CN108494565A - digital signature system and method - Google Patents

digital signature system and method Download PDF

Info

Publication number
CN108494565A
CN108494565A CN201810505836.5A CN201810505836A CN108494565A CN 108494565 A CN108494565 A CN 108494565A CN 201810505836 A CN201810505836 A CN 201810505836A CN 108494565 A CN108494565 A CN 108494565A
Authority
CN
China
Prior art keywords
signature
digital signature
terminal
information safety
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201810505836.5A
Other languages
Chinese (zh)
Inventor
孙吉平
念龙龙
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Senseshield Technology Co Ltd
Original Assignee
Beijing Senseshield Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Senseshield Technology Co Ltd filed Critical Beijing Senseshield Technology Co Ltd
Priority to CN201810505836.5A priority Critical patent/CN108494565A/en
Publication of CN108494565A publication Critical patent/CN108494565A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a kind of digital signature system and methods, are related to security technology area, it is therefore intended that improve the safety in digital signature procedure and invent.The digital signature system of the present invention, including:Digital signature terminal and information safety devices;The digital signature terminal is to be exclusively used in the terminal of signature, and inside is configured with signature procedure module, and the signature procedure module includes:Display unit, for showing file to be signed in the form of page file;Authentication unit, for carrying out bidirectional identity authentication with the information safety devices of communication connection;Signature unit, for using bidirectional identity authentication by information safety devices treat signature file sign.Present invention is suitably applied to be digitally signed to electronic document.

Description

Digital signature system and method
Technical field
The present invention relates to security technology area more particularly to a kind of digital signature system and methods.
Background technology
With the development of technology, e-commerce is gradually popularized.During e-commerce, user needs to pass through digital signature Mode, signed to the file signed using digital certificates, to carry out subsequent operation.Currently, when using When family needs to be digitally signed, signature operation is carried out usually using USB Key, utilizes the algorithm being arranged inside USB Key Or the identity of certification authentication operator.Wherein, USB Key are a kind of hardware devices of USB interface, its built-in microcontroller or intelligence Card chip can store the key or digital certificate of user, usually using the cryptographic algorithms' implementation built in Usbkey to user's body The certification of part, to ensure the safety of signature process.
In general, when user is digitally signed operation, since the display capabilities of existing USB Key are weaker, or even have A little USB Key do not have display function, therefore, it is necessary to be attached the intelligent terminals such as USB Key and computer, and in intelligence It can the enterprising line number signature operations of terminal.However, in practical applications, intelligent terminal is to work as intelligence there may be security risk When being built wooden horse in energy terminal or controlled by hacker, the electronic document that user is digitally signed can be distorted, user is made to exist There is difference in the electronic document seen on intelligent terminal and the electronic document actually signed, cause the safety of digital signature compared with It is low.
Invention content
In view of the above problems, a kind of digital signature system of present invention offer and method, main purpose are to avoid digital label Influence of the terminal risk to signature process during name improves the safety in digital signature procedure.
In order to solve the above technical problems, in a first aspect, an embodiment of the present invention provides a kind of digital signature system, the system System includes:Digital signature terminal and information safety devices;The digital signature terminal is to be exclusively used in the terminal of signature, inside configuration There are the signature procedure module, the signature procedure module to include:
Display unit, for showing file to be signed in the form of page file;
Authentication unit, for carrying out bidirectional identity authentication with the information safety devices of communication connection;
Signature unit, for using bidirectional identity authentication by information safety devices treat signature file sign.
Optionally, the signature procedure module is module built-in when the digital signature terminal is dispatched from the factory.
Optionally, further include in the digital signature terminal:
Memory module, for storing the verification information for being verified to application data packet;
Program installs module, for being verified to the application data packet got using the verification information, and Corresponding application program is installed after being verified.
Optionally, the authentication unit, including:
Transmission sub-unit, for sending first verification data to the information safety devices of communication connection;
Receiving subelement, the second verify data for receiving the transmission of described information safety equipment;
The transmission sub-unit is additionally operable to be generated according to second verify data to the transmission of described information safety equipment Third verify data;
The receiving subelement is additionally operable to reception described information safety equipment and is generated according to the first verification data 4th verify data;
Certification subelement for being verified to the 4th verify data, and receives described information safety equipment to described the Feedback information after the verification of three verify datas, to realize the bidirectional identity authentication with information safety devices.
