CN102420829A - Service data signature method, device, system and digital certification terminal - Google Patents

Publication number
CN102420829A
Authority
CN
China
Prior art keywords
digest algorithm
non-transaction
service data
signature
service
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2011104216618A
Other languages
Chinese (zh)
Other versions
CN102420829B (en)
Inventor
孟翔
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Watchdata Co ltd
Original Assignee
Beijing WatchData System Co Ltd
Application filed by Beijing WatchData System Co Ltd
Priority to CN201110421661.8A (CN102420829B)
Publication of CN102420829A
Priority to BR102012032257A (BR102012032257A2)
Application granted
Publication of CN102420829B
Expired - Fee Related

Abstract

The invention relates to the technical field of information security, in particular to a service data signature method, a service data signature device, a service data signature system and a digital certification terminal. The method comprises the following steps of: receiving service data which is transmitted through a non-trading service signature channel from a client; judging whether a digest algorithm format adopted by the service data belongs to a non-trading service digest algorithm format or not; and if the digest algorithm format adopted by the service data does not belong to the non-trading service digest algorithm format, denying signature, wherein the non-trading service digest algorithm format and a trading service digest algorithm format are different. By the service data signature method, the service data signature device, the service data signature system and the digital certification terminal in the embodiment of the invention, potential safety hazards can be relatively better eliminated, and the legality and security of signature data can be ensured.

Description

Service data signature method, device, system and digital certification terminal
Technical field
The present invention relates to the field of information security technology, and in particular to a service data signature method, device and system and a digital certification terminal.
Background technology
The USB_Key, a terminal for personal identification and digital signature, is widely used in fields such as online banking and e-government.
In recent years, as the online banking market has flourished, the industry has introduced USB_Key products tailored to secure online banking transactions, offering greater security and featuring buttons and a display, or buttons and voice output, and most banks have promoted their use. The second-generation online banking USB_Key now on the market builds on the first-generation USB_Key by having the user check the displayed information and press a button during the transaction, which increases transaction security.
The detailed process for a transaction service is as follows. The client initiates a transaction service and sends the original transaction data to both the bank server and the USB_Key. After receiving the original transaction data, the USB_Key shows the sensitive information on its display and waits for the user to confirm. After the user confirms, the USB_Key computes a digest of the original transaction data, signs the result with the private key, and returns the signature result to the client. Meanwhile, the bank server computes a digest of the original transaction data using the digest algorithm used in the USB_Key. The client receives the signature result returned by the USB_Key and sends it to the server together with the public key information read from the USB_Key. The server uses the USB_Key's public key to verify the signature data sent by the client: during verification it compares the result decrypted with the public key against the digest it computed earlier. If they are consistent, the transaction succeeds; if not, the transaction fails and the service is refused.
However, for the signatures of some non-transaction services, such as certificate download and system login, the user is not forced to press a button, for the convenience of the client. The detailed process for a non-transaction service is as follows. The client initiates a non-transaction service and sends the original non-transaction data to the server. At the same time, the client computes a digest of the original non-transaction data, pads the result according to the digest-specific format, and sends it to the USB_Key. The USB_Key signs this non-transaction data directly with the private key and returns the signature result to the client. The server then performs the same signature verification as in the transaction case.
In the prior art, an attacker can easily use the signature flow of the non-transaction service to mount a transaction attack. For example, the attacker acts as the client and forges original transaction data, sends the forged data to the bank server, and at the same time computes its digest with the digest algorithm adopted in the USB_Key and sends the digest result to the non-transaction signature channel of the USB_Key. The USB_Key signs the data according to the non-transaction flow and returns the signature result to the attacker. The attacker then sends the signature result and the public key returned by the USB_Key to the server in the transaction service format; the server's signature verification succeeds, and the attack succeeds.
Therefore, in the prior art the process of using a USB_Key for online transactions has a security risk: it is likely to be attacked, and the legality and security of the signature data cannot be guaranteed.
Summary of the invention
The embodiments of the invention provide a service data signature method, device and system and a digital certification terminal, which can better eliminate the security risk and ensure the legality and security of signature data.
An embodiment of the invention provides a service data signature method, comprising:
a digital certification terminal receiving service data sent by a client through a non-transaction service signature channel;
judging whether the digest algorithm format adopted by the service data belongs to the non-transaction service digest algorithm format;
refusing to sign when the digest algorithm format adopted by the service data does not belong to the non-transaction service digest algorithm format;
wherein the non-transaction service digest algorithm format and the transaction service digest algorithm format are different.
Correspondingly, an embodiment of the invention provides a service data signature device, comprising:
a receiving module, configured to receive service data sent by a client through a non-transaction service signature channel;
a judging module, configured to judge whether the digest algorithm format adopted by the service data belongs to the non-transaction service digest algorithm format;
a signature module, configured to refuse to sign when the digest algorithm format adopted by the service data does not belong to the non-transaction service digest algorithm format; wherein the non-transaction service digest algorithm format and the transaction service digest algorithm format are different.
Correspondingly, an embodiment of the invention provides a digital certification terminal, comprising the service data signature device described above.
Correspondingly, an embodiment of the invention provides a service data signature system, comprising a client and a digital certification terminal USB_Key;
the client is configured to send service data to the USB_Key through a non-transaction service signature channel;
the USB_Key is configured to receive the service data sent by the client through the non-transaction service signature channel; judge whether the digest algorithm format adopted by the service data belongs to the non-transaction service digest algorithm format; and refuse to sign when the digest algorithm format adopted by the service data does not belong to the non-transaction service digest algorithm format; wherein the non-transaction service digest algorithm format and the transaction service digest algorithm format are different.
The embodiments of the invention provide a service data signature method, device and system and a digital certification terminal, in which the digital certification terminal receives service data sent by a client through a non-transaction service signature channel; judges whether the digest algorithm format adopted by the service data belongs to the non-transaction service digest algorithm format; and refuses to sign when the digest algorithm format adopted by the service data does not belong to the non-transaction service digest algorithm format; wherein the non-transaction service digest algorithm format and the transaction service digest algorithm format are different. With the method, device, system and digital certification terminal provided by the embodiments, different digest algorithms are configured in advance for transaction data and non-transaction data, so that the USB_Key can judge from the digest algorithm format adopted by the service data whether the current service data is non-transaction data and, if it is, sign it and return the result to the client. The server is likewise configured with different digest algorithms for transaction data and non-transaction data, identical to the configuration in the USB_Key. When an attacker computes a digest with the transaction service digest algorithm and sends it to the USB_Key through the non-transaction service signature channel, the attacker cannot obtain the USB_Key's signature; this prevents the attacker from obtaining a signature and then having a transaction service confirmed by the server, and improves the security and reliability of the data. When the attacker computes the digest with the non-transaction service digest algorithm, the attacker can obtain the USB_Key's signature, but because the digest algorithms configured in the server are identical to those in the USB_Key, the attacker cannot pass the server's verification using the transaction service format. In summary, when the USB_Key provided by the embodiments is used for online transactions, there is no security risk, and the legality and security of signature data can be better ensured.
Description of drawings
Fig. 1 is a schematic diagram of the structure of the service data signature system in an embodiment of the invention;
Fig. 2 is a schematic flow diagram of the service data signature method in an embodiment of the invention;
Fig. 3 is a schematic flow diagram of the service data signature method in another embodiment of the invention;
Fig. 4 is a schematic diagram of the service data signature device in an embodiment of the invention.
Embodiment
The main implementation principle of the technical solution of the embodiments, its specific implementations, and the beneficial effects it can achieve are set out in detail below with reference to the drawings.
To solve the problems of the prior art, an embodiment of the invention provides a service data signature system which, as shown in Fig. 1, comprises a client 101 and a digital certification terminal USB_Key 102;
The client 101 is configured to send service data to the USB_Key 102 through the non-transaction service signature channel;
The USB_Key 102 is configured to receive the service data sent by the client 101 through the non-transaction service signature channel; judge whether the digest algorithm format adopted by the service data belongs to the non-transaction service digest algorithm format; and refuse to sign when the digest algorithm format adopted by the service data does not belong to the non-transaction service digest algorithm format; wherein the non-transaction service digest algorithm format and the transaction service digest algorithm format are different.
Preferably, the system also comprises a server 103;
The client 101 is further configured to send the original service data to the server 103 when sending the service data to the USB_Key 102 through the non-transaction service signature channel; receive the signature result returned by the USB_Key 102; and send the signature result and the public key read from the USB_Key 102 to the server 103;
The USB_Key 102 is further configured to receive the service data sent by the client 101 through the non-transaction service signature channel and, when the digest algorithm format adopted by the service data belongs to the preset non-transaction service digest algorithm format, sign the service data and return the signature result to the client 101;
The server 103 is configured to, when it judges that the original service data is the original service data of a non-transaction service, compute a digest of the received original service data using the non-transaction service digest algorithm, obtaining reference service data whose format belongs to the non-transaction service digest algorithm format; receive the signature result and the public key sent by the client; decrypt the signature result; and compare the current service data obtained by decryption with the reference service data, confirming processing if they are consistent and refusing processing if they are not;
The server 103 and the USB_Key 102 are preconfigured with the same transaction service digest algorithm format and non-transaction service digest algorithm format; the transaction service digest algorithm format and the non-transaction service digest algorithm format are different.
Preferably, the client 101 is further configured to compute a digest of the original service data using a digest algorithm belonging to the non-transaction service, and send the resulting service data to the USB_Key 102.
Preferably, the server 103 comprises a transaction server 1031 and a non-transaction server 1032;
The transaction server 1031 is configured to receive the original service data of a transaction service sent by the client 101 and compute a digest of the received original service data, obtaining reference service data whose format belongs to the transaction service digest algorithm format; receive the signature result and the public key sent by the client 101; decrypt the signature result; and compare the current service data obtained by decryption with the reference service data, confirming processing if they are consistent and refusing processing if they are not;
The non-transaction server 1032 is configured to receive the original service data of a non-transaction service sent by the client 101 and compute a digest of the received original service data, obtaining reference service data whose format belongs to the non-transaction service digest algorithm format; receive the signature result and the public key sent by the client 101; decrypt the signature result; and compare the current service data obtained by decryption with the reference service data, confirming processing if they are consistent and refusing processing if they are not.
The transaction server 1031 and the non-transaction server 1032 may be located at different sites, each performing only its own function. For example, for transaction services the client communicates with the transaction server 1031; for non-transaction services the client communicates with the non-transaction server 1032.
Specifically, after the digital certification terminal USB_Key 102 receives the service data sent by the client, it determines from the channel over which the service data was transmitted whether the service data belongs to a transaction service or a non-transaction service. For example, when the USB_Key 102 receives the service data through the transaction signature channel, it determines that the data belongs to a transaction service; when the USB_Key 102 receives the service data through the non-transaction signature channel, it determines that the data belongs to a non-transaction service.
For non-transaction services, the client 101 first computes a digest of the original service data, then pads the resulting service data according to the specific format of the digest algorithm it used, and then sends the service data to the USB_Key 102. Commonly used digest algorithms at present include the SHA1, SHA256 and MD5 digest algorithms. Different digest algorithms produce different results for the same data: the result of the MD5 digest algorithm is 16 bytes, the result of the SHA1 digest algorithm is 20 bytes, and the result of the SHA256 digest algorithm is 32 bytes. Before a digest result is digitally signed, the result of each digest algorithm must be padded to a length of 128 or 256 using a different padding scheme; the exact amount of padding depends on the type and length of the digest computation. Because the results are padded into different formats according to the digest algorithm, service data of different formats is obtained, so the digest algorithm that was used can be determined by examining the format of the service data. The digest algorithms referred to in this patent include but are not limited to the SHA1, SHA256 and MD5 digest algorithms mentioned above.
The USB_Key 102 and the server 103 are preconfigured with the same transaction service digest algorithm format and non-transaction service digest algorithm format, and the two formats are different. For example, the formats of service data obtained with the SHA1 and SHA256 digest algorithms belong to the transaction service digest algorithm format, and the format of service data obtained with the MD5 digest algorithm and the like is the non-transaction service digest algorithm format. Thus, after the USB_Key 102 receives service data sent by the client 101 through the non-transaction service signature channel, it judges whether the digest algorithm format adopted by the service data belongs to the non-transaction service digest algorithm format. If it does not, the USB_Key 102 refuses to sign. If it belongs to the preset non-transaction service digest algorithm format, the USB_Key 102 signs the service data and returns the signature result to the client 101. At the same time, the client 101 sends the original service data to the server 103. When the server 103 judges that the original service data is that of a non-transaction service, it computes a digest of the received original service data with a digest algorithm belonging to the non-transaction service, obtaining reference service data in the non-transaction service digest algorithm format. When it judges that the original service data is that of a transaction service, it computes a digest of the received original service data with a digest algorithm belonging to the transaction service, obtaining reference service data in the transaction service digest algorithm format. The server 103 may of course comprise a transaction server and a non-transaction server, which handle transaction services and non-transaction services respectively.
After the client 101 receives the signature result returned by the USB_Key 102, it sends the signature result together with the public key read from the USB_Key 102 to the server 103 (which may be the non-transaction server). The server 103 receives the signature result and the public key sent by the client 101, decrypts the signature result with the public key, and compares the current service data obtained by decryption with the reference service data. If they are consistent, it confirms processing; if not, it refuses processing.
For transaction services, after the USB_Key 102 receives the original service data sent by the client 101, it shows the sensitive information on the display and waits for the user to confirm. After the user confirms, it uses the transaction service digest algorithm to compute a digest of the original service data and signs it. At the same time, the client 101 sends the original service data to the server 103 (which may be the transaction server); the server 103 computes a digest of the received original service data with a digest algorithm belonging to the transaction service, obtaining reference service data belonging to the non-transaction service digest algorithm format. The USB_Key 102 and the server 103 are preconfigured with the same transaction service digest algorithm format and non-transaction service digest algorithm format, and the two formats do not overlap. After the client 101 receives the signature result returned by the USB_Key 102, it sends the signature result together with the public key read from the USB_Key 102 to the server 103. The server 103 receives the signature result and the public key sent by the client 101, decrypts the signature result with the public key, and compares the current service data obtained by decryption with the reference service data. If they are consistent, it confirms processing; if not, it refuses processing.
From the above description it can be seen that, in the service data signature system provided by the embodiments, different digest algorithms are configured in advance for transaction data and non-transaction data, so that the USB_Key can judge from the digest algorithm format adopted by the service data whether the current service data is non-transaction data and, if it is, sign it and return the result to the client. The server is likewise configured with different digest algorithms for transaction data and non-transaction data, identical to the configuration in the USB_Key. When an attacker computes a digest with the transaction service digest algorithm and sends it to the USB_Key through the non-transaction service signature channel, the attacker cannot obtain the USB_Key's signature; this prevents the attacker from obtaining a signature and then having a transaction service confirmed by the server, and improves the security and reliability of the data. When the attacker computes the digest with the non-transaction service digest algorithm, the attacker can obtain the USB_Key's signature, but because the digest algorithms configured in the server are identical to those in the USB_Key, the attacker cannot pass the server's verification. In summary, when the system provided by the embodiments is used for online transactions, there is no security risk, and the legality and security of signature data can be better ensured.
Based on the same inventive concept, an embodiment of the invention also provides a service data signature method which, as shown in Fig. 2, comprises:
Step 201: the digital certification terminal receives service data sent by the client through the non-transaction service signature channel;
Step 202: judge whether the digest algorithm format adopted by the service data belongs to the non-transaction service digest algorithm format;
Step 203: when the digest algorithm format adopted by the service data does not belong to the non-transaction service digest algorithm format, refuse to sign; wherein the non-transaction service digest algorithm format and the transaction service digest algorithm format are different.
Specifically, the formats of the results of the various digest algorithms used for digest computation are divided in advance into a preset transaction service digest algorithm format and a preset non-transaction service digest algorithm format, and the two do not overlap. The client uses the non-transaction service digest algorithm to compute a digest of the original service data, obtaining service data that belongs to the non-transaction service digest algorithm format, and then sends this service data to the personal digital certification terminal USB_Key.
At the digital certification terminal USB_Key: after the USB_Key receives service data sent by the client through the non-transaction service signature channel, it judges whether the digest algorithm format adopted by the service data belongs to the non-transaction service digest algorithm format. If it does not, the USB_Key refuses to sign; if it does, the USB_Key signs the service data and returns the signature result to the client.
At the client: the client sends the original service data to the server; after receiving the signature result returned by the USB_Key, it sends the signature result and the public key read from the USB_Key to the server;
At the server: when the server judges that the original service data is that of a non-transaction service, it computes a digest of the received original service data with a digest algorithm belonging to the non-transaction service, obtaining reference service data in the non-transaction service digest algorithm format. It receives the signature result and the public key sent by the client, decrypts the signature result, and compares the current service data obtained by decryption with the reference service data. If they are consistent, it confirms processing; if not, it refuses processing. The server may determine the type of the original service data from the call instruction that carries it, or may determine the type in other ways.
When the server comprises a transaction server and a non-transaction server, the transaction server handles only transaction services and the non-transaction server handles only non-transaction services.
When an attacker forges transaction data, the attacker sends the forged transaction data to the transaction server and, in addition, computes a digest of the forged transaction data to form service data, which is sent to the USB_Key through the non-transaction signature channel for signing. After the USB_Key receives the service data, it judges whether the format of the service data belongs to the non-transaction service digest algorithm format. If it does, the USB_Key signs it and returns the result to the client; if not, the USB_Key refuses to sign. The transaction server and the USB_Key are both configured with the same transaction service digest algorithm format and non-transaction service digest algorithm format, and these two formats do not overlap. After the transaction server receives the forged transaction data, it uses the transaction service digest algorithm to compute the digest, obtaining reference service data whose format belongs to the transaction service digest algorithm format. Thus, even if the forged transaction data has been signed by the USB_Key, it cannot pass the transaction server's verification.
Preferably, after the digital certification terminal refuses to sign, the digital certification terminal sends alarm information to the server, and/or the digital certification terminal starts a lock function. Specifically, the alarm information sent to the server carries the unique identification information of the device and/or the unique identification information of the device running the client; the server determines the attacker's location and/or identity from the alarm information, and may also send a lock command to the device. In addition, after the device refuses to sign, it determines that it is under attack and automatically starts the lock function, which disables the device.
The service data signature method provided by the embodiments is described in detail below through a specific embodiment. As shown in Fig. 3, the USB_Key processes service data in the following steps:
Step 301: the USB_Key receives service data sent by the client;
Step 302: judge whether the transmission channel of the service data is the transaction signature channel; if so, go to step 303; otherwise, go to step 305;
Step 303: parse the service data, display the sensitive information, and wait for the user to confirm;
Step 304: judge whether the user has confirmed; if so, go to step 306; otherwise, continue with step 303;
Step 305: judge whether the digest algorithm format adopted by the service data belongs to the non-transaction service digest algorithm format; if so, go to step 306; otherwise, refuse to sign;
Step 306: sign the service data and return the signature result to the client.
The client then sends the received signature result together with the public key read from the USB_Key to the server. The server parses the signature result and decides from the result whether to confirm processing; the detailed process is as described in the embodiments above and is not repeated here.
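The format check and the Fig. 3 dispatch described above, together with the server-side comparison, as a Python sketch added here (it is not code from the patent). It assumes the digest-specific padding is PKCS#1 v1.5 with DigestInfo prefixes and 128- or 256-byte blocks, which the patent does not name; the private-key operation is left out, so the functions return the block that would be signed, and all function names and sample inputs are hypothetical.

```python
import hashlib

# DigestInfo prefixes of PKCS#1 v1.5 (RFC 8017, section 9.2). Treating PKCS#1
# as the "digest-specific padding format" is an assumption of this example.
DIGEST_INFO = {
    "md5": bytes.fromhex("3020300c06082a864886f70d020505000410"),
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}
# The split used as an example in the description; the scheme only needs
# the two sets to be disjoint and identical on token and server.
TRANSACTION_FORMATS = {"sha1", "sha256"}
NON_TRANSACTION_FORMATS = {"md5"}
BLOCK_SIZES = (128, 256)  # assumed to be bytes (1024- or 2048-bit RSA)


def encode_block(alg, original, size=128):
    """Digest the original data and pad it into the format for `alg`."""
    t = DIGEST_INFO[alg] + hashlib.new(alg, original).digest()
    return b"\x00\x01" + b"\xff" * (size - len(t) - 3) + b"\x00" + t


def classify_block(block):
    """Return the digest algorithm whose format `block` follows, or None."""
    if len(block) not in BLOCK_SIZES or block[:2] != b"\x00\x01":
        return None
    sep = block.find(b"\x00", 2)  # end of the 0xFF padding string
    if sep < 10 or block[2:sep] != b"\xff" * (sep - 2):
        return None
    t = block[sep + 1:]
    for alg, prefix in DIGEST_INFO.items():
        if t.startswith(prefix) and len(t) == len(prefix) + hashlib.new(alg).digest_size:
            return alg
    return None


def token_handle(channel, payload, user_confirms=lambda text: False):
    """Steps 301-306. Returns ("SIGN", block_to_sign) or ("REFUSE", reason)."""
    if channel == "transaction":
        # Steps 303-304: payload is the original text; the wait loop for the
        # button press is modelled as a single callback.
        if not user_confirms(payload):
            return ("REFUSE", "user did not confirm")
        return ("SIGN", encode_block("sha256", payload))
    # Step 305: payload is an already padded digest chosen by the client.
    alg = classify_block(payload)
    if alg not in NON_TRANSACTION_FORMATS:
        return ("REFUSE", f"format {alg} not allowed on non-transaction channel")
    return ("SIGN", payload)


def server_accepts(service, original, recovered_block):
    """Compare the block recovered with the public key to the reference block."""
    alg = "sha256" if service == "transaction" else "md5"
    return recovered_block == encode_block(alg, original, len(recovered_block))


def demo():
    forged = b"pay 9999.00 to account 0000 (constructed sample)"
    login = b"login challenge 42 (constructed sample)"
    out = {}
    # Background-section attack: transaction-format digest on the wrong channel.
    out["forged_sha256_token"] = token_handle(
        "non-transaction", encode_block("sha256", forged))[0]
    # Attacker switches to the non-transaction format: signed, but useless.
    verdict, block = token_handle("non-transaction", encode_block("md5", forged))
    out["forged_md5_token"] = verdict
    out["forged_md5_server"] = server_accepts("transaction", forged, block)
    # Legitimate login request.
    verdict, block = token_handle("non-transaction", encode_block("md5", login))
    out["login_token"] = verdict
    out["login_server"] = server_accepts("non-transaction", login, block)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
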
From the above description it can be seen that, in the service data signature method provided by the embodiments, different digest algorithms are configured in advance for transaction data and non-transaction data, so that the USB_Key can judge from the digest algorithm format adopted by the service data whether the current service data is non-transaction data and, if it is, sign it and return the result to the client. The server is likewise configured with different digest algorithms for transaction data and non-transaction data, identical to the configuration in the USB_Key. When an attacker computes a digest with the transaction service digest algorithm and sends it to the USB_Key through the non-transaction service signature channel, the attacker cannot obtain the USB_Key's signature; this prevents the attacker from obtaining a signature and then having a transaction service confirmed by the server, and improves the security and reliability of the data. When the attacker computes the digest with the non-transaction service digest algorithm, the attacker can obtain the USB_Key's signature, but because the digest algorithms configured in the server are identical to those in the USB_Key, the attacker cannot pass the server's verification. In summary, when the method provided by the embodiments is used for online transactions, there is no security risk, and the legality and security of signature data can be better ensured.
Based on the same inventive concept, the embodiment of the invention also provides a service data signature device which, as shown in Figure 4, comprises:
a receiving module 401, used to receive the service data sent by the client through the non-transaction service signature channel;
a judging module 402, used to judge whether the digest algorithm format used by the service data belongs to the non-transaction service digest algorithm format;
a signature module 403, used to refuse to sign when the digest algorithm format used by the service data does not belong to the non-transaction service digest algorithm format; wherein the non-transaction service digest algorithm format and the transaction service digest algorithm format are different.
Preferably, when the judging module 402 judges that the digest algorithm format used by the service data belongs to the non-transaction service digest algorithm format, it notifies the signature module 403; the signature module 403 signs the service data and returns the signature result to the client.
Preferably, the device also comprises a processing module 404, used to send alarm information to the server and/or start a lock function after the signature module 403 refuses to sign.
Based on the same inventive concept, the embodiment of the invention also provides a digital authentication terminal, such as a USB_Key, comprising the above service data signature device.
As the foregoing description shows, the service data signature method, device, system and digital authentication terminal provided by the embodiment of the invention configure different data digest algorithms for transaction data and non-transaction data in advance, so that the USB_Key can judge, from the digest algorithm format used by the service data, whether the current service data is non-transaction data and, if it is, sign it and return the result to the client. The server is likewise configured with different data digest algorithms for transaction data and non-transaction data, identical to the configuration in the USB_Key. When an attacker computes the digest with the transaction service digest algorithm and sends it to the USB_Key through the non-transaction service signature channel, the attacker cannot obtain the USB_Key's signature; this prevents the attacker from obtaining a signature and then having a transaction service confirmed at the server, and improves the security and reliability of the data. When the attacker computes the digest with the non-transaction service digest algorithm, the USB_Key's signature can be obtained, but because the digest algorithms configured in the server are the same as those in the USB_Key, the result cannot pass the server's verification. In summary, when online transactions are carried out using the USB_Key provided by the embodiment of the invention, there is no potential safety hazard, and the legitimacy and security of the signed data are well ensured.
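The token-side format check, the refusal handling and the server-side comparison described above, as an added Python example that is not code from the patent. It assumes the two formats are told apart by digest length (SHA-256 for non-transaction, SHA-1 for transaction), that the server classifies an original text by a constructed `transfer:` prefix, and it signs with a constructed textbook-RSA demo key; all names are hypothetical.

```python
import hashlib

# Assumption: the two services use different digest algorithms, and the
# "digest algorithm format" is recognised by digest length.
DIGESTS = {"non_transaction": hashlib.sha256, "transaction": hashlib.sha1}
NON_TX_LEN = hashlib.sha256().digest_size  # 32 bytes

# Constructed demo key: textbook RSA over two public Mersenne primes.
# It only makes the flow runnable offline; it is not a secure key.
P, Q, E = 2**521 - 1, 2**127 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def digest(service, original):
    """Digest an original text with the algorithm configured for a service."""
    return DIGESTS[service](original).digest()


def service_of(original):
    """Hypothetical server-side classification of an original text."""
    return "transaction" if original.startswith(b"transfer:") else "non_transaction"


class UsbKey:
    """Token side of the non-transaction signature channel."""

    def __init__(self):
        self.locked = False
        self.alarms = []  # stands in for alarm messages sent to the server

    def public_key(self):
        return (E, N)

    def sign_non_transaction(self, service_data):
        if self.locked:
            raise PermissionError("token is locked")
        if len(service_data) != NON_TX_LEN:
            # Format does not belong to the non-transaction format:
            # refuse to sign, raise an alarm and start the lock function.
            self.alarms.append("non-transaction channel: digest format rejected")
            self.locked = True
            return None
        return pow(int.from_bytes(service_data, "big"), D, N)


def server_confirms(original, signature, public_key):
    """Recompute the reference digest for the judged service and compare."""
    e, n = public_key
    reference = digest(service_of(original), original)
    recovered = pow(signature, e, n)  # "decrypt" the signature result
    return recovered == int.from_bytes(reference, "big")


def run_cases():
    key = UsbKey()
    login = b"login:alice"                      # constructed sample inputs
    transfer = b"transfer:alice->mallory:1000"
    results = {}
    # Legitimate non-transaction request: signed and confirmed.
    sig = key.sign_non_transaction(digest("non_transaction", login))
    results["legit"] = server_confirms(login, sig, key.public_key())
    # Transfer hashed with the non-transaction algorithm: the token signs,
    # but the server's transaction-format reference digest does not match.
    sig = key.sign_non_transaction(digest("non_transaction", transfer))
    results["wrong_algorithm"] = server_confirms(transfer, sig, key.public_key())
    # Transaction-format digest on the non-transaction channel: refused.
    results["refused"] = key.sign_non_transaction(digest("transaction", transfer)) is None
    results["locked"] = key.locked
    return results


if __name__ == "__main__":
    print(run_cases())
```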
Those skilled in the art should understand that embodiments of the invention may be provided as a method, a system or a computer program product. The invention may therefore take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. The invention may also take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical storage and the like) that contain computer-usable program code.
The invention is described with reference to flow charts and/or block diagrams of the method, equipment (system) and computer program product according to the embodiment of the invention. It should be understood that each flow and/or block in the flow charts and/or block diagrams, and combinations of flows and/or blocks in the flow charts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing equipment to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing equipment produce a device for implementing the functions specified in one or more flows of the flow chart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing equipment to work in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture comprising an instruction device, which implements the functions specified in one or more flows of the flow chart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing equipment, so that a series of operation steps is performed on the computer or other programmable equipment to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable equipment provide steps for implementing the functions specified in one or more flows of the flow chart and/or one or more blocks of the block diagram.
Although preferred embodiments of the invention have been described, those skilled in the art can make other changes and modifications to these embodiments once they learn of the basic inventive concept. The appended claims are therefore intended to be interpreted as covering the preferred embodiments and all changes and modifications that fall within the scope of the invention.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. Thus, if these changes and modifications fall within the scope of the claims of the invention and their technical equivalents, the invention is also intended to include them.

Claims (11)

1. A service data signature method, characterized in that the method comprises:
a digital authentication terminal receiving service data sent by a client through a non-transaction service signature channel;
judging whether the digest algorithm format used by the service data belongs to a non-transaction service digest algorithm format;
refusing to sign when the digest algorithm format used by the service data does not belong to the non-transaction service digest algorithm format;
wherein the non-transaction service digest algorithm format and the transaction service digest algorithm format are different.
2. The method of claim 1, characterized in that, before the digital authentication terminal receives the service data sent by the client through the non-transaction service signature channel, the method also comprises:
the client performing a data digest operation on the original service data text using a digest algorithm belonging to the non-transaction service, obtaining service data in the non-transaction service digest algorithm format.
3. The method of claim 1, characterized in that it also comprises:
when the digest algorithm format used by the service data belongs to the non-transaction service digest algorithm format, the digital authentication terminal signing the service data and returning the signature result to the client.
4. The method of claim 3, characterized in that it also comprises:
the client sending the original service data text to a server, receiving the signature result returned by the digital authentication terminal USB Key, and sending the signature result and the public key to the server;
when the server judges that the original service data text is an original service data text of a non-transaction service, the server performing a data digest operation on the received original service data text using a digest algorithm belonging to the non-transaction service, obtaining reference service data in the non-transaction service digest algorithm format; receiving the signature result and public key sent by the client, decrypting the signature result, and comparing the current service data obtained by decryption with the reference service data; confirming processing if they are consistent, and refusing processing if they are inconsistent;
wherein the same transaction service digest algorithm format and non-transaction service digest algorithm format are set in advance in the server and in the USB Key.
5. The method of claim 1, characterized in that, after the refusal to sign, the method also comprises:
the digital authentication terminal sending alarm information to a server; and/or,
the digital authentication terminal starting a lock function.
6. A service data signature device, characterized in that it comprises:
a receiving module, used to receive service data sent by a client through a non-transaction service signature channel;
a judging module, used to judge whether the digest algorithm format used by the service data belongs to a non-transaction service digest algorithm format;
a signature module, used to refuse to sign when the digest algorithm format used by the service data does not belong to the non-transaction service digest algorithm format; wherein the non-transaction service digest algorithm format and the transaction service digest algorithm format are different.
7. The device of claim 6, characterized in that, when the judging module judges that the digest algorithm format used by the service data belongs to the non-transaction service digest algorithm format, it notifies the signature module; the signature module signs the service data and returns the signature result to the client.
8. The device of claim 6, characterized in that it also comprises:
a processing module, used to send alarm information to a server and/or start a lock function after the signature module refuses to sign.
9. A digital authentication terminal, characterized in that it comprises the service data signature device of any one of claims 6-8.
10. A service data signature system, characterized in that it comprises a client and a digital authentication terminal USB_Key;
the client is used to send service data to the USB_Key through a non-transaction service signature channel;
the USB_Key is used to receive the service data sent by the client through the non-transaction service signature channel; to judge whether the digest algorithm format used by the service data belongs to a non-transaction service digest algorithm format; and to refuse to sign when the digest algorithm format used by the service data does not belong to the non-transaction service digest algorithm format; wherein the non-transaction service digest algorithm format and the transaction service digest algorithm format are different.
11. The system of claim 10, characterized in that it also comprises a server;
the client is also used, when sending the service data to the USB_Key through the non-transaction service signature channel, to send the original service data text to the server; to receive the signature result returned by the USB_Key; and to send the signature result and the public key read from the USB_Key to the server;
the USB_Key is also used to receive the service data sent by the client through the non-transaction service signature channel and, when the digest algorithm format used by the service data belongs to the preset non-transaction service digest algorithm format, to sign the service data and return the signature result to the client;
the server is used, when it judges that the original service data text is an original service data text of a non-transaction service, to perform a data digest operation on the received original service data text using the digest algorithm of the non-transaction service, obtaining reference service data in the non-transaction service digest algorithm format; to receive the signature result and public key sent by the client, decrypt the signature result, and compare the current service data obtained by decryption with the reference service data; and to confirm processing if they are consistent and refuse processing if they are inconsistent;
wherein the same transaction service digest algorithm format and non-transaction service digest algorithm format are set in advance in the server and in the USB_Key.
CN201110421661.8A 2011-12-15 2011-12-15 Service data signature method, device, system and digital certification terminal Expired - Fee Related CN102420829B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201110421661.8A CN102420829B (en) 2011-12-15 2011-12-15 Service data signature method, device, system and digital certification terminal
BR102012032257A BR102012032257A2 (en) 2011-12-15 2012-12-17 METHOD, DEVICE AND SYSTEM FOR MAKING TRAFFIC DATA AND DIGITAL AUTHENTICATION TERMINAL

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110421661.8A CN102420829B (en) 2011-12-15 2011-12-15 Service data signature method, device, system and digital certification terminal

Publications (2)

Publication Number Publication Date
CN102420829A true CN102420829A (en) 2012-04-18
CN102420829B CN102420829B (en) 2014-07-02

Family

ID=45945064

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110421661.8A Expired - Fee Related CN102420829B (en) 2011-12-15 2011-12-15 Service data signature method, device, system and digital certification terminal

Country Status (2)

Country Link
CN (1) CN102420829B (en)
BR (1) BR102012032257A2 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106611311A (en) * 2015-10-23 2017-05-03 镇江金软计算机科技有限责任公司 Network payment implementation method
CN106712937A (en) * 2016-12-22 2017-05-24 北京海泰方圆科技股份有限公司 Data signature method, device and system
CN111291415A (en) * 2020-03-12 2020-06-16 北京阿尔山金融科技有限公司 Data storage method and device and business system server

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5671279A (en) * 1995-11-13 1997-09-23 Netscape Communications Corporation Electronic commerce using a secure courier system
TW424371B (en) * 1999-02-26 2001-03-01 Qic Systems Corp Group signature method for group message transmission in unsafe communication channel
US20050246778A1 (en) * 2004-04-23 2005-11-03 Viacheslav Usov Transparent encryption and access control for mass-storage devices
US20060155995A1 (en) * 2004-11-09 2006-07-13 Telefonaktiebolaget Lm Ericsson (Publ) Secure network/service access
CN1988444A (en) * 2005-12-23 2007-06-27 北京握奇数据系统有限公司 Digital signature device for confirming needed signature data and its method for confirming data
CN101482962A (en) * 2009-02-26 2009-07-15 北控易码通(北京)科技有限公司 Service data processing terminal and service data processing method
CN101610150A (en) * 2009-07-22 2009-12-23 中兴通讯股份有限公司 Third party's digital signature method and data transmission system
CN101651713A (en) * 2009-09-18 2010-02-17 北京握奇数据系统有限公司 Smart card network data transmitting method and device
CN101820346A (en) * 2010-05-04 2010-09-01 北京飞天诚信科技有限公司 Secure digital signature method
CN101997864A (en) * 2009-08-27 2011-03-30 上海中信信息发展股份有限公司 System architecture for realizing electronic document packaging and constructing method thereof
CN102035654A (en) * 2010-12-29 2011-04-27 北京握奇数据系统有限公司 Identity authentication method, identity authentication equipment, server and identity authentication-based encryption method

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
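"China Master's Theses Full-text Database, Information Science and Technology" 20070915 Zhang Weili "Research on a Trusted Signature Environment for Online Banking Clients" I139-91 1-11 , Issue 3 *
"China Master's Theses Full-text Database, Information Science and Technology" 20110312 Wang Yongsheng "Research on the Application of PKI Digital Signatures in E-Government" I136-160 1-11 , Issue 6 *
Zhang Weili: "Research on a Trusted Signature Environment for Online Banking Clients", "China Master's Theses Full-text Database, Information Science and Technology" *
Wang Yongsheng: "Research on the Application of PKI Digital Signatures in E-Government", "China Master's Theses Full-text Database, Information Science and Technology" *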

Also Published As

Publication number Publication date
CN102420829B (en) 2014-07-02
BR102012032257A2 (en) 2013-11-26

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder
CP01 Change in the name or title of a patent holder

Address after: 100015 Beijing city Chaoyang District Dongzhimen West eight Street No. 2 room Wanhong Yan Dong Business Garden

Patentee after: BEIJING WATCHDATA Co.,Ltd.

Address before: 100015 Beijing city Chaoyang District Dongzhimen West eight Street No. 2 room Wanhong Yan Dong Business Garden

Patentee before: BEIJING WATCH DATA SYSTEM Co.,Ltd.

CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20140702

Termination date: 20211215