CN101977193B - Method and system for safely downloading certificate - Google Patents
Method and system for safely downloading certificate Download PDFInfo
- Publication number
- CN101977193B CN101977193B CN2010105232613A CN201010523261A CN101977193B CN 101977193 B CN101977193 B CN 101977193B CN 2010105232613 A CN2010105232613 A CN 2010105232613A CN 201010523261 A CN201010523261 A CN 201010523261A CN 101977193 B CN101977193 B CN 101977193B
- Authority
- CN
- China
- Prior art keywords
- certificate
- birth certificate
- key
- signature
- transaction
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 28
- 238000013475 authorization Methods 0.000 claims description 25
- 238000003860 storage Methods 0.000 claims description 14
- 238000004364 calculation method Methods 0.000 claims description 12
- 238000012795 verification Methods 0.000 claims description 8
- 230000005540 biological transmission Effects 0.000 claims description 2
- 230000001681 protective effect Effects 0.000 abstract description 3
- VBMOHECZZWVLFJ-GXTUVTBFSA-N (2s)-2-[[(2s)-6-amino-2-[[(2s)-6-amino-2-[[(2s,3r)-2-[[(2s,3r)-2-[[(2s)-6-amino-2-[[(2s)-2-[[(2s)-6-amino-2-[[(2s)-2-[[(2s)-2-[[(2s)-2,6-diaminohexanoyl]amino]-5-(diaminomethylideneamino)pentanoyl]amino]propanoyl]amino]hexanoyl]amino]propanoyl]amino]hexan Chemical compound NC(N)=NCCC[C@@H](C(O)=O)NC(=O)[C@H](CCCCN)NC(=O)[C@H](CCCCN)NC(=O)[C@H]([C@@H](C)O)NC(=O)[C@H]([C@H](O)C)NC(=O)[C@H](CCCCN)NC(=O)[C@H](C)NC(=O)[C@H](CCCCN)NC(=O)[C@H](C)NC(=O)[C@H](CCCN=C(N)N)NC(=O)[C@@H](N)CCCCN VBMOHECZZWVLFJ-GXTUVTBFSA-N 0.000 description 9
- 108010068904 lysyl-arginyl-alanyl-lysyl-alanyl-lysyl-threonyl-threonyl-lysyl-lysyl-arginine Proteins 0.000 description 9
- 238000012545 processing Methods 0.000 description 8
- 230000008569 process Effects 0.000 description 4
- 230000006870 function Effects 0.000 description 2
- 230000014759 maintenance of location Effects 0.000 description 2
- 101100217298 Mus musculus Aspm gene Proteins 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 239000012467 final product Substances 0.000 description 1
- 230000002452 interceptive effect Effects 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012856 packing Methods 0.000 description 1
- 230000002787 reinforcement Effects 0.000 description 1
- 230000004044 response Effects 0.000 description 1
- 238000012360 testing method Methods 0.000 description 1
- XLYOFNOQVPJJNP-UHFFFAOYSA-N water Substances O XLYOFNOQVPJJNP-UHFFFAOYSA-N 0.000 description 1
Images
Abstract
The invention discloses a method and a system for safely downloading a certificate, belonging to the field of information safety. The method for safely downloading a certificate comprises the following steps of: establishing a connection between intelligent key equipment and a client side; after the client side receives a request for downloading a certificate, issuing a command for generating a trading key pair; generating a trading public key and a trading private key by the intelligent key equipment with a generation algorithm, and signing the trading public key according to a locally stored protective private key; generating a certificate request data packet by the client side; acquiring a birth certificate and a trading public key signature, locally stored in the intelligent key equipment, by the client side and sending the birth certificate, the trading public key signature and the certificate request data packet to a service side; judging whether the received birth certificate is legal or not, if not, returning an error to the client side, if so, judging whether the trading public key signature is legal or not, if not, returning an error to the client side, and if so, signing and issuing the certificate and sending the certificate to the client side; and writing the certificate into the intelligent key equipment by the client side.
Description
Technical field
The invention belongs to information security field, relate in particular to a kind of method and system of secure download certificate.
Background technology
In prior art, the user binds intelligent cipher key equipment and server at sales counter, it is the numbering that stores legal intelligent cipher key equipment in server, when certificate was downloaded, whether the numbering of server contrast intelligent cipher key equipment was consistent with the numbering of preserving, consistent, allow certificate to download, inconsistent, refuse the download of certificate, although can prevent effectively that to a certain extent the intelligent cipher key equipment of forgery that the user uses from carrying out the download of certificate.But authentication mode is single after all, in theory or existentially forgeable intelligent cipher key equipment possible, so, need reinforcement the fail safe of guaranteeing that certificate is downloaded.
Summary of the invention
The invention provides a kind of method and system of secure download certificate, concrete technical scheme is as follows:
A kind of method of secure download certificate, described method comprises:
Intelligent cipher key equipment and client connect;
Described client after the request of the downloadable authentication of user's submission, issues and generates the right instruction of transaction key to described intelligent cipher key equipment;
Described intelligent cipher key equipment generates transaction PKI and transaction private key according to built-in key schedule, and according to the protection private key of self storing, described transaction PKI is signed, and obtains the public key signature of concluding the business;
The described client request data package that Generates Certificate;
Described client is obtained birth certificate and the described transaction public key signature of described intelligent cipher key equipment self storage, and with described birth certificate, described transaction public key signature and described certificate request Packet Generation to service end;
Whether the described birth certificate that described service end judgement receives is legal, if illegal, to the error message of described client return authentication,, if legal, judge whether described transaction public key signature is legal, if illegal, to the error message of described client return authentication, if legal, grant a certificate, and described certificate is sent to described client;
Described client is written to described certificate in described intelligent cipher key equipment.
The Generate Certificate step of request data package of described client is specially:
Read the transaction public key information in described intelligent cipher key equipment;
Generating one includes the packet of conclude the business public key information, user profile and certificate purposes information and sends it to described intelligent cipher key equipment;
The signature value of reception after the transaction private key in described intelligent cipher key equipment is signed to described packet;
With described packet and digital certificate request packet of described signature value combination producing.
Described method also comprises: described service end after receiving described certificate request packet, is verified described signature value with the transaction PKI that carries in described certificate request packet.
Described intelligent cipher key equipment after the key schedule according to built-in generates the transaction PKI, is namely signed to described transaction PKI according to the protection private key of self storing;
Or
Described intelligent cipher key equipment after receiving the instruction that described transaction PKI is signed that described client issues, is signed to described transaction PKI according to the protection private key of self storage.
Described intelligent cipher key equipment is signed and is comprised described transaction PKI according to the protection private key of self storage:
Described intelligent cipher key equipment uses the protection private key of self storing to sign to the first data, obtain the first data signature value, described the first data comprise: additional data, transaction PKI the first preset length part, the second data cryptographic Hash, and described the second data comprise: described additional data and transaction PKI;
To protect PKI length, described the first data signature value and transaction PKI residue length partly to splice, obtain the public key signature of concluding the business.
