CN108494565A - digital signature system and method - Google Patents
digital signature system and method Download PDFInfo
- Publication number
- CN108494565A CN108494565A CN201810505836.5A CN201810505836A CN108494565A CN 108494565 A CN108494565 A CN 108494565A CN 201810505836 A CN201810505836 A CN 201810505836A CN 108494565 A CN108494565 A CN 108494565A
- Authority
- CN
- China
- Prior art keywords
- signature
- digital signature
- terminal
- information safety
- data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0869—Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a kind of digital signature system and methods, are related to security technology area, it is therefore intended that improve the safety in digital signature procedure and invent.The digital signature system of the present invention, including:Digital signature terminal and information safety devices;The digital signature terminal is to be exclusively used in the terminal of signature, and inside is configured with signature procedure module, and the signature procedure module includes:Display unit, for showing file to be signed in the form of page file;Authentication unit, for carrying out bidirectional identity authentication with the information safety devices of communication connection;Signature unit, for using bidirectional identity authentication by information safety devices treat signature file sign.Present invention is suitably applied to be digitally signed to electronic document.
Description
Technical field
The present invention relates to security technology area more particularly to a kind of digital signature system and methods.
Background technology
With the development of technology, e-commerce is gradually popularized.During e-commerce, user needs to pass through digital signature
Mode, signed to the file signed using digital certificates, to carry out subsequent operation.Currently, when using
When family needs to be digitally signed, signature operation is carried out usually using USB Key, utilizes the algorithm being arranged inside USB Key
Or the identity of certification authentication operator.Wherein, USB Key are a kind of hardware devices of USB interface, its built-in microcontroller or intelligence
Card chip can store the key or digital certificate of user, usually using the cryptographic algorithms' implementation built in Usbkey to user's body
The certification of part, to ensure the safety of signature process.
In general, when user is digitally signed operation, since the display capabilities of existing USB Key are weaker, or even have
A little USB Key do not have display function, therefore, it is necessary to be attached the intelligent terminals such as USB Key and computer, and in intelligence
It can the enterprising line number signature operations of terminal.However, in practical applications, intelligent terminal is to work as intelligence there may be security risk
When being built wooden horse in energy terminal or controlled by hacker, the electronic document that user is digitally signed can be distorted, user is made to exist
There is difference in the electronic document seen on intelligent terminal and the electronic document actually signed, cause the safety of digital signature compared with
It is low.
Invention content
In view of the above problems, a kind of digital signature system of present invention offer and method, main purpose are to avoid digital label
Influence of the terminal risk to signature process during name improves the safety in digital signature procedure.
In order to solve the above technical problems, in a first aspect, an embodiment of the present invention provides a kind of digital signature system, the system
System includes:Digital signature terminal and information safety devices;The digital signature terminal is to be exclusively used in the terminal of signature, inside configuration
There are the signature procedure module, the signature procedure module to include:
Display unit, for showing file to be signed in the form of page file;
Authentication unit, for carrying out bidirectional identity authentication with the information safety devices of communication connection;
Signature unit, for using bidirectional identity authentication by information safety devices treat signature file sign.
Optionally, the signature procedure module is module built-in when the digital signature terminal is dispatched from the factory.
Optionally, further include in the digital signature terminal:
Memory module, for storing the verification information for being verified to application data packet;
Program installs module, for being verified to the application data packet got using the verification information, and
Corresponding application program is installed after being verified.
Optionally, the authentication unit, including:
Transmission sub-unit, for sending first verification data to the information safety devices of communication connection;
Receiving subelement, the second verify data for receiving the transmission of described information safety equipment;
The transmission sub-unit is additionally operable to be generated according to second verify data to the transmission of described information safety equipment
Third verify data;
The receiving subelement is additionally operable to reception described information safety equipment and is generated according to the first verification data
4th verify data;
Certification subelement for being verified to the 4th verify data, and receives described information safety equipment to described the
Feedback information after the verification of three verify datas, to realize the bidirectional identity authentication with information safety devices.
Optionally, the third verify data by described information safety equipment by with the first private key to first verification data
It is digitally signed and generates;
4th verify data by the authentication unit by with the second private key to second verify data into line number
Word is signed and is generated.
Optionally, the third verify data by described information safety equipment by with the first private key to first verification data
Cryptographic Hash is calculated to ciphertext data after decryption and is generated;
4th verify data by the authentication unit by with the second private key to second verify data decrypt after
Cryptographic Hash is calculated to ciphertext data and is generated.
Optionally, the signature procedure module further includes:
Prompt unit, for when the digital signature terminal and the safety equipment pass through two-way authentication, to user into
Row certification passes through prompt.
Optionally, the signature procedure module further includes:
Input unit, the operational order assigned for inputting user, the operational order include signature request instruction.
Second aspect, the embodiment of the present invention additionally provide a kind of digital signature method, and the method is applied to any of the above-described
Digital signature system described in, including:
Digital signature terminal shows file to be signed in the form of page file;
Digital signature terminal and the information safety devices of communication connection carry out bidirectional identity authentication;
Digital signature terminal using bidirectional identity authentication by information safety devices treat signature file sign.
To achieve the goals above, according to the third aspect of the invention we, a kind of storage medium, the storage medium are provided
Program including storage, wherein equipment where controlling the storage medium when described program is run, which executes in preceding method, appoints
Digital signature method described in meaning one.
To achieve the goals above, according to the fourth aspect of the invention, a kind of processor is provided, the processor is used for
Run program, wherein digital signature method when described program is run described in any one of execution method.
