CN107483191A - A kind of SM2 algorithm secret keys segmentation signature system and method - Google Patents
A kind of SM2 algorithm secret keys segmentation signature system and method Download PDFInfo
- Publication number
- CN107483191A CN107483191A CN201710701512.4A CN201710701512A CN107483191A CN 107483191 A CN107483191 A CN 107483191A CN 201710701512 A CN201710701512 A CN 201710701512A CN 107483191 A CN107483191 A CN 107483191A
- Authority
- CN
- China
- Prior art keywords
- mobile device
- clouds
- key
- signature
- cryptographic service
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 41
- 230000011218 segmentation Effects 0.000 title claims abstract description 13
- 238000012795 verification Methods 0.000 claims abstract description 6
- 230000005540 biological transmission Effects 0.000 claims description 4
- 238000004891 communication Methods 0.000 claims description 3
- 238000001629 sign test Methods 0.000 claims description 3
- 238000005516 engineering process Methods 0.000 abstract description 6
- 230000008569 process Effects 0.000 abstract description 4
- 230000001010 compromised effect Effects 0.000 abstract description 2
- 238000013461 design Methods 0.000 abstract description 2
- 238000011161 development Methods 0.000 description 2
- 230000018109 developmental process Effects 0.000 description 2
- 206010063385 Intellectualisation Diseases 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 238000013478 data encryption standard Methods 0.000 description 1
- 238000013467 fragmentation Methods 0.000 description 1
- 238000006062 fragmentation reaction Methods 0.000 description 1
- 230000036541 health Effects 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/085—Secret sharing or secret splitting, e.g. threshold schemes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/083—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3066—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
- H04L9/3268—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
Abstract
The present invention relates to field of information security technology, specific design key signature method and technology field, more particularly to a kind of SM2 algorithm secret keys segmentation signature system and method.Its system architecture includes mobile device, high in the clouds cryptographic service and third party CA centers, and described mobile device and high in the clouds cryptographic service each produce random number, and complete the legitimate verification of SM2 keys in mobile device one end, confirm generation SM2 keys;Described mobile device and high in the clouds cryptographic service each completes a part for SM2 algorithm digital signature, and finally generates digital signature in mobile device one end;A kind of SM2 algorithm secret keys segmentation endorsement method of the present invention; realize the signature algorithm based on SM2 Secret splittings; digital signature is completed by mobile device and high in the clouds jointly, ensure that signature process key is not compromised, and the key safety of mobile device end can be effectively protected.
Description
Technical field
The present invention relates to field of information security technology, specific design key signature method and technology field are more particularly to a kind of
SM2 algorithm secret keys split signature system and method.
Background technology
In recent years, network safety event takes place frequently, network attack from information leakage, fund steal, telecommunication fraud and fishing
The personal event such as fishnet station, rises to the security incident of the whole society, can influence our life, influence servicing, being social for government
Stable even social safety.Cryptographic technique is the core technology of the network information security, under the overall situation of internet globalization, state
Production cryptographic technique has consequence in National Security Strategy, is the basis for realizing that national network information independence is controllable, can
To be widely used in the Industry system that E-Government, the energy, traffic, health, education etc. are related to the people's livelihood and basic information resources.
SM2 algorithms are the ellipse curve public key cipher algorithms that national Password Management office issued on December 17th, 2010, SM2
Algorithm under equal key strength, has the advantages of safe, calculating speed is fast, memory space is small, together compared with RSA Algorithm
When, relative to the ECC algorithm of international standard, SM2 algorithms will be more preferable in original state coding, computations efficiency.
With the development of mobile Internet, mobile device turns into a basic trend for changing traditional calculations, mobile device
Intellectualization times, the popularity rate more and more higher of mobile intelligent terminal are stepped into.People are surfed the Net using the time of fragmentation, are moved
Dynamic office, mobile e-business, mobile e-government have huge development, and the thing followed is safety problem, it is necessary to solve
The authentication of mobile terminal and digital signature.In this case, how efficiently to utilize mobile device and combine domestic close
Code algorithm realizes the problem of digital signature turns into a urgent need to resolve.