Described additional data comprises described protection PKI length, birth certificate version, intelligent cipher key equipment shell number, key attribute.
Described birth certificate comprises: intelligent cipher key equipment type number, birth certificate version information, birth certificate timestamp, intelligent cipher key equipment shell number, protection PKI, one-level authorization key information, class origin signed certificate are sent out key information and birth certificate signature.
Trust starting point when described one-level authorization key is the described intelligent cipher key equipment of authentication;
Described birth certificate is signed and issued key and is signed and issued by described one-level authorization key, is used for described birth certificate is signed.
Described one-level authorization key information comprises: authorization key version, mandate PKI;
Described birth certificate is signed and issued key information and comprised: birth certificate signs and issues the key version, sign and issue PKI and described birth certificate signs and issues the signature of key information;
Wherein, the described birth certificate signature of signing and issuing key information is signed and is obtained by authorizing private key to sign and issue key information to described birth certificate.
Whether the birth certificate that the judgement of described service end receives legal comprising:
In the described birth certificate that the judgement of described service end receives, whether birth certificate to sign and issue key information legal, if illegal, judge that described birth certificate is illegal, if legal, judge in described birth certificate, whether the birth certificate signature is legal,, if legal, judges that described birth certificate is legal,, if illegal, judge that described birth certificate is illegal.
In the described birth certificate that the judgement of described service end receives, birth certificate is signed and issued key information legal comprising whether:
Described client is calculated according to the signature of authorizing PKI to sign and issue key information to described birth certificate in one-level authorization key information in described birth certificate, contrast described result of calculation whether with described birth certificate in birth certificate to sign and issue key information consistent, if consistent, to sign and issue key information legal for described birth certificate, otherwise it is illegal that described birth certificate is signed and issued key information.
Describedly judge in described birth certificate birth certificate signature legal comprising whether:
The PKI of signing and issuing that described service end is signed and issued in key information according to birth certificate in the described birth certificate that receives calculates described birth certificate signature, whether unanimously with described birth certificate information contrast described result of calculation, if consistent, described birth certificate signature is legal, otherwise described birth certificate signature is illegal.
Describedly judge described transaction public key signature legal comprising whether:
The part of expression protection PKI length in described transaction public key signature is removed;
According to the protection PKI in the described birth certificate that receives, the first data signature value part described in described transaction public key signature is calculated, obtained described the first data;
Remove the additional data in described the first data, PKI the first preset length part obtains concluding the business;
Transaction PKI residue length in described transaction PKI the first preset length part and described transaction public key signature is partly spliced and obtained described transaction PKI;
Splice the second data according to described the first data, described the second data are carried out Hash operation, the second data cryptographic Hash in operation result and described the first data is compared, unanimously, described transaction public key signature is legal, inconsistent, and described transaction public key signature is illegal.
A kind of system of secure download certificate, described system comprises: intelligent cipher key equipment, client and service end;
Intelligent cipher key equipment comprises:
Memory cell, be used for storage birth certificate, protection private key and certificate;
The key generation unit, be used for generating transaction PKI and transaction private key according to built-in key schedule;
Signature unit, be used for according to the protection private key of cell stores, the transaction PKI that the key generation unit generates being signed;
The certificate writing unit, be used for certificate is written to memory cell;
Transmitting element, be used for returning to certificate and transaction public key signature to client.
Client comprises:
Receiving element, be used for the request of the downloadable authentication of reception user input, and the certificate of described service end transmitting element transmission;
The certificate request generation unit, be used for when described receiving element receives the request of downloadable authentication, and request data package Generates Certificate;
The first interface unit, for the birth certificate that obtains intelligent cipher key equipment;
The second interface unit, for the transaction public key signature that obtains intelligent cipher key equipment;
Transmitting element, be used for sending to service end the transaction public key signature that certificate request packet that the certificate request generation unit generates, birth certificate that the first interface unit obtains and the second interface unit obtain;
Service end comprises:
Receiving element, be used for receiving birth certificate and the transaction public key signature that the client transmitting element sends;
The birth certificate authentication unit, whether legal for the birth certificate that the checking receiving element receives;
Transaction public key verifications unit, be used for after birth certificate authentication unit checking birth certificate is legal, and whether the transaction public key signature that the checking receiving element receives is legal;
The certificate issuance unit, be used for after transaction public key verifications unit checking transaction public key signature is legal grant a certificate;
Transmitting element, the certificate that is used for the certificate issuance unit is signed and issued sends to client.
Described signature unit comprises:
Signature blocks, be used for according to the protection private key of cell stores, the first data being signed, obtain the first data signature value, described the first data comprise: additional data, transaction PKI the first preset length part, the second data cryptographic Hash, and described the second data comprise: described additional data and transaction PKI;
Concatenation module, be used for protecting PKI length, described signature value and transaction PKI residue length partly to splice, and obtains the public key signature of concluding the business.
Described birth certificate authentication unit comprises:
The first judge module, be used for judging whether described birth certificate birth certificate is signed and issued key information legal;
The second judge module, be used for judging whether described birth certificate birth certificate signature is legal.
Describedly judge in described birth certificate that birth certificate signs and issues key information legal comprising whether:
The signature that described service end is signed and issued key information according to the mandate PKI in the one-level authorization key information in described birth certificate to described birth certificate calculates, contrast described result of calculation whether with described birth certificate in described birth certificate to sign and issue key information consistent, if consistent, to sign and issue key information legal for described birth certificate, otherwise it is illegal that described birth certificate is signed and issued key information.
Describedly judge in described birth certificate birth certificate signature legal comprising whether:
The PKI of signing and issuing that described service end is signed and issued in key information according to birth certificate described in the described birth certificate that receives calculates described birth certificate signature, whether unanimously with the described birth certificate information that receives contrast described result of calculation, if consistent, described birth certificate signature is legal, otherwise described birth certificate signature is illegal.
Described transaction public key verifications unit comprises:
The first processing module, be used for the part of described transaction public key signature expression protection PKI length is removed;
The first computing module, be used for according to the protection PKI of the described birth certificate that receives, the first data signature value part described in described transaction public key signature being calculated, and obtains described the first data;
The second processing module, for the additional data of removing described the first data, PKI the first preset length part obtains concluding the business;
The first concatenation module, be used for the transaction PKI that described the second processing module is obtained the first preset length part and partly splice with described transaction public key signature transaction PKI residue length, obtains described transaction PKI;
The second concatenation module, be used for splicing the second data according to described the first data;
The second computing module, be used for described the second data are carried out Hash operation;
The contrast module, the cryptographic Hash and described first data the second data cryptographic Hash that are used for described the second computing module is obtained compare, and consistent, described transaction public key signature is legal, inconsistent, and described transaction public key signature is illegal.
Beneficial effect: server is by the checking of the validity of the legitimacy to birth certificate, transaction public key signature, and the request that has guaranteed downloadable authentication is to be sent by legal intelligent cipher key equipment, thereby has guaranteed the fail safe that certificate is downloaded.
Description of drawings
The method flow diagram of a kind of secure download certificate that Fig. 1 provides for embodiment 1;
The system construction drawing of a kind of secure download certificate that Fig. 2 provides for embodiment 2.