By above-mentioned technical proposal, digital signature system provided by the invention and method, for the prior art based on USB
During Key is digitally signed, there are terminal risk, the problem for causing the safety of digital signature relatively low, the present invention is led to
Cross display unit and show file to be signed in the form of page file, then by authentication unit be the digital signature terminal with
Two-way authentication is carried out between the safety equipment, finally by signature unit using bidirectional identity authentication by information security set
It is standby to treat signature file signature, to realize the safety verification to signature terminal and safety equipment, ensuring both ends safety
Digital signing operations are realized in the case of property, and avoiding may be influenced in digital signature procedure by terminal risk, improve
Safety in digital signature procedure.
Above description is only the general introduction of technical solution of the present invention, in order to better understand the technical means of the present invention,
And can be implemented in accordance with the contents of the specification, and in order to allow above and other objects of the present invention, feature and advantage can
It is clearer and more comprehensible, below the special specific implementation mode for lifting the present invention.
Description of the drawings
By reading the detailed description of hereafter preferred embodiment, various other advantages and benefit are common for this field
Technical staff will become clear.Attached drawing only for the purpose of illustrating preferred embodiments, and is not considered as to the present invention
Limitation.And throughout the drawings, the same reference numbers will be used to refer to the same parts.In the accompanying drawings:
Fig. 1 shows a kind of digital signature method flow chart provided in an embodiment of the present invention;
Fig. 2 shows another digital signature method flow charts provided in an embodiment of the present invention;
Fig. 3 shows a kind of composition frame chart of digital signature system provided in an embodiment of the present invention;
Fig. 4 shows the composition frame chart of another digital signature system provided in an embodiment of the present invention;
Specific implementation mode
Exemplary embodiment of the present invention is more fully described below with reference to accompanying drawings.Although showing the present invention in attached drawing
Exemplary embodiment, it being understood, however, that may be realized in various forms the present invention without should be by embodiments set forth here
It is limited.It is to be able to be best understood from the present invention on the contrary, providing these embodiments, and can be by the scope of the present invention
Completely it is communicated to those skilled in the art.
The embodiment of the present invention provides a kind of digital signature method based on digital signature system, as shown in Figure 1, wherein should
Method is mainly used in bank, financial field, is used when user needs to be digitally signed.Described in the embodiment of the present invention
Method be to solve the problems, such as that the safety in the digital signature procedure caused by terminal risk is vulnerable to influence, work as user
The system described in the embodiment of the present invention is operated during being digitally signed, it is specific execute can in the following way into
Row:
101, digital signature terminal shows file to be signed with page format;
In digital signature system described in book of the embodiment of the present invention, the digital signature terminal in the system can be special
In the intelligent terminal of signature, such as the digital signature terminal is the intelligent terminal that inside is configured with signature procedure module, described
Information safety devices can be understood as a kind of built-in equipment for verify signature Terminal security, such as encryption lock, encrypt
Card etc..Before user needs to be digitally signed, generally requiring will establish between digital signature terminal and information safety devices
Communication connection, and upon connection, the required file for carrying out signature operation is shown in the form of the page by the digital signature terminal, i.e.,
File to be signed described in this step.Meanwhile in this step, when showing file to be signed with page format, can also lead to
It crosses and issues the user with prompt message, to ensure that user in time confirms the current desired file signed.
102, digital signature terminal and the information safety devices of communication connection carry out bidirectional identity authentication.
In embodiments of the present invention, can also include for two-way authentication in digital signature terminal and information safety devices
Private key and public key.In addition, the file to be signed described in the embodiment of the present invention can be electronic contract or electronic documents.
According to the method described in this step, by the safety of digital signature terminal authentication information safety devices, meanwhile, by institute
State the safety that information safety devices verify the digital signature terminal, that is, the bidirectional identity authentication described in the embodiment of the present invention.
In addition, can also include signature device before this step, in the digital signature method described in the embodiment of the present invention
It establishes a connection with information safety devices, wherein establishing the mode of connection can be built based on hardware mode by interfaces such as USB
It is vertical, it can also wirelessly establish connection, such as WLAN or bluetooth mode.It is connected when being established using hardware mode
Then link block can be arranged in the digital signature terminal described in the embodiment of the present invention in relationship, which can be specially hardware
Interface module, and when being established a connection using radio connection, then wherein the link block of equipment can be specially then
It is right with the wireless interface module or the bluetooth connection module for having bluetooth connection function for realizing that equipment room is wirelessly connected
This, the choosing for the signature terminal and the establishment of connection mode of described information safety equipment and its corresponding link block
It selects, does not do specific restriction, can be determined according to actual needs.
When digital signature terminal and information safety devices carry out bidirectional identity authentication, can be judged by signature terminal with extremely
Whether the two-way authentication for establishing the information safety devices of communication connection passes through.Wherein,
After carrying out bi-directional verification, need to judge whether described information safety equipment is tested by identity by digital signature terminal
Card and information safety devices judge whether signature terminal passes through verification.In embodiments of the present invention, whether two-way authentication passes through
It can be by judging whether the identity of both sides normally carries out.Due to during being digitally signed, the label of distinct device
It is different when name information, therefore, the verification of identity can be carried out based on the information such as signing messages and public key therein, to
Ensure that equipment is not tampered or controls.Wherein, bidirectional identity authentication specific of this step in digital signature terminal side is held
Line mode can be:Determine whether information safety devices can be tested by the identity of the digital signature terminal by digital signature terminal
Card, and detect whether to receive and be set by information security by the digital signature terminal that is used to indicate that information safety devices are fed back
The instruction information of standby authentication, to realize digital signature terminal-pair both sides whether by the judgement of two-way authentication.Here,
Include but not limited to above-mentioned authentication mode for judgment mode, can also voluntarily choose as needed.