Optionally, the third verify data by described information safety equipment by with the first private key to first verification data It is digitally signed and generates;
4th verify data by the authentication unit by with the second private key to second verify data into line number Word is signed and is generated.
Optionally, the third verify data by described information safety equipment by with the first private key to first verification data Cryptographic Hash is calculated to ciphertext data after decryption and is generated;
4th verify data by the authentication unit by with the second private key to second verify data decrypt after Cryptographic Hash is calculated to ciphertext data and is generated.
Optionally, the signature procedure module further includes:
Prompt unit, for when the digital signature terminal and the safety equipment pass through two-way authentication, to user into Row certification passes through prompt.
Optionally, the signature procedure module further includes:
Input unit, the operational order assigned for inputting user, the operational order include signature request instruction.
Second aspect, the embodiment of the present invention additionally provide a kind of digital signature method, and the method is applied to any of the above-described Digital signature system described in, including:
Digital signature terminal shows file to be signed in the form of page file;
Digital signature terminal and the information safety devices of communication connection carry out bidirectional identity authentication;
Digital signature terminal using bidirectional identity authentication by information safety devices treat signature file sign.
To achieve the goals above, according to the third aspect of the invention we, a kind of storage medium, the storage medium are provided Program including storage, wherein equipment where controlling the storage medium when described program is run, which executes in preceding method, appoints Digital signature method described in meaning one.
To achieve the goals above, according to the fourth aspect of the invention, a kind of processor is provided, the processor is used for Run program, wherein digital signature method when described program is run described in any one of execution method.
By above-mentioned technical proposal, digital signature system provided by the invention and method, for the prior art based on USB During Key is digitally signed, there are terminal risk, the problem for causing the safety of digital signature relatively low, the present invention is led to Cross display unit and show file to be signed in the form of page file, then by authentication unit be the digital signature terminal with Two-way authentication is carried out between the safety equipment, finally by signature unit using bidirectional identity authentication by information security set It is standby to treat signature file signature, to realize the safety verification to signature terminal and safety equipment, ensuring both ends safety Digital signing operations are realized in the case of property, and avoiding may be influenced in digital signature procedure by terminal risk, improve Safety in digital signature procedure.
Above description is only the general introduction of technical solution of the present invention, in order to better understand the technical means of the present invention, And can be implemented in accordance with the contents of the specification, and in order to allow above and other objects of the present invention, feature and advantage can It is clearer and more comprehensible, below the special specific implementation mode for lifting the present invention.
Description of the drawings
By reading the detailed description of hereafter preferred embodiment, various other advantages and benefit are common for this field Technical staff will become clear.Attached drawing only for the purpose of illustrating preferred embodiments, and is not considered as to the present invention Limitation.And throughout the drawings, the same reference numbers will be used to refer to the same parts.In the accompanying drawings:
Fig. 1 shows a kind of digital signature method flow chart provided in an embodiment of the present invention;
Fig. 2 shows another digital signature method flow charts provided in an embodiment of the present invention;
Fig. 3 shows a kind of composition frame chart of digital signature system provided in an embodiment of the present invention;
Fig. 4 shows the composition frame chart of another digital signature system provided in an embodiment of the present invention;
Specific implementation mode
Exemplary embodiment of the present invention is more fully described below with reference to accompanying drawings.Although showing the present invention in attached drawing Exemplary embodiment, it being understood, however, that may be realized in various forms the present invention without should be by embodiments set forth here It is limited.It is to be able to be best understood from the present invention on the contrary, providing these embodiments, and can be by the scope of the present invention Completely it is communicated to those skilled in the art.
The embodiment of the present invention provides a kind of digital signature method based on digital signature system, as shown in Figure 1, wherein should Method is mainly used in bank, financial field, is used when user needs to be digitally signed.Described in the embodiment of the present invention Method be to solve the problems, such as that the safety in the digital signature procedure caused by terminal risk is vulnerable to influence, work as user The system described in the embodiment of the present invention is operated during being digitally signed, it is specific execute can in the following way into Row:
101, digital signature terminal shows file to be signed with page format;
In digital signature system described in book of the embodiment of the present invention, the digital signature terminal in the system can be special In the intelligent terminal of signature, such as the digital signature terminal is the intelligent terminal that inside is configured with signature procedure module, described Information safety devices can be understood as a kind of built-in equipment for verify signature Terminal security, such as encryption lock, encrypt Card etc..Before user needs to be digitally signed, generally requiring will establish between digital signature terminal and information safety devices Communication connection, and upon connection, the required file for carrying out signature operation is shown in the form of the page by the digital signature terminal, i.e., File to be signed described in this step.Meanwhile in this step, when showing file to be signed with page format, can also lead to It crosses and issues the user with prompt message, to ensure that user in time confirms the current desired file signed.