Embodiment
For making the purpose, technical solutions and advantages of the present invention clearer, embodiment of the present invention is described further in detail below in conjunction with accompanying drawing.
Added the concept of intelligent cipher key equipment birth certificate in the method for the secure download certificate that the embodiment of the present invention provides; birth certificate is kept at intelligent cipher key equipment inside; be a string data of proof intelligent cipher key equipment legitimacy, comprise: the type number of intelligent cipher key equipment, birth certificate version information, birth certificate timestamp, shell number, protection PKI, one-level authorization key, birth certificate are signed and issued key information and birth certificate signature.Birth certificate shows as the form of TLV, (length represents not necessarily accurate, understands and gets final product according to the numerical value of reality in application) as shown in table 1:
Table 1
Particularly, the type number of intelligent cipher key equipment: formed by two ACSII codes, identify different intelligent cipher key equipments, simultaneously, also for the PKI of the corresponding manufacturer of easy-to-look-up birth certificate, for example: numbering 11, identifying this intelligent cipher key equipment by vendor A production, is without driving soft type;
The birth certificate version information: extended field, need to the TLV structure of birth certificate be adjusted as the later stage, can increase accordingly its version number, so that different processing modes is taked according to version number in backstage;
The birth certificate timestamp: refer to sign and issue the time of this birth certificate, for example " 20100618150100 ", represent 2010 06 month 15: 01: 00 on the 18th;
Shell number: being comprised of three parts, is respectively device code, hardware sequence number and check digit, and the coding rule of shell number can be self-defining; For example:
1, the reading format of shell number is: digital hardware sequence number (oneself provides manufacturer)+1 a bit check position, 2 device code+9, and totally 12, wherein, device code is specified by certificate supplier (as bank) is unified;
2, only deposit the hardware sequence number of 9 in intelligent cipher key equipment, device code and check bit can not leave in intelligent cipher key equipment;
3, the hardware sequence number of 9 that provides of manufacturer can be extra-large by flowing water, and number software modification function must not be provided;
4, check algorithm, for example use 2121 checking algorithms.
Wherein, 2121 checking algorithms are as follows:
Shell number: 4580658811003057
x?x?x?x?x?x?x?x?x?x?x?x?x?x?x
2?1?2?1?2?1?2?1?2?1?2?1?2?1?2
8?5?16?0?12?5?16?8?2?1?0?0?6?0?10
8+5+1+6+0+1+2+5+1+6+8+2+1+0+0+6+0+1+0=53
Check digit 10-(53mod10)=7
The protection PKI: generated by intelligent cipher key equipment, can not destroy, the corresponding relation of the shell of protection PKI and intelligent cipher key equipment number is kept in server;
In addition, need to prove, intelligent cipher key equipment has also generated the protection private key when generating the protection PKI, and this protection private key is kept at the inside of intelligent cipher key equipment.
The one-level authorization key: independently generated by each manufacturer, in the present invention, this one-level authorization key, as the trust starting point of authentication, is that safety is legal;
Birth certificate is signed and issued key: be used for birth certificate is signed, use the one-level authorization key to sign to guarantee its validity to its public key information;
Birth certificate signature: use birth certificate to sign and issue key (private key) to label 0001,0002,0003,0004,0005 and the signature of data, the birth certificate signature formula is as follows:
Particularly, birth certificate signature=RSASign birth certificate sign and issue private key (SHA (and the birth certificate supplier number || the birth certificate version information || the birth certificate timestamp || shell number || protection PKI N|| protection PKI E|| one-level authorization key (PKI) information || birth certificate is signed and issued key (PKI) information)).
Be exemplified below:
RSASign(SHA(000100023532||000200023031||0003000e20100618150100||0004000c52XXXXXXXXXX||00050080...||00070003...||8008...||8009...))。
From the above, PKI (protection PKI, one-level authorization key (PKI), birth certificate are signed and issued key (PKI)) and the shell number of intelligent cipher key equipment have just formed the main body of birth certificate, and use higher level's key trusty to sign to birth certificate; In the certificate downloading process, intelligent cipher key equipment also can produce the transaction PKI, and uses the protection private key to sign to the transaction PKI.Server is after the request that receives downloadable authentication, will verify the legitimacy of birth certificate and the validity of transaction public key signature, and when both being verified, be that intelligent cipher key equipment is not forged, and the request of downloadable authentication is to be sent by legal intelligent cipher key equipment, thereby has guaranteed the fail safe that certificate is downloaded.Below will describe this process in detail.
Embodiment 1
Referring to Fig. 1, the present embodiment provides a kind of method of secure download certificate, and detailed process is as follows:
101, intelligent cipher key equipment and client connect;
Preferably, client connects by CryptAcquireContext and the intelligent cipher key equipment that calls CSP (Cryptographic Service Provider, CSP) interface.
102, client, to the request of the downloadable authentication of user's submission, issues and generates the right instruction of transaction key to intelligent cipher key equipment;
103, intelligent cipher key equipment generates transaction PKI and transaction private key after receiving instruction;
Need to prove, this transaction private key when concluding the business, is used for Transaction Information is signed.
104, intelligent cipher key equipment is signed to the transaction PKI according to the protection private key of self storing, and obtains the public key signature of concluding the business;
Particularly, intelligent cipher key equipment is when dispatching from the factory, and inside just generates and preserve Protective Key pair, namely protects PKI and protection private key.
Preferably, intelligent cipher key equipment generate transaction key to the time, namely according to the protection private key of self storage, the transaction PKI that generates is signed;
Correspondingly, intelligent cipher key equipment after receiving the signature command that main frame issues, when specifying wait the transaction PKI of signing in this signature command, is signed to the signature transaction PKI for the treatment of of appointment according to the protection private key of self storage; If, do not specify transaction PKI to be signed in the signature command that receives, according to the protection private key of self storing, the transaction PKI of acquiescence to be signed, this acquiescence transaction PKI refers to, repeatedly produces the transaction PKI of the rear up-to-date generation of PKCS#10 request.
Particularly, according to the protection private key of self storage, the transaction PKI is signed and is:
Intelligent cipher key equipment uses the protection private key of self storing to sign to the first data, obtain the first data signature value, wherein, the first data comprise: additional data, transaction PKI the first preset length part, the second data cryptographic Hash, and the second data comprise: additional data and transaction PKI;
Protection PKI length, the first data signature value that calculates and transaction PKI residue length are partly spliced, obtain the public key signature of concluding the business.
Particularly, the transaction PKI is signed and adopted the mode of PKCS#1, the equation expression of above-mentioned compute signature is as follows:
Transaction public key signature=HEADER||PrivateKeyCalculate (Data0) || the N remainder of transaction PKI || transaction PKI E;
PrivateKeyCalculate: expression uses Protective Key (private key) to calculate;
HEADER:0080 represents that protecting the length of PKI is 1024Bit, and the length of 0100 expression protection PKI is 2048Bit;
Preferably, the protection PKI adopts 1024Bit.