It, can also be by the center of signing and issuing of electronic signature, needed for acquisition in addition, before method described in this step executes
The Standard signatures for verifying equipment, are then compared according to the Standard signatures and the signing messages for the equipment that need to be verified, to real
The authentication of verification equipment needed for existing.
103, digital signature terminal using bidirectional identity authentication by information safety devices treat signature file and signed
Name.
After being determined that the two-way authentication between signature terminal and information safety devices has passed through, it may be determined that current label
Name terminal and information safety devices be all it is reliable, be not present security risk, therefore, it is possible to use bidirectional identity authentication by
Information safety devices carry out signature operation to the electronic document of required signature.
Digital signature method provided in an embodiment of the present invention is digitally signed the prior art based on USB Key
During, there is a problem of that safety is relatively low, compared with the prior art, the embodiment of the present invention is using internal configured with signature journey
The dedicated signatures terminal of sequence module, and carry out between the signature terminal and described information safety equipment before signing two-way
Certification, and sign to electronic document after two-way authentication passes through, realize the peace to signature terminal and information safety devices
Full verification, and realize digital signing operations in the case where ensuring both ends safety, it is ensured that show text in signature terminal
Part is signature file, and avoiding in digital signature procedure may be influenced by terminal risk, improve digital signature procedure
Middle safety.
Further, as the refinement and extension to embodiment illustrated in fig. 1, the embodiment of the present invention additionally provides another number
Word endorsement method, as shown in Figure 2, wherein be as follows:
201, digital signature terminal receives the signature request that user assigns.
In embodiments of the present invention, the signature terminal, information safety devices and the two establish the mode of connection with
Description in previous embodiment in step 102 is consistent, and details are not described herein.
It should be noted that in embodiments of the present invention, it, should in order to further ensure the accuracy of digital signature procedure
Digital signature terminal can be to be exclusively used in the terminal of digital signature, be only equipped in the terminal for digital signature software or
Program.
Optionally, it is that digital signature terminal is built-in when dispatching from the factory for the software of digital signature or program in digital signature terminal
Module.Wherein, the terminal for being exclusively used in digital signature be forbid networking download application program closed terminal, inside only pacify
Equipped with the software or program for digital signature, the monitoring of rogue program or literary to signature in digital signature procedure is thus avoided
The malice of part is distorted.
In another optional mode, digital signature terminal allows user's networking download application data packet, but right
The application data packet downloaded is allowed to be limited.
For example, the verification information that storage is verified for application data packet in digital signature terminal, when needing to install
When application program, the application data packet of acquisition is verified using the verification information of storage, and pacifies after being verified
Fill corresponding application program.
In a specific embodiment, the verification information can be root certificate or the public key that software vendor configures;
Legal application data packet is the data packet that software vendor uses private key signature;Digital signature terminal is being got using journey
After sequence data packet, the public key configured using root certificate or software vendor is passed through to application data packet sign test, and in sign test
Afterwards, corresponding application program is installed.
In the scheme for allowing user to download application program, the verification by verification information to application data packet, really
Bao Yingyongchengxushuojubao comes from legal software manufacturer, avoids installation Malware, thereby guarantees that software loop in digital terminal
The safety in border.
Whether in another optional embodiment, one can be arranged in digital terminal can be with to distinguish user
The program listing downloaded or installed when user's download, reception, preservation, installation or runs answering indicated by the instruction of application program
When with program being included in described program list, then allow to execute the download about the program, reception, preservation, installation or operation
Instruction, otherwise forbid responding corresponding instruction.
In the embodiment that digital signature terminal allows networking to download application program, signature procedure module can be only fitted to
Allow to download in the program listing installed, user downloads the signature procedure module by networking mode.
In the above method, the control of application program is installed by that can be downloaded to digital signature terminal, it is ensured that terminal applies
The safety of program avoids the installation of Malware, prevents the monitoring of rogue program or literary to signature in digital signature procedure
The malice of part is distorted.
In embodiments of the present invention, can the signature request that assigned by user be received by signature terminal, wherein the label
Name request is used to indicate the signature terminal and is ready for signature operation, and the specific mode that receives can be based on the signature terminal
The input unit of upper setting carries out, such as can tap the different modes such as instruction by touching instruction and carry out connecing for signature request
It brings drill to an end work.Specifically, can be carried out according to any mode in existing way for reception mode, specific limit is not done herein
It is fixed.
The signature request that user assigns is received by terminal of signing as a result, signature terminal can be made to enter in time to be signed
State timely responds to be provided for subsequent signature operation, reduces the time loss in digital signature procedure, improves signature effect
Rate.
202, digital signature terminal shows file to be signed in the form of page file.
In order to avoid because in digital signature procedure, because terminal risk may to the influence of digital signing safety, therefore,
It is provided with signature terminal for being digitally signed in the embodiment of the present invention, is provided in this terminal for being shown
Screen can show the corresponding electronic document of signature request by the screen, to prompt the electronics signed needed for user
File.In this way, by being shown to the corresponding electronic document of signature request, can make user in signature terminal to it is required into
The electronic document of row digital signature is confirmed, is ensured that the accuracy of the required file signed, is ensured that number
The accuracy of the signature result of signature.
203, two-way authentication is carried out between digital signature terminal and information safety devices.
In this step, due to progress be the two-way authentication signed between terminal and information safety devices, into
During row certification, the verification by carrying out identity between signature terminal and information safety devices to other side respectively is needed.As a result,
This step is specifically as follows:Terminal of signing carries out authentication by presetting rule to information safety devices, meanwhile, information security
Equipment carries out authentication by presetting rule to the signature device.