The content of the invention
In order to solve problem of the prior art, the invention provides a kind of SM2 algorithm secret keys to split signature system and method,
It combines the characteristics of mobile terminal, produces SM2 keys jointly using mobile device and high in the clouds cryptographic service, and be two by Secret splitting
Part, each preserved by mobile device end and high in the clouds cipher server respectively, this method realizes the label based on SM2 Secret splittings
Name algorithm, completes digital signature by mobile device and high in the clouds, ensure that signature process key is not compromised jointly, and can be effective
Protect the key safety of mobile device end.
The technical solution adopted in the present invention is as follows:
A kind of SM2 algorithm secret keys split signature system, including mobile device, high in the clouds cryptographic service and third party CA centers, described
Mobile device and high in the clouds cryptographic service each produce random number, and the legitimacy for completing in mobile device one end SM2 keys is tested
Card, confirm generation SM2 keys;Described mobile device and high in the clouds cryptographic service each completes one of SM2 algorithm digital signature
Point, and finally generate digital signature in mobile device one end;
Described mobile device is responsible for generating random number, the legitimate verification for completing SM2 keys and generation SM2 digital signature
Part calculates, in addition, mobile device can produce temporary key, for the communication with high in the clouds cryptographic services;
Described high in the clouds cryptographic service is responsible for generating random number, the transmission of encryption authentication data and realization with mobile device end
The part of SM2 signature algorithms calculates;
Signing and issuing for digital certificate is responsible at described third party CA centers, is on the one hand high in the clouds cryptographic service grant a certificate, it is ensured that cloud
The legal identity of cryptographic service is held, on the other hand digital certificate is issued for mobile device, is provided for the cipher application of mobile device
Legal identity certification.
Mobile device uses external hardware ciphering terminal equipment.
High in the clouds cryptographic service uses hardware encryption machine, or is operated using cloud cipher machine to complete ciphering signature.
A kind of SM2 algorithm secret keys split endorsement method, including the method for Split Key generation and the side for completing digital signature
Method, wherein, the method for Split Key generation includes:
Step 101, third party CA centers are that high in the clouds cryptographic service issues digital certificate;
Step 102, mobile device generation temporary key pair, Split Key generation request is proposed to described high in the clouds cryptographic service;
Step 103, described high in the clouds cryptographic service generation random number dc, are encrypted, and use using the public key of mobile device
Own key is signed, and is sent to described mobile device;
Step 104, described mobile device are decrypted first with temporary private, then verify that its certificate validity and signature are effective
Property, the random number dc of acquisition high in the clouds cryptographic service;
Step 105, described mobile device produce random number dm, calculate d=dc*dm -1, d ∈ [1;N -2], wherein n
For the rank of a basic point of SM2 elliptic curves;
It is basic point that step 106, described mobile device, which calculate point P=(xP, yP)=[d] G, wherein G,(XP, yP)For coordinate;
If P meets the requirement of SM2 elliptic curves, step 107 is gone to, otherwise goes to step 108;
Step 107, described mobile device send generation key success message, SM2 keys pair to described high in the clouds cryptographic service
It is SM2 keys to being (dm*dc-1;P), private keys of the wherein dm as described mobile device, dc is as described high in the clouds password
The private key of service, P are public key;
Step 108, described mobile device send generation key failed message to described high in the clouds cryptographic service, and go to step
102, re-start random number application;
To generating successfully, described third party CA centers are that the key issues digital certificate for step 109, SM2 Split Keys;
Completing the method for digital signature includes:
Step 201, described mobile device first calculate the Hash Value Z of this user, then splice plaintext M, calculate its digest value and turn
Integer is changed to, is denoted as e;
Step 202, described mobile device generation temporary key pair, Split Key generation is proposed to described high in the clouds cryptographic service
Request;
Step 203, described high in the clouds cryptographic service generation random number k ∈ [1, n-1], calculating SM2 elliptic curve points (x1, y1)=
[k] G, then r=(e+x1) mod n are calculated, regenerate random number if r=0 or r+k=n;
Step 204, described high in the clouds cryptographic service calculating t=(k+r)*dc-1;And will(R, t)Entered using the public key of mobile device
Row encryption, and signed using own key, it is sent to described mobile device;
Step 205, described mobile device are decrypted first with temporary private, then verify that its certificate validity and signature are effective
Property, obtain(R, t);
Step 206, described mobile device, which produce, calculates s=(t-r*dm) * dm-1, if s=0, goes to step 207, otherwise
Go to step 208;
Step 207, described mobile device send generation key failed message to described high in the clouds cryptographic service, and go to step
202, re-start signature;
Step 208, described mobile device send generation signature success message, SM2 signature values to described high in the clouds cryptographic service
For(R, s).
