CN101977193A - Method and system for safely downloading certificate - Google Patents
- Publication number: CN101977193A
- Authority: CN (China)
- Prior art keywords: certificate, signature, birth certificate, transaction, key
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The invention discloses a method and a system for safely downloading a certificate, belonging to the field of information security. The method comprises the following steps: establishing a connection between an intelligent key device and a client; after the client receives a request to download a certificate, issuing to the device a command to generate a transaction key pair; the intelligent key device generating a transaction public key and a transaction private key with a built-in generation algorithm, and signing the transaction public key with a locally stored protection private key; the client generating a certificate request packet; the client acquiring the birth certificate and the transaction public key signature stored in the intelligent key device and sending the birth certificate, the transaction public key signature and the certificate request packet to a server; the server judging whether the received birth certificate is valid and, if not, returning an error to the client; if so, judging whether the transaction public key signature is valid and, if not, returning an error to the client; if so, issuing the certificate and sending it to the client; and the client writing the certificate into the intelligent key device.
Description
Technical field
The invention belongs to the field of information security, and in particular relates to a method and system for safely downloading a certificate.
Background technology
In the prior art, the user binds the intelligent key device to the server at the sales counter, that is, the number of each legitimate intelligent key device is stored in the server. When a certificate is downloaded, the server compares the number of the intelligent key device with the stored number: if they match, the download is allowed; if not, it is refused. This prevents, to some extent, certificate downloads by a forged intelligent key device. However, the authentication mode is a single factor, and forging an intelligent key device remains possible in theory, so the security of certificate download needs to be strengthened.
Summary of the invention
The invention provides a method and system for safely downloading a certificate. The technical scheme is as follows:
A method for safely downloading a certificate, the method comprising:
An intelligent key device and a client establish a connection;
After the client receives a certificate download request submitted by the user, it issues to the intelligent key device an instruction to generate a transaction key pair;
The intelligent key device generates a transaction public key and a transaction private key with its built-in key generation algorithm, and signs the transaction public key with the protection private key it stores, obtaining the transaction public key signature;
The client generates a certificate request packet;
The client obtains the birth certificate stored in the intelligent key device and the transaction public key signature, and sends the birth certificate, the transaction public key signature and the certificate request packet to the server;
The server judges whether the received birth certificate is valid. If it is not, the server returns an authentication error message to the client. If it is, the server judges whether the transaction public key signature is valid; if it is not, the server returns an authentication error message to the client; if it is, the server issues the certificate and sends it to the client;
The client writes the certificate into the intelligent key device.
The step in which the client generates the certificate request packet is specifically:
Reading the transaction public key information from the intelligent key device;
Generating a data packet containing the transaction public key information, user information and certificate usage information, and sending it to the intelligent key device;
Receiving the signature value produced when the transaction private key in the intelligent key device signs the data packet;
Combining the data packet and the signature value into a digital certificate request packet.
The method further comprises: after receiving the certificate request packet, the server verifies the signature value with the transaction public key carried in the certificate request packet.
The intelligent key device signs the transaction public key with the protection private key it stores immediately after generating the transaction public key with its built-in key generation algorithm;
Or
The intelligent key device signs the transaction public key with the protection private key it stores after receiving an instruction from the client to sign the transaction public key.
The signing of the transaction public key by the intelligent key device with its stored protection private key comprises:
The intelligent key device signs first data with its stored protection private key, obtaining the first data signature value. The first data comprise: additional data, the first preset-length part of the transaction public key, and the hash value of second data. The second data comprise: the additional data and the transaction public key;
The protection public key length, the first data signature value and the remaining part of the transaction public key are concatenated to obtain the transaction public key signature.
The additional data comprise the protection public key length, the birth certificate version, the intelligent key device shell number, and the key attribute.
The birth certificate comprises: the intelligent key device type number, birth certificate version information, birth certificate timestamp, intelligent key device shell number, protection public key, first-level authorization key information, birth certificate issuing key information, and the birth certificate signature.
The first-level authorization key is the trust starting point when authenticating the intelligent key device;
The birth certificate issuing key is issued by the first-level authorization key and is used to sign the birth certificate.
The first-level authorization key information comprises: the authorization key version and the authorization public key;
The birth certificate issuing key information comprises: the birth certificate issuing key version, the issuing public key, and the signature of the birth certificate issuing key information;
The signature of the birth certificate issuing key information is obtained by signing the birth certificate issuing key information with the authorization private key.
The server's judging whether the received birth certificate is valid comprises:
The server judges whether the birth certificate issuing key information in the received birth certificate is valid. If it is not, the birth certificate is judged invalid. If it is, the server judges whether the birth certificate signature in the birth certificate is valid; if it is, the birth certificate is judged valid; if it is not, the birth certificate is judged invalid.
The server's judging whether the birth certificate issuing key information in the received birth certificate is valid comprises:
The client performs a calculation on the signature of the birth certificate issuing key information using the authorization public key in the first-level authorization key information of the birth certificate, and compares the result with the birth certificate issuing key information in the birth certificate. If they are consistent, the birth certificate issuing key information is valid; otherwise it is invalid.
Judging whether the birth certificate signature in the birth certificate is valid comprises:
The server performs a calculation on the birth certificate signature using the issuing public key in the birth certificate issuing key information of the received birth certificate, and compares the result with the birth certificate information. If they are consistent, the birth certificate signature is valid; otherwise it is invalid.
Judging whether the transaction public key signature is valid comprises:
Removing the part of the transaction public key signature that expresses the protection public key length;
Performing a calculation on the first data signature value part of the transaction public key signature using the protection public key in the received birth certificate, obtaining the first data;
Removing the additional data from the first data to obtain the first preset-length part of the transaction public key;
Concatenating the first preset-length part of the transaction public key with the remaining part of the transaction public key carried in the transaction public key signature, obtaining the transaction public key;
Assembling the second data from the first data, hashing the second data, and comparing the result with the second data hash value in the first data. If they are consistent, the transaction public key signature is valid; if not, it is invalid.
A system for safely downloading a certificate, the system comprising: an intelligent key device, a client and a server;
The intelligent key device comprises:
A storage unit, used to store the birth certificate, the protection private key and the certificate;
A key generation unit, used to generate the transaction public key and the transaction private key with a built-in key generation algorithm;
A signature unit, used to sign the transaction public key generated by the key generation unit with the protection private key held in the storage unit;
A certificate writing unit, used to write the certificate into the storage unit;
A sending unit, used to return the certificate and the transaction public key signature to the client.
The client comprises:
A receiving unit, used to receive the certificate download request entered by the user, and the certificate sent by the server's sending unit;
A certificate request generation unit, used to generate the certificate request packet when the receiving unit receives the certificate download request;
A first interface unit, used to obtain the birth certificate of the intelligent key device;
A second interface unit, used to obtain the transaction public key signature of the intelligent key device;
A sending unit, used to send to the server the certificate request packet generated by the certificate request generation unit, the birth certificate obtained by the first interface unit, and the transaction public key signature obtained by the second interface unit;
The server comprises:
A receiving unit, used to receive the birth certificate and the transaction public key signature sent by the client's sending unit;
A birth certificate verification unit, used to verify whether the birth certificate received by the receiving unit is valid;
A transaction public key verification unit, used to verify, after the first authentication unit has verified that the birth certificate is valid, whether the transaction public key signature received by the receiving unit is valid;
A certificate issuing unit, used to issue the certificate after the second authentication unit has verified that the transaction public key signature is valid;
A sending unit, used to send the certificate issued by the certificate issuing unit to the client.
The signature unit comprises:
A signature module, used to sign the first data with the protection private key held in the storage unit, obtaining the first data signature value. The first data comprise: additional data, the first preset-length part of the transaction public key, and the hash value of the second data. The second data comprise: the additional data and the transaction public key;
A concatenation module, used to concatenate the protection public key length, the signature value and the remaining part of the transaction public key, obtaining the transaction public key signature.
The birth certificate verification unit comprises:
A first judging module, used to judge whether the birth certificate issuing key information in the birth certificate is valid;
A second judging module, used to judge whether the birth certificate signature in the birth certificate is valid.
Judging whether the birth certificate issuing key information in the birth certificate is valid comprises:
The server performs a calculation on the signature of the birth certificate issuing key information using the authorization public key in the first-level authorization key information of the birth certificate, and compares the result with the birth certificate issuing key information in the birth certificate. If they are consistent, the birth certificate issuing key information is valid; otherwise it is invalid.
Judging whether the birth certificate signature in the birth certificate is valid comprises:
The server performs a calculation on the birth certificate signature using the issuing public key in the birth certificate issuing key information of the received birth certificate, and compares the result with the received birth certificate information. If they are consistent, the birth certificate signature is valid; otherwise it is invalid.
The transaction public key verification unit comprises:
A first processing module, used to remove the part of the transaction public key signature that expresses the protection public key length;
A first computing module, used to perform a calculation on the first data signature value part of the transaction public key signature using the protection public key in the received birth certificate, obtaining the first data;
A second processing module, used to remove the additional data from the first data, obtaining the first preset-length part of the transaction public key;
A first concatenation module, used to concatenate the first preset-length part of the transaction public key obtained by the second processing module with the remaining part of the transaction public key carried in the transaction public key signature, obtaining the transaction public key;
A second concatenation module, used to assemble the second data from the first data;
A second computing module, used to hash the second data;
A comparison module, used to compare the hash value obtained by the second computing module with the second data hash value in the first data. If they are consistent, the transaction public key signature is valid; if not, it is invalid.
Beneficial effect: by verifying the legitimacy of the birth certificate and the validity of the transaction public key signature, the server ensures that the certificate download request was sent by a legitimate intelligent key device, and thereby ensures the security of the certificate download.
Description of drawings
Fig. 1 is a flow chart of the method for safely downloading a certificate provided by embodiment 1;
Fig. 2 is a structure diagram of the system for safely downloading a certificate provided by embodiment 2.
Embodiment
To make the purpose, technical scheme and advantages of the present invention clearer, embodiments of the present invention are described in further detail below with reference to the drawings.
The method for safely downloading a certificate provided by the embodiments of the invention introduces the concept of a birth certificate for the intelligent key device. The birth certificate is stored inside the intelligent key device and is a string of data that proves the legitimacy of the device. It comprises: the type number of the intelligent key device, birth certificate version information, birth certificate timestamp, shell number, protection public key, first-level authorization key, birth certificate issuing key information, and the birth certificate signature. The birth certificate takes the form of TLV, as shown in Table 1 (the lengths shown are not necessarily exact; in practice the actual values apply):
Table 1
Specifically, the type number of the intelligent key device: consists of two ASCII characters and identifies different intelligent key devices; it also makes it easier to look up the public key of the manufacturer corresponding to the birth certificate. For example, number 11 identifies an intelligent key device produced by vendor A, of the driver-free type;
Birth certificate version information: an extension field. If the TLV structure of the birth certificate needs to be adjusted later, the version number can be increased accordingly so that the back end can process each version differently;
Birth certificate timestamp: the time at which the birth certificate was issued; for example, "20100618150100" represents 15:01:00 on 18 June 2010;
Shell number: consists of three parts, namely the device code, the hardware serial number and the check digit. The coding rule of the shell number can be user-defined. For example:
1. The display format of the shell number is: 2-digit device code + 9-digit hardware serial number (provided by the manufacturer) + 1 check digit, 12 digits in total. The device code is assigned uniformly by the certificate provider (such as a bank);
2. Only the 9-digit hardware serial number is stored in the intelligent key device; the device code and the check digit need not be stored in the device;
3. The 9-digit hardware serial number provided by the manufacturer may be a running (sequential) number, and no software function for modifying the number may be provided;
4. The check algorithm is, for example, the 2121 check algorithm.
The 2121 check algorithm works as follows:
Shell number: 4580658811003057
Digits:   4 5 8 0 6 5 8 8 1 1 0 0 3 0 5
Weights:  2 1 2 1 2 1 2 1 2 1 2 1 2 1 2
Products: 8 5 16 0 12 5 16 8 2 1 0 0 6 0 10
Sum of the digits of the products: 8+5+1+6+0+1+2+5+1+6+8+2+1+0+0+6+0+1+0=53
Check digit: 10-(53 mod 10)=7
Protection public key: generated by the intelligent key device and cannot be destroyed. The correspondence between the protection public key and the shell number of the intelligent key device is stored in the server;
Note that when the intelligent key device generates the protection public key it also generates the protection private key, which is kept inside the intelligent key device.
First-level authorization key: generated independently by each manufacturer. In the present invention, the first-level authorization key is taken to be secure and legitimate and serves as the trust starting point for authentication;
Birth certificate issuing key: used to sign the birth certificate. Its public key information is signed with the first-level authorization key to guarantee its validity;
Birth certificate signature: the signature produced with the birth certificate issuing key (private key) over tags 0001, 0002, 0003, 0004, 0005 and their data. The birth certificate signature formula is as follows:
Birth certificate signature = RSASign[birth certificate issuing private key](SHA(birth certificate supplier number || birth certificate version information || birth certificate timestamp || shell number || protection public key N || protection public key E || first-level authorization key (public key) information || birth certificate issuing key (public key) information)).
For example:
RSASign(SHA(000100023532||000200023031||0003000e20100618150100||0004000c52XXXXXXXXXX||00050080...||00070003...||8008...||8009...)).
From the above, the public keys (protection public key, first-level authorization key (public key), birth certificate issuing key (public key)) and the shell number of the intelligent key device form the main body of the birth certificate, and the birth certificate is signed with a trusted higher-level key. During certificate download, the intelligent key device also generates a transaction public key and signs it with the protection private key. After receiving the certificate download request, the server verifies the legitimacy of the birth certificate and the validity of the transaction public key signature. When both checks pass, the intelligent key device is not forged and the certificate download request was sent by a legitimate intelligent key device, which ensures the security of the certificate download. This process is described in detail below.
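The 2121 check algorithm worked through above for the shell number, as an added example (not code from the patent). The function names are hypothetical, the weights are anchored at the rightmost body digit, which reproduces the weights shown in the worked example, and mapping a result of 10 to 0 is an assumption the text does not cover.

```python
def check_digit_2121(body: str) -> int:
    """Return the check digit for a shell number body (all digits but the last)."""
    if not body.isdigit():
        raise ValueError("shell number body must contain only decimal digits")
    total = 0
    # Weights alternate 2,1,2,1,... starting from the rightmost body digit.
    for offset, ch in enumerate(reversed(body)):
        product = int(ch) * (2 if offset % 2 == 0 else 1)
        # A two-digit product contributes the sum of its digits (16 -> 1 + 6).
        total += product // 10 + product % 10
    # The text gives 10 - (sum mod 10); the final "% 10" maps 10 to 0 (assumption).
    return (10 - total % 10) % 10


def is_valid_shell_number(shell: str) -> bool:
    """Validate a full shell number whose last digit is the check digit."""
    if len(shell) < 2 or not shell.isdigit():
        return False
    return check_digit_2121(shell[:-1]) == int(shell[-1])


if __name__ == "__main__":
    # Shell number taken from the worked example in the text.
    print(check_digit_2121("458065881100305"))        # check digit of the body
    print(is_valid_shell_number("4580658811003057"))  # as printed in the text
    print(is_valid_shell_number("5480658811003057"))  # first two digits swapped
```

A server that stores the shell-number-to-protection-key mapping can run this check before the lookup to reject mistyped or transposed numbers early.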
Embodiment 1
Referring to Fig. 1, this embodiment provides a method for safely downloading a certificate. The detailed process is as follows:
101. The intelligent key device and the client establish a connection;
Preferably, the client establishes the connection with the intelligent key device by calling CryptAcquireContext of the CSP (Cryptographic Service Provider) interface.
102. The client receives the certificate download request submitted by the user and issues to the intelligent key device an instruction to generate a transaction key pair;
103. After receiving the instruction, the intelligent key device generates the transaction public key and the transaction private key;
Note that the transaction private key is used to sign transaction information when transactions are carried out.
104. The intelligent key device signs the transaction public key with the protection private key it stores, obtaining the transaction public key signature;
Specifically, when the intelligent key device leaves the factory, the protection key pair, that is, the protection public key and the protection private key, has already been generated and stored inside it.
Preferably, the intelligent key device signs the generated transaction public key with its stored protection private key as soon as it generates the transaction key pair;
Alternatively, the intelligent key device signs after receiving a signature command issued by the host. When the signature command specifies the transaction public key to be signed, the device signs the specified transaction public key with its stored protection private key. If the received signature command does not specify a transaction public key to be signed, the device signs the default transaction public key with its stored protection private key; the default transaction public key is the most recently generated one after PKCS#10 requests have been produced several times.
Specifically, signing the transaction public key with the stored protection private key is done as follows:
The intelligent key device signs the first data with its stored protection private key, obtaining the first data signature value. The first data comprise: additional data, the first preset-length part of the transaction public key, and the hash value of the second data. The second data comprise: the additional data and the transaction public key;
The protection public key length, the computed first data signature value and the remaining part of the transaction public key are concatenated to obtain the transaction public key signature.
Specifically, the transaction public key is signed in the PKCS#1 manner. The signature computation is expressed by the following formula:
Transaction public key signature = HEADER || PrivateKeyCalculate(Data0) || remainder of transaction public key N || transaction public key E;
PrivateKeyCalculate: denotes a computation with the protection key (private key);
HEADER: 00 80 indicates that the protection public key is 1024 bits long, and 01 00 indicates that it is 2048 bits long;
Preferably, the protection public key is 1024 bits.
The content of the first data Data0 is shown in Table 2:
Table 2
As shown in Table 2, the additional data comprise: the protection public key length, the birth certificate version, the intelligent key device shell number, the key attributes, and the server random number;
The HASH value is the hash of the second data DATA1, that is, HASH=SHA(DATA1). Preferably, the HASH algorithm is SHA1.
The content of the second data DATA1 is shown in Table 3:
Table 3
As shown in Table 3, the second data comprise the additional data and the transaction public key.
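The construction in step 104 and the server-side check listed in the summary (strip HEADER, recover Data0 with the protection public key, rebuild the transaction public key, recompute the hash of DATA1), as an added example that is not code from the patent. Tables 2 and 3 are not reproduced on this page, so the field widths, the 17-byte additional data layout, the 3-byte E, the function names and the toy textbook-RSA protection key (built from two Mersenne primes, no padding) are all assumptions made for illustration.

```python
import hashlib
import hmac

# Toy protection key pair (assumption): textbook RSA over two Mersenne primes.
P, Q, E_PROT = 2**521 - 1, 2**607 - 1, 65537
N_PROT = P * Q
D_PROT = pow(E_PROT, -1, (P - 1) * (Q - 1))
K = (N_PROT.bit_length() + 7) // 8           # modulus length in bytes

ADD_LEN, HASH_LEN, E_LEN = 17, 20, 3         # assumed field widths
FIRST_LEN = K - 1 - ADD_LEN - HASH_LEN       # bytes of N that fit inside Data0


def make_additional(shell: bytes, version: bytes = b"01", key_attr: int = 1) -> bytes:
    """Additional data: key length || certificate version || shell number || key attribute."""
    return K.to_bytes(2, "big") + version + shell + bytes([key_attr])


def device_sign(additional: bytes, txn_n: bytes, txn_e: bytes) -> bytes:
    """Device side: HEADER || PrivateKeyCalculate(Data0) || rest of N || E."""
    data1 = additional + txn_n + txn_e
    data0 = additional + txn_n[:FIRST_LEN] + hashlib.sha1(data1).digest()
    block = pow(int.from_bytes(data0, "big"), D_PROT, N_PROT).to_bytes(K, "big")
    return K.to_bytes(2, "big") + block + txn_n[FIRST_LEN:] + txn_e


def server_verify(sig: bytes, prot_n: int, prot_e: int):
    """Server side: return (N, E, additional) if the signature is valid, else None."""
    klen = (prot_n.bit_length() + 7) // 8
    # HEADER must match the protection public key taken from the birth certificate.
    if len(sig) < 2 + klen + E_LEN or int.from_bytes(sig[:2], "big") != klen:
        return None
    s = int.from_bytes(sig[2:2 + klen], "big")
    if s >= prot_n:
        return None
    try:
        data0 = pow(s, prot_e, prot_n).to_bytes(klen - 1, "big")
    except OverflowError:                     # recovered block is too large: forged
        return None
    additional = data0[:ADD_LEN]
    digest = data0[-HASH_LEN:]
    # First part of N comes from Data0, the remainder travels in the clear.
    txn_n = data0[ADD_LEN:-HASH_LEN] + sig[2 + klen:-E_LEN]
    txn_e = sig[-E_LEN:]
    data1 = additional + txn_n + txn_e
    if not hmac.compare_digest(hashlib.sha1(data1).digest(), digest):
        return None
    return txn_n, txn_e, additional


# Constructed sample values: a 12-digit shell number and a 128-byte stand-in for N.
ADDITIONAL = make_additional(b"520000000017")
TXN_N = bytes([0xC1]) + bytes(range(1, 128))
TXN_E = b"\x01\x00\x01"
SIG = device_sign(ADDITIONAL, TXN_N, TXN_E)

if __name__ == "__main__":
    print(server_verify(SIG, N_PROT, E_PROT) == (TXN_N, TXN_E, ADDITIONAL))
```

Because the part of N sent in the clear is covered only through the hash inside Data0, the hash comparison is the step that detects any change to it.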
105. The client generates the certificate request packet;
Specifically, a PKCS#10 (Public-Key Cryptography Standards) certificate request packet is produced, comprising: public key information, user information and some optional attribute information (such as the certificate usage);
Specifically, the steps for generating the certificate request packet are:
Reading the transaction public key information from the intelligent key device;
Generating a data packet containing the transaction public key information, user information and certificate usage information, and sending it to the intelligent key device;
Receiving the signature value produced when the transaction private key in the intelligent key device signs the data packet;
Combining the data packet and the signature value into a digital certificate request packet.
Specifically, the user submits the certificate download request through the online banking certificate download page displayed by the client.
Preferably, the client generates the PKCS#10 request by calling the req command;
Specifically, the req command is as follows:
openssl req [-inform PEM|DER] [-outform PEM|DER] [-in filename] [-passin arg] [-out filename] [-passout arg] [-text] [-pubkey] [-noout] [-verify] [-modulus] [-new] [-rand file(s)] [-newkey rsa:bits] [-newkey dsa:file] [-nodes] [-key filename] [-keyform PEM|DER] [-keyout filename] [-[md5|sha1|md2|mdc2]] [-config filename] [-subj arg] [-x509] [-days n] [-set_serial n] [-asn1-kludge] [-newhdr] [-extensions section] [-reqexts section] [-utf8] [-nameopt] [-batch] [-verbose] [-engine id]
The options of the req command are described as follows:
-inform PEM|DER: specifies whether the input format is DER or PEM;
-outform PEM|DER: specifies whether the output format is DER or PEM;
-in filename: specifies the input file name;
-text: prints the certificate request or the self-signed certificate information in text form;
-new: generates a certificate request and prompts the user for the values of certain fields; the fields prompted for by default, the maximum/minimum length limits and so on can be checked in /usr/share/ssl/openssl.cnf. If the -key option is not specified, a new private key is generated automatically, 1024 bits by default;
-newkey: creates a new certificate request and a new private key; the form is rsa:bits or dsa:filename. If the user does not specify the name of the generated private key file, privkey.pem is used by default when generating the certificate request. If the user does not specify the output file parameter (-out), the certificate request is printed to the screen. The file for the generated private key can be specified with -keyout;
-key: specifies the input private key;
-keyform: specifies whether the key format is PEM or DER; the default is PEM;
-keyout: writes the newly created private key to the specified file;
-nodes: indicates that the newly created private key is not encrypted;
-md5|sha1: specifies whether the digest algorithm used is md5 or sha1;
-config: specifies the configuration file; the default is /usr/share/ssl/openssl.cnf;
-subj arg: specifies the user information of the generated certificate request, or replaces it with the given argument when processing a certificate request. When generating a certificate request without this option, the user is prompted to enter each item of user information, such as country name and organization; with this option, the user does not need to enter it. For example: -subj /CN=chian/OU=test/O=abc/CN=forxy; attribute names must be uppercase;
-x509: generates a self-signed certificate rather than a certificate request; unless the -set_serial option is used, the serial number is 0;
-days: used together with the -x509 option; gives the validity period of the certificate, 30 days by default;
-set_serial: used together with -x509; sets the serial number of the certificate, which can be a decimal value or a hexadecimal value (starting with 0x). Negative values can be used but are not recommended;
-utf8: indicates that field values are interpreted as UTF8; the default is ASCII;
-batch: non-interactive mode;
-verbose: verbose mode.
For example, to call the req command to create a private key and generate a certificate request, the commands are as follows:
openssl genrsa -out key.pem 1024
openssl req -new -key key.pem -out req.pem
The same but just using req:
For example, to call the req command to generate a CSR (certificate request) file in PEM format and create a new private key (RSA algorithm, 1024 bit), saving the newly generated private key as the file key.pem, the command is as follows:
openssl req -newkey rsa:1024 -keyout key.pem -out req.pem
Generate a self signed root certificate:
106, the client obtains the birth certificate of the intelligent cipher key equipment;
Specifically, the client obtains the birth certificate of the intelligent cipher key equipment by calling the birth certificate acquisition interface;
Specifically, the birth certificate acquisition interface comprises: the management DLL interface cdecl GetIDValue and the control invocation interface HRESULT GetIDValue;
Wherein, the interface cdecl GetIDValue is defined as follows:
int __cdecl GetIDValue(char *strMediaID, char *strBirthID, int *nStrBirthID);
The parameters are described as follows:
strMediaID: input parameter, the shell number of the intelligent cipher key equipment.
strBirthID: output parameter, used to output the birth certificate information corresponding to the shell number strMediaID.
nStrBirthID: output parameter. When strBirthID is NULL, nStrBirthID returns the size of the buffer that should be allocated for strBirthID; when strBirthID has a value, it returns the actual length of strBirthID.
In this way, the client can obtain the birth certificate of the intelligent cipher key equipment with the specified shell number by calling the interface cdecl GetIDValue.
Wherein, the interface HRESULT GetIDValue is defined as follows:
HRESULT GetIDValue([IN] BSTR bstrType, [IN] BSTR bstrShellNum, [OUT, retval] BSTR *bstrID);
Parameter description:
bstrType: input parameter, the type number of the intelligent cipher key equipment.
bstrShellNum: input parameter, the shell number of the intelligent cipher key equipment, entered in a form similar to "52xxxxxxxxxx".
bstrID: output parameter, used to output the birth certificate information corresponding to the shell number bstrShellNum, in the Base64 form of the birth certificate.
In this way, the client can obtain the birth certificate of the intelligent cipher key equipment with the specified shell number by calling the control invocation interface.
107, after receiving the birth certificate information returned by the intelligent cipher key equipment, the client obtains the transaction public key signature;
Specifically, the client obtains the transaction public key signature by calling the transaction public key signature acquisition interface;
Specifically, the transaction public key signature interface comprises: the management DLL interface cdecl GetPubKeySignValue and the control invocation interface HRESULT GetPubKeySignValue;
Wherein, the interface cdecl GetPubKeySignValue is defined as follows:
int __cdecl GetPubKeySignValue(char *strMediaID, char *strSign, int *nStrSign);
Parameter description:
strMediaID: input parameter, the shell number of the intelligent cipher key equipment, entered in a form similar to "52xxxxxxxxxx".
strSign: output parameter, the signature value of the birth certificate's protection private key over the transaction public key.
nStrSign: output parameter. When strSign is NULL, this value is the size of the buffer that should be allocated for strSign; when strSign has a value, this value is the actual size of strSign.
In this way, the client can obtain the signature made over the transaction public key by the protection private key in the intelligent cipher key equipment by calling the interface cdecl GetPubKeySignValue.
The interface HRESULT GetPubKeySignValue is defined as follows:
HRESULT GetPubKeySignValue([IN] BSTR bstrType, [IN] BSTR bstrShellNum, [OUT, retval] BSTR *bstrSign);
Parameter description:
bstrType: input parameter, the type of the intelligent cipher key equipment.
bstrShellNum: input parameter, the shell number of the intelligent cipher key equipment, entered in a form similar to "52xxxxxxxxxx".
bstrSign: output parameter, the signature value of the birth certificate's private key over bPubKey.
In this way, the client can obtain the signature made over the transaction public key by the protection private key in the intelligent cipher key equipment by calling the interface HRESULT GetPubKeySignValue.
108, the client sends the obtained birth certificate, transaction public key signature and PKCS#10 certificate request packet to the server;
Further, the client can package the obtained transaction public key signature, birth certificate and PKCS#10 request data packet, and send the packaged result to the server.
It should be noted that, after receiving the PKCS#10 certificate request packet, the service end also verifies the signature value using the public key carried in the certificate request packet; if verification passes, the following operations continue; otherwise, an authentication error message is returned to the client.
109, the server judges whether the received birth certificate is valid; if it is valid, 110 is carried out; otherwise, 113 is carried out;
As mentioned in the description of the birth certificate: the one-level authorization key serves as the starting point of trust in the birth certificate of the intelligent cipher key equipment and is used to issue the birth certificate issuing key information; the birth certificate issuing key is used to sign the birth certificate. The birth certificate issuing key information comprises the key version, the issuing public key and the signature of the birth certificate issuing key; that signature is the signature made with the one-level authorization key (private key) over the birth certificate issuing key information (as described in Table 1). It follows that verifying whether the birth certificate is valid requires verifying both the signature of the birth certificate issuing key and the birth certificate signature, as follows:
Specifically, the server verifies whether the signature of the birth certificate issuing key is valid as follows: the signature of the birth certificate issuing key is processed with the one-level authorization key (public key) in the birth certificate, and the calculation result is compared with the issuing key information in the birth certificate; if they are consistent, the birth certificate issuing key is considered valid, that is, the birth certificate is valid; otherwise the birth certificate is invalid.
Specifically, the server verifies whether the birth certificate signature is valid as follows: the birth certificate signature is processed with the issuing public key in the birth certificate, and the calculation result is compared with the birth certificate information; if they are consistent, the signature is valid; otherwise it is invalid.
The code representation is as follows:
int VerifyBirthCert(string birthCert);
Parameter description:
birthCert: the birth certificate
110, the server verifies the received transaction public key signature; if verification passes, 111 is carried out; if verification fails, 113 is carried out;
Specifically, the part of the transaction public key signature that expresses the protection public key length is removed;
The signature value part (PrivateKeyCalculate(Data0)) of the transaction public key signature is processed with the protection public key in the received birth certificate, obtaining the first data;
The additional data in the first data is removed, obtaining the first preset length part of the transaction public key;
The obtained first preset length part of the transaction public key is concatenated with the remaining length part of the transaction public key in the transaction public key signature, obtaining the transaction public key;
The second data is assembled from the first data, and a hash operation is performed on the second data; the operation result is compared with the second data hash value in the first data; if they are consistent, the transaction public key signature is valid; if they are inconsistent, the transaction public key signature is invalid.
The code representation is as follows:
struct RstVfy
{
    int rst;
    string random;
    string n;
    string e;
};
RstVfy VerifyTransSign(string signedText);
Parameter description:
ProtectKey: the protection public key;
TradeKey: the transaction public key information;
signedText: the signature made over the transaction public key with the protection private key.
111, the server responds to the certificate download request, issues the certificate, and sends the certificate to the client;
112, the client writes the certificate into the intelligent cipher key equipment;
113, the server refuses to carry out the certificate download request and returns a transaction public key signature verification failure message to the client.
In this embodiment of the invention, the server verifies the validity of the birth certificate and of the transaction public key signature, which ensures that the certificate download request was sent by a legitimate intelligent cipher key equipment and thereby ensures the security of the certificate download.
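The server-side checks of steps 109 and 110, together with the device-side construction they undo, as an added Python example that is not code from the patent. Assumptions: unpadded textbook RSA over Mersenne-prime moduli stands in for the device's algorithm (toy keys only), the field sizes and the dict layout of the birth certificate are constructed, and the server compares the one-level authorization public key against its own pinned copy, whereas the page only says the key carried in the birth certificate is used.

```python
import hashlib

E = 65537
ADD_LEN, PREFIX_LEN, HASH_LEN = 16, 64, 32   # constructed field sizes, not from the page
FIRST_LEN = ADD_LEN + PREFIX_LEN + HASH_LEN

def toy_keypair(a, b):
    """Toy RSA pair from Mersenne primes 2**a-1 and 2**b-1: trivially factorable, demo only."""
    p, q = 2**a - 1, 2**b - 1
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))

def enc_pub(pub):
    n, e = pub
    return n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes(4, "big")

def sign(priv, data):
    """Unpadded hash-then-sign (toy stand-in for the real signature scheme)."""
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)

def verify(pub, data, sig):
    n, e = pub
    return 0 < sig < n and pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def cert_body(cert):
    return cert["shell"].encode() + enc_pub(cert["protect_pub"]) + enc_pub(cert["issue_pub"])

def make_birth_cert(auth_pub, auth_priv, issue_pub, issue_priv, shell, protect_pub):
    """Factory side: authorization key signs the issuing key, issuing key signs the body."""
    cert = {"shell": shell, "protect_pub": protect_pub, "auth_pub": auth_pub,
            "issue_pub": issue_pub, "issue_sig": sign(auth_priv, enc_pub(issue_pub))}
    cert["cert_sig"] = sign(issue_priv, cert_body(cert))
    return cert

def verify_birth_cert(cert, pinned_auth_pub):
    """Step 109: issuing-key signature first, then the birth certificate signature."""
    if cert["auth_pub"] != pinned_auth_pub:    # assumption: trust anchor is pinned server-side
        return False
    if not verify(cert["auth_pub"], enc_pub(cert["issue_pub"]), cert["issue_sig"]):
        return False
    return verify(cert["issue_pub"], cert_body(cert), cert["cert_sig"])

def sign_trans_pub(protect_priv, additional, trans_pub):
    """Device side: protection key length || sign(first data) || remaining part of trans_pub."""
    n, d = protect_priv
    k = (n.bit_length() + 7) // 8
    second = additional + trans_pub
    first = additional + trans_pub[:PREFIX_LEN] + hashlib.sha256(second).digest()
    sig = pow(int.from_bytes(first, "big"), d, n)
    return k.to_bytes(2, "big") + sig.to_bytes(k, "big") + trans_pub[PREFIX_LEN:]

def verify_trans_sig(cert, trans_sig):
    """Step 110: return the recovered transaction public key, or None if the signature is invalid."""
    n, e = cert["protect_pub"]
    k = (n.bit_length() + 7) // 8
    if len(trans_sig) < 2 + k or int.from_bytes(trans_sig[:2], "big") != k:
        return None                            # length field missing or inconsistent
    sig, rest = int.from_bytes(trans_sig[2:2 + k], "big"), trans_sig[2 + k:]
    if sig >= n:
        return None
    try:
        first = pow(sig, e, n).to_bytes(FIRST_LEN, "big")   # recover the first data
    except OverflowError:
        return None                            # recovered value is not a well-formed first data
    additional, prefix = first[:ADD_LEN], first[ADD_LEN:ADD_LEN + PREFIX_LEN]
    trans_pub = prefix + rest                  # rebuild the full transaction public key
    if hashlib.sha256(additional + trans_pub).digest() != first[-HASH_LEN:]:
        return None                            # second data hash mismatch
    return trans_pub

# Constructed sample data: three toy key pairs and an opaque 128-byte "transaction public key".
AUTH_PUB, AUTH_PRIV = toy_keypair(607, 1279)
ISSUE_PUB, ISSUE_PRIV = toy_keypair(521, 1279)
PROT_PUB, PROT_PRIV = toy_keypair(521, 607)
TRANS_PUB = bytes(range(128))
ADDITIONAL = b"52xxxxxxxxxx".ljust(ADD_LEN, b"\0")
CERT = make_birth_cert(AUTH_PUB, AUTH_PRIV, ISSUE_PUB, ISSUE_PRIV, "52xxxxxxxxxx", PROT_PUB)
TRANS_SIG = sign_trans_pub(PROT_PRIV, ADDITIONAL, TRANS_PUB)

if __name__ == "__main__":
    print("birth certificate valid:", verify_birth_cert(CERT, AUTH_PUB))
    print("transaction key recovered:", verify_trans_sig(CERT, TRANS_SIG) == TRANS_PUB)
```

Because part of the transaction public key travels outside the signed block, the hash comparison at the end of `verify_trans_sig` is what binds that trailing part to the device's protection key.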
Embodiment 2
This embodiment provides a system for securely downloading a certificate; referring to Fig. 2, it comprises: intelligent cipher key equipment 20, client 21 and service end 22; the functions of each device are as follows:
The intelligent cipher key equipment 20 comprises:
Storage unit 200, used to store the birth certificate, the protection private key and the certificate, wherein the birth certificate and the protection private key are both generated and saved when the intelligent cipher key equipment leaves the factory;
Specifically, the birth certificate comprises: type number, birth certificate version information, birth certificate timestamp, shell number, protection public key, one-level authorization key, birth certificate issuing key information and birth certificate signature; for the explanation of each item of the birth certificate, refer to the related description in Embodiment 1, which is not repeated here;
It should be noted that when the intelligent cipher key equipment generates the protection private key before leaving the factory, the protection public key is generated at the same time;
Key generation unit 201, used to generate the transaction public key and the transaction private key;
It should be noted that, when generating the transaction public key, the key generation unit 201 also generates the transaction private key, which is used to sign transaction information during a transaction.
Signature unit 202, used to sign the transaction public key generated by the key generation unit 201 with the protection private key stored in the storage unit 200, obtaining the transaction public key signature;
Specifically, the signature unit 202 comprises:
Signature module 2020, used to sign the first data with the protection private key stored in the storage unit 200, obtaining the signature value; the first data comprises: additional data, the first preset length part of the transaction public key, and the second data hash value; the second data comprises: the additional data and the transaction public key; for a detailed description of the first data and the second data, refer to the related description in Embodiment 1, which is not repeated here.
Concatenation module 2021, used to concatenate the protection public key length, the signature value calculated by the signature module 2020 and the remaining length part of the transaction public key, obtaining the transaction public key signature.
Certificate writing unit 203, used to write the downloaded certificate into the storage unit;
Sending unit 204, used to return the certificate and the transaction public key signature to the client 21.
The client 21 comprises:
Receiving unit 210, used to receive the certificate download request entered by the user, and the certificate issued by the service end 22;
Certificate request generation unit 211, used to generate a certificate request when the receiving unit 210 receives the certificate download request; specifically, it is used to generate a PKCS#10 certificate request;
Specifically, the PKCS#10 certificate request comprises: the transaction public key, user information and some optional attribute information;
First interface unit 212, used to obtain the birth certificate of the intelligent cipher key equipment;
Specifically, the first interface unit 212 is the management DLL interface cdecl GetIDValue or the control invocation interface HRESULT GetIDValue;
For the explanation of the management DLL interface cdecl GetIDValue and the control invocation interface HRESULT GetIDValue, refer to the related description in Embodiment 1, which is not repeated here;
Second interface unit 213, used to obtain the transaction public key signature of the intelligent cipher key equipment;
Specifically, the second interface unit 213 is the management DLL interface cdecl GetPubKeySignValue or the control invocation interface HRESULT GetPubKeySignValue;
For the explanation of the management DLL interface cdecl GetPubKeySignValue and the control invocation interface HRESULT GetPubKeySignValue, refer to the related description in Embodiment 1, which is not repeated here;
Sending unit 214, used to send to the service end 22 the certificate request packet generated by the certificate request generation unit 211, the birth certificate obtained by the first interface unit 212 and the transaction public key signature obtained by the second interface unit 213;
The service end 22 comprises:
Receiving unit 220, used to receive the certificate request packet, the birth certificate and the transaction public key signature sent by the client sending unit 214;
Birth certificate verification unit 221, used to verify whether the birth certificate received by the receiving unit 220 is valid;
It specifically comprises:
First judging module 2210, used to judge whether the birth certificate issuing key information in the birth certificate is valid;
Specifically, the server verifies whether the birth certificate issuing key information is valid as follows: the signature of the birth certificate issuing key information is processed with the authorization public key in the one-level authorization key information in the birth certificate, and the calculation result is compared with the birth certificate issuing key information in the birth certificate; if they are consistent, the birth certificate issuing key information is valid; otherwise the birth certificate issuing key information is invalid.
Second judging module 2211, used to judge whether the birth certificate signature in the birth certificate is valid;
Specifically, the service end verifies whether the birth certificate signature is valid as follows: the birth certificate signature is processed with the issuing public key in the birth certificate issuing key information of the received birth certificate, and the calculation result is compared with the received birth certificate information; if they are consistent, the birth certificate signature is valid; otherwise the birth certificate signature is invalid.
Transaction public key verification unit 222, used to verify, after the birth certificate verification unit 211 has verified that the birth certificate information is valid, whether the transaction public key signature received by the receiving unit 220 is valid;
It specifically comprises:
First processing module 2220, used to remove the part of the transaction public key signature that expresses the protection public key length;
First calculation module 2221, used to process the signature value part of the transaction public key signature with the protection public key in the received birth certificate, obtaining the first data;
Second processing module 2222, used to remove the additional data in the first data, obtaining the first preset length part of the transaction public key;
First concatenation module 2223, used to concatenate the first preset length part of the transaction public key obtained by the second processing module with the remaining length part of the transaction public key in the transaction public key signature, obtaining the transaction public key; this transaction public key is the real transaction public key generated in the intelligent cipher key equipment;
Second concatenation module 2224, used to assemble the second data from the first data;
Second calculation module 2225, which performs a hash operation on the second data using the same hash algorithm as was used for the second data hash value in the first data;
Comparison module 2226, used to compare the hash value obtained by the second calculation module with the second data hash value in the first data; if they are consistent, the transaction public key signature is valid; if they are inconsistent, the transaction public key signature is invalid.
Certificate issuing unit 223, used to issue a certificate after the transaction public key verification unit 222 has verified that the transaction public key signature information is valid;
Sending unit 224, used to send the certificate issued by the certificate issuing unit 223 to the client;
The server verifies the validity of the birth certificate and of the transaction public key signature, which ensures that the certificate download request was sent by a legitimate intelligent cipher key equipment and thereby ensures the security of the certificate download.
The above is only a specific embodiment of the present invention, but the protection scope of the present invention is not limited thereto; any variation or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be determined by the protection scope of the claims.
Claims (19)
1. A method for securely downloading a certificate, characterized in that the method comprises:
The intelligent cipher key equipment establishes a connection with the client;
After receiving the certificate download request submitted by the user, the client issues to the intelligent cipher key equipment an instruction to generate a transaction key pair;
The intelligent cipher key equipment generates a transaction public key and a transaction private key according to a built-in key generation algorithm, and signs the transaction public key with the protection private key it stores, obtaining the transaction public key signature;
The client generates a certificate request data packet;
The client obtains the birth certificate stored in the intelligent cipher key equipment and the transaction public key signature, and sends the birth certificate, the transaction public key signature and the certificate request data packet to the service end;
The service end judges whether the received birth certificate is valid; if it is invalid, it returns an authentication error message to the client; if it is valid, it judges whether the transaction public key signature is valid; if that is invalid, it returns an authentication error message to the client; if it is valid, it issues a certificate and sends the certificate to the client;
The client writes the certificate into the intelligent cipher key equipment.
2. The method according to claim 1, characterized in that the step in which the client generates the certificate request data packet is specifically:
Reading the transaction public key information in the intelligent cipher key equipment;
Generating a data packet containing the transaction public key information, user information and certificate usage information, and sending it to the intelligent cipher key equipment;
Receiving the signature value produced when the transaction private key in the intelligent cipher key equipment signs the data packet;
Combining the data packet and the signature value to generate a digital certificate request data packet.
3. The method according to claim 2, characterized in that the method further comprises: after receiving the certificate request data packet, the service end verifies the signature value with the transaction public key carried in the certificate request data packet.
4. The method according to claim 1, characterized in that the intelligent cipher key equipment signs the transaction public key with the protection private key it stores immediately after generating the transaction public key according to the built-in key generation algorithm;
Or
The intelligent cipher key equipment signs the transaction public key with the protection private key it stores after receiving an instruction, issued by the client, to sign the transaction public key.
5. The method according to claim 1, characterized in that the intelligent cipher key equipment signing the transaction public key with the protection private key it stores comprises:
The intelligent cipher key equipment signs the first data with the protection private key it stores, obtaining the first data signature value; the first data comprises: additional data, the first preset length part of the transaction public key, and the second data hash value; the second data comprises: the additional data and the transaction public key;
The protection public key length, the first data signature value and the remaining length part of the transaction public key are concatenated, obtaining the transaction public key signature.
6. The method according to claim 5, characterized in that the additional data comprises the protection public key length, the birth certificate version, the shell number of the intelligent cipher key equipment, and the key attribute.
7. The method according to claim 1, characterized in that the birth certificate comprises: the type number of the intelligent cipher key equipment, birth certificate version information, birth certificate timestamp, the shell number of the intelligent cipher key equipment, the protection public key, one-level authorization key information, birth certificate issuing key information and the birth certificate signature.
8. The method according to claim 7, characterized in that the one-level authorization key is the starting point of trust when authenticating the intelligent cipher key equipment;
The birth certificate issuing key is issued by the one-level authorization key and is used to sign the birth certificate.
9. The method according to claim 8, characterized in that the one-level authorization key information comprises: the authorization key version and the authorization public key;
The birth certificate issuing key information comprises: the birth certificate issuing key version, the issuing public key and the signature of the birth certificate issuing key information;
Wherein, the signature of the birth certificate issuing key information is obtained by signing the birth certificate issuing key information with the authorization private key.
10. The method according to claim 9, characterized in that the service end judging whether the received birth certificate is valid comprises:
The service end judges whether the birth certificate issuing key information in the received birth certificate is valid; if it is invalid, the birth certificate is judged invalid; if it is valid, the service end judges whether the birth certificate signature in the birth certificate is valid; if that is valid, the birth certificate is judged valid; if it is invalid, the birth certificate is judged invalid.
11. The method according to claim 10, characterized in that the service end judging whether the birth certificate issuing key information in the received birth certificate is valid comprises:
The client processes the signature of the birth certificate issuing key information with the authorization public key in the one-level authorization key information in the birth certificate, and compares whether the calculation result is consistent with the birth certificate issuing key information in the birth certificate; if they are consistent, the birth certificate issuing key information is valid; otherwise the birth certificate issuing key information is invalid.
12. The method according to claim 10, characterized in that judging whether the birth certificate signature in the birth certificate is valid comprises:
The service end processes the birth certificate signature with the issuing public key in the birth certificate issuing key information of the received birth certificate, and compares whether the calculation result is consistent with the birth certificate information; if they are consistent, the birth certificate signature is valid; otherwise the birth certificate signature is invalid.
13. The method according to claim 5, characterized in that judging whether the transaction public key signature is valid comprises:
The part of the transaction public key signature that expresses the protection public key length is removed;
The first data signature value part of the transaction public key signature is processed with the protection public key in the received birth certificate, obtaining the first data;
The additional data in the first data is removed, obtaining the first preset length part of the transaction public key;
The first preset length part of the transaction public key is concatenated with the remaining length part of the transaction public key in the transaction public key signature, obtaining the transaction public key;
The second data is assembled from the first data, and a hash operation is performed on the second data; the operation result is compared with the second data hash value in the first data; if they are consistent, the transaction public key signature is valid; if they are inconsistent, the transaction public key signature is invalid.
14. A system for securely downloading a certificate, characterized in that the system comprises: intelligent cipher key equipment, a client and a service end;
The intelligent cipher key equipment comprises:
A storage unit, used to store the birth certificate, the protection private key and the certificate;
A key generation unit, used to generate the transaction public key and the transaction private key according to a built-in key generation algorithm;
A signature unit, used to sign the transaction public key generated by the key generation unit with the protection private key stored in the storage unit;
A certificate writing unit, used to write the certificate into the storage unit;
A sending unit, used to return the certificate and the transaction public key signature to the client.
The client comprises:
A receiving unit, used to receive the certificate download request entered by the user, and the certificate sent by the sending unit of the service end;
A certificate request generation unit, used to generate a certificate request data packet when the receiving unit receives the certificate download request;
A first interface unit, used to obtain the birth certificate of the intelligent cipher key equipment;
A second interface unit, used to obtain the transaction public key signature of the intelligent cipher key equipment;
A sending unit, used to send to the service end the certificate request packet generated by the certificate request generation unit, the birth certificate obtained by the first interface unit and the transaction public key signature obtained by the second interface unit;
The service end comprises:
A receiving unit, used to receive the birth certificate and the transaction public key signature sent by the client sending unit;
A birth certificate verification unit, used to verify whether the birth certificate received by the receiving unit is valid;
A transaction public key verification unit, used to verify, after the first verification unit has verified that the birth certificate is valid, whether the transaction public key signature received by the receiving unit is valid;
A certificate issuing unit, used to issue a certificate after the second verification unit has verified that the transaction public key signature is valid;
A sending unit, used to send the certificate issued by the certificate issuing unit to the client.
15. system according to claim 14 is characterized in that, described signature unit comprises:
Signature blocks, be used for first data being signed according to the protection private key of cell stores, obtain the first data signature value, described first data comprise: additional data, transaction PKI first preset length part, the second data cryptographic Hash, and described second data comprise: described additional data and transaction PKI;
Concatenation module is used for protection PKI length, described signature value and transaction PKI residue length are partly spliced, and obtains the public key signature of concluding the business.
16. The system according to claim 14, characterized in that the birth certificate authentication unit comprises:
A first judging module, configured to judge whether the birth certificate issuing key information in the birth certificate is legal;
A second judging module, configured to judge whether the birth certificate signature in the birth certificate is legal.
17. The system according to claim 16, characterized in that judging whether the birth certificate issuing key information in the birth certificate is legal comprises:
The service end uses the authorization public key in the first-level authorization key information in the birth certificate to perform a calculation on the signature of the birth certificate issuing key information, and checks whether the result of the calculation is consistent with the birth certificate issuing key information in the birth certificate; if it is consistent, the birth certificate issuing key information is legal; otherwise the birth certificate issuing key information is illegal.
18. The system according to claim 16, characterized in that judging whether the birth certificate signature in the birth certificate is legal comprises:
The service end uses the issuing public key in the birth certificate issuing key information of the received birth certificate to perform a calculation on the birth certificate signature, and checks whether the result of the calculation is consistent with the received birth certificate information; if it is consistent, the birth certificate signature is legal; otherwise the birth certificate signature is illegal.
19. The system according to claim 14, characterized in that the transaction public key verification unit comprises:
A first processing module, configured to remove from the transaction public key signature the part that expresses the protection public key length;
A first computing module, configured to perform a calculation on the first data signature value part of the transaction public key signature using the protection public key in the received birth certificate, to obtain the first data;
A second processing module, configured to remove the additional data from the first data to obtain the first-preset-length part of the transaction public key;
A first concatenation module, configured to concatenate the first-preset-length part of the transaction public key obtained by the second processing module with the remaining-length part of the transaction public key carried in the transaction public key signature, to obtain the transaction public key;
A second concatenation module, configured to assemble the second data from the first data;
A second computing module, configured to perform a hash operation on the second data;
A comparison module, configured to compare the hash value obtained by the second computing module with the hash value of the second data contained in the first data; if they are consistent, the transaction public key signature is legal; if they are inconsistent, the transaction public key signature is illegal.
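The signature layout of claim 15 and the verification steps of claim 19, worked through as an added example that is not part of the patent text. Assumptions, none of them from the patent: textbook RSA with a constructed toy key stands in for the device's protection key pair, SHA-256 is the hash, the length field is 2 bytes, and the `ADD` value and all function names are hypothetical.

```python
import hashlib
import hmac

# Constructed demo key (product of two Mersenne primes): reproducible, NOT secure.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # stands in for the protection private key
K = (N.bit_length() + 7) // 8          # protection public key length in bytes (141)
ADD = b"\x00\x01DEMO"                  # hypothetical "additional data"; leading 0x00 keeps first data < N
HLEN = hashlib.sha256().digest_size
HEAD = K - len(ADD) - HLEN             # "first preset length" of the transaction public key


def sign_transaction_key(tx_pub: bytes) -> bytes:
    """Claim 15: length || Sign(first data) || remaining part of tx_pub."""
    if len(tx_pub) < HEAD:
        raise ValueError("transaction public key shorter than the preset length")
    head, rest = tx_pub[:HEAD], tx_pub[HEAD:]
    second = ADD + tx_pub                                   # second data
    first = ADD + head + hashlib.sha256(second).digest()    # first data, exactly K bytes
    sig = pow(int.from_bytes(first, "big"), D, N).to_bytes(K, "big")
    return K.to_bytes(2, "big") + sig + rest


def verify_transaction_key(blob: bytes):
    """Claim 19: return the recovered transaction public key, or None if invalid."""
    if len(blob) < 2 + K or int.from_bytes(blob[:2], "big") != K:
        return None                                         # bad or missing length field
    sig, rest = blob[2:2 + K], blob[2 + K:]
    s = int.from_bytes(sig, "big")
    if s >= N:
        return None                                         # not a valid RSA input
    first = pow(s, E, N).to_bytes(K, "big")                 # recover first data
    if first[:len(ADD)] != ADD:
        return None                                         # additional data must match exactly
    head, digest = first[len(ADD):-HLEN], first[-HLEN:]
    tx_pub = head + rest                                    # splice the two key parts
    expected = hashlib.sha256(ADD + tx_pub).digest()        # hash of the rebuilt second data
    return tx_pub if hmac.compare_digest(expected, digest) else None


# Constructed sample: a 128-byte value standing in for a transaction public key.
SAMPLE_TX_PUB = bytes(range(1, 129))

if __name__ == "__main__":
    blob = sign_transaction_key(SAMPLE_TX_PUB)
    print(len(blob), verify_transaction_key(blob) == SAMPLE_TX_PUB)
    print(verify_transaction_key(blob[:-1] + b"\x00"))      # tampered tail is rejected
```

The remaining-length part of the key travels outside the signed block, so the final hash comparison is the only step that binds it to the signature; a verifier that skipped it would accept any tail.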
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2010105232613A CN101977193B (en) | 2010-10-28 | 2010-10-28 | Method and system for safely downloading certificate |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2010105232613A CN101977193B (en) | 2010-10-28 | 2010-10-28 | Method and system for safely downloading certificate |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101977193A true CN101977193A (en) | 2011-02-16 |
CN101977193B CN101977193B (en) | 2013-11-13 |
Family
ID=43577038
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2010105232613A Active CN101977193B (en) | 2010-10-28 | 2010-10-28 | Method and system for safely downloading certificate |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101977193B (en) |
Cited By (25)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102761420A (en) * | 2012-08-08 | 2012-10-31 | 飞天诚信科技股份有限公司 | Security certification method |
CN102932343A (en) * | 2012-10-26 | 2013-02-13 | 飞天诚信科技股份有限公司 | Method and device for downloading digital certificate |
CN103078746A (en) * | 2013-02-07 | 2013-05-01 | 飞天诚信科技股份有限公司 | Generation method for data packet |
CN103516524A (en) * | 2013-10-21 | 2014-01-15 | 北京旋极信息技术股份有限公司 | Security authentication method and system |
CN104348792A (en) * | 2013-07-30 | 2015-02-11 | 阿里巴巴集团控股有限公司 | Data processing method, device and system |
CN104836671A (en) * | 2015-05-15 | 2015-08-12 | 安一恒通(北京)科技有限公司 | Inspection method and inspection device for adding digital certificate |
CN105141420A (en) * | 2015-07-29 | 2015-12-09 | 飞天诚信科技股份有限公司 | Method, device and server for securely introducing and issuing certificates |
CN106411504A (en) * | 2015-07-31 | 2017-02-15 | 腾讯科技(深圳)有限公司 | Data encryption system, method and apparatus |
CN106603238A (en) * | 2015-10-20 | 2017-04-26 | 飞天诚信科技股份有限公司 | Multi-digital-certificate issuing system and equipment, and working methods thereof |
CN107612697A (en) * | 2017-10-20 | 2018-01-19 | 阿里巴巴集团控股有限公司 | Applying digital certificate method and apparatus |
CN107864038A (en) * | 2017-10-25 | 2018-03-30 | 中国平安人寿保险股份有限公司 | Certificate management method, device, equipment and computer-readable recording medium |
CN107948182A (en) * | 2017-12-06 | 2018-04-20 | 上海格尔安全科技有限公司 | A kind of WEB application configuration file tamper resistant method based on PKI |
CN108900305A (en) * | 2018-06-28 | 2018-11-27 | 公安部第三研究所 | More certificate issuances and verification method based on intelligent and safe chip |
CN108989325A (en) * | 2018-08-03 | 2018-12-11 | 华数传媒网络有限公司 | Encryption communication method, apparatus and system |
CN109039597A (en) * | 2017-06-08 | 2018-12-18 | 佳能株式会社 | Information processing unit, the control method and storage medium for controlling information processing unit |
CN109150548A (en) * | 2015-12-01 | 2019-01-04 | 神州融安科技(北京)有限公司 | A kind of digital certificate signature, sign test method and system, digital certificate system |
CN109886011A (en) * | 2018-12-28 | 2019-06-14 | 北京思源互联科技有限公司 | A kind of safety protecting method and device |
CN109981278A (en) * | 2017-12-28 | 2019-07-05 | 中国移动通信集团辽宁有限公司 | Applying digital certificate method, system, subscriber identification card, equipment and medium |
CN110138562A (en) * | 2018-02-09 | 2019-08-16 | 腾讯科技(北京)有限公司 | The certificate issuance method, apparatus and system of smart machine |
CN111414638A (en) * | 2020-04-23 | 2020-07-14 | 飞天诚信科技股份有限公司 | Method and device for realizing distinguishing key generation mode |
CN111641502A (en) * | 2020-06-01 | 2020-09-08 | 中国农业银行股份有限公司 | Electronic certificate downloading method and device based on super counter |
CN111953496A (en) * | 2015-12-21 | 2020-11-17 | 万事达卡国际股份有限公司 | Method and system for blockchain variants using digital signatures |
CN112487391A (en) * | 2020-11-27 | 2021-03-12 | 交通银行股份有限公司 | Certificate pre-planting system and method thereof |
CN112529574A (en) * | 2020-11-19 | 2021-03-19 | 北京握奇智能科技有限公司 | Protection method for certificate of intelligent password equipment and intelligent password equipment |
CN113676330A (en) * | 2021-08-10 | 2021-11-19 | 上海瓶钵信息科技有限公司 | Digital certificate application system and method based on secondary key |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
AU2002330834A1 (en) * | 2002-08-30 | 2004-04-23 | Agency For Science, Technology And Research | Public key cryptography and a framework therefor |
CN101340285A (en) * | 2007-07-05 | 2009-01-07 | 杭州中正生物认证技术有限公司 | Method and system for identity authentication by finger print USBkey |
CN101527633A (en) * | 2008-12-31 | 2009-09-09 | 北京飞天诚信科技有限公司 | System and method for intelligent key devices to obtain digital certificates |
CN101527714A (en) * | 2008-12-31 | 2009-09-09 | 北京飞天诚信科技有限公司 | Method, device and system for accreditation |
CN101527630A (en) * | 2008-12-31 | 2009-09-09 | 北京飞天诚信科技有限公司 | Method, server and system for manufacturing certificate remotely |
Non-Patent Citations (1)
Title |
---|
Zhang Yanyan: "Design and Implementation of a Certificate Authentication System in E-Commerce", China Master's Theses Full-text Database, no. 3, 15 September 2007 (2007-09-15) * |
Cited By (44)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102761420A (en) * | 2012-08-08 | 2012-10-31 | 飞天诚信科技股份有限公司 | Security certification method |
CN102761420B (en) * | 2012-08-08 | 2014-10-29 | 飞天诚信科技股份有限公司 | Security certification method |
CN102932343A (en) * | 2012-10-26 | 2013-02-13 | 飞天诚信科技股份有限公司 | Method and device for downloading digital certificate |
CN102932343B (en) * | 2012-10-26 | 2015-01-14 | 飞天诚信科技股份有限公司 | Method and device for downloading digital certificate |
CN103078746A (en) * | 2013-02-07 | 2013-05-01 | 飞天诚信科技股份有限公司 | Generation method for data packet |
CN103078746B (en) * | 2013-02-07 | 2015-06-17 | 飞天诚信科技股份有限公司 | Generation method for data packet |
CN104348792B (en) * | 2013-07-30 | 2018-06-19 | 阿里巴巴集团控股有限公司 | Data processing method, device and system |
CN104348792A (en) * | 2013-07-30 | 2015-02-11 | 阿里巴巴集团控股有限公司 | Data processing method, device and system |
CN103516524A (en) * | 2013-10-21 | 2014-01-15 | 北京旋极信息技术股份有限公司 | Security authentication method and system |
CN104836671A (en) * | 2015-05-15 | 2015-08-12 | 安一恒通(北京)科技有限公司 | Inspection method and inspection device for adding digital certificate |
CN105141420A (en) * | 2015-07-29 | 2015-12-09 | 飞天诚信科技股份有限公司 | Method, device and server for securely introducing and issuing certificates |
CN105141420B (en) * | 2015-07-29 | 2018-09-25 | 飞天诚信科技股份有限公司 | A kind of importing, the method for grant a certificate, equipment and server safely |
CN106411504A (en) * | 2015-07-31 | 2017-02-15 | 腾讯科技(深圳)有限公司 | Data encryption system, method and apparatus |
CN106411504B (en) * | 2015-07-31 | 2020-10-09 | 腾讯科技(深圳)有限公司 | Data encryption system, method and device |
CN106603238B (en) * | 2015-10-20 | 2019-06-18 | 飞天诚信科技股份有限公司 | A kind of multi-digital certificate signs and issues system, certificate management end, issue apparatus and its working method |
CN106603238A (en) * | 2015-10-20 | 2017-04-26 | 飞天诚信科技股份有限公司 | Multi-digital-certificate issuing system and equipment, and working methods thereof |
CN109150548B (en) * | 2015-12-01 | 2021-10-08 | 神州融安科技(北京)有限公司 | Digital certificate signing and signature checking method and system and digital certificate system |
CN109150548A (en) * | 2015-12-01 | 2019-01-04 | 神州融安科技(北京)有限公司 | A kind of digital certificate signature, sign test method and system, digital certificate system |
CN111953496B (en) * | 2015-12-21 | 2024-04-02 | 万事达卡国际股份有限公司 | Method and system for blockchain modification using digital signatures |
CN111953496A (en) * | 2015-12-21 | 2020-11-17 | 万事达卡国际股份有限公司 | Method and system for blockchain variants using digital signatures |
US11212116B2 (en) | 2017-06-08 | 2021-12-28 | Canon Kabushiki Kaisha | Information processing apparatus, control method for controlling information processing apparatus, and storage medium |
CN109039597A (en) * | 2017-06-08 | 2018-12-18 | 佳能株式会社 | Information processing unit, the control method and storage medium for controlling information processing unit |
CN107612697A (en) * | 2017-10-20 | 2018-01-19 | 阿里巴巴集团控股有限公司 | Applying digital certificate method and apparatus |
US11106775B2 (en) | 2017-10-20 | 2021-08-31 | Advanced New Technologies Co., Ltd. | Digital certificate application |
CN107612697B (en) * | 2017-10-20 | 2020-04-14 | 阿里巴巴集团控股有限公司 | Digital certificate application method and device |
US11106776B2 (en) | 2017-10-20 | 2021-08-31 | Advanced New Technologies Co., Ltd. | Digital certificate application |
CN107864038A (en) * | 2017-10-25 | 2018-03-30 | 中国平安人寿保险股份有限公司 | Certificate management method, device, equipment and computer-readable recording medium |
CN107948182B (en) * | 2017-12-06 | 2021-03-19 | 上海格尔安全科技有限公司 | WEB application configuration file tamper-proof method based on PKI |
CN107948182A (en) * | 2017-12-06 | 2018-04-20 | 上海格尔安全科技有限公司 | A kind of WEB application configuration file tamper resistant method based on PKI |
CN109981278A (en) * | 2017-12-28 | 2019-07-05 | 中国移动通信集团辽宁有限公司 | Applying digital certificate method, system, subscriber identification card, equipment and medium |
CN110138562A (en) * | 2018-02-09 | 2019-08-16 | 腾讯科技(北京)有限公司 | The certificate issuance method, apparatus and system of smart machine |
CN110138562B (en) * | 2018-02-09 | 2023-05-26 | 腾讯科技(北京)有限公司 | Certificate issuing method, device and system of intelligent equipment |
CN108900305B (en) * | 2018-06-28 | 2021-06-04 | 公安部第三研究所 | Multi-certificate issuing and verifying method based on intelligent security chip |
CN108900305A (en) * | 2018-06-28 | 2018-11-27 | 公安部第三研究所 | More certificate issuances and verification method based on intelligent and safe chip |
CN108989325A (en) * | 2018-08-03 | 2018-12-11 | 华数传媒网络有限公司 | Encryption communication method, apparatus and system |
CN109886011A (en) * | 2018-12-28 | 2019-06-14 | 北京思源互联科技有限公司 | A kind of safety protecting method and device |
CN109886011B (en) * | 2018-12-28 | 2021-02-12 | 北京思源理想控股集团有限公司 | Safety protection method and device |
CN111414638B (en) * | 2020-04-23 | 2023-03-24 | 飞天诚信科技股份有限公司 | Method and device for realizing distinguishing key generation mode |
CN111414638A (en) * | 2020-04-23 | 2020-07-14 | 飞天诚信科技股份有限公司 | Method and device for realizing distinguishing key generation mode |
CN111641502A (en) * | 2020-06-01 | 2020-09-08 | 中国农业银行股份有限公司 | Electronic certificate downloading method and device based on super counter |
CN112529574A (en) * | 2020-11-19 | 2021-03-19 | 北京握奇智能科技有限公司 | Protection method for certificate of intelligent password equipment and intelligent password equipment |
CN112487391A (en) * | 2020-11-27 | 2021-03-12 | 交通银行股份有限公司 | Certificate pre-planting system and method thereof |
CN113676330A (en) * | 2021-08-10 | 2021-11-19 | 上海瓶钵信息科技有限公司 | Digital certificate application system and method based on secondary key |
CN113676330B (en) * | 2021-08-10 | 2023-08-01 | 上海瓶钵信息科技有限公司 | Digital certificate application system and method based on secondary secret key |
Also Published As
Publication number | Publication date |
---|---|
CN101977193B (en) | 2013-11-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN101977193B (en) | Method and system for safely downloading certificate | |
CN103905207B (en) | Method and system for unifying APK signature | |
US11888974B1 (en) | Secret sharing information management and security system | |
JP3858527B2 (en) | Data generation apparatus, data verification apparatus and method | |
EP2999156B1 (en) | Device authenticity determination system and device authenticity determination method | |
CN104537293B (en) | Authenticating device and system | |
CN102594558B (en) | Anonymous digital certificate system and verification method of trustable computing environment | |
EP2302834B1 (en) | System and method for providing credentials | |
CN107786550B (en) | A kind of safety communicating method of self-service device, safe communication system and self-service device | |
US8522014B2 (en) | Method and system for storing a key in a remote security module | |
CA3164765A1 (en) | Secure communication method and device based on identity authentication | |
CN106341493A (en) | Entity rights oriented digitalized electronic contract signing method | |
CN105635049A (en) | Anti-counterfeit tax control method and device based on client identifier password | |
CN111131278A (en) | Data processing method and device, computer storage medium and electronic equipment | |
US20130039495A1 (en) | Secure key management | |
CN107888379A (en) | A kind of method of secure connection, POS terminal and code keypad | |
CN106790045A (en) | One kind is based on cloud environment distributed virtual machine broker architecture and data integrity support method | |
CN108011719A (en) | A kind of endorsement method, device and digital signature system | |
CN109039656A (en) | SM9 Combination with Digital endorsement method, device and computer equipment | |
CN105281910A (en) | Internet of things lock with CA digital certificate serving as network access identity identifier and network access identity identification method | |
CN104012036A (en) | Combined digital certificate | |
CN113536329A (en) | Electronic device for cryptographic communication and cryptographic communication system | |
CN111654371A (en) | Trusted computing-based hybrid encryption secure data transmission method | |
CN101639957A (en) | Method and terminal for realizing loading or unloading as well as banking system | |
CN104735064A (en) | Safety revocation and updating method for identification in identification password system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CP03 | Change of name, title or address | ||
CP03 | Change of name, title or address |
Address after: 17th floor, building B, Huizhi building, No.9, Xueqing Road, Haidian District, Beijing 100085 Patentee after: Feitian Technologies Co.,Ltd. Country or region after: China Address before: 100085 17th floor, block B, Huizhi building, No.9 Xueqing Road, Haidian District, Beijing Patentee before: Feitian Technologies Co.,Ltd. Country or region before: China |