When terminal of signing carries out authentication by presetting rule to information safety devices, it is specifically as follows:First, digital
Authentication unit in terminal of signing sends first verification data to the information safety devices of communication connection and receives described information
The second verify data that safety equipment is sent;Then, authentication unit sends to information safety devices and verifies number according to described second
According to and the third verify data that generates, and receive described information safety equipment is generated according to the first verification data the
Four verify datas.Finally, the 4th verify data of authentication unit pair is verified, and by information safety devices to the third verify data
Verification, to realize the bidirectional identity authentication with information safety devices.In embodiments of the present invention, in signature terminal and information security
When identity between equipment is verified mutually, specifically signature terminal and information security can be carried out according to following two modes
Verification between equipment:
In the above-mentioned methods, in a first aspect, when third verify data be by described information safety equipment by with first private
Key is digitally signed first verification data and generates;Meanwhile the 4th verify data can be passed through by the authentication unit
When being digitally signed and being generated to second verify data with the second private key.Then verify bidirectional identification verify whether by
Whether concrete mode both can be determined according to the third verify data and the 4th verify data by sign test operation
It is no to pass through identity two-way identification.Wherein, first, second private key is difference corresponding informance safety equipment, digital signature
The private key of terminal, described first, second does not have the meaning of sequencing.
For example, above-mentioned first verification data and the second verify data are random number, according to bi-directional verification described above
Mode, the mode specifically executed can be:First, digital signature terminal and information safety devices exchange certificate, are taken in certificate
With respective public key;Then, digital signature terminal generates random number 1 and is sent to information safety devices;Information safety devices generate
Random number 2 is sent to digital signature terminal;Later, digital signature terminal is sent after being signed to random number 2 using the private key of oneself
To information safety devices;Information safety devices are sent to digital signature terminal after signing to random number 1 using the private key of oneself;Most
Afterwards, digital signature terminal and information safety devices use the public key of other side to signed data sign test respectively, double if sign test passes through
Square authentication success.
In the methods described above, second aspect, when third verify data by described information safety equipment by with first private
Key calculates cryptographic Hash to ciphertext data and generates after being decrypted to first verification data;Meanwhile the 4th verify data by the certification
When unit calculates cryptographic Hash to ciphertext data after being decrypted to second verify data with the second private key by generates, then verify
Bidirectional identification verify whether by concrete mode can be by whether consistent to first verification data and the 4th verify data,
And second verify data and third verify data it is whether consistent, so that it is determined that both digital signature terminal and information safety devices
Bidirectional identity authentication whether pass through.
Such as:Above-mentioned first verification data and the second verify data be using the data after public key encryption first, electronics
Terminal of signing and information safety devices exchange certificate, and respective public key is carried in certificate;Then, electronic signature terminal generates random
Number 1, the public key of use information safety equipment after the encryption of random number 1 to being sent to information safety devices;Information safety devices generate
Random number 2 is sent to electronic signature terminal after being encrypted to random number 2 using the public key of electronic signature terminal;Later, it signs electronically
Terminal calculates cryptographic Hash 1 using the decryption of encrypted random number of the private key of oneself to receiving and the random number to decrypting,
Cryptographic Hash 1 is sent to information safety devices by electronic signature terminal;Information safety devices are using oneself private key to receiving
Cryptographic Hash 2 is sent to by encrypted random number decryption and the random number calculating cryptographic Hash 2 obtained to decryption, information safety devices
Sign electronically terminal;Then, electronic signature terminal calculates the cryptographic Hash of original random number 1 and is compared with the cryptographic Hash 2 received
It is whether consistent;Whether information safety devices calculate the cryptographic Hash of original random number 2 and are compared with the cryptographic Hash 1 received consistent;
Finally, if two above-mentioned cryptographic Hash compare consistent, the terminal that signs electronically and information safety devices bidirectional identity authentication
Success.
Based on the mode described in terms of above-mentioned two, can by exchanging verify data itself in bi-directional verification, or
The cryptographic Hash obtained based on hash algorithm, interaction data when it is different, and when using cryptographic Hash as bidirectional identification
When the interaction data of certification, the possibility that can further avoid interaction data from being intercepted or distort improves safety.
As a result, according to the method described in this step, the is sent to the information safety devices of communication connection by authentication unit
One verify data and the second verify data for receiving the transmission of described information safety equipment;Then, authentication unit is to information security
Equipment sends the third verify data that is generated according to second verify data, and receive described information safety equipment according to
The first verification data and the 4th verify data generated.Finally, the 4th verify data of authentication unit pair is verified, and by information
Safety equipment verifies the third verify data, to realize the bidirectional identity authentication with information safety devices, can realize letter
Cease authentication of the safety equipment to terminal of signing, it is ensured that the safety of two-way authentication is the accurate of subsequent digital signature
Property, provide safety guarantee.
Further, third verify data, the 4th verify data are generated by way of private key signature, it can be ensured that private
Whether key is accurately verified, and is then the safety of subsequent digital signature to demonstrate the safety of digital signature terminal
Provide guarantee.In addition, by with private key to first, second verify data decrypt after to ciphertext data calculate cryptographic Hash come
Generate third verify data and the 4th verify data, it can be ensured that when carrying out two-way authentication, the third transmitted, the 4th verify
The data format of data is cryptographic Hash, data transmission risk caused by transmission verify data is then avoided, to ensure that number
The overall accuracy of word endorsement method.
204, the output of digital signature terminal is verified prompt and information safety devices output is verified prompt.
In order to after two-way authentication passes through, to user feedback authentication result, in embodiments of the present invention, sign when determining
It, can also be by the method described in this step, in signature terminal after two-way authentication between terminal and information safety devices passes through
And carry out being verified the output operation of prompt in information safety devices respectively, wherein described to be verified prompt and be used to indicate
Bi-directional verification between the signature terminal and described information safety equipment has passed through.
Certainly, in embodiments of the present invention, the signature terminal is outputed with described information safety equipment is verified
Prompt one end setting wherein can be verified the output function of prompt as needed in practical operation.It needs to illustrate
It is that, when abovementioned steps 203 judge that two-way authentication occurs abnormal, may be provided for prompt terminal risk in this step
Indicating risk output function, with remind user's Contemporary Digital signature terminal and information safety devices between certification occur it is different
Often, there are risks for digital signing operations, and certainly, the setting for the function can be based on actual needs and be chosen, herein simultaneously
Specific restriction is not done.
It should be noted that in this step, when information safety devices do not have display function, can also only pass through number
Word signature terminal carries out the information alert of bidirectional identity authentication.Here, the displaying of the prompt facility described in the embodiment of the present invention,
This is only used as exemplary parsing, does not do specific restriction, the prompting mode selected by reality is with specific digital signature terminal
It is determined with security information equipment.
Prompt is verified by output as a result, it can be ensured that signature terminal passes through with information safety devices two-way authentication
Afterwards, in time to user feedback authentication result, it is ensured that can user understands carry out subsequent signature operation.
205, digital signature terminal using bidirectional identity authentication by information safety devices sign to electronic document.
This step is specifically as follows:When the identity of the signature terminal authentication described information safety equipment is normal and described
Information safety devices verify the signature terminal identity it is normal when, the signature terminal can be using in the information safety devices
Signed data is extracted, and is signed to the electronic document.
Wherein, the method according to abovementioned steps 203, signature terminal authentication described information described in this step are set safely
Standby identity is normal, is specifically as follows:To first signed data in described information safety equipment is by the signature
Sign test operates, then the identity of the signature terminal authentication described information safety equipment is normal.Meanwhile this step described information safety
The identity for terminal of signing described in device authentication is normal, is specifically as follows:To described in the signature terminal is by the signature
The sign test of second signed data operates, then described information safety equipment verify the signature terminal identity it is normal.
Further, the method according to abovementioned steps 203, signature terminal authentication described information peace described in this step
The identity of full equipment is normal, can also be specifically:When the signature terminal determine the third verify data can by verification,
And information safety devices are when determining that the 4th verify data can pass through verification, it is determined that both sides can be recognized by two-way
Card, the identity of the two are simultaneously without exception.Meanwhile this step described information safety equipment verify it is described signature terminal identity it is normal,
It is specifically as follows:When described information safety equipment determines that the third verify data is consistent with the 4th verify data, then
The identity that described information safety equipment verifies the signature terminal is normal.
Further, as the realization to method shown in above-mentioned Fig. 1, the embodiment of the present invention additionally provides a kind of digital signature
System, for being realized to above-mentioned method shown in FIG. 1.The device embodiment is corresponding with preceding method embodiment, for ease of
It reads, present apparatus embodiment no longer repeats the detail content in preceding method embodiment one by one, it should be understood that this reality
The full content realized in preceding method embodiment can be corresponded to by applying the device in example.As shown in figure 3, the system comprises:Number
Word signature terminal 31 and information safety devices 32;The digital signature terminal is to be exclusively used in the terminal of signature, and inside is configured with label
Name program module 311, the signature procedure module 311 include:
Display unit 3111 can be used for showing file to be signed in the form of page file.
Authentication unit 3112 can be used for carrying out bidirectional identity authentication with the information safety devices 32 of communication connection.
Signature unit 3113, be used for through 3112 bidirectional identity authentication of the authentication unit by information pacify
Full equipment 32 is to the file signature to be signed shown by the display unit 3111.
Further, as the realization to method shown in above-mentioned Fig. 2, the embodiment of the present invention additionally provides another number label
Name system, for being realized to above-mentioned method shown in Fig. 2.The device embodiment is corresponding with preceding method embodiment, for just
In reading, present apparatus embodiment no longer repeats the detail content in preceding method embodiment one by one, it should be understood that this
Device in embodiment can correspond to the full content realized in preceding method embodiment.As shown in figure 4, the system comprises:
Digital signature terminal 41 and information safety devices 42;The digital signature terminal is to be exclusively used in the terminal of signature, and inside is configured with
Signature procedure module 411, the signature procedure module 411 include:
Display unit 4111 can be used for showing file to be signed in the form of page file.
Authentication unit 4112 can be used for carrying out bidirectional identity authentication with the information safety devices 42 of communication connection.
Signature unit 4113, be used for through 4112 bidirectional identity authentication of the authentication unit by information pacify
Full equipment is to the file signature to be signed shown by the display unit 4111.
Further, the signature procedure module 411 is module built-in when the digital signature terminal is dispatched from the factory.
Further, further include in the digital signature terminal:
Memory module 412, can be used for storing digital signature terminal allows to download the program listing installed;
Program installs module 413, can be used for receiving download, reception, preservation, installation or the instruction for running application program
When, judge whether the application program indicated by the instruction downloading, receive, preserving, installing or run application program is included in
In the described program list that the memory module 412 stores, corresponding instruction is responded if included in described program list, with
Note name program module 4111 carries out signature operation, otherwise forbids responding corresponding instruction according to command adapted thereto.
