certificate coding module, master-spare mutual monitoring module, master-spare data mutual backup module, signature task management module, system load monitoring module, computing module monitoring module, and shared data module.
The shared data module is the data center of system, and the shared data of record comprises: uncompleted digital certificate is signed and issued the mode of operation of task, computing module, the real-time status of each computing machine.These data are revised by part of module, and are read by other modules.
Network Interface Module is opened a fixing tcp port, waits for and receive service request then circularly.This module independent operating.Its passes to main control module to certificate request information of receiving, and when receiving the digital certificate that main control module sends, connection request person's fixedly tcp port sends certificate in the past.The certificate request that Network Interface Module receives must be with the form coding of PKCS#10, and sending the certificate format that goes back X.509 is.
The mutual monitoring module of master-spare machine is realized heartbeat monitor mechanism and IP spoofing mechanism.This module independent operating.This is mainly for backup, it is the backup interface machine is monitored the main interface machine on one's own initiative in real time by heartbeat mechanism state, break down in case find the main interface machine, then take over the work of main interface machine fully by the mode of IP spoofing, normal up to the main interface mechanical recovery.
The main-backup data backup module provides task-level fault tolerance. Whenever the main interface machine receives a service request, it sends the relevant data to the backup interface machine for backup; when the task is finished, it sends another packet telling the backup machine to delete the corresponding backup.
The load monitoring module runs independently. It monitors the system load and changes the working mode of the computing module according to how heavy the load is. To monitor the load, the module is given two parameters: a memory span L and a threshold t not greater than L. Each time a new task arrives, the system records whether there are unfinished tasks, counting from the newest task and keeping only the latest L records. If the current working mode is the parallel mode and, among the latest L records, the number of times the system had unfinished tasks reaches t, the system switches to the serial mode. Conversely, if the system is currently in the serial mode and, among the latest L records, the number of times the system had unfinished tasks is 0, the system switches to the parallel mode.
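The mode-switching rule above, written out as an added Python example (not code from the patent). The class and function names are hypothetical, and requiring t to be at least 1 is an added assumption; the replay shows that returning to the parallel mode needs every busy record to age out of the L-record window.

```python
from collections import deque

PARALLEL, SERIAL = "parallel", "serial"


class LoadMonitor:
    """Sliding-window load monitor with memory span L and threshold t."""

    def __init__(self, L, t):
        # The text only requires t <= L; t >= 1 is an added assumption.
        if not 1 <= t <= L:
            raise ValueError("threshold t must satisfy 1 <= t <= L")
        self.t = t
        self.window = deque(maxlen=L)   # keeps only the latest L records
        self.mode = PARALLEL

    def on_task_arrival(self, unfinished_tasks):
        """Record one arrival and return the working mode now in force."""
        # One record per new task: were unfinished tasks present on arrival?
        self.window.append(unfinished_tasks > 0)
        busy = sum(self.window)
        if self.mode == PARALLEL and busy >= self.t:
            self.mode = SERIAL          # load is heavy: switch to serial
        elif self.mode == SERIAL and busy == 0:
            self.mode = PARALLEL        # window fully drained: switch back
        return self.mode


def replay(L, t, pending_counts):
    """Feed a sequence of 'unfinished tasks at arrival' counts to a monitor."""
    monitor = LoadMonitor(L, t)
    return [monitor.on_task_arrival(n) for n in pending_counts]


if __name__ == "__main__":
    # Constructed arrival sequence: number of unfinished tasks at each arrival.
    print(replay(4, 2, [0, 1, 0, 2, 0, 0, 0, 0, 0]))
```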
The computing module monitoring module runs independently and monitors the state of each computing machine. At very short intervals it scans the state of all computing machines and records the latest state.
The certificate coding module encodes the information in the certificate request and adds the information of this CA; it then computes the hash value of the to-be-signed part of the certificate and formats this hash value to form the final plaintext M that takes part in the RSA computation; it then calls the signature task management module with this M value and encodes the returned signature result C into the certificate; finally it assembles the complete digital certificate.
The signature task management module is the interface between the interface module and the computing module. It first receives the M value to be signed. It then determines from the current state of the computing machines whether the computing module can complete the signature; if it can, the module determines the division of labor and the coordination among the computing machines according to the current working mode of the computing module. It then broadcasts M and the division-of-labor and coordination information to the computing module and waits for a computing machine to broadcast back the result C. It starts a timer, and if no result is received within the specified time, it abandons the task. Whether the computing module can complete a signature comes down to whether K distinct sub-keys can be found among the computing machines that are currently working normally: if they can, the signature can be completed; otherwise it cannot. If the system is currently in the parallel mode, the module tells the computing machines to compute in parallel mode, and no further division of labor needs to be specified. If it is in the serial mode, the module runs a division-of-labor algorithm that assigns the computation of each of the K values C_i to a computing machine, and then broadcasts the working mode, the division-of-labor information and the M value to the computing module.
The main control module is responsible for coordination and scheduling. Its work starts when a task arrives: it first receives the complete request information sent by the network interface module, writes this information into the shared data module, calls the main-backup data backup module to back up the data, calls the coding module to generate the digital certificate, and finally tells the network interface module to return the digital certificate to the external requester.
The work of the computing module and its implementation are as follows; its flow chart is shown in Figure 4:
1. The computing module consists of K computing machines whose software and hardware are completely identical. When it starts, each computing machine reads the information in its sub-key file to initialize its own state. The sub-key file records the number of this machine (1 to K) and the quantity, numbers and values of the sub-keys assigned to it, together with other auxiliary information.
2. The computing machine system is composed of five modules: the network interface module facing the interface machine, the core module, the network interface module between computing machines, the computing module and the shared data module. The network interface module facing the interface machine handles sending and receiving data to and from the interface machine; the network interface module between computing machines handles sending and receiving data to and from the other computing machines. The shared data module holds two kinds of data. One is the sub-key information, which is read into memory at initialization and later used by the computing module for its calculations. The other is the signature task list, in which each entry represents an unfinished signature task. When the core module receives a signature task, it adds an entry to the signature task list and initializes the entry's data: C is first set to 1, M_0 is set to the M value, the other C_i and M_i are initialized to 0, and the other relevant fields are set accordingly. It then calls the computing module to start executing the task from this initial information. The core module also receives two kinds of packets from the network interface module between computing machines. One is the partial result (C_i and M_i) packet, for which it calls the computing module to perform the merge computation and the related bookkeeping. The other is the task-completion packet, for which it directly modifies its own signature task list and marks the task as "finished". The computing module computes as directed by an entry in the signature task list; when it finds that the final signature result C can be merged, it notifies the other computing machines and returns C to the interface machine. The computing module is also responsible for merging the partial results sent by other computing machines. Each time the computing module, called by the core module, obtains a partial result C_i, it checks whether all K distinct C_i have been obtained; if so, it merges them into the final signature result C, notifies the other computing machines that the computation for this task is finished, and returns C to the interface machine.
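The K-sub-key availability check, the division of labor and the merge of the partial results C_i described above, as an added Python example (not code from the patent). It assumes an additive split of the RSA private exponent, a wrap-around allocation of two sub-keys per machine and a least-loaded assignment rule, none of which this passage specifies; all function names are hypothetical and the toy key is constructed for illustration.

```python
import secrets

# Toy RSA key from two Mersenne primes (constructed; far too small for real use).
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N, PHI = P * Q, (P - 1) * (Q - 1)
D = pow(E, -1, PHI)                      # private exponent (Python 3.8+)


def split_key(d, k):
    """Assumed additive split: d_1 + ... + d_k == d (mod phi)."""
    parts = [secrets.randbelow(PHI) for _ in range(k - 1)]
    parts.append((d - sum(parts)) % PHI)
    return {i + 1: part for i, part in enumerate(parts)}


def allocate(subkeys, k):
    """Assumed redundant layout: machine j holds sub-keys j and j+1 (wrapping)."""
    return {j: {i: subkeys[i] for i in (j, j % k + 1)} for j in range(1, k + 1)}


def divide_labor(machines, alive, k):
    """Map each sub-key number to a live holder; None if one is unreachable."""
    load, plan = {j: 0 for j in alive}, {}
    for i in range(1, k + 1):
        holders = [j for j in alive if i in machines[j]]
        if not holders:
            return None                  # K distinct sub-keys not available
        chosen = min(holders, key=lambda j: (load[j], j))   # least-loaded holder
        plan[i] = chosen
        load[chosen] += 1
    return plan


def cluster_sign(m, machines, alive, k):
    """Return the merged signature C, or None if the cluster cannot sign."""
    plan = divide_labor(machines, alive, k)
    if plan is None:
        return None
    c = 1                                # C starts at 1, as in the task-list entry
    for i, j in plan.items():
        c_i = pow(m, machines[j][i], N)  # partial result computed on machine j
        c = (c * c_i) % N                # merge: multiply the partial results
    return c
```

With this allocation the cluster tolerates the loss of any single machine, and the merged C verifies under the ordinary public key (E, N) exactly like a signature made with the undivided private exponent.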

Claims (2)

1. A digital certificate issuing server cluster system, characterized in that it consists of an interface module, a communication module and a computing module; the interface module is connected to external authentication requesters through the communication module and is connected to the computing module through the communication module; the computing module interacts with an external key management module; the communication module consists of a group of switches, which is divided into an external switch group and an internal switch group; the interface module is connected to the external authentication requesters through the external switch group and is connected to the computing module through the internal switch group, sending authentication information to the computing module; the interface module consists of a group of computers, each of which is equipped with two network cards, one for connecting to the external switch group and the other for connecting to the internal switch group; the computing module consists of a group of computers, each of which is connected to the internal switch group of the communication module; each computer interacts with the external key management module, uses the key information provided by the key management module to perform the encryption computation, forms the digital certificate and sends it to the interface module through the internal switch group, and the interface module sends the digital certificate to the external authentication requester.
2. The digital certificate issuing server cluster system according to claim 1, characterized in that the key management module consists of one or two computers.
CNB2004100273325A 2004-05-26 2004-05-26 Digital certificate signing server schooling method and system Expired - Fee Related CN100486155C (en)

Publications (2)

Publication Number Publication Date
CN1585326A CN1585326A (en) 2005-02-23
CN100486155C true CN100486155C (en) 2009-05-06

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090506

Termination date: 20160526