The first data Data0 content is specifically as shown in table 2:
Table 2
As shown in Table 2, additional data comprises: protection PKI length, birth certificate version, intelligent cipher key equipment shell number, key property set server random number;
Wherein, the HASH value is the cryptographic Hash of the second data DATA1, is specially: HASH=SHA (DATA1), preferably, the HASH algorithm adopts the SHA1 algorithm.
The content of the second data DATA1 is as shown in table 3:
Table 3
As shown in Table 3, the second data comprise additional data and transaction PKI.
105, client Generate Certificate request data package;
Particularly, produce PKCS#10 (Public-Key Cryptography Standards) certificate request packet, comprising: public key information, user profile and some optional attribute information (as information such as certificate purposes);
Particularly, the step of Generate Certificate request data package is:
Read the transaction public key information in intelligent cipher key equipment;
Generating one includes the packet of conclude the business public key information, user profile and certificate purposes information and sends it to intelligent cipher key equipment;
The signature value of reception after the transaction private key in intelligent cipher key equipment is signed to described packet;
With described packet and digital certificate request packet of described signature value combination producing.
Particularly, Web bank's certificate downloading page of showing by client of user is submitted the request of downloadable authentication to.
Preferably, client generates the PKCS#10 request by calling the rep order;
Particularly, the rep command context is as follows:
openssl?req[-inform?PEM|DER][-outform?PEM|DER][-in?filename][-passin?arg][-out?filename][-passout?arg][-text][-pubkey][-noout][-verify][-modulus][-new][-rand?file(s)][-newkey?rsa:bits][-newkey?dsa:file][-nodes][-key?filename][-keyform?PEM|DER][-keyout?filename][-[md5|sha1|md2|mdc2]][-config?filename][-subj?arg][-x509][-days?n][-set_serial?n][-asn1-kludge][-newhdr][-extensions?section][-reqexts?section][-utf8][-nameopt][-batch][-verbose][-engine?id]
Content to the rep order describes, and is as follows:
-inform PEM|DER: the form that is used to specify input is DER or PEM;
-outform PEM|DER: be used to specify output form be DER or PEM;
-in filename: the filename that is used to specify input;
-text: with text formatting, print certificate request or carry out self-signed certificate information;
-new: be used for to generate a certificate request, the prompting user is about the value of some fields, can check the field that acquiescence is inquired, maximum/little length restriction etc. by/usr/share/ssl/openssl.cnf; If it is designated that-key option does not have, can automatically generate a new private key, be defaulted as 1024 bits;
-newkey: set up a new certificate request and a new private key, form is rsa:bits or dsa:filename; If the user does not know the private key file that generates title, acquiescence adopts privkey.pem, the request of Generating Certificate; If the user not the designated document output parameter format (out), with certificate request file printout on screen, the file of the private key of generation can be specified with-Keyout;
-key: the private key of specifying input;
-keyform: specifying the form of key is PEM or DER, and acquiescence is PEM;
-keyout: be used for newly-established private key is outputed to specified file;
-nodes: represent that newly-established private key do not encrypt;
-md5|sha1: the digital digest algorithm that is used to specify use is md5 or sha1;
-config: specified configuration file, acquiescence are/usr/share/ssl/openssl.cnf;
-subj arg: be used to specify the user profile of the certificate request of generation, replace with designated parameter while perhaps processing certificate request; While Generating Certificate request,, if do not specify this option, will point out the user to input each user profile, comprising: the information such as name of the country, tissue, if adopt this selection, do not need the user to input user profile; For example :-subj/CN=chian/OU=test/O=abc/CN=forxy, attribute must be capitalized;
-x509: expression generates a certificate from signature, rather than a certificate request, unless use-set_serial option, sequence number is 0;
-days and-x509 option one reinstates, the term of validity of expression certificate, acquiescence is 30 days;
-set_serial and-x509 uses together, and the numbering of this certificate is set, and can be that 10 systems can be also the values (0x beginning) of 16 systems, can use the value of negative, but not advise using negative;
-utf8: the value of expression field is understood as the UTF8 coding, and acquiescence is the ASCII coding;
-batch: be non-interactive mode;
-verbose: be redundant mode.
For example: call the req order and set up a private key and generate a certificate request, the rep order is as follows:
openssl?genrsa-out?key.pem1024
openssl?req-new-key?key.pem-out?req.pem
The?same?but?just?us?ing?req:
For example: call the req order and generate CSR (certificate request) file of a PEM form, newly set up a private key, RSA Algorithm, 1024bit, and newly-generated private key is saved as file key.pem, the rep order is as follows:
openssl?req-newkey?rsa:1024-keyout?key.pem-out?req.pem
Generate?a?self?s?igned?root?certificate:
106, client is obtained the birth certificate of intelligent cipher key equipment;
Particularly, client is obtained the birth certificate interface and is obtained the birth certificate of intelligent cipher key equipment by calling;
Particularly, obtaining the birth certificate interface comprises: management DLL interface cdecl Get IDValue and control calling interface HRESULT GetIDValue;
Wherein, interface cdecl GetIDValue is defined as follows:
int__cdecl?GetIDValue(char*strMediaID,char*strBirthID,int*nStrBirthID);
Parameter declaration is as follows:
StrMediaID: input parameter is the shell number of intelligent cipher key equipment.
StrBirthID: output parameter is used for exporting shell number and is the corresponding birth certificate information of strMediaID.
NStrBirthID: output parameter.When strBirthID is NULL, the space that the strBirthID that nStrBirthID returns should open up; When strBirthID had value, what return was the physical length of strBirthID.
Like this, client just can obtain specifying the birth certificate of the intelligent cipher key equipment of shell number by calling interface cdecl GetIDValue.
Wherein, interface HRESULT GetIDValue is defined as follows:
HRESULT?GetIDValue([IN]BSTR?bstrType,[IN]BSTR?bstrShellNum,[OUT,retval]BSTR*bstrID);
Parameter declaration:
BstrType: input parameter, intelligent cipher key equipment type number.
BstrShellNum: input parameter, expression intelligent cipher key equipment shell number.With similar " 52xxxxxxxxxx " form input.
BstrID: output parameter, be used for exporting shell number and be birth certificate information corresponding to bstrShellNum, be the Base64 form of birth certificate.
Like this, client just can have been obtained the birth certificate of the intelligent cipher key equipment of specifying shell number by calling the control calling interface.
107, after the birth certificate information that client returns to intelligent cipher key equipment, obtain the transaction public key signature;
Particularly, client is obtained transaction public key signature interface and is obtained the transaction public key signature by calling;
Particularly, transaction public key signature interface comprises: management DLL interface cdecl GetPubKeySignValue and control calling interface HRESULT GetPubKeySignValue;
Wherein, interface cdecl GetPubKeySignValue is defined as follows:
int__cdecl?GetPubKeySignValue(char*strMediaID,char*strSign,int*nStrSign);
Parameter declaration:
StrMedia ID: input parameter, expression intelligent cipher key equipment shell number.With similar " 52xxxxxxxxxx " form input.