102, digital signature terminal and the information safety devices of communication connection carry out bidirectional identity authentication.
In embodiments of the present invention, can also include for two-way authentication in digital signature terminal and information safety devices Private key and public key.In addition, the file to be signed described in the embodiment of the present invention can be electronic contract or electronic documents.
According to the method described in this step, by the safety of digital signature terminal authentication information safety devices, meanwhile, by institute State the safety that information safety devices verify the digital signature terminal, that is, the bidirectional identity authentication described in the embodiment of the present invention.
In addition, can also include signature device before this step, in the digital signature method described in the embodiment of the present invention It establishes a connection with information safety devices, wherein establishing the mode of connection can be built based on hardware mode by interfaces such as USB It is vertical, it can also wirelessly establish connection, such as WLAN or bluetooth mode.It is connected when being established using hardware mode Then link block can be arranged in the digital signature terminal described in the embodiment of the present invention in relationship, which can be specially hardware Interface module, and when being established a connection using radio connection, then wherein the link block of equipment can be specially then It is right with the wireless interface module or the bluetooth connection module for having bluetooth connection function for realizing that equipment room is wirelessly connected This, the choosing for the signature terminal and the establishment of connection mode of described information safety equipment and its corresponding link block It selects, does not do specific restriction, can be determined according to actual needs.
When digital signature terminal and information safety devices carry out bidirectional identity authentication, can be judged by signature terminal with extremely Whether the two-way authentication for establishing the information safety devices of communication connection passes through.Wherein,
After carrying out bi-directional verification, need to judge whether described information safety equipment is tested by identity by digital signature terminal Card and information safety devices judge whether signature terminal passes through verification.In embodiments of the present invention, whether two-way authentication passes through It can be by judging whether the identity of both sides normally carries out.Due to during being digitally signed, the label of distinct device It is different when name information, therefore, the verification of identity can be carried out based on the information such as signing messages and public key therein, to Ensure that equipment is not tampered or controls.Wherein, bidirectional identity authentication specific of this step in digital signature terminal side is held Line mode can be:Determine whether information safety devices can be tested by the identity of the digital signature terminal by digital signature terminal Card, and detect whether to receive and be set by information security by the digital signature terminal that is used to indicate that information safety devices are fed back The instruction information of standby authentication, to realize digital signature terminal-pair both sides whether by the judgement of two-way authentication.Here, Include but not limited to above-mentioned authentication mode for judgment mode, can also voluntarily choose as needed.
It, can also be by the center of signing and issuing of electronic signature, needed for acquisition in addition, before method described in this step executes The Standard signatures for verifying equipment, are then compared according to the Standard signatures and the signing messages for the equipment that need to be verified, to real The authentication of verification equipment needed for existing.
103, digital signature terminal using bidirectional identity authentication by information safety devices treat signature file and signed Name.
After being determined that the two-way authentication between signature terminal and information safety devices has passed through, it may be determined that current label Name terminal and information safety devices be all it is reliable, be not present security risk, therefore, it is possible to use bidirectional identity authentication by Information safety devices carry out signature operation to the electronic document of required signature.
Digital signature method provided in an embodiment of the present invention is digitally signed the prior art based on USB Key During, there is a problem of that safety is relatively low, compared with the prior art, the embodiment of the present invention is using internal configured with signature journey The dedicated signatures terminal of sequence module, and carry out between the signature terminal and described information safety equipment before signing two-way Certification, and sign to electronic document after two-way authentication passes through, realize the peace to signature terminal and information safety devices Full verification, and realize digital signing operations in the case where ensuring both ends safety, it is ensured that show text in signature terminal Part is signature file, and avoiding in digital signature procedure may be influenced by terminal risk, improve digital signature procedure Middle safety.
Further, as the refinement and extension to embodiment illustrated in fig. 1, the embodiment of the present invention additionally provides another number Word endorsement method, as shown in Figure 2, wherein be as follows:
201, digital signature terminal receives the signature request that user assigns.
In embodiments of the present invention, the signature terminal, information safety devices and the two establish the mode of connection with Description in previous embodiment in step 102 is consistent, and details are not described herein.