Further, the authentication unit 4112, including:
Transmission sub-unit 41121 can be used for sending first verification data to the information safety devices 42 of communication connection;
Receiving subelement 41122 can be used for receiving the second verify data that described information safety equipment 42 is sent;
The transmission sub-unit 41121 can be also used for sending to described information safety equipment 42 and be tested according to described second
The third verify data demonstrate,proved data and generated;
The receiving subelement 41122 can be also used for receiving described information safety equipment 42 according to first verification
Data and the 4th verify data generated;
Certification subelement 41123, the 4th verify data verification that can be used for receiving the receiving subelement 41122,
And the feedback information after described information safety equipment 42 verifies the third verify data is received, it is set with information security with realizing
Standby 42 bidirectional identity authentication.
Further, the third verify data by described information safety equipment 42 by with the first private key pair first verify
Data are digitally signed and generate;
4th verify data by the authentication unit by with the second private key to second verify data into line number
Word is signed and is generated.
Further, the third verify data by described information safety equipment 42 by with the first private key pair first verify
Cryptographic Hash is calculated to ciphertext data after data deciphering and is generated;
4th verify data by the authentication unit by with the second private key to second verify data decrypt after
Cryptographic Hash is calculated to ciphertext data and is generated.
Further, the signature procedure module 411 further includes:
Prompt unit 4114 can be used for confirming digital signature terminal and described information safety when the authentication unit 4112
When equipment passes through two-way authentication, user is authenticated and passes through prompt.
Further, the signature procedure module further includes:
Input unit 4115 can be used for inputting the operational order that user assigns, to be carried out according to the operational order
Corresponding operation, the operational order includes signature request instruction, so that the signature unit 4113 is signed accordingly
Operation.
Further, the terminal can also include:
Link block 414 can be used for establishing a connection with information safety devices 42, to realize that the digital signature is whole
Connection between end and described information safety equipment 42.
By above-mentioned technical proposal, a kind of digital signature system provided in an embodiment of the present invention and method, for existing skill
For art during being digitally signed based on USB Key, there are terminal risks, cause the safety of digital signature is lower to ask
Topic, the present invention show file to be signed by display unit in the form of page file, are then the number by authentication unit
Word signs and carries out two-way authentication between terminal and described information safety equipment, equal using bidirectional identity authentication finally by signature unit
By information safety devices treat signature file signature, signature terminal and the safety of information safety devices are tested to realize
Card, realizes digital signing operations, avoiding may be by end in digital signature procedure in the case where ensuring both ends safety
The influence for holding risk, improves safety in digital signature procedure.
The software protecting device includes processor and memory, above-mentioned signature procedure module, memory module, program installation
Module etc. is stored in memory, executes above procedure unit stored in memory by processor to realize corresponding work(
Energy.
Include kernel in processor, is gone in memory to transfer corresponding program unit by kernel.Kernel can be arranged one
Or more, improve the safety in digital signature procedure by adjusting kernel parameter.
Memory may include computer-readable medium in volatile memory, random access memory (RAM) and/
Or the forms such as Nonvolatile memory, if read-only memory (ROM) or flash memory (flash RAM), memory include at least one deposit
Store up chip.
An embodiment of the present invention provides a kind of storage mediums, are stored thereon with program, real when which is executed by processor
The existing digital signature method.
An embodiment of the present invention provides a kind of processor, the processor is for running program, wherein described program is run
Digital signature method described in Shi Zhihang.
An embodiment of the present invention provides a kind of software protecting devices, including processor, memory and are stored in storage
On device and the program that can run on a processor, processor realize following steps when executing program:Digital signature terminal is with the page
The form of file shows file to be signed;Digital signature terminal and the information safety devices of communication connection, which carry out bidirectional identification, to be recognized
Card;Digital signature terminal using bidirectional identity authentication by information safety devices treat signature file sign.
The embodiment of the present invention additionally provides a kind of computer program product, when being executed on data processing equipment, is suitable for
The progressive number signature terminal for executing initialization there are as below methods step shows file to be signed in the form of page file;Number
Terminal of signing and the information safety devices of communication connection carry out bidirectional identity authentication;Digital signature terminal uses bidirectional identity authentication
By information safety devices treat signature file signature.
It should be understood by those skilled in the art that, embodiments herein can be provided as method, system or computer program
Product.Therefore, complete hardware embodiment, complete software embodiment or reality combining software and hardware aspects can be used in the application
Apply the form of example.Moreover, the application can be used in one or more wherein include computer usable program code computer
The computer program production implemented in usable storage medium (including but not limited to magnetic disk storage, CD-ROM, optical memory etc.)
The form of product.
The application is with reference to method, the flow of equipment (system) and computer program product according to the embodiment of the present application
Figure and/or block diagram describe.It should be understood that can be realized by computer program instructions every first-class in flowchart and/or the block diagram
The combination of flow and/or box in journey and/or box and flowchart and/or the block diagram.These computer programs can be provided
Instruct the processor of all-purpose computer, special purpose computer, Embedded Processor or other programmable data processing devices to produce
A raw machine so that the instruction executed by computer or the processor of other programmable data processing devices is generated for real
The device for the function of being specified in present one flow of flow chart or one box of multiple flows and/or block diagram or multiple boxes.
These computer program instructions, which may also be stored in, can guide computer or other programmable data processing devices with spy
Determine in the computer-readable memory that mode works so that instruction generation stored in the computer readable memory includes referring to
Enable the manufacture of device, the command device realize in one flow of flow chart or multiple flows and/or one box of block diagram or
The function of being specified in multiple boxes.