StrSign: output parameter, the protection private key of expression birth certificate is to transaction public key signature value.
NStrSign: output parameter.When strSign is NULL, this value representation should be the space size that strSign opens up; When strSign has value, the size of this value representation strSign reality.
Like this, client just can obtain in intelligent cipher key equipment protecting private key to having concluded the business public key signature by calling interface cdecl GetPubKeySignValue.
Interface HRESULT GetPubKeySignValue is defined as follows:
HRESULT?GetPubKeySignValue([IN]BSTR?bstrType;[IN]BSTR?bstrShellNum,[OUT,retval]BSTR*bstrSign)
Parameter declaration:
BstrType: input parameter, expression intelligent cipher key equipment type.
BstrShellNum: input parameter, expression intelligent cipher key equipment shell number.With similar " 52xxxxxxxxxx " form input.
BstrSign: output parameter, the signature value of the private key of expression birth certificate to bPubKey.
Like this, client just can obtain in intelligent cipher key equipment protecting private key to having concluded the business public key signature by calling interface HRESULT GetPubKeySignValue.
108, the client birth certificate that will obtain, transaction public key signature and PKCS#10 certificate request Packet Generation are to server;
Further, client can be packed transaction public key signature, birth certificate and the PKCS#10 request data package obtained, and the result of packing sends to server.
Need to prove, service end after receiving PKCS#10 certificate request packet, also can be verified described signature value with the PKI that carries in described certificate request packet, be verified, continue to carry out following operation, otherwise, to the information of client return authentication mistake.
109, server judges whether the birth certificate that receives is legal,, if legal, carries out 110, otherwise, carry out 113;
When birth certificate is described, mention: in the intelligent cipher key equipment birth certificate, the one-level authorization key is as the starting point of trusting, and sign and issue generation birth signed certificate and send out key information, this birth certificate is signed and issued key and is used for birth certificate is signed, wherein, birth certificate is signed and issued key information and is comprised the key version, signs and issues PKI and birth certificate and sign and issue the signature of key, and the signature that this birth certificate is signed and issued key is to use one-level authorization key (private key) birth certificate to be signed and issued the signature (as described in Table 1) of key information; Hence one can see that, when whether the checking birth certificate is legal, needs checking birth signed certificate send out the legitimacy of signature and the birth certificate signature of key; Specific as follows:
Particularly, whether the server authentication birth certificate is signed and issued the signature of key legal, comprise: with the signature that the one-level authorization key (PKI) in birth certificate is signed and issued key to birth certificate, calculate, and with signing and issuing key information in result of calculation and birth certificate, compare, unanimously, think that it is legal that birth certificate is signed and issued key, namely birth certificate is legal, otherwise birth certificate is illegal.
Particularly, whether server authentication birth certificate signature is legal, comprising: with the PKI of signing and issuing in birth certificate, the birth certificate signature is calculated, and result of calculation and birth certificate information are compared, and consistent, legal, otherwise, illegal.
Coded representation is as follows:
int?VerifyBirthCert(string?birthCert)
Parameter declaration:
BirthCert: birth certificate
110, the transaction public key signature that receives of server authentication, if the verification passes, carry out 111, if authentication failed carries out 113;
Particularly, the part of expression protection PKI length in described transaction public key signature is removed;
According to the protection PKI in the described birth certificate that receives, the value part (PrivateKeyCalculate (Data0)) of signing described in described transaction public key signature is calculated, obtained described the first data;
Remove the additional data in described the first data, PKI the first preset length part obtains concluding the business;
Transaction PKI residue length in the described transaction PKI that obtains the first preset length part and described transaction public key signature is partly spliced and obtained described transaction PKI;
Splice the second data according to described the first data, described the second data are carried out Hash operation, the second data cryptographic Hash in operation result and described the first data is compared, unanimously, described transaction public key signature is legal, inconsistent, and described transaction public key signature is illegal.
Coded representation is as follows:
Parameter declaration:
ProtectKey: protection PKI;
TradeKey: transaction public key information;
SignedText: the signature that uses the protection private key to carry out the transaction PKI.
111, the request of server response certificate download, grant a certificate, and certificate is sent to client;
112, client is written to certificate in intelligent cipher key equipment;
113, the server refusal is carried out the request that certificate is downloaded, and returns to the information of transaction public key signature authentication failed to client.
In the invention process, server is by the checking of the validity of the legitimacy to birth certificate, transaction public key signature, and the request that has guaranteed downloadable authentication is to be sent by legal intelligent cipher key equipment, thereby has guaranteed the fail safe that certificate is downloaded.
Embodiment 2
The present embodiment provides a kind of system of secure download certificate,, referring to Fig. 2, comprising: intelligent cipher key equipment 20, client 21 and service end 22; Wherein, each functions of the equipments are as follows:
Intelligent cipher key equipment 20 comprises:
Memory cell 200, be used for storage birth certificate, protection private key and certificate, and wherein, birth certificate and protection private key all generate and preserve when intelligent cipher key equipment dispatches from the factory;
Particularly, birth certificate comprises: type number, birth certificate version information, birth certificate timestamp, shell number, protection PKI, one-level authorization key, birth certificate are signed and issued key information and birth certificate signature, wherein, the every explanation of relevant birth certificate, referring to the related description in embodiment 1, just repeats no more herein;
Need to prove, when intelligent cipher key equipment generates the protection private key before dispatching from the factory, also generate the protection PKI is arranged simultaneously;
Key generation unit 201, be used for generating transaction PKI and transaction private key;
Need to prove, key generation unit 201 generates when generating the transaction PKI the private key of concluding the business in addition, this transaction private key when concluding the business, are used for Transaction Information is signed.
Signature unit 202, be used for according to the protection private key of memory cell 200 storages, the transaction PKI that key generation unit 201 generates being signed, and obtains the public key signature of concluding the business;
Particularly, signature unit 202 comprises:
Signature blocks 2020; be used for according to the protection private key of memory cell 200 storages, the first data being signed; obtain the signature value; the first data comprise: additional data, transaction PKI the first preset length part, the second data cryptographic Hash; described the second data comprise: additional data and transaction PKI; the related description in embodiment 1 is participated in the detailed description of relevant the first data and the second data, just repeats no more herein.
Concatenation module 2021, be used for protecting signature value and the transaction PKI residue length that PKI length, signature blocks 2020 calculate partly to splice, and obtains the public key signature of concluding the business.
Certificate writing unit 203, the certificate that is used for downloading is written to memory cell;
Transmitting element 204, be used for returning to certificate and transaction public key signature to client 21.