In step 102, mobile device proposes the request of Split Key generation, including movement to described high in the clouds cryptographic service
Device identification, the public key of temporary key pair, application time.
In step 202, described mobile device proposes the request bag of Split Key generation to described high in the clouds cryptographic service
Include mobile device mark, the public key of temporary key pair, digest value integer e.
The method of Split Key generation also includes:
Step 209, mobile device carry out sign test using its public key certificate to signature value.
The beneficial effect that technical scheme provided in an embodiment of the present invention is brought is:
The invention provides a kind of SM2 algorithm secret keys segmentation signature system and method, with reference to the characteristics of mobile terminal, is set using movement
Standby and high in the clouds cryptographic service produces SM2 keys jointly, and is two parts by Secret splitting, close by mobile device end and high in the clouds respectively
Code server each preserves.The process of generation key employs ciphering signature to realize the data interaction of equipment end and high in the clouds, protects
Transmission security is demonstrate,proved.SM signature algorithms based on Secret splitting, mobile device end and high in the clouds is transferred to complete respectively by calculating,
The generation of random number make use of high in the clouds hardware device to realize that this guarantees the generation intensity of random number in signature process;Key
All completed with signature generation in mobile device end, high in the clouds can not obtain the key part of mobile device end, or even connect by calculating
Cipher key content afterwards can not also obtain, this ensure that the key safety of mobile device end.On the other hand, key is split,
Even if partial Key Exposure, malicious attacker can not also forge digital signature, be effectively protected key safety.In addition, move
Dynamic equipment end can also access outer cipher encryption hardware equipment and produce the intensity of SM2 keys to strengthen it.
Brief description of the drawings
Technical scheme in order to illustrate the embodiments of the present invention more clearly, make required in being described below to embodiment
Accompanying drawing is briefly described, it should be apparent that, drawings in the following description are only some embodiments of the present invention, for
For those of ordinary skill in the art, on the premise of not paying creative work, other can also be obtained according to these accompanying drawings
Accompanying drawing.
Fig. 1 is that a kind of SM2 algorithm secret keys of the present invention split the system composition structure chart of signature system;
Fig. 2 is that a kind of SM2 algorithm secret keys of the present invention split the key generation method flow chart of endorsement method;
Fig. 3 is that a kind of SM2 algorithm secret keys of the present invention split the digital signature method flow chart of endorsement method.
Embodiment
To make the object, technical solutions and advantages of the present invention clearer, below in conjunction with accompanying drawing to embodiment party of the present invention
Formula is described in further detail.
Embodiment one
As shown in Figure 1, a kind of SM2 algorithm secret keys segmentation signature system of the present embodiment, including mobile device, high in the clouds password clothes
Business and third party CA centers.Mobile device and high in the clouds cryptographic service each produce random number, and close in mobile device end completion SM2
The legitimate verification of key, confirm generation SM2 keys;Mobile device and high in the clouds cryptographic service each complete SM2 algorithm digital signature
A part, and finally mobile device end generate digital signature;SM2 digital signature verification operations and standard based on this method
SM2 algorithms it is identical.Wherein, described mobile device is responsible for generating random number, the legitimate verification of SM2 keys and generation
The part of SM2 digital signature calculates, in addition, mobile device, which can produce temporary key, is used for communication with high in the clouds cryptographic services, this
In mobile device can also improve its security by using external hardware ciphering terminal equipment.Described high in the clouds password clothes
Generation random number is responsible in business, and the part for transmitting and realizing SM2 signature algorithms with the encryption authentication data of mobile device end calculates,
High in the clouds cryptographic service can use hardware encryption machine, can also be operated using cloud cipher machine to complete ciphering signature etc..Described
Signing and issuing for digital certificate is mainly responsible at third party CA centers, is on the one hand high in the clouds cryptographic service grant a certificate, it is ensured that high in the clouds password
The legal identity of service, on the other hand issues digital certificate for mobile device, and legal body is provided for the cipher application of mobile device
Part certification.