These computer program instructions also can be loaded onto a computer or other programmable data processing device so that count
Series of operation steps are executed on calculation machine or other programmable devices to generate computer implemented processing, in computer or
The instruction executed on other programmable devices is provided for realizing in one flow of flow chart or multiple flows and/or block diagram one
The step of function of being specified in a box or multiple boxes.
In a typical configuration, computing device includes one or more processors (CPU), input/output interface, net
Network interface and memory.
Memory may include computer-readable medium in volatile memory, random access memory (RAM) and/
Or the forms such as Nonvolatile memory, such as read-only memory (ROM) or flash memory (flash RAM).Memory is computer-readable Jie
The example of matter.
Computer-readable medium includes permanent and non-permanent, removable and non-removable media can be by any method
Or technology realizes information storage.Information can be computer-readable instruction, data structure, the module of program or other data.
The example of the storage medium of computer includes, but are not limited to phase transition internal memory (PRAM), static RAM (SRAM), moves
State random access memory (DRAM), other kinds of random access memory (RAM), read-only memory (ROM), electric erasable
Programmable read only memory (EEPROM), fast flash memory bank or other memory techniques, read-only disc read only memory (CD-ROM) (CD-ROM),
Digital versatile disc (DVD) or other optical storages, magnetic tape cassette, tape magnetic disk storage or other magnetic storage apparatus
Or any other non-transmission medium, it can be used for storage and can be accessed by a computing device information.As defined in this article, it calculates
Machine readable medium does not include temporary computer readable media (transitory media), such as data-signal and carrier wave of modulation.
It should also be noted that, the terms "include", "comprise" or its any other variant are intended to nonexcludability
Including so that process, method, commodity or equipment including a series of elements include not only those elements, but also wrap
Include other elements that are not explicitly listed, or further include for this process, method, commodity or equipment intrinsic want
Element.In the absence of more restrictions, the element limited by sentence "including a ...", it is not excluded that including element
There is also other identical elements in process, method, commodity or equipment.
It will be understood by those skilled in the art that embodiments herein can be provided as method, system or computer program product.
Therefore, complete hardware embodiment, complete software embodiment or embodiment combining software and hardware aspects can be used in the application
Form.It is deposited moreover, the application can be used to can be used in the computer that one or more wherein includes computer usable program code
The shape for the computer program product implemented on storage media (including but not limited to magnetic disk storage, CD-ROM, optical memory etc.)
Formula.
It these are only embodiments herein, be not intended to limit this application.To those skilled in the art,
The application can have various modifications and variations.It is all within spirit herein and principle made by any modification, equivalent replacement,
Improve etc., it should be included within the scope of claims hereof.
Claims (9)
1. a kind of digital signature system, which is characterized in that the system comprises:Digital signature terminal and information safety devices;Institute
It is to be exclusively used in the terminal of signature to state digital signature terminal, and inside is configured with signature procedure module, and the signature procedure module includes:
Display unit, for showing file to be signed in the form of page file;
Authentication unit, for carrying out bidirectional identity authentication with the information safety devices of communication connection;
Signature unit, for using bidirectional identity authentication by information safety devices treat signature file sign.
2. system according to claim 1, which is characterized in that the signature procedure module is that the digital signature terminal goes out
Built-in module when factory.
3. system according to claim 1 or 2, which is characterized in that further include in the digital signature terminal:
Memory module, for storing the verification information for being verified to application data packet;
Program installs module, for being verified to the application data packet got using the verification information, and is testing
Card installs corresponding application program after passing through.
4. system according to claim 1, which is characterized in that the authentication unit, including:
Transmission sub-unit, for sending first verification data to the information safety devices of communication connection;
Receiving subelement, the second verify data for receiving the transmission of described information safety equipment;
The transmission sub-unit is additionally operable to send the generated according to second verify data to described information safety equipment
Three verify datas;
The receiving subelement is additionally operable to receive the described information safety equipment is generated according to the first verification data the 4th
Verify data;
Certification subelement for being verified to the 4th verify data, and receives described information safety equipment and tests the third
The feedback information after data verification is demonstrate,proved, to realize the bidirectional identity authentication with information safety devices.
5. system according to claim 4, which is characterized in that the third verify data is led to by described information safety equipment
It crosses and first verification data is digitally signed with the first private key and is generated;
4th verify data is by the authentication unit by carrying out digital label to second verify data with the second private key
Name and generate.
6. system according to claim 4, which is characterized in that the third verify data is led to by described information safety equipment
It crosses after being decrypted to first verification data with the first private key and cryptographic Hash is calculated to ciphertext data and is generated;
4th verify data by the authentication unit by with the second private key to second verify data decrypt after to solution
Ciphertext data calculates cryptographic Hash and generates.
7. system according to claim 6, which is characterized in that the signature procedure module further includes:
Prompt unit, for when the digital signature terminal passes through two-way authentication with the safety equipment, recognizing user
Card passes through prompt.
8. according to the system described in any one of claim 1-7, which is characterized in that the signature procedure module further includes:
Input unit, the operational order assigned for inputting user, the operational order include signature request instruction.