Client 21 comprises:
Receiving element 210, be used for the request of the downloadable authentication of reception user input, reaches the certificate that service end 22 is signed and issued;
Certificate request generation unit 211, be used for when receiving element 210 receives the request of downloadable authentication, and the request of Generating Certificate particularly, is used for generating the PKCS#10 certificate request;
Particularly, the PKCS#10 certificate request comprises: transaction PKI, user profile and some optional attribute information;
First interface unit 212, for the birth certificate that obtains intelligent cipher key equipment;
Particularly, first interface unit 212 is management DLL interface cdecl GetIDValue or control calling interface HRESULT GetIDValue;
Wherein, the explanation of relevant management DLL interface cdecl GetIDValue or control calling interface HRESULT GetIDValue, referring to the associated description in embodiment 1, just repeats no more herein;
The second interface unit 213, for the transaction public key signature that obtains intelligent key;
Particularly, the second interface unit 213 is management DLL interface cdecl GetPubKeySignValue or control calling interface HRESULT GetPubKeySignValue;
Wherein, the explanation of relevant management DLL interface cdecl GetPubKeySignValue or control calling interface HRESULT GetPubKeySignValue, referring to the related description in embodiment 1, just repeats no more herein;
Transmitting element 214, be used for sending to service end 22 the transaction public key signature that certificate request packet that certificate request generation units 211 generate, birth certificate that first interface unit 212 obtains and the second interface unit 213 obtain;
Service end 22 comprises:
Receiving element 220, be used for receiving certificate request packet, birth certificate and the transaction public key signature that client transmitting element 214 sends;
Birth certificate authentication unit 221, whether legal for the birth certificate that checking receiving element 220 receives;
Specifically comprise:
The first judge module 2210, be used for judging whether birth certificate is signed and issued key information legal;
Particularly, whether the server authentication birth certificate is signed and issued key information legal, comprise: the signature of birth certificate being signed and issued key information according to the mandate PKI in the one-level authorization key information in described birth certificate calculates, comparison between calculation results whether with birth certificate in birth certificate to sign and issue key information consistent, if consistent, to sign and issue key information legal for birth certificate, otherwise it is illegal that birth certificate is signed and issued key information.
The second judge module 2211, be used for judging whether birth certificate birth certificate signature is legal;
Particularly, whether service end checking birth signed certificate name is legal, comprise: the PKI of signing and issuing of signing and issuing in key information according to birth certificate in the birth certificate that receives calculates the birth certificate signature, whether comparison between calculation results is consistent with the birth certificate information that receives, if consistent, the birth certificate signature is legal, otherwise the birth certificate signature is illegal.
Transaction public key verifications unit 222, be used for after birth certificate authentication unit 211 checking birth certificate information are legal, and whether the transaction public key signature that checking receiving element 220 receives is legal;
Specifically comprise:
The first processing module 2220, the public key signature expression that is used for concluding the business protects the part of PKI length to remove;
The first computing module 2221, be used for according to the protection PKI of the birth certificate that receives, signature value part in the transaction public key signature being calculated, and obtains the first data;
The second processing module 2222, for the additional data of removing the first data, PKI the first preset length part obtains concluding the business;
The first concatenation module 2223, being used for the transaction PKI that the second processing module is obtained the first preset length part partly splices with transaction public key signature transaction PKI residue length, obtain the PKI of concluding the business, this transaction PKI is the real transaction PKI that generates in intelligent cipher key equipment;
The second concatenation module 2224, be used for splicing the second data according to the first data;
The second computing module 2225, adopt the hash algorithm identical with the second data cryptographic Hash algorithm in the first data to carry out Hash operation to the second data;
Contrast module 2226, the cryptographic Hash and first data the second data cryptographic Hash that are used for the second computing module is obtained compare, and consistent, the public key signature of concluding the business is legal, inconsistent, and the public key signature of concluding the business is illegal.
Certificate issuance unit 223, be used for after transaction public key verifications unit 222 checking transaction public key signature information are legal grant a certificate;
Transmitting element 224, the certificate that is used for certificate issuance unit 223 is signed and issued sends to client;
Server is by the checking of the validity of the legitimacy to birth certificate, transaction public key signature, and the request that has guaranteed downloadable authentication is to be sent by legal intelligent cipher key equipment, thereby has guaranteed the fail safe that certificate is downloaded.
The above; be only the specific embodiment of the present invention, but protection scope of the present invention is not limited to this, anyly is familiar with those skilled in the art in the technical scope that the present invention discloses; the variation that can expect easily or replacement, within all should being encompassed in protection scope of the present invention.Therefore, protection scope of the present invention should be as the criterion by described protection range with claim.
Claims (14)
1. the method for a secure download certificate, is characterized in that, described method comprises:
Intelligent cipher key equipment and client connect;
Described client after the request of the downloadable authentication of user's submission, issues and generates the right instruction of transaction key to described intelligent cipher key equipment;
Described intelligent cipher key equipment generates transaction PKI and transaction private key according to built-in key schedule, and according to the protection private key of self storing, described transaction PKI is signed, and obtains the public key signature of concluding the business;
The described client request data package that Generates Certificate;
Described client is obtained birth certificate and the described transaction public key signature of described intelligent cipher key equipment self storage, and with described birth certificate, described transaction public key signature and described certificate request Packet Generation to service end, wherein, described birth certificate comprises that intelligent cipher key equipment type number, birth certificate version information, birth certificate timestamp, intelligent cipher key equipment shell number, protection PKI, one-level authorization key information, birth certificate sign and issue key information and birth certificate signature;
whether the described birth certificate that described service end judgement receives is legal, if illegal, to the error message of described client return authentication, if legal, judge whether described transaction public key signature is legal, if illegal, to the error message of described client return authentication, if legal, grant a certificate, and described certificate is sent to described client, wherein, whether the birth certificate that the judgement of described service end receives legal comprising: in the described birth certificate that described service end judgement receives, whether birth certificate to sign and issue key information legal, if illegal, judge that described birth certificate is illegal, if legal, judge in described birth certificate, whether the birth certificate signature is legal, if legal, judge that described birth certificate is legal, if illegal, judge that described birth certificate is illegal,
Described client is written to described certificate in described intelligent cipher key equipment.
2. method according to claim 1, is characterized in that, the Generate Certificate step of request data package of described client is specially:
Read the transaction public key information in described intelligent cipher key equipment;
Generating one includes the packet of conclude the business public key information, user profile and certificate purposes information and sends it to described intelligent cipher key equipment;
The signature value of reception after the transaction private key in described intelligent cipher key equipment is signed to described packet;
With described packet and digital certificate request packet of described signature value combination producing.
3. method according to claim 2, is characterized in that, described method also comprises: described service end after receiving described certificate request packet, is verified described signature value with the transaction PKI that carries in described certificate request packet.
4. method according to claim 1, is characterized in that, described intelligent cipher key equipment after the key schedule according to built-in generates the transaction PKI, is namely signed to described transaction PKI according to the protection private key of self storing;
Or
Described intelligent cipher key equipment after receiving the instruction that described transaction PKI is signed that described client issues, is signed to described transaction PKI according to the protection private key of self storage.
5. method according to claim 1, is characterized in that, described intelligent cipher key equipment is signed and comprised described transaction PKI according to the protection private key of self storage:
Described intelligent cipher key equipment uses the protection private key of self storing to sign to the first data, obtain the first data signature value, described the first data comprise: additional data, transaction PKI the first preset length part, the second data cryptographic Hash, and described the second data comprise: described additional data and transaction PKI;
To protect PKI length, described the first data signature value and transaction PKI residue length partly to splice, obtain the public key signature of concluding the business.