It should be noted that in embodiments of the present invention, it, should in order to further ensure the accuracy of digital signature procedure Digital signature terminal can be to be exclusively used in the terminal of digital signature, be only equipped in the terminal for digital signature software or Program.
Optionally, it is that digital signature terminal is built-in when dispatching from the factory for the software of digital signature or program in digital signature terminal Module.Wherein, the terminal for being exclusively used in digital signature be forbid networking download application program closed terminal, inside only pacify Equipped with the software or program for digital signature, the monitoring of rogue program or literary to signature in digital signature procedure is thus avoided The malice of part is distorted.
In another optional mode, digital signature terminal allows user's networking download application data packet, but right The application data packet downloaded is allowed to be limited.
For example, the verification information that storage is verified for application data packet in digital signature terminal, when needing to install When application program, the application data packet of acquisition is verified using the verification information of storage, and pacifies after being verified Fill corresponding application program.
In a specific embodiment, the verification information can be root certificate or the public key that software vendor configures; Legal application data packet is the data packet that software vendor uses private key signature;Digital signature terminal is being got using journey After sequence data packet, the public key configured using root certificate or software vendor is passed through to application data packet sign test, and in sign test Afterwards, corresponding application program is installed.
In the scheme for allowing user to download application program, the verification by verification information to application data packet, really Bao Yingyongchengxushuojubao comes from legal software manufacturer, avoids installation Malware, thereby guarantees that software loop in digital terminal The safety in border.
Whether in another optional embodiment, one can be arranged in digital terminal can be with to distinguish user The program listing downloaded or installed when user's download, reception, preservation, installation or runs answering indicated by the instruction of application program When with program being included in described program list, then allow to execute the download about the program, reception, preservation, installation or operation Instruction, otherwise forbid responding corresponding instruction.
In the embodiment that digital signature terminal allows networking to download application program, signature procedure module can be only fitted to Allow to download in the program listing installed, user downloads the signature procedure module by networking mode.
In the above method, the control of application program is installed by that can be downloaded to digital signature terminal, it is ensured that terminal applies The safety of program avoids the installation of Malware, prevents the monitoring of rogue program or literary to signature in digital signature procedure The malice of part is distorted.
In embodiments of the present invention, can the signature request that assigned by user be received by signature terminal, wherein the label Name request is used to indicate the signature terminal and is ready for signature operation, and the specific mode that receives can be based on the signature terminal The input unit of upper setting carries out, such as can tap the different modes such as instruction by touching instruction and carry out connecing for signature request It brings drill to an end work.Specifically, can be carried out according to any mode in existing way for reception mode, specific limit is not done herein It is fixed.
The signature request that user assigns is received by terminal of signing as a result, signature terminal can be made to enter in time to be signed State timely responds to be provided for subsequent signature operation, reduces the time loss in digital signature procedure, improves signature effect Rate.
202, digital signature terminal shows file to be signed in the form of page file.
In order to avoid because in digital signature procedure, because terminal risk may to the influence of digital signing safety, therefore, It is provided with signature terminal for being digitally signed in the embodiment of the present invention, is provided in this terminal for being shown Screen can show the corresponding electronic document of signature request by the screen, to prompt the electronics signed needed for user File.In this way, by being shown to the corresponding electronic document of signature request, can make user in signature terminal to it is required into The electronic document of row digital signature is confirmed, is ensured that the accuracy of the required file signed, is ensured that number The accuracy of the signature result of signature.
203, two-way authentication is carried out between digital signature terminal and information safety devices.
In this step, due to progress be the two-way authentication signed between terminal and information safety devices, into During row certification, the verification by carrying out identity between signature terminal and information safety devices to other side respectively is needed.As a result, This step is specifically as follows:Terminal of signing carries out authentication by presetting rule to information safety devices, meanwhile, information security Equipment carries out authentication by presetting rule to the signature device.
When terminal of signing carries out authentication by presetting rule to information safety devices, it is specifically as follows:First, digital Authentication unit in terminal of signing sends first verification data to the information safety devices of communication connection and receives described information The second verify data that safety equipment is sent;Then, authentication unit sends to information safety devices and verifies number according to described second According to and the third verify data that generates, and receive described information safety equipment is generated according to the first verification data the Four verify datas.Finally, the 4th verify data of authentication unit pair is verified, and by information safety devices to the third verify data Verification, to realize the bidirectional identity authentication with information safety devices.In embodiments of the present invention, in signature terminal and information security When identity between equipment is verified mutually, specifically signature terminal and information security can be carried out according to following two modes Verification between equipment:
In the above-mentioned methods, in a first aspect, when third verify data be by described information safety equipment by with first private Key is digitally signed first verification data and generates;Meanwhile the 4th verify data can be passed through by the authentication unit When being digitally signed and being generated to second verify data with the second private key.Then verify bidirectional identification verify whether by Whether concrete mode both can be determined according to the third verify data and the 4th verify data by sign test operation It is no to pass through identity two-way identification.Wherein, first, second private key is difference corresponding informance safety equipment, digital signature The private key of terminal, described first, second does not have the meaning of sequencing.