It is clear in order to describe, it is assumed that in the present embodiment, high in the clouds and equipment end carry out message transmission and use state's Data Encryption Standard
SM2 algorithms, encryption key algorithm are SM2 national secret algorithms, and SM3 national secret algorithms are as digest algorithm, SM3SM2 national secret algorithm conducts
Signature algorithm, digital certificate use X509 forms.The data format of mobile device end key generation request is as follows:
ID :Mobile device identifies
PubKey:The public key of temporary key pair
T1:Application time
Nonce :Digital one time identifies
SigAlg :Signature algorithm
Signature :Signature value
The data format of the digital signature request of mobile device end is as follows:
ID :Mobile device identifies
e :Plaintext digest value after processing
PubKey:The public key of temporary key pair
T1:Application time
Nonce :Digital one time identifies
SigAlg :Signature algorithm
Signature :Signature value
It will be appreciated by those skilled in the art that in addition to using data above form, according to the embodiment of the present invention
Construction can also apply on other data formats.
Embodiment 2:
A kind of SM2 algorithm secret keys segmentation endorsement method of the present embodiment, including the method for Split Key generation and completion numeral label
The method of name, wherein, key generation method comprises the following steps with reference to figure 2:
Step 101, described third party CA centers are that described high in the clouds cryptographic service issues digital certificate;
Step 102, described mobile device generation temporary key pair, Split Key generation is proposed to described high in the clouds cryptographic service
Request(Identified including mobile device, the public key of temporary key pair, application time etc.);
Step 103, described high in the clouds cryptographic service generation random number dc, are encrypted, and use using the public key of mobile device
Own key is signed, and is sent to described mobile device;
Step 104, described mobile device are decrypted first with temporary private, then verify that its certificate validity and signature are effective
Property, the random number dc of acquisition high in the clouds cryptographic service.
Step 105, described mobile device produce random number dm, calculate d=dc*dm -1, d ∈ [1;N -2],
Wherein n is the rank of a basic point of SM2 elliptic curves.
It is basic point that step 106, described mobile device, which calculate point P=(xP, yP)=[d] G, wherein G,(XP, yP)For
Coordinate;If P meets the requirement of SM2 elliptic curves, step 107 is gone to, otherwise goes to step 108;
Step 107, described mobile device send generation key success message, SM2 keys pair to described high in the clouds cryptographic service
It is SM2 keys to being (dm*dc-1;P), private keys of the wherein dm as described mobile device, dc is as described high in the clouds password
The private key of service, P are public key;
Step 108, described mobile device send generation key failed message to described high in the clouds cryptographic service, and go to step
102, re-start random number application.
To generating successfully, described third party CA centers are that the key issues digital certificate for step 109, SM2 Split Keys.
The method of digital signature is completed with reference to figure 3, is comprised the following steps:
Step 201, described mobile device first calculate the Hash Value Z of this user, then splice plaintext M, calculate its digest value and turn
Integer is changed to, is denoted as e;
Step 202, described mobile device generation temporary key pair, Split Key generation is proposed to described high in the clouds cryptographic service
Request(Identified including mobile device, the public key of temporary key pair, digest value integer e etc.);
Step 203, described high in the clouds cryptographic service generation random number k ∈ [1, n-1], calculating SM2 elliptic curve points (x1, y1)=
[k] G, then r=(e+x1) mod n are calculated, regenerate random number if r=0 or r+k=n;
Step 204, described high in the clouds cryptographic service calculating t=(k+r)*dc-1;And will(R, t)Entered using the public key of mobile device
Row encryption, and signed using own key, it is sent to described mobile device;
Step 205, described mobile device are decrypted first with temporary private, then verify that its certificate validity and signature are effective
Property, obtain(R, t);
Step 206, described mobile device produce, and calculate s=(t-r*dm) * dm-1, if s=0, go to step 207, no
Then go to step 208;
Step 207, described mobile device send generation key failed message to described high in the clouds cryptographic service, and go to step
202, re-start signature.
Step 208, described mobile device send generation signature success message, SM2 label to described high in the clouds cryptographic service
Name value be(R, s);
Step 209, described mobile device carry out sign test using its public key certificate to signature value.