6. method according to claim 5, is characterized in that, described additional data comprises described protection PKI length, birth certificate version, intelligent cipher key equipment shell number, key attribute.
7. method according to claim 1, is characterized in that, the trust starting point when described one-level authorization key is the described intelligent cipher key equipment of authentication;
Described birth certificate is signed and issued key and is signed and issued by described one-level authorization key, is used for described birth certificate is signed.
8. method according to claim 7, is characterized in that, described one-level authorization key information comprises: authorization key version, mandate PKI;
Described birth certificate is signed and issued key information and comprised: birth certificate signs and issues the key version, sign and issue PKI and described birth certificate signs and issues the signature of key information;
Wherein, the described birth certificate signature of signing and issuing key information is signed and is obtained by authorizing private key to sign and issue key information to described birth certificate.
9. method according to claim 1, is characterized in that, in the described birth certificate that the judgement of described service end receives, birth certificate is signed and issued key information legal comprising whether:
Described service end is calculated according to the signature of authorizing PKI to sign and issue key information to described birth certificate in one-level authorization key information in described birth certificate, contrast described result of calculation whether with described birth certificate in birth certificate to sign and issue key information consistent, if consistent, to sign and issue key information legal for described birth certificate, otherwise it is illegal that described birth certificate is signed and issued key information.
10. method according to claim 1, is characterized in that, describedly judges in described birth certificate birth certificate signature legal comprising whether:
The PKI of signing and issuing that described service end is signed and issued in key information according to birth certificate in the described birth certificate that receives calculates described birth certificate signature, whether unanimously with described birth certificate information contrast described result of calculation, if consistent, described birth certificate signature is legal, otherwise described birth certificate signature is illegal.
11. the system of a secure download certificate, is characterized in that, described system comprises: intelligent cipher key equipment, client and service end;
Intelligent cipher key equipment comprises:
Memory cell, be used for storage birth certificate, protection private key and certificate;
The key generation unit, be used for generating transaction PKI and transaction private key according to built-in key schedule;
Signature unit, be used for according to the protection private key of cell stores, the transaction PKI that the key generation unit generates being signed;
The certificate writing unit, be used for certificate is written to memory cell;
Transmitting element, be used for returning to certificate and transaction public key signature to client;
Client comprises:
Receiving element, be used for the request of the downloadable authentication of reception user input, and the certificate of described service end transmitting element transmission;
The certificate request generation unit, be used for when described receiving element receives the request of downloadable authentication, and request data package Generates Certificate;
The first interface unit, for the birth certificate that obtains intelligent cipher key equipment;
The second interface unit, for the transaction public key signature that obtains intelligent cipher key equipment;
Transmitting element, be used for sending to service end the transaction public key signature that certificate request packet that the certificate request generation unit generates, birth certificate that the first interface unit obtains and the second interface unit obtain;
Service end comprises:
Receiving element, be used for receiving birth certificate and the transaction public key signature that the client transmitting element sends;
The birth certificate authentication unit, whether legal for the birth certificate that the checking receiving element receives;
Wherein, described birth certificate authentication unit comprises:
The first judge module, be used for judging whether described birth certificate birth certificate is signed and issued key information legal;
The second judge module, be used for judging whether described birth certificate birth certificate signature is legal;
Transaction public key verifications unit, be used for after birth certificate authentication unit checking birth certificate is legal, and whether the transaction public key signature that the checking receiving element receives is legal;
The certificate issuance unit, be used for after transaction public key verifications unit checking transaction public key signature is legal grant a certificate;
Transmitting element, the certificate that is used for the certificate issuance unit is signed and issued sends to client.
12. system according to claim 11, is characterized in that, described signature unit comprises:
Signature blocks, be used for according to the protection private key of cell stores, the first data being signed, obtain the first data signature value, described the first data comprise: additional data, transaction PKI the first preset length part, the second data cryptographic Hash, and described the second data comprise: described additional data and transaction PKI;
Concatenation module, be used for protecting PKI length, described signature value and transaction PKI residue length partly to splice, and obtains the public key signature of concluding the business.
13. system according to claim 11, is characterized in that, describedly judges in described birth certificate that birth certificate signs and issues key information legal comprising whether:
The signature that described service end is signed and issued key information according to the mandate PKI in the one-level authorization key information in described birth certificate to described birth certificate calculates, contrast described result of calculation whether with described birth certificate in described birth certificate to sign and issue key information consistent, if consistent, to sign and issue key information legal for described birth certificate, otherwise it is illegal that described birth certificate is signed and issued key information.
14. system according to claim 11, is characterized in that, describedly judges in described birth certificate birth certificate signature legal comprising whether:
The PKI of signing and issuing that described service end is signed and issued in key information according to birth certificate described in the described birth certificate that receives calculates described birth certificate signature, whether unanimously with the described birth certificate information that receives contrast described result of calculation, if consistent, described birth certificate signature is legal, otherwise described birth certificate signature is illegal.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2010105232613A CN101977193B (en) | 2010-10-28 | 2010-10-28 | Method and system for safely downloading certificate |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2010105232613A CN101977193B (en) | 2010-10-28 | 2010-10-28 | Method and system for safely downloading certificate |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101977193A CN101977193A (en) | 2011-02-16 |
| CN101977193B true CN101977193B (en) | 2013-11-13 |
Family
ID=43577038
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2010105232613A Active CN101977193B (en) | 2010-10-28 | 2010-10-28 | Method and system for safely downloading certificate |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101977193B (en) |