For example, above-mentioned first verification data and the second verify data are random number, according to bi-directional verification described above Mode, the mode specifically executed can be:First, digital signature terminal and information safety devices exchange certificate, are taken in certificate With respective public key;Then, digital signature terminal generates random number 1 and is sent to information safety devices;Information safety devices generate Random number 2 is sent to digital signature terminal;Later, digital signature terminal is sent after being signed to random number 2 using the private key of oneself To information safety devices;Information safety devices are sent to digital signature terminal after signing to random number 1 using the private key of oneself;Most Afterwards, digital signature terminal and information safety devices use the public key of other side to signed data sign test respectively, double if sign test passes through Square authentication success.
In the methods described above, second aspect, when third verify data by described information safety equipment by with first private Key calculates cryptographic Hash to ciphertext data and generates after being decrypted to first verification data;Meanwhile the 4th verify data by the certification When unit calculates cryptographic Hash to ciphertext data after being decrypted to second verify data with the second private key by generates, then verify Bidirectional identification verify whether by concrete mode can be by whether consistent to first verification data and the 4th verify data, And second verify data and third verify data it is whether consistent, so that it is determined that both digital signature terminal and information safety devices Bidirectional identity authentication whether pass through.
Such as:Above-mentioned first verification data and the second verify data be using the data after public key encryption first, electronics Terminal of signing and information safety devices exchange certificate, and respective public key is carried in certificate;Then, electronic signature terminal generates random Number 1, the public key of use information safety equipment after the encryption of random number 1 to being sent to information safety devices;Information safety devices generate Random number 2 is sent to electronic signature terminal after being encrypted to random number 2 using the public key of electronic signature terminal;Later, it signs electronically Terminal calculates cryptographic Hash 1 using the decryption of encrypted random number of the private key of oneself to receiving and the random number to decrypting, Cryptographic Hash 1 is sent to information safety devices by electronic signature terminal;Information safety devices are using oneself private key to receiving Cryptographic Hash 2 is sent to by encrypted random number decryption and the random number calculating cryptographic Hash 2 obtained to decryption, information safety devices Sign electronically terminal;Then, electronic signature terminal calculates the cryptographic Hash of original random number 1 and is compared with the cryptographic Hash 2 received It is whether consistent;Whether information safety devices calculate the cryptographic Hash of original random number 2 and are compared with the cryptographic Hash 1 received consistent; Finally, if two above-mentioned cryptographic Hash compare consistent, the terminal that signs electronically and information safety devices bidirectional identity authentication Success.
Based on the mode described in terms of above-mentioned two, can by exchanging verify data itself in bi-directional verification, or The cryptographic Hash obtained based on hash algorithm, interaction data when it is different, and when using cryptographic Hash as bidirectional identification When the interaction data of certification, the possibility that can further avoid interaction data from being intercepted or distort improves safety.
As a result, according to the method described in this step, the is sent to the information safety devices of communication connection by authentication unit One verify data and the second verify data for receiving the transmission of described information safety equipment;Then, authentication unit is to information security Equipment sends the third verify data that is generated according to second verify data, and receive described information safety equipment according to The first verification data and the 4th verify data generated.Finally, the 4th verify data of authentication unit pair is verified, and by information Safety equipment verifies the third verify data, to realize the bidirectional identity authentication with information safety devices, can realize letter Cease authentication of the safety equipment to terminal of signing, it is ensured that the safety of two-way authentication is the accurate of subsequent digital signature Property, provide safety guarantee.
Further, third verify data, the 4th verify data are generated by way of private key signature, it can be ensured that private Whether key is accurately verified, and is then the safety of subsequent digital signature to demonstrate the safety of digital signature terminal Provide guarantee.In addition, by with private key to first, second verify data decrypt after to ciphertext data calculate cryptographic Hash come Generate third verify data and the 4th verify data, it can be ensured that when carrying out two-way authentication, the third transmitted, the 4th verify The data format of data is cryptographic Hash, data transmission risk caused by transmission verify data is then avoided, to ensure that number The overall accuracy of word endorsement method.
