CN102571340A - Certificate authentication device as well as access method and certificate update method thereof - Google Patents

Publication number: CN102571340A
Authority: CN (China)
Legal status: Pending
Application number: CN201010620431XA
Other languages: Chinese (zh)
Inventors: 刘道斌, 廖剑, 王晨阳, 陈庆方
Current assignee: China Potevio Co ltd; Petevio Institute Of Technology Co ltd
Original assignee: Potevio Institute of Technology Co Ltd
Prior art keywords: mobilekey, certificate, control module, module, digital certificate
Classification: Storage Device Security

Abstract

The invention discloses a certificate authentication device which comprises a normal storage module, a storage control module and an interface module, wherein the normal storage module is connected with the storage control module, and the storage control module and the interface module are connected. The certificate authentication device further comprises a safety storage module, an operation processing module and a safety control module, wherein the safety storage module is respectively connected with the operation processing module and the safety control module and used for storing private information for certificate authentication; the operation processing module is used for performing hardware acceleration on an encryption algorithm; and the safety control module is connected with the storage control module and used for scheduling the operation processing module to perform operation and controlling the safety storage module to perform data storage and output. The certificate authentication device disclosed by the invention can have a higher certificate authentication speed under the condition of ensuring the safety. The invention further discloses an access method and a certificate update method based on the certificate authentication device so as to realize the access of the certificate authentication device and the update of the certificate.

Description

Certificate authentication device, and access method and certificate update method for the device
Technical field
The present invention relates to the field of authentication technology, and in particular to a certificate authentication device and to an access method and a certificate update method for that device.
Background
A USBKey is a certificate authentication device with a Universal Serial Bus (USB) interface. It has a built-in microcontroller or smart card chip and a certain amount of storage in which the user's private key and digital certificate can be stored, and it authenticates the user's identity using the public key algorithm built into the USBKey.
USBKeys are now widely used in online banking, government office automation (OA) and virtual private networks (VPN). A USBKey provides an environment for storing the digital certificate securely at the terminal and improves authentication efficiency by performing the computation on a hardware coprocessor, which makes it a good current solution for certificate authentication.
With the rise of mobile payment and mobile office work, demand for certificate authentication on mobile terminals keeps growing. Many mobile terminals do not support a USB interface, and a USB interface consumes more power than most mobile terminals can afford. The current USBKey approach to certificate authentication is therefore not suitable for mobile terminals.
Two schemes are mainly used at present to solve certificate authentication on mobile terminals:
Scheme one: soft certificate authentication
This scheme stores the digital certificate and private key directly on the mobile terminal device. The private key is protected by the user's personal identification number (PIN), and the operations needed for certificate authentication, such as asymmetric key generation, encryption and decryption, and signature verification, are implemented by software running on the mobile terminal.
Scheme two: Subscriber Identity Module (SIM) card
This scheme uses the SIM card as the hardware carrier that stores the digital certificate, and the operations needed for certificate authentication, such as asymmetric key generation, encryption and decryption, and signature verification, are performed by the SIM card.
Drawbacks of scheme one:
The digital certificate and private key are stored on the mobile terminal device and must be loaded into the terminal's memory (RAM) during use, where an attacker can easily obtain them. Security is low and does not meet the relevant national information security standards. In addition, the operations needed for certificate authentication, such as asymmetric key generation, encryption and decryption, and signature verification, are implemented in software and are slow. Taking an ordinary smartphone with a clock frequency of about 200 MHz as an example, generating a 1024-bit RSA key pair takes tens of seconds on average, compared with an average of about 4 seconds to generate a key of the same length in hardware. The gap is large and slows authentication.
Drawbacks of scheme two:
A SIM card has very little storage. Storing the digital certificate and private key on the SIM card affects the storage of other data, for example by taking space needed for data such as the address book. The SIM card's communication rate is also very low: most SIM cards use the International Organization for Standardization (ISO) 7816 interface, whose transmission rate is far below that of a typical memory card interface, and this slows authentication. Furthermore, because a SIM card cannot be used directly on a PC, it is not compatible with the certificate authentication methods currently used on PCs, and its scope of application is limited.
Summary of the invention
An embodiment of the invention provides a certificate authentication device that, when used with a mobile terminal, achieves a higher certificate authentication speed while ensuring security.
An embodiment of the invention provides an access method for the certificate authentication device, which enables access to the private information used for authentication in the device.
An embodiment of the invention provides a certificate update method for the certificate authentication device, which makes it easy to update the certificate stored in the device.
To achieve the above objects, the technical solution of the invention is implemented as follows:
A certificate authentication device comprises a generic storage module, a storage control module and an interface module; the generic storage module is connected to the storage control module, and the storage control module is connected to the interface module. The device further comprises:
a secure storage module, connected to the calculation process module and to the safety control module, for storing the private information used for certificate authentication;
a calculation process module, for hardware acceleration of the encryption algorithm;
a safety control module, connected to the storage control module, for scheduling the calculation process module to perform operations and for controlling the secure storage module's storage and output of data.
Preferably, the secure storage module, calculation process module and safety control module are integrated in one independent chip.
Preferably, the secure storage module, calculation process module, safety control module and storage control module are integrated in one independent chip.
Preferably, the secure storage module and the generic storage module are integrated in one independent chip, and the calculation process module, safety control module and storage control module are integrated in another independent chip.
Preferably, the safety control module and the storage control module are connected by a serial port, a 7816 interface or an SPI bus.
An access method based on the above certificate authentication device comprises:
when the storage control module receives a memory card write instruction through the interface module, if the address specified by the write instruction is a predefined special address, passing the data carried by the write instruction to the safety control module as command data;
the safety control module parsing and responding to the command data, and performing the processing that corresponds to the instruction in the command data;
the safety control module outputting the response data obtained after processing to the storage control module;
the storage control module reorganizing the response data.
Preferably, the method further comprises:
when the storage control module receives, through the interface module, a read instruction sent by an external application, if the address specified by the read instruction is the predefined special address, returning the reorganized response data to the external application as the data fed back for the read instruction.
Preferably, if the address specified by the write instruction is the predefined special address, the method further comprises: verifying the write instruction and, if the write instruction passes verification, continuing with the step of passing the data carried by the write instruction to the safety control module as command data and with the subsequent steps.
Preferably, the method further comprises:
if the address specified by the write instruction is not the predefined special address, or the data carried by the write instruction fail verification, the storage control module passing the data carried by the write instruction to the generic storage module to be stored as general data.
A certificate update method based on the above certificate authentication device comprises:
after the original digital certificate in the certificate authentication device MobileKey has expired, MobileKey generating a new public/private key pair according to the protocol agreed in advance with the certificate authority (CA), and sending to the CA, through the terminal to which it is connected, an update request encrypted with the CA's public key, the update request carrying the new public key;
the CA decrypting the received encrypted update request with the CA's private key, issuing a new digital certificate for MobileKey using the new public key carried in the update request, and returning an update response that contains the encrypted new digital certificate;
MobileKey, after receiving the update response returned by the CA, replacing the original expired digital certificate and the original private key in MobileKey with the new digital certificate and the new private key.
Preferably, the update request further carries a MobileKey identifier that uniquely identifies the MobileKey, the expired digital certificate, and a session key;
the expired digital certificate contains the MobileKey identifier encrypted with the CA's private key.
Preferably, after the CA decrypts the update request, the method further comprises:
determining from the MobileKey identifier and the expired digital certificate whether the MobileKey is a legitimate user in the CA domain; if so, continuing with the step of issuing a new digital certificate for MobileKey using the new public key carried in the update request and with the subsequent steps; otherwise ending the certificate update procedure.
Preferably, determining from the MobileKey identifier and the expired digital certificate whether the MobileKey is a legitimate user in the CA domain comprises:
decrypting the CA's signature in the MobileKey digital certificate with the CA's public key to recover the plaintext MobileKey identifier, and checking whether the recovered identifier is the same as the MobileKey identifier carried in the update request sent by MobileKey; if they are the same, the MobileKey is a legitimate user in the CA domain; if they differ, it is not.
Preferably, the update request further carries a CA digital signature;
the CA digital signature is the data the CA obtained by encrypting the serial number of the expired digital certificate stored in MobileKey. The CA sent it to MobileKey the last time it issued a digital certificate to MobileKey, that is, when it issued the now-expired digital certificate stored in the certificate authentication device.
Preferably, after it is determined from the MobileKey identifier and the expired digital certificate that the MobileKey is a legitimate user in the CA domain, the method further comprises:
determining from the CA digital signature carried in the update request whether the update request was sent by the MobileKey; if so, continuing with the step of issuing a new digital certificate for MobileKey using the new public key carried in the update request and with the subsequent steps; otherwise ending the certificate update procedure.
Preferably, determining from the CA digital signature carried in the update request whether the update request was sent by the MobileKey comprises:
decrypting the CA digital signature with the CA's public key to recover the plaintext serial number of the expired digital certificate, and checking whether the recovered serial number is the same as the serial number of the expired digital certificate carried in the update request sent by MobileKey; if they are the same, the update request is judged to have been sent by the MobileKey; otherwise it is judged not to have been sent by the MobileKey.
Preferably, returning the update response comprises:
the CA encrypting the newly issued digital certificate with the session key sent by MobileKey; encrypting the serial number of the newly issued digital certificate with the CA's private key to obtain a new CA digital signature, and then encrypting the new CA digital signature with the session key sent by MobileKey; the update response carrying the encrypted new digital certificate and the encrypted new CA digital signature.
Preferably, after MobileKey receives the update response returned by the CA, the method further comprises:
decrypting, with the session key, the encrypted new digital certificate and the encrypted new CA digital signature carried in the update response; then continuing with the step of replacing the original expired digital certificate and original private key in MobileKey with the new digital certificate and the new private key, and further performing the step of replacing the former CA digital signature with the new CA digital signature.
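The CA-side checks and the replacement step described above, as an added Python example that is not part of the patent. It uses a toy unpadded RSA key, hypothetical class and field names, and constructed identifiers and serial numbers, and it leaves out the transport encryption (CA public key for the request, session key for the response).

```python
from dataclasses import dataclass

# Toy textbook-RSA CA key built from two Mersenne primes: illustration only,
# far too small and unpadded for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def ca_private_op(value: int) -> int:
    """What the page calls 'encrypting with the CA's private key'."""
    return pow(value, D, N)


def ca_public_op(value: int) -> int:
    """What the page calls 'decrypting with the CA's public key'."""
    return pow(value, E, N)


def id_to_int(mk_id: bytes) -> int:
    return int.from_bytes(mk_id, "big")


@dataclass(frozen=True)
class Certificate:
    serial: int
    public_key: str    # opaque placeholder for the subject's public key
    signed_id: int     # MobileKey identifier under the CA private key


@dataclass(frozen=True)
class UpdateRequest:
    mk_id: bytes
    expired_cert: Certificate
    new_public_key: str
    ca_signature: int  # CA private-key operation over the expired serial


class CertificateAuthority:
    def __init__(self, first_serial: int = 1000):
        self._next_serial = first_serial

    def issue(self, mk_id: bytes, public_key: str):
        """Return (certificate, CA digital signature over its serial)."""
        serial, self._next_serial = self._next_serial, self._next_serial + 1
        cert = Certificate(serial, public_key, ca_private_op(id_to_int(mk_id)))
        return cert, ca_private_op(serial)

    def handle_update(self, req: UpdateRequest):
        # Check 1: the identifier recovered from the expired certificate
        # must equal the identifier claimed in the request.
        if ca_public_op(req.expired_cert.signed_id) != id_to_int(req.mk_id):
            return None, "not a legitimate user in the CA domain"
        # Check 2: the serial recovered from the CA digital signature must
        # equal the serial of the expired certificate in the request.
        if ca_public_op(req.ca_signature) != req.expired_cert.serial:
            return None, "request not sent by this MobileKey"
        return self.issue(req.mk_id, req.new_public_key), "ok"


@dataclass
class MobileKey:
    mk_id: bytes
    cert: Certificate
    ca_signature: int
    private_key: str   # opaque placeholder; never leaves the device

    def build_request(self, new_public_key: str) -> UpdateRequest:
        return UpdateRequest(self.mk_id, self.cert, new_public_key,
                             self.ca_signature)

    def install(self, cert: Certificate, ca_signature: int, private_key: str):
        # Replace certificate, private key and CA digital signature together.
        self.cert, self.ca_signature = cert, ca_signature
        self.private_key = private_key


def demo():
    ca = CertificateAuthority()
    cert_a, sig_a = ca.issue(b"MK-0001", "old-public-key-A")   # serial 1000
    cert_b, sig_b = ca.issue(b"MK-0002", "old-public-key-B")   # serial 1001
    key = MobileKey(b"MK-0001", cert_a, sig_a, "old-private-key-A")
    requests = {
        "wrong_id": UpdateRequest(b"MK-0002", cert_a, "new-public-key-X", sig_a),
        "wrong_sig": UpdateRequest(b"MK-0001", cert_a, "new-public-key-X", sig_b),
        "good": key.build_request("new-public-key-A"),
    }
    results = {}
    for name, req in requests.items():
        issued, status = ca.handle_update(req)
        results[name] = (status, issued[0].serial if issued else None)
        if issued:
            key.install(issued[0], issued[1], "new-private-key-A")
    return results, key
```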
As the above technical solution shows, when the certificate authentication device of the invention is used with a mobile terminal, its security is far higher than that of the soft certificate scheme because hardware is the carrier for security information such as the private key and certificate. Because it uses a memory card interface, its communication speed is far higher than that of the SIM card's ISO 7816 interface. In addition, because it is based on a standard memory card interface, its scope of application is wide: besides mobile terminals, it can be connected through equipment such as a card reader to terminals such as a PC and serve as the certificate carrier on the PC platform.
The access method of the certificate authentication device of the invention uses a predefined special address to distinguish access to the private information stored in the device from access to general data, and so enables access to the private information in the device.
The certificate update method of the certificate authentication device of the invention can communicate with the CA through the terminal equipment to which the device is connected, achieving online certificate update while ensuring security, which simplifies the certificate update process.
Description of the drawings
Fig. 1 is a schematic diagram of an existing memory card structure;
Fig. 2 is a schematic structural diagram of the certificate authentication device of embodiment one of the invention;
Fig. 3 is a schematic structural diagram of the certificate authentication device of embodiment two of the invention;
Fig. 4 is a schematic structural diagram of the certificate authentication device of embodiment three of the invention;
Fig. 5 is a flow chart of the access method of the certificate authentication device of an embodiment of the invention;
Fig. 6 is a flow chart of the certificate update method of an embodiment of the invention.
Detailed description of the embodiments
To make the objects, technical solution and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and embodiments.
The invention mainly embeds modules for certificate authentication in a memory card with a standard interface, storing the security information and completing the certificate authentication process in hardware. This improves the speed of certificate authentication while ensuring security, and gives a wider scope of application. The certificate authentication device of the invention may be called a MobileKey.
Fig. 1 is a schematic diagram of an existing memory card structure. As shown in Fig. 1, it comprises a generic storage module 101, a storage control module 102 and an interface module 103.
The generic storage module 101 stores general data and is usually implemented by a flash memory (FLASH) chip. The storage control module 102 is connected to the generic storage module 101 and to the interface module 103, performs data write control and the like on the generic storage module 101, and is usually implemented by an independent chip. The interface module 103 sends and receives data and can be implemented with a standard interface such as Secure Digital (SD), MultiMediaCard (MMC) or Memory Stick.
In the specific embodiments of the invention, the following modules for certificate authentication are added to the existing memory card structure:
Secure storage module: stores the private information used for certificate authentication, for example the digital certificate, the private key information corresponding to the digital certificate, key seeds and other information that must not be disclosed. It is not used to store general data.
Calculation process module: provides hardware acceleration for the encryption algorithm. For example, it may be an RSA (an encryption algorithm) acceleration engine, a random number generator, an AES (an encryption algorithm) computation engine and so on, depending on the specific encryption algorithm used.
Safety control module: schedules the calculation process module to perform operations, controls the secure storage module's storage and output of data, and so on.
Physically, these three modules can be implemented by one independent chip, for example a smart card chip or a dedicated coprocessor chip, connected to the storage control module by a serial port, ISO 7816, Serial Peripheral Interface (SPI) or similar bus. The three modules can also be integrated into the chips that hold the other existing modules. For example, all three can be integrated into the chip that holds the storage control module; or the secure storage module can be integrated into the FLASH chip that holds the generic storage module, with the calculation process module and the safety control module integrated into the chip that holds the storage control module.
Fig. 2 is a schematic structural diagram of the certificate authentication device of embodiment one of the invention. As shown in Fig. 2, the device comprises a generic storage module 201, a storage control module 202, an interface module 203, a secure storage module 204, a calculation process module 205 and a safety control module 206.
The functions and connections of the generic storage module 201, storage control module 202 and interface module 203 are the same as in an existing memory card and are not repeated. The secure storage module 204 is connected to the calculation process module 205 and to the safety control module 206, and the safety control module 206 is also connected to the storage control module 202. The secure storage module 204, calculation process module 205 and safety control module 206 are integrated in one independent security processing chip, while the generic storage module 201 is implemented by a FLASH chip and the storage control module 202 by a controller chip.
Fig. 3 is a schematic structural diagram of the certificate authentication device of embodiment two of the invention. As shown in Fig. 3, the device comprises a generic storage module 301, a storage control module 302, an interface module 303, a secure storage module 304, a calculation process module 305 and a safety control module 306.
The function and connections of each module are the same and are not repeated. The difference from embodiment one is that the secure storage module 304, calculation process module 305 and safety control module 306 are integrated in the controller chip together with the storage control module 302.
Fig. 4 is a schematic structural diagram of the certificate authentication device of embodiment three of the invention. As shown in Fig. 4, the device comprises a generic storage module 401, a storage control module 402, an interface module 403, a secure storage module 404, a calculation process module 405 and a safety control module 406.
The function and connections of each module are the same and are not repeated. The difference from embodiments one and two is that the secure storage module 404 and the generic storage module 401 are integrated in the FLASH chip, and the calculation process module 405 and safety control module 406 are integrated in the controller chip together with the storage control module 402.
Of course, because the function of the generic storage module is unrelated to certificate authentication, it is not essential to the certificate authentication device of the invention. Moreover, the invention is not limited to the above three embodiments: physically, the secure storage module, calculation process module and safety control module may each be implemented by a separate chip, or each be integrated into any chip of the existing memory card.
In the above certificate authentication device, the certificate authentication application is an extension on a memory card interface, and the standard memory card protocol does not support access to the in-card modules used for certificate authentication. If those modules cannot be accessed, neither the certificate authentication process nor the certificate update process can be carried out. We therefore designed a method for accessing the in-card certificate authentication modules by sharing addresses. The specific steps, shown in Fig. 5, are:
Step 501: define the special address in advance.
The special address can be some addresses or a certain address range, decided as needed. Because a memory card is an external storage device, it can only be operated through write or read instructions, and each write or read instruction specifies the address to write or read. By defining a special address, the device can therefore check the address specified in a received write or read instruction to tell whether the external application is reading or writing the existing generic storage module in the certificate authentication device, or operating on the modules the invention adds for certificate authentication.
Step 502: determine the command data according to the special address.
When an external application needs to access data in the card, for example when the storage control module in the controller chip receives, through the interface module, a write instruction sent by the external application, the storage control module checks whether the address specified in the write instruction is the predefined special address. If it is, the storage control module further verifies the validity of the data carried by the write instruction. The validity check is a security measure that prevents the instruction from being tampered with in transit. Typically a checksum is used, or an encryption algorithm; any existing verification method can be used, so the details are not repeated here. If security requirements are not high, verification can also be omitted. If verification fails, the data carried by the write instruction are stored in the generic storage module as general data. If verification passes, the data are passed to the safety control module as command data. If the address is not the special address, the data carried by the write instruction are stored directly in the generic storage module as general data.
Step 503: process according to the command data.
When the safety control module receives the command data, it parses and responds to them and performs the corresponding processing. The command data contain the external application's operation instruction for the modules the invention uses for certificate authentication, for example calling the calculation process module to encrypt the private information stored in the secure storage module or to generate a key, or storing private information data in the secure storage module. After the safety control module finishes processing, it outputs the resulting response data to the storage control module.
Step 504: feed back the processed data.
After the storage control module obtains the response data fed back by the safety control module, it reorganizes the response data for the specific application and places them in the storage control module's internal buffer. Because the format of the data produced by processing inside the memory card differs from the data format the external application needs, the storage control module must repackage the response data into the format the external application requires so that the external application can read them. In addition, because a memory card is a passive device, the external application can only obtain data through a read instruction. So when the storage control module receives, through the interface module, a memory card read instruction sent by the external application, it checks whether the address specified by the read instruction is the predefined special address. If it is, and the storage control module has finished reorganizing the response data, the reorganized response data are returned to the external application through the interface module as the data fed back for the read instruction.
In the above process, the external application can send read and write instructions to the special address in two ways. One is to read and write the physical address directly through the system's application programming interface (API). The other is to read and write a file that covers the sector, so that reading and writing a particular data block of the file reads and writes the physical address through the file system. In addition, the external application's specific application function instructions for the authentication modules can be carried in the read/write instruction as the data it specifies.
With the above method, an external application can access the certificate authentication modules in the memory card. A person skilled in the art can implement the concrete certificate authentication process based on this access method. Because the invention does not modify the certificate authentication process itself, the process of performing certificate authentication with the device is not described further here.
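The dispatch in steps 501 to 504, modelled in Python as an added example (not code from the patent). The special address value, the length/CRC32 sector layout, the two opcodes, and the use of HMAC-SHA256 in place of the hardware calculation process module are all assumptions made for illustration.

```python
import hashlib
import hmac
import zlib

SECTOR_SIZE = 512
SPECIAL_ADDRESS = 0xF000          # assumed; the page only says "predefined"
CMD_STORE, CMD_MAC = 0x01, 0x02   # hypothetical opcodes
STATUS_OK, STATUS_ERR = 0x00, 0x01


def frame(payload: bytes) -> bytes:
    """Assumed sector layout: length(2) | payload | CRC32(4) | zero padding."""
    body = len(payload).to_bytes(2, "big") + payload
    return (body + zlib.crc32(body).to_bytes(4, "big")).ljust(SECTOR_SIZE, b"\x00")


def unframe(sector: bytes):
    """Return the payload, or None when the checksum does not verify."""
    length = int.from_bytes(sector[:2], "big")
    if length == 0 or length + 6 > len(sector):
        return None
    body, crc = sector[:2 + length], sector[2 + length:6 + length]
    return body[2:] if zlib.crc32(body).to_bytes(4, "big") == crc else None


class SafetyControlModule:
    def __init__(self):
        self._secure_storage = b""    # private information, never returned

    def handle(self, command: bytes) -> bytes:
        opcode, arg = command[0], command[1:]
        if opcode == CMD_STORE and arg:
            self._secure_storage = arg
            return bytes([STATUS_OK])
        if opcode == CMD_MAC and self._secure_storage:
            # HMAC-SHA256 stands in for the calculation process module.
            tag = hmac.new(self._secure_storage, arg, hashlib.sha256).digest()
            return bytes([STATUS_OK]) + tag
        return bytes([STATUS_ERR])


class StorageControlModule:
    def __init__(self):
        self.flash = {}               # generic storage module: address -> sector
        self.safety = SafetyControlModule()
        self._response = None         # internal buffer for the reorganized reply

    def write(self, address: int, data: bytes) -> str:
        # Step 502: special address AND valid checksum -> command data;
        # anything else is stored as general data.
        command = unframe(data) if address == SPECIAL_ADDRESS else None
        if command is None:
            self.flash[address] = data
            return "stored"
        # Steps 503-504: process, then repackage the response for the reader.
        self._response = frame(self.safety.handle(command))
        return "command"

    def read(self, address: int) -> bytes:
        if address == SPECIAL_ADDRESS and self._response is not None:
            response, self._response = self._response, None
            return response
        return self.flash.get(address, bytes(SECTOR_SIZE))


def demo():
    card = StorageControlModule()
    secret = b"constructed-private-key-seed"          # constructed sample value
    card.write(SPECIAL_ADDRESS, frame(bytes([CMD_STORE]) + secret))
    store_status = unframe(card.read(SPECIAL_ADDRESS))
    card.write(SPECIAL_ADDRESS, frame(bytes([CMD_MAC]) + b"challenge"))
    mac_reply = unframe(card.read(SPECIAL_ADDRESS))
    damaged = bytearray(frame(bytes([CMD_MAC]) + b"challenge"))
    damaged[5] ^= 0xFF                                # break the checksum
    fallback = card.write(SPECIAL_ADDRESS, bytes(damaged))
    ordinary = card.write(0x0010, b"photo".ljust(SECTOR_SIZE, b"\x00"))
    leaked = any(secret in sector for sector in card.flash.values())
    return store_status, mac_reply, fallback, ordinary, leaked
```

Note the fallback case: a write to the special address that fails verification lands in the generic storage module as ordinary data, exactly as step 502 describes, so a host cannot tell a rejected command from a plain write except by the reply it reads back.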
In order to improve MobileKey fail safe in use; Authentication center (CA) can be provided with the term of validity to this digital certificate when giving MobileKey distribute digital certificate; In case crossed the term of validity; It is invalid that this digital certificate will become, and MobileKey can't pass through when carrying out authentication with mobile terminal device.Therefore, in order to guarantee the normal use of MobileKey, CA need upgrade the digital certificate of MobileKey.
Because MobileKey can't be directly communicated by letter with CA foundation, and MobileKey mostly is in off-line state, thereby makes updating digital certificate relatively more difficult.A kind of possible method is regularly to the place of CA appointment the MobileKey digital certificate is upgraded by the user, but this updating digital certificate process to be comparatively loaded down with trivial details, and can to bring inconvenience to the user.
In view of this, the invention provides a kind of MobileKey digital certificate updating method, simplified the updating digital certificate process of MobileKey.
MobileKey among the present invention can carry out updating digital certificate with online mode through the terminal; Promptly let MobileKey when being connected with the terminal; Utilize the data interface channel between terminal and the CA,, accomplish the renewal of MobileKey digital certificate like WLAN, GPRS etc.MobileKey earlier according to the agreement that consults with CA in advance produce public, private key is right; Initiate the updating digital certificate request to CA; After CA receives the request of renewal, again for MobileKey signs and issues digital certificate, afterwards; Digital certificate and private key that MobileKey lost efficacy with digital certificate of signing and issuing again and private key replacement are accomplished whole renewal process.
The typical application of carrying out the certificate update process when being connected with portable terminal with MobileKey below is that example is elaborated, and certainly, when MobileKey was connected with PC other-ends such as (PC), the process of certificate update also was identical.
First, the MobileKey must store private information that uniquely identifies it, such as the MobileKey identifier, the MobileKey digital certificate and the CA digital certificate. The CA digital certificate contains the CA's public key; correspondingly, the CA holds the private key that corresponds to the CA digital certificate.
As shown in Figure 6, the digital certificate update process comprises the following steps:
Step 601: When the MobileKey digital certificate has expired, the MobileKey starts the certificate update process. It first generates a new public/private key pair and a session key according to the agreement negotiated in advance with the CA, and sends an update request to the CA through the mobile terminal it is connected to.
The update request carries the following request information: the MobileKey identifier, the expired MobileKey digital certificate, the new public key generated according to the agreement negotiated in advance with the CA, the CA digital signature and the session key. For secure transmission, the request information must be encrypted with the CA's public key.
The expired MobileKey digital certificate contains the MobileKey identifier encrypted with the CA's private key. The MobileKey identifier and the expired MobileKey digital certificate allow the CA to judge whether the MobileKey is a legitimate user in the CA domain. If the security requirements are not high, the step of judging whether the MobileKey is a legitimate user in the CA domain can be omitted, in which case the update request need not carry the MobileKey identifier or the expired MobileKey digital certificate.
The CA digital signature is the data obtained by encrypting some piece of information with the CA's private key. In this embodiment it is the data the CA obtains by encrypting the serial number of the expired MobileKey digital certificate stored in the certificate authentication device; any other unique information could equally be encrypted to obtain the CA digital signature. The CA sends the CA digital signature to the MobileKey when it issues a digital certificate to the MobileKey; that is, it was sent to the MobileKey when the CA last issued a MobileKey digital certificate (the expired MobileKey digital certificate stored in the certificate authentication device).
In addition, the CA digital signature must not be placed in the MobileKey digital certificate for transmission; that is, the CA digital signature must not be disclosed. The CA digital signature exists to prevent the mobile terminal from deceiving the CA. It is kept inside the MobileKey, where the mobile terminal cannot obtain it, and because the mobile terminal does not have the CA's private key it cannot forge the CA digital signature. The mobile terminal therefore cannot forge a MobileKey update request to deceive the CA.
The session key exists to prevent the mobile terminal from deceiving the MobileKey. Because the session key is transmitted only between the MobileKey and the CA, the mobile terminal does not know it. The mobile terminal therefore cannot decrypt the response information, and cannot deceive the MobileKey by forging response information.
During the digital certificate update, the CA digital signature and the session key can be used together, that is, the update request carries both. It is also possible to use only the CA digital signature or only the session key; when the CA digital signature is not used, the CA does not need to send a CA digital signature when it issues a new digital certificate for the MobileKey. If the security requirement against possible man-in-the-middle attacks is not high, neither needs to be used; encrypting the communication between the MobileKey and the CA through the CA digital certificate still provides relatively high security. The case described in detail below uses both the CA digital signature and the session key, with the request information encrypted with the CA's public key.
Step 602: The CA judges whether the MobileKey is a legitimate user in the CA domain. After receiving the update request sent by the MobileKey, the CA first decrypts the received request information with the CA's private key to recover the plaintext request information. It then decrypts the CA's signature in the MobileKey digital certificate with the CA's public key to recover the plaintext MobileKey identifier, and judges whether the recovered MobileKey identifier is identical to the MobileKey identifier carried in the update request. If they are identical, the MobileKey is a legitimate user in the CA domain and step 603 is executed. If they differ, the MobileKey is not a legitimate user in the CA domain, and the CA terminates communication with the MobileKey, which ends the process.
Step 603: The CA judges, from the CA digital signature carried in the update request, whether the update request was sent by the MobileKey. If so, step 604 is executed; otherwise the CA terminates the session, which ends the process.
Specifically, the CA decrypts the CA digital signature with its own public key to recover the plaintext MobileKey certificate serial number, and judges whether the recovered serial number is identical to the serial number in the MobileKey digital certificate carried in the update request. If they are identical, the update request was sent by the MobileKey, because only the MobileKey holds the CA's signature over the MobileKey certificate serial number (the CA digital signature), and step 604 is executed. If they differ, the update request was not sent by the MobileKey, and the CA terminates the session, which ends the process.
If the update request does not carry a CA digital signature, then once step 602 has determined that the MobileKey is a legitimate user in the CA domain, step 604 is executed directly and step 603 is skipped.
Step 604: Using the new public key carried in the update request, which the MobileKey generated according to the agreement negotiated in advance with the CA, the CA re-issues a new digital certificate for the MobileKey and encrypts the newly issued digital certificate with the session key sent by the MobileKey. The CA encrypts the serial number of the newly issued digital certificate with its private key to obtain a new CA digital signature, and then encrypts the new CA digital signature with the session key sent by the MobileKey. The CA then returns an update response to the MobileKey through the mobile terminal; the response information it carries comprises the encrypted new digital certificate and the encrypted new CA digital signature. If no session key is used, the newly issued digital certificate and the new CA digital signature are not encrypted, and the update response carries them in plaintext.
Step 605: After receiving the update response returned by the CA, the MobileKey decrypts the response information with the session key to recover its new digital certificate, replaces the original expired digital certificate and private key in the MobileKey with the new digital certificate and the private key generated according to the agreement negotiated in advance with the CA, and replaces the former CA digital signature with the new CA digital signature.
This completes the digital certificate update. With this certificate update method the digital certificate can be updated online through the mobile terminal. While the security of the update is ensured, the MobileKey's certificate update process is simplified: the user no longer has to go periodically to a location designated by the CA to update the MobileKey digital certificate, which is a considerable convenience for the user.
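The exchange in steps 601 to 605 can be traced end to end in the sketch below, which is an added example and not code from the patent; every class, function and field name in it is hypothetical. It assumes toy textbook RSA with constructed Mersenne-prime keys for the CA's private/public-key operations, a hybrid wrap (the session key is RSA-encrypted to the CA and the request body is sealed under the session key) as a stand-in for "encrypted with the CA's public key", and a SHA-256 keystream with an HMAC tag as a stand-in session cipher.

```python
import hashlib, hmac, json, secrets

E = 65537
# Constructed toy keys built from Mersenne primes: trivially factorable, demo only.
CA_P, CA_Q = 2**127 - 1, 2**89 - 1
CA_N = CA_P * CA_Q
CA_D = pow(E, -1, (CA_P - 1) * (CA_Q - 1))
OLD_PUB = [(2**61 - 1) * (2**31 - 1), E]      # public key in the expired certificate
NEW_P, NEW_Q = 2**107 - 1, 2**61 - 1          # the MobileKey's "new" key pair
NEW_PUB = [NEW_P * NEW_Q, E]
NEW_PRIV = pow(E, -1, (NEW_P - 1) * (NEW_Q - 1))

def ca_private_op(m):      # the page's "encrypt with the CA's private key"
    return pow(m, CA_D, CA_N)

def ca_public_op(c):       # "decrypt with the CA's public key", or encrypt to the CA
    return pow(c, E, CA_N)

def to_int(text):
    return int.from_bytes(text.encode(), "big")

def keystream(key, label, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + label + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, label, data):
    # Stand-in session cipher (assumption): SHA-256 keystream plus HMAC tag.
    ct = bytes(a ^ b for a, b in zip(data, keystream(key, label, len(data))))
    return ct + hmac.new(key, label + ct, hashlib.sha256).digest()

def unseal(key, label, blob):
    ct, tag = blob[:-32], blob[-32:]
    good = hmac.new(key, label + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, label, len(ct))))

class CA:
    def __init__(self):
        self.next_serial = 1000

    def issue(self, mk_id, pubkey):
        serial, self.next_serial = self.next_serial, self.next_serial + 1
        cert = {"serial": serial, "mk_id": mk_id, "pubkey": pubkey,
                "id_sig": ca_private_op(to_int(mk_id))}
        # Second value is the CA digital signature: handed to the MobileKey only.
        return cert, ca_private_op(serial)

    def handle_update(self, request):
        wrapped_key, blob = request
        try:
            key = ca_private_op(wrapped_key).to_bytes(16, "big")
            body = json.loads(unseal(key, b"req", blob))
            old = body["old_cert"]
            # Step 602: identifier recovered from the expired certificate must match.
            if ca_public_op(old["id_sig"]) != to_int(body["mk_id"]):
                return None
            # Step 603: only the MobileKey holds the CA's signature over the serial.
            if ca_public_op(body["ca_sig"]) != old["serial"]:
                return None
        except (ValueError, OverflowError, KeyError, TypeError, AttributeError):
            return None
        # Step 604: issue, then protect certificate and new signature for transit.
        cert, sig = self.issue(body["mk_id"], body["new_pub"])
        return seal(key, b"resp", json.dumps({"cert": cert, "ca_sig": sig}).encode())

class MobileKey:
    def __init__(self, mk_id, cert, ca_sig):
        self.mk_id, self.cert, self.ca_sig = mk_id, cert, ca_sig
        self.private_key = None          # old private key, not needed in this demo
        self.session_key = None

    def build_request(self):             # step 601
        self.session_key = secrets.token_bytes(16)
        body = {"mk_id": self.mk_id, "old_cert": self.cert,
                "new_pub": NEW_PUB, "ca_sig": self.ca_sig}
        wrapped = ca_public_op(int.from_bytes(self.session_key, "big"))
        return wrapped, seal(self.session_key, b"req", json.dumps(body).encode())

    def apply_response(self, blob):      # step 605
        body = json.loads(unseal(self.session_key, b"resp", blob))
        self.cert, self.ca_sig = body["cert"], body["ca_sig"]
        self.private_key = NEW_PRIV

def run_update():
    ca = CA()
    old_cert, ca_sig = ca.issue("MK-0001", OLD_PUB)
    mk = MobileKey("MK-0001", old_cert, ca_sig)
    response = ca.handle_update(mk.build_request())   # relayed by the terminal
    mk.apply_response(response)
    return ca, mk, old_cert

if __name__ == "__main__":
    ca, mk, old_cert = run_update()
    print("old serial", old_cert["serial"], "-> new serial", mk.cert["serial"])
```

A request that carries the expired certificate but not the matching CA digital signature is dropped at the step 603 check, and a response altered in transit fails the tag check before the MobileKey replaces any stored material.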

Claims (18)

1. A certificate authentication device, comprising a generic storage module, a storage control module and an interface module, the generic storage module being connected to the storage control module and the storage control module being connected to the interface module, characterized in that the device further comprises:
a secure storage module, connected to a calculation processing module and to a safety control module respectively, for storing private information used for certificate authentication;
the calculation processing module, for performing hardware acceleration of the encryption algorithm;
the safety control module, connected to the storage control module, for scheduling the calculation processing module to perform operations and for controlling the secure storage module's storage and output of data.
2. The certificate authentication device according to claim 1, characterized in that the secure storage module, the calculation processing module and the safety control module are integrated in one independent chip.
3. The certificate authentication device according to claim 1, characterized in that the secure storage module, the calculation processing module, the safety control module and the storage control module are integrated in one independent chip.
4. The certificate authentication device according to claim 1, characterized in that the secure storage module and the generic storage module are integrated in one independent chip, and the calculation processing module, the safety control module and the storage control module are integrated in another independent chip.
5. The certificate authentication device according to any one of claims 1 to 4, characterized in that the safety control module is connected to the storage control module through a serial port, an International Organization for Standardization ISO 7816 interface, or a serial peripheral interface (SPI) bus.
6. An access method based on the certificate authentication device according to claim 1, characterized in that the method comprises:
when the storage control module receives a memory card write command through the interface module, if the address specified by the write command is a predefined special address, passing the data carried by the write command to the safety control module as command data;
the safety control module parsing and responding to the command data, and performing the processing corresponding to the instruction in the command data;
the safety control module outputting the response data obtained after the processing is complete to the storage control module;
the storage control module reassembling the response data.
7. The access method according to claim 6, characterized in that the method further comprises:
when the storage control module receives, through the interface module, a read command sent by an external application, if the address specified by the read command is the predefined special address, returning the reassembled response data to the external application as the data fed back for the read command.
8. The access method according to claim 6 or 7, characterized in that, if the address specified by the write command is the predefined special address, the method further comprises: verifying the write command and, if the write command passes verification, continuing with the step of passing the data carried by the write command to the safety control module as command data and the subsequent steps.
9. The access method according to claim 8, characterized in that the method further comprises:
if the address specified by the write command is not the predefined special address, or the data carried by the write command does not pass verification, the storage control module passing the data carried by the write command to the generic storage module as ordinary data for storage.
10. A certificate update method based on the certificate authentication device according to claim 1, characterized in that the method comprises:
after the original digital certificate in the certificate authentication device (MobileKey) has expired, the MobileKey generating a new public/private key pair according to an agreement negotiated in advance with the certificate authority (CA), and sending to the CA, through the terminal it is connected to, an update request encrypted with the CA's public key, the update request carrying the new public key;
the CA decrypting the received encrypted update request with the CA's private key, re-issuing a new digital certificate for the MobileKey using the new public key carried in the update request, and returning an update response that contains the encrypted new digital certificate;
the MobileKey, after receiving the update response returned by the CA, replacing the original expired digital certificate and the original private key in the MobileKey with the new digital certificate and the new private key.
11. The certificate update method according to claim 10, characterized in that the update request further carries a MobileKey identifier that uniquely identifies the MobileKey, the expired digital certificate and a session key;
the expired digital certificate contains the MobileKey identifier encrypted with the CA's private key.
12. The certificate update method according to claim 11, characterized in that, after the CA decrypts the update request, the method further comprises:
judging, from the MobileKey identifier and the expired digital certificate, whether the MobileKey is a legitimate user in the CA domain; if so, continuing with the step of re-issuing a new digital certificate for the MobileKey using the new public key carried in the update request and the subsequent steps; otherwise ending the certificate update process.
13. The certificate update method according to claim 12, characterized in that judging, from the MobileKey identifier and the expired digital certificate, whether the MobileKey is a legitimate user in the CA domain comprises:
decrypting the CA's signature in the MobileKey digital certificate with the CA's public key to recover the plaintext MobileKey identifier, and judging whether the recovered MobileKey identifier is identical to the MobileKey identifier carried in the update request sent by the MobileKey; if identical, the MobileKey is a legitimate user in the CA domain, and if different it is not a legitimate user.
14. The certificate update method according to claim 12, characterized in that the update request further carries a CA digital signature;
the CA digital signature is the data the CA obtains by encrypting the serial number of the expired digital certificate stored in the MobileKey; the CA digital signature was sent to the MobileKey when the CA last issued a digital certificate to the MobileKey, namely the expired digital certificate stored in the certificate authentication device.
15. The certificate update method according to claim 14, characterized in that, after it is judged from the MobileKey identifier and the expired digital certificate that the MobileKey is a legitimate user in the CA domain, the method further comprises:
judging, from the CA digital signature carried in the update request, whether the update request was sent by the MobileKey; if so, continuing with the step of re-issuing a new digital certificate for the MobileKey using the new public key carried in the update request and the subsequent steps; otherwise ending the certificate update process.
16. The certificate update method according to claim 15, characterized in that judging, from the CA digital signature carried in the update request, whether the update request was sent by the MobileKey comprises:
decrypting the CA digital signature with the CA's public key to recover the plaintext serial number of the expired digital certificate, and judging whether the recovered serial number is identical to the serial number of the expired digital certificate carried in the update request sent by the MobileKey; if identical, judging that the update request was sent by the MobileKey; otherwise judging that the update request was not sent by the MobileKey.
17. The certificate update method according to claim 15, characterized in that returning the update response comprises:
the CA encrypting the re-issued new digital certificate with the session key sent by the MobileKey, encrypting the serial number of the newly issued digital certificate with the CA's private key to obtain a new CA digital signature, and then encrypting the new CA digital signature with the session key sent by the MobileKey; the update response carrying the encrypted new digital certificate and the encrypted new CA digital signature.
18. The certificate update method according to claim 17, characterized in that, after the MobileKey receives the update response returned by the CA, the method further comprises:
decrypting, with the session key, the encrypted new digital certificate and the encrypted new CA digital signature carried in the update response; continuing with the step of replacing the original expired digital certificate and the original private key in the MobileKey with the new digital certificate and the new private key; and further performing the step of replacing the former CA digital signature with the new CA digital signature.
CN201010620431XA 2010-12-23 2010-12-23 Certificate authentication device as well as access method and certificate update method thereof Pending CN102571340A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010620431XA CN102571340A (en) 2010-12-23 2010-12-23 Certificate authentication device as well as access method and certificate update method thereof

Publications (1)

Publication Number Publication Date
CN102571340A true CN102571340A (en) 2012-07-11

Family

ID=46415882

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010620431XA Pending CN102571340A (en) 2010-12-23 2010-12-23 Certificate authentication device as well as access method and certificate update method thereof

Country Status (1)

Country Link
CN (1) CN102571340A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right

Owner name: PUTIAN IT TECH INST CO., LTD.

Free format text: FORMER OWNER: CHINA POTEVIO CO., LTD.

Effective date: 20130306

Owner name: CHINA POTEVIO CO., LTD.

Free format text: FORMER OWNER: PUTIAN IT TECH INST CO., LTD.

Effective date: 20130304

C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right

Effective date of registration: 20130306

Address after: 100080 Beijing, Haidian, North Street, No. two, No. 6, No.

Applicant after: PETEVIO INSTITUTE OF TECHNOLOGY Co.,Ltd.

Address before: 100080, No. two, 2 street, Zhongguancun science and Technology Park, Beijing, Haidian District

Applicant before: CHINA POTEVIO CO.,LTD.

Effective date of registration: 20130304

Address after: 100080, No. two, 2 street, Zhongguancun science and Technology Park, Beijing, Haidian District

Applicant after: CHINA POTEVIO CO.,LTD.

Address before: 100080 Beijing, Haidian, North Street, No. two, No. 6, No.

Applicant before: PETEVIO INSTITUTE OF TECHNOLOGY Co.,Ltd.

C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20120711