9. a kind of digital signature method, which is characterized in that the method is applied to 1 to 8 any one of them digital signature system of power
System, including:
Digital signature terminal shows file to be signed in the form of page file;
Digital signature terminal and the information safety devices of communication connection carry out bidirectional identity authentication;
Digital signature terminal using bidirectional identity authentication by information safety devices treat signature file sign.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810505836.5A CN108494565A (en) | 2018-05-24 | 2018-05-24 | digital signature system and method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810505836.5A CN108494565A (en) | 2018-05-24 | 2018-05-24 | digital signature system and method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108494565A true CN108494565A (en) | 2018-09-04 |
Family
ID=63350739
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810505836.5A Pending CN108494565A (en) | 2018-05-24 | 2018-05-24 | digital signature system and method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108494565A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109474434A (en) * | 2018-11-14 | 2019-03-15 | 北京天威诚信电子商务服务有限公司 | A kind of visualization digital endorsement method, device, medium and equipment |
CN110417808A (en) * | 2019-08-08 | 2019-11-05 | 深圳市英博超算科技有限公司 | Tamper resistant method, device, system and terminal |
CN113748642A (en) * | 2019-02-26 | 2021-12-03 | 上海亚融信息技术有限公司 | Digital signature terminal and secure communication method |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101206542A (en) * | 2006-12-18 | 2008-06-25 | 汉王科技股份有限公司 | Ciphering signature writing pad with press keys and display screen |
CN101686127A (en) * | 2008-09-24 | 2010-03-31 | 北京创原天地科技有限公司 | Novel USBKey secure calling method and USBKey device |
CN102708491A (en) * | 2012-04-27 | 2012-10-03 | 东信和平智能卡股份有限公司 | Trusted computing based novel USB (universal serial bus) Key device and safety transaction method thereof |
CN103473498A (en) * | 2013-09-12 | 2013-12-25 | 深圳市文鼎创数据科技有限公司 | Application program security verification method and terminal |
CN103971044A (en) * | 2014-05-07 | 2014-08-06 | 深圳市建设工程交易服务中心 | Radio frequency identification and digital signature integration device |
CN107248075A (en) * | 2017-05-19 | 2017-10-13 | 飞天诚信科技股份有限公司 | A kind of method and device for realizing bidirectional authentication of smart secret key equipment and transaction |
JP2018038036A (en) * | 2016-08-30 | 2018-03-08 | 株式会社ワコム | Authentication and safe data transmission between signature tablet and host computer using transport layer security |
-
2018
- 2018-05-24 CN CN201810505836.5A patent/CN108494565A/en active Pending
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101206542A (en) * | 2006-12-18 | 2008-06-25 | 汉王科技股份有限公司 | Ciphering signature writing pad with press keys and display screen |
CN101686127A (en) * | 2008-09-24 | 2010-03-31 | 北京创原天地科技有限公司 | Novel USBKey secure calling method and USBKey device |
CN102708491A (en) * | 2012-04-27 | 2012-10-03 | 东信和平智能卡股份有限公司 | Trusted computing based novel USB (universal serial bus) Key device and safety transaction method thereof |
CN103473498A (en) * | 2013-09-12 | 2013-12-25 | 深圳市文鼎创数据科技有限公司 | Application program security verification method and terminal |
CN103971044A (en) * | 2014-05-07 | 2014-08-06 | 深圳市建设工程交易服务中心 | Radio frequency identification and digital signature integration device |
JP2018038036A (en) * | 2016-08-30 | 2018-03-08 | 株式会社ワコム | Authentication and safe data transmission between signature tablet and host computer using transport layer security |
CN107248075A (en) * | 2017-05-19 | 2017-10-13 | 飞天诚信科技股份有限公司 | A kind of method and device for realizing bidirectional authentication of smart secret key equipment and transaction |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109474434A (en) * | 2018-11-14 | 2019-03-15 | 北京天威诚信电子商务服务有限公司 | A kind of visualization digital endorsement method, device, medium and equipment |
CN113748642A (en) * | 2019-02-26 | 2021-12-03 | 上海亚融信息技术有限公司 | Digital signature terminal and secure communication method |
CN110417808A (en) * | 2019-08-08 | 2019-11-05 | 深圳市英博超算科技有限公司 | Tamper resistant method, device, system and terminal |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN104021333B (en) | Mobile security watch bag | |
CN101426012B (en) | Software module management device | |
CN101258505B (en) | Secure software updates | |
CN109214168A (en) | Firmware upgrade method and device | |
CN105787357B (en) | One kind being based on Android system APK method for down loading and its system | |
EP3017580B1 (en) | Signatures for near field communications | |
CN104737177B (en) | method for providing security service | |
CN101490698A (en) | Component authentication for computer systems | |
US20210216306A1 (en) | Secure deployment of software on industrial control systems | |
CN103269271A (en) | Method and system for back-upping private key in electronic signature token | |
EP3862899A1 (en) | Information communication apparatus, authentication program for information communication apparatus, and authentication method | |
CN101983375A (en) | Binding a cryptographic module to a platform | |
CN110326266A (en) | A kind of method and device of data processing | |
CN108494565A (en) | digital signature system and method | |
CN107980132A (en) | A kind of APK signature authentications method and system | |
US20170353315A1 (en) | Secure electronic entity, electronic apparatus and method for verifying the integrity of data stored in such a secure electronic entity | |
CN108768963A (en) | The communication means and system of trusted application and safety element | |
CN103996117A (en) | Safety mobile phone | |
CN102523095A (en) | User digital certificate remote update method with intelligent card protection function | |
CN108200014A (en) | The method, apparatus and system of server are accessed using intelligent key apparatus | |
CN105939194A (en) | Backup method and backup system for private key of electronic key device | |
CN108416224A (en) | A kind of data encryption/decryption method and device | |
US20140012761A1 (en) | Method for operating a cash box with customer-specific keys | |
CN110268675A (en) | Method in programmable hardware security module and programmable hardware security module | |
CN111404706B (en) | Application downloading method, secure element, client device and service management device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20180904 |
|
RJ01 | Rejection of invention patent application after publication |