The foregoing is only presently preferred embodiments of the present invention, be not intended to limit the invention, it is all the present invention spirit and
Within principle, any modification, equivalent substitution and improvements made etc., it should be included in the scope of the protection.
Claims (7)
1. a kind of SM2 algorithm secret keys split signature system, including mobile device, high in the clouds cryptographic service and third party CA centers, institute
The mobile device and high in the clouds cryptographic service stated each produce random number, and complete the legitimacy of SM2 keys in mobile device one end
Checking, confirm generation SM2 keys;Described mobile device and high in the clouds cryptographic service each completes the one of SM2 algorithm digital signature
Part, and finally generate digital signature in mobile device one end;
Described mobile device is responsible for generating random number, the legitimate verification for completing SM2 keys and generation SM2 digital signature
Part calculates, in addition, mobile device can produce temporary key, for the communication with high in the clouds cryptographic services;
Described high in the clouds cryptographic service is responsible for generating random number, the transmission of encryption authentication data and realization with mobile device end
The part of SM2 signature algorithms calculates;
Signing and issuing for digital certificate is responsible at described third party CA centers, is on the one hand high in the clouds cryptographic service grant a certificate, it is ensured that cloud
The legal identity of cryptographic service is held, on the other hand digital certificate is issued for mobile device, is provided for the cipher application of mobile device
Legal identity certification.
2. a kind of SM2 algorithm secret keys segmentation signature system according to claim 1, it is characterised in that described movement is set
It is standby to use external hardware ciphering terminal equipment.
3. a kind of SM2 algorithm secret keys segmentation signature system according to claim 1, it is characterised in that described high in the clouds is close
Code service uses hardware encryption machine, or is operated using cloud cipher machine to complete ciphering signature.
4. a kind of SM2 algorithm secret keys split endorsement method, including the method for the method of Split Key generation and completion digital signature,
Wherein, the method for Split Key generation includes:
Step 101, third party CA centers are that high in the clouds cryptographic service issues digital certificate;
Step 102, mobile device generation temporary key pair, Split Key generation request is proposed to described high in the clouds cryptographic service;
Step 103, described high in the clouds cryptographic service generation random number dc, are encrypted, and use using the public key of mobile device
Own key is signed, and is sent to described mobile device;
Step 104, described mobile device are decrypted first with temporary private, then verify that its certificate validity and signature are effective
Property, the random number dc of acquisition high in the clouds cryptographic service;
Step 105, described mobile device produce random number dm, calculate d=dc*dm -1, d ∈ [1;N -2], wherein n
For the rank of a basic point of SM2 elliptic curves;
It is basic point that step 106, described mobile device, which calculate point P=(xP, yP)=[d] G, wherein G,(XP, yP)For coordinate;
If P meets the requirement of SM2 elliptic curves, step 107 is gone to, otherwise goes to step 108;
Step 107, described mobile device send generation key success message, SM2 keys pair to described high in the clouds cryptographic service
It is SM2 keys to being (dm*dc-1;P), private keys of the wherein dm as described mobile device, dc is as described high in the clouds password
The private key of service, P are public key;
Step 108, described mobile device send generation key failed message to described high in the clouds cryptographic service, and go to step
102, re-start random number application;
To generating successfully, described third party CA centers are that the key issues digital certificate for step 109, SM2 Split Keys;
Completing the method for digital signature includes:
Step 201, described mobile device first calculate the Hash Value Z of this user, then splice plaintext M, calculate its digest value and turn
Integer is changed to, is denoted as e;
Step 202, described mobile device generation temporary key pair, Split Key generation is proposed to described high in the clouds cryptographic service
Request;
Step 203, described high in the clouds cryptographic service generation random number k ∈ [1, n-1], calculating SM2 elliptic curve points (x1, y1)=
[k] G, then r=(e+x1) mod n are calculated, regenerate random number if r=0 or r+k=n;
Step 204, described high in the clouds cryptographic service calculating t=(k+r)*dc-1;And will(R, t)Entered using the public key of mobile device
Row encryption, and signed using own key, it is sent to described mobile device;
Step 205, described mobile device are decrypted first with temporary private, then verify that its certificate validity and signature are effective
Property, obtain(R, t);
Step 206, described mobile device, which produce, calculates s=(t-r*dm) * dm-1, if s=0, goes to step 207, otherwise
Go to step 208;
Step 207, described mobile device send generation key failed message to described high in the clouds cryptographic service, and go to step
202, re-start signature;
Step 208, described mobile device send generation signature success message, SM2 signature values to described high in the clouds cryptographic service
For(R, s).
A kind of 5. SM2 algorithm secret keys segmentation endorsement method according to claim 4, it is characterised in that described step 102
In, mobile device proposes the request of Split Key generation, including mobile device mark to described high in the clouds cryptographic service, interim close
The public key of key pair, application time.
A kind of 6. SM2 algorithm secret keys segmentation endorsement method according to claim 4, it is characterised in that described step 202
In, described mobile device proposes that the request of Split Key generation identifies including mobile device to described high in the clouds cryptographic service,
The public key of temporary key pair, digest value integer e.
7. a kind of SM2 algorithm secret keys segmentation endorsement method according to claim 4, it is characterised in that described segmentation is close
The method of key generation also includes:
Step 209, mobile device carry out sign test using its public key certificate to signature value.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710701512.4A CN107483191B (en) | 2017-08-16 | 2017-08-16 | SM2 algorithm key segmentation signature system and method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710701512.4A CN107483191B (en) | 2017-08-16 | 2017-08-16 | SM2 algorithm key segmentation signature system and method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN107483191A true CN107483191A (en) | 2017-12-15 |
| CN107483191B CN107483191B (en) | 2020-04-14 |
Family
ID=60599770
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201710701512.4A Active CN107483191B (en) | 2017-08-16 | 2017-08-16 | SM2 algorithm key segmentation signature system and method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN107483191B (en) |
Cited By (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109598126A (en) * | 2018-12-03 | 2019-04-09 | 贵州华芯通半导体技术有限公司 | A kind of safety startup of system methods, devices and systems based on national secret algorithm |
| CN109600224A (en) * | 2018-11-06 | 2019-04-09 | 卓望数码技术(深圳)有限公司 | A kind of SM2 key generation, endorsement method, terminal, server and storage medium |
| CN109639415A (en) * | 2018-12-19 | 2019-04-16 | 南京壹证通信息科技有限公司 | A kind of collaboration key storage restoration methods based on Secret splitting |
| CN109787767A (en) * | 2018-11-30 | 2019-05-21 | 济南晟安信息技术有限公司 | SM2 cooperative digital endorsement method and device |
| CN110572258A (en) * | 2019-07-24 | 2019-12-13 | 中国科学院数据与通信保护研究教育中心 | Cloud password computing platform and computing service method |
| CN111800377A (en) * | 2020-05-20 | 2020-10-20 | 中国电力科学研究院有限公司 | Mobile terminal identity authentication system based on safe multi-party calculation |
| CN111917756A (en) * | 2020-07-27 | 2020-11-10 | 杭州叙简科技股份有限公司 | Encryption system and encryption method of law enforcement recorder based on public key routing |
| CN113055161A (en) * | 2021-03-09 | 2021-06-29 | 武汉大学 | Mobile terminal authentication method and system based on SM2 and SM9 digital signature algorithms |
| CN114650136A (en) * | 2022-05-18 | 2022-06-21 | 杭州天谷信息科技有限公司 | Electronic signature method and device based on hybrid cloud |
| CN116015679A (en) * | 2022-12-20 | 2023-04-25 | 浪潮云信息技术股份公司 | Multi-cloud management authentication method and system based on SM2 digital signature for government cloud |
| CN116015679B (en) * | 2022-12-20 | 2024-04-30 | 浪潮云信息技术股份公司 | Government cloud multi-cloud management authentication system based on SM2 digital signature |
Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20050078821A1 (en) * | 2003-10-09 | 2005-04-14 | Samsung Electronics Co., Ltd. | Security system using RSA algorithm and method thereof |
| CN104580250A (en) * | 2015-01-29 | 2015-04-29 | 成都卫士通信息产业股份有限公司 | System and method for authenticating credible identities on basis of safety chips |
| CN106506170A (en) * | 2016-12-15 | 2017-03-15 | 北京三未信安科技发展有限公司 | A kind of distributed signature method and system based on RSA |
| CN106506156A (en) * | 2016-12-15 | 2017-03-15 | 北京三未信安科技发展有限公司 | A kind of distributed Threshold Signature method based on elliptic curve |
| CN106603246A (en) * | 2017-01-22 | 2017-04-26 | 武汉理工大学 | SM2 digital signature segmentation generation method and system |
| CN106713279A (en) * | 2016-11-29 | 2017-05-24 | 北京航天爱威电子技术有限公司 | Video terminal identity authentication system |
| CN106851635A (en) * | 2016-12-15 | 2017-06-13 | 北京三未信安科技发展有限公司 | A kind of distributed signature method and system of identity-based |
| CN106850229A (en) * | 2017-01-22 | 2017-06-13 | 武汉理工大学 | SM2 digital signature generation method and system based on the secret segmentation of product |
| CN106961336A (en) * | 2017-04-18 | 2017-07-18 | 北京百旺信安科技有限公司 | A kind of key components trustship method and system based on SM2 algorithms |
-
2017
- 2017-08-16 CN CN201710701512.4A patent/CN107483191B/en active Active
Patent Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20050078821A1 (en) * | 2003-10-09 | 2005-04-14 | Samsung Electronics Co., Ltd. | Security system using RSA algorithm and method thereof |
| CN104580250A (en) * | 2015-01-29 | 2015-04-29 | 成都卫士通信息产业股份有限公司 | System and method for authenticating credible identities on basis of safety chips |
| CN106713279A (en) * | 2016-11-29 | 2017-05-24 | 北京航天爱威电子技术有限公司 | Video terminal identity authentication system |
| CN106506170A (en) * | 2016-12-15 | 2017-03-15 | 北京三未信安科技发展有限公司 | A kind of distributed signature method and system based on RSA |
| CN106506156A (en) * | 2016-12-15 | 2017-03-15 | 北京三未信安科技发展有限公司 | A kind of distributed Threshold Signature method based on elliptic curve |
| CN106851635A (en) * | 2016-12-15 | 2017-06-13 | 北京三未信安科技发展有限公司 | A kind of distributed signature method and system of identity-based |
| CN106603246A (en) * | 2017-01-22 | 2017-04-26 | 武汉理工大学 | SM2 digital signature segmentation generation method and system |
| CN106850229A (en) * | 2017-01-22 | 2017-06-13 | 武汉理工大学 | SM2 digital signature generation method and system based on the secret segmentation of product |
| CN106961336A (en) * | 2017-04-18 | 2017-07-18 | 北京百旺信安科技有限公司 | A kind of key components trustship method and system based on SM2 algorithms |
Cited By (14)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109600224A (en) * | 2018-11-06 | 2019-04-09 | 卓望数码技术(深圳)有限公司 | A kind of SM2 key generation, endorsement method, terminal, server and storage medium |
| CN109787767A (en) * | 2018-11-30 | 2019-05-21 | 济南晟安信息技术有限公司 | SM2 cooperative digital endorsement method and device |
| CN109598126A (en) * | 2018-12-03 | 2019-04-09 | 贵州华芯通半导体技术有限公司 | A kind of safety startup of system methods, devices and systems based on national secret algorithm |
| CN109639415A (en) * | 2018-12-19 | 2019-04-16 | 南京壹证通信息科技有限公司 | A kind of collaboration key storage restoration methods based on Secret splitting |
| CN110572258A (en) * | 2019-07-24 | 2019-12-13 | 中国科学院数据与通信保护研究教育中心 | Cloud password computing platform and computing service method |
| CN111800377B (en) * | 2020-05-20 | 2023-03-24 | 中国电力科学研究院有限公司 | Mobile terminal identity authentication system based on safe multi-party calculation |
| CN111800377A (en) * | 2020-05-20 | 2020-10-20 | 中国电力科学研究院有限公司 | Mobile terminal identity authentication system based on safe multi-party calculation |
| CN111917756A (en) * | 2020-07-27 | 2020-11-10 | 杭州叙简科技股份有限公司 | Encryption system and encryption method of law enforcement recorder based on public key routing |
| CN111917756B (en) * | 2020-07-27 | 2022-05-27 | 杭州叙简科技股份有限公司 | Encryption system and encryption method of law enforcement recorder based on public key routing |
| CN113055161B (en) * | 2021-03-09 | 2021-11-26 | 武汉大学 | Mobile terminal authentication method and system based on SM2 and SM9 digital signature algorithms |
| CN113055161A (en) * | 2021-03-09 | 2021-06-29 | 武汉大学 | Mobile terminal authentication method and system based on SM2 and SM9 digital signature algorithms |
| CN114650136A (en) * | 2022-05-18 | 2022-06-21 | 杭州天谷信息科技有限公司 | Electronic signature method and device based on hybrid cloud |
| CN116015679A (en) * | 2022-12-20 | 2023-04-25 | 浪潮云信息技术股份公司 | Multi-cloud management authentication method and system based on SM2 digital signature for government cloud |
| CN116015679B (en) * | 2022-12-20 | 2024-04-30 | 浪潮云信息技术股份公司 | Government cloud multi-cloud management authentication system based on SM2 digital signature |
Also Published As
| Publication number | Publication date |
|---|---|
| CN107483191B (en) | 2020-04-14 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN107483191A (en) | A kind of SM2 algorithm secret keys segmentation signature system and method | |
| US10944575B2 (en) | Implicitly certified digital signatures | |
| CN111314089B (en) | SM 2-based two-party collaborative signature method and decryption method | |
| CN102594558B (en) | Anonymous digital certificate system and verification method of trustable computing environment | |
| EP2416524B1 (en) | System and method for secure transaction of data between wireless communication device and server | |
| CN108809658A (en) | A kind of digital signature method and system of the identity base based on SM2 | |
| CN106656503B (en) | Method for storing cipher key, data encryption/decryption method, electric endorsement method and its device | |
| CN103532713B (en) | Sensor authentication and shared key production method and system and sensor | |
| CN107483212A (en) | A kind of method of both sides' cooperation generation digital signature | |
| CN102547688B (en) | Virtual-dedicated-channel-based establishment method for high-credibility mobile security communication channel | |
| CN109347635A (en) | A kind of Internet of Things security certification system and authentication method based on national secret algorithm | |
| CN107612934A (en) | A kind of block chain mobile terminal computing system and method based on Secret splitting | |
| CN1922816B (en) | One way authentication | |
| CN101931536B (en) | Method for encrypting and authenticating efficient data without authentication center | |
| CN113301022B (en) | Internet of things equipment identity security authentication method based on block chain and fog calculation | |
| CN103699920A (en) | Radio frequency identification two-way authentication method based on ellipse curve | |
| CN106685651A (en) | Method for creating digital signatures by cooperation of client and server | |
| CN104901935A (en) | Bilateral authentication and data interaction security protection method based on CPK (Combined Public Key Cryptosystem) | |
| CN107454077A (en) | A kind of single-point logging method based on IKI ID authentications | |
| CN103037366A (en) | Mobile terminal user authentication method and mobile terminal based on asymmetric cryptographic technique | |
| CN109272314B (en) | Secure communication method and system based on two-party collaborative signature calculation | |
| CN103414559A (en) | Identity authentication method based on IBE-like system in cloud computing environment | |
| CN107612680A (en) | A kind of national secret algorithm in mobile network's payment | |
| CN109284618A (en) | The verification method and system of data source data | |
| CN114726546A (en) | Digital identity authentication method, device, equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| TA01 | Transfer of patent application right |
Effective date of registration: 20200317 Address after: 250100 Ji'nan high tech Zone, Shandong, No. 1036 wave road Applicant after: INSPUR GROUP Co.,Ltd. Address before: 250100, Ji'nan province high tech Zone, Sun Village Branch Road, No. 2877, building, floor, building, on the first floor Applicant before: JINAN INSPUR HIGH-TECH TECHNOLOGY DEVELOPMENT Co.,Ltd. |
|
| TA01 | Transfer of patent application right | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20230322 Address after: 250000 building S02, No. 1036, Langchao Road, high tech Zone, Jinan City, Shandong Province Patentee after: Shandong Inspur Scientific Research Institute Co.,Ltd. Address before: No. 1036, Shandong high tech Zone wave road, Ji'nan, Shandong Patentee before: INSPUR GROUP Co.,Ltd. |
|
| TR01 | Transfer of patent right |