Families Citing this family (25)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102761420B (en) * | 2012-08-08 | 2014-10-29 | 飞天诚信科技股份有限公司 | Security certification method |
| CN102932343B (en) * | 2012-10-26 | 2015-01-14 | 飞天诚信科技股份有限公司 | Method and device for downloading digital certificate |
| CN103078746B (en) * | 2013-02-07 | 2015-06-17 | 飞天诚信科技股份有限公司 | Generation method for data packet |
| CN104348792B (en) * | 2013-07-30 | 2018-06-19 | 阿里巴巴集团控股有限公司 | Data processing method, device and system |
| CN103516524A (en) * | 2013-10-21 | 2014-01-15 | 北京旋极信息技术股份有限公司 | Security authentication method and system |
| CN104836671B (en) * | 2015-05-15 | 2018-05-22 | 安一恒通(北京)科技有限公司 | The inspection method and check device of the addition of digital certificate |
| CN105141420B (en) * | 2015-07-29 | 2018-09-25 | 飞天诚信科技股份有限公司 | A kind of importing, the method for grant a certificate, equipment and server safely |
| CN106411504B (en) * | 2015-07-31 | 2020-10-09 | 腾讯科技(深圳)有限公司 | Data encryption system, method and device |
| CN106603238B (en) * | 2015-10-20 | 2019-06-18 | 飞天诚信科技股份有限公司 | A kind of multi-digital certificate signs and issues system, certificate management end, issue apparatus and its working method |
| CN105429760B (en) * | 2015-12-01 | 2018-12-14 | 神州融安科技(北京)有限公司 | A kind of auth method and system of the digital certificate based on TEE |
| US9948467B2 (en) * | 2015-12-21 | 2018-04-17 | Mastercard International Incorporated | Method and system for blockchain variant using digital signatures |
| JP7158830B2 (en) * | 2017-06-08 | 2022-10-24 | キヤノン株式会社 | Information processing device, control method for information processing device, and program |
| CN107612697B (en) | 2017-10-20 | 2020-04-14 | 阿里巴巴集团控股有限公司 | Digital certificate application method and device |
| CN107864038B (en) * | 2017-10-25 | 2020-08-04 | 中国平安人寿保险股份有限公司 | Certificate management method, device, equipment and computer readable storage medium |
| CN107948182B (en) * | 2017-12-06 | 2021-03-19 | 上海格尔安全科技有限公司 | WEB application configuration file tamper-proof method based on PKI |
| CN109981278B (en) * | 2017-12-28 | 2022-09-13 | 中国移动通信集团辽宁有限公司 | Digital certificate application method, system, user identification card, device and medium |
| CN110138562B (en) * | 2018-02-09 | 2023-05-26 | 腾讯科技(北京)有限公司 | Certificate issuing method, device and system of intelligent equipment |
| CN108900305B (en) * | 2018-06-28 | 2021-06-04 | 公安部第三研究所 | Multi-certificate issuing and verifying method based on intelligent security chip |
| CN108989325A (en) * | 2018-08-03 | 2018-12-11 | 华数传媒网络有限公司 | Encryption communication method, apparatus and system |
| CN109886011B (en) * | 2018-12-28 | 2021-02-12 | 北京思源理想控股集团有限公司 | Safety protection method and device |
| CN111414638B (en) * | 2020-04-23 | 2023-03-24 | 飞天诚信科技股份有限公司 | Method and device for realizing distinguishing key generation mode |
| CN111641502B (en) * | 2020-06-01 | 2023-08-04 | 中国农业银行股份有限公司 | Electronic certificate downloading method and device based on super counter |
| CN112529574A (en) * | 2020-11-19 | 2021-03-19 | 北京握奇智能科技有限公司 | Protection method for certificate of intelligent password equipment and intelligent password equipment |
| CN112487391A (en) * | 2020-11-27 | 2021-03-12 | 交通银行股份有限公司 | Certificate pre-planting system and method thereof |
| CN113676330B (en) * | 2021-08-10 | 2023-08-01 | 上海瓶钵信息科技有限公司 | Digital certificate application system and method based on secondary secret key |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| AU2002330834A1 (en) * | 2002-08-30 | 2004-04-23 | Agency For Science, Technology And Research | Public key cryptography and a framework therefor |
| CN101340285A (en) * | 2007-07-05 | 2009-01-07 | 杭州中正生物认证技术有限公司 | Method and system for identity authentication by finger print USBkey |
| CN101527633A (en) * | 2008-12-31 | 2009-09-09 | 北京飞天诚信科技有限公司 | System and method for intelligent key devices to obtain digital certificates |
| CN101527714A (en) * | 2008-12-31 | 2009-09-09 | 北京飞天诚信科技有限公司 | Method, device and system for accreditation |
| CN101527630A (en) * | 2008-12-31 | 2009-09-09 | 北京飞天诚信科技有限公司 | Method, server and system for manufacturing certificate remotely |
-
2010
- 2010-10-28 CN CN2010105232613A patent/CN101977193B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| AU2002330834A1 (en) * | 2002-08-30 | 2004-04-23 | Agency For Science, Technology And Research | Public key cryptography and a framework therefor |
| CN101340285A (en) * | 2007-07-05 | 2009-01-07 | 杭州中正生物认证技术有限公司 | Method and system for identity authentication by finger print USBkey |
| CN101527633A (en) * | 2008-12-31 | 2009-09-09 | 北京飞天诚信科技有限公司 | System and method for intelligent key devices to obtain digital certificates |
| CN101527714A (en) * | 2008-12-31 | 2009-09-09 | 北京飞天诚信科技有限公司 | Method, device and system for accreditation |
| CN101527630A (en) * | 2008-12-31 | 2009-09-09 | 北京飞天诚信科技有限公司 | Method, server and system for manufacturing certificate remotely |
Non-Patent Citations (2)
| Title |
|---|
| 《电子商务中证书认证系统的设计与实现》;张燕燕;《中国优秀硕士学位论文全文数据库》;20070915(第3期);全文 * |
| 张燕燕.《电子商务中证书认证系统的设计与实现》.《中国优秀硕士学位论文全文数据库》.2007,(第3期),全文. |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101977193A (en) | 2011-02-16 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101977193B (en) | Method and system for safely downloading certificate | |
| JP3858527B2 (en) | Data generation apparatus, data verification apparatus and method | |
| CN102594558B (en) | Anonymous digital certificate system and verification method of trustable computing environment | |
| CN104537293B (en) | Authenticating device and system | |
| JP3674869B2 (en) | Recovery when the root key is in danger | |
| CN111131278B (en) | Data processing method and device, computer storage medium and electronic equipment | |
| CN109743176B (en) | POS terminal certificate updating method, server and POS terminal | |
| EP2302834B1 (en) | System and method for providing credentials | |
| CN107786550B (en) | A kind of safety communicating method of self-service device, safe communication system and self-service device | |
| US8522014B2 (en) | Method and system for storing a key in a remote security module | |
| JP5136012B2 (en) | Data sending method | |
| CN103269266B (en) | The safety certifying method of dynamic password and system | |
| US20160080153A1 (en) | Device authenticity determination system and device authenticity determination method | |
| CN101409619A (en) | Flash memory card and method for implementing virtual special network key exchange | |
| CN109560931A (en) | A kind of equipment remote upgrade method based on no Certification system | |
| CN106790045A (en) | One kind is based on cloud environment distributed virtual machine broker architecture and data integrity support method | |
| CN104735064A (en) | Safety revocation and updating method for identification in identification password system | |
| KR20140071775A (en) | Cryptography key management system and method thereof | |
| JP2008506293A (en) | How to provide digital authentication functionality | |
| Moriarty et al. | Pkcs# 12: Personal information exchange syntax v1. 1 | |
| US7437559B2 (en) | Electronic message authentication | |
| CN113221074A (en) | Offline authorization method | |
| CN111369332A (en) | Data processing method and device based on block chain | |
| Schmidt et al. | How Little is Enough? Implementation and Evaluation of a Lightweight Secure Firmware Update Process for the Internet of Things. | |
| CN110704852B (en) | Encryption system for RTOS system program image file |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CP03 | Change of name, title or address |
Address after: 17th floor, building B, Huizhi building, No.9, Xueqing Road, Haidian District, Beijing 100085 Patentee after: Feitian Technologies Co.,Ltd. Country or region after: China Address before: 100085 17th floor, block B, Huizhi building, No.9 Xueqing Road, Haidian District, Beijing Patentee before: Feitian Technologies Co.,Ltd. Country or region before: China |
|
| CP03 | Change of name, title or address |