204, the output of digital signature terminal is verified prompt and information safety devices output is verified prompt.
In order to after two-way authentication passes through, to user feedback authentication result, in embodiments of the present invention, sign when determining It, can also be by the method described in this step, in signature terminal after two-way authentication between terminal and information safety devices passes through And carry out being verified the output operation of prompt in information safety devices respectively, wherein described to be verified prompt and be used to indicate Bi-directional verification between the signature terminal and described information safety equipment has passed through.
Certainly, in embodiments of the present invention, the signature terminal is outputed with described information safety equipment is verified Prompt one end setting wherein can be verified the output function of prompt as needed in practical operation.It needs to illustrate It is that, when abovementioned steps 203 judge that two-way authentication occurs abnormal, may be provided for prompt terminal risk in this step Indicating risk output function, with remind user's Contemporary Digital signature terminal and information safety devices between certification occur it is different Often, there are risks for digital signing operations, and certainly, the setting for the function can be based on actual needs and be chosen, herein simultaneously Specific restriction is not done.
It should be noted that in this step, when information safety devices do not have display function, can also only pass through number Word signature terminal carries out the information alert of bidirectional identity authentication.Here, the displaying of the prompt facility described in the embodiment of the present invention, This is only used as exemplary parsing, does not do specific restriction, the prompting mode selected by reality is with specific digital signature terminal It is determined with security information equipment.
Prompt is verified by output as a result, it can be ensured that signature terminal passes through with information safety devices two-way authentication Afterwards, in time to user feedback authentication result, it is ensured that can user understands carry out subsequent signature operation.
205, digital signature terminal using bidirectional identity authentication by information safety devices sign to electronic document.
This step is specifically as follows:When the identity of the signature terminal authentication described information safety equipment is normal and described Information safety devices verify the signature terminal identity it is normal when, the signature terminal can be using in the information safety devices Signed data is extracted, and is signed to the electronic document.
Wherein, the method according to abovementioned steps 203, signature terminal authentication described information described in this step are set safely Standby identity is normal, is specifically as follows:To first signed data in described information safety equipment is by the signature Sign test operates, then the identity of the signature terminal authentication described information safety equipment is normal.Meanwhile this step described information safety The identity for terminal of signing described in device authentication is normal, is specifically as follows:To described in the signature terminal is by the signature The sign test of second signed data operates, then described information safety equipment verify the signature terminal identity it is normal.
Further, the method according to abovementioned steps 203, signature terminal authentication described information peace described in this step The identity of full equipment is normal, can also be specifically:When the signature terminal determine the third verify data can by verification, And information safety devices are when determining that the 4th verify data can pass through verification, it is determined that both sides can be recognized by two-way Card, the identity of the two are simultaneously without exception.Meanwhile this step described information safety equipment verify it is described signature terminal identity it is normal, It is specifically as follows:When described information safety equipment determines that the third verify data is consistent with the 4th verify data, then The identity that described information safety equipment verifies the signature terminal is normal.
Further, as the realization to method shown in above-mentioned Fig. 1, the embodiment of the present invention additionally provides a kind of digital signature System, for being realized to above-mentioned method shown in FIG. 1.The device embodiment is corresponding with preceding method embodiment, for ease of It reads, present apparatus embodiment no longer repeats the detail content in preceding method embodiment one by one, it should be understood that this reality The full content realized in preceding method embodiment can be corresponded to by applying the device in example.As shown in figure 3, the system comprises:Number Word signature terminal 31 and information safety devices 32;The digital signature terminal is to be exclusively used in the terminal of signature, and inside is configured with label Name program module 311, the signature procedure module 311 include:
Display unit 3111 can be used for showing file to be signed in the form of page file.
Authentication unit 3112 can be used for carrying out bidirectional identity authentication with the information safety devices 32 of communication connection.
Signature unit 3113, be used for through 3112 bidirectional identity authentication of the authentication unit by information pacify Full equipment 32 is to the file signature to be signed shown by the display unit 3111.
Further, as the realization to method shown in above-mentioned Fig. 2, the embodiment of the present invention additionally provides another number label Name system, for being realized to above-mentioned method shown in Fig. 2.The device embodiment is corresponding with preceding method embodiment, for just In reading, present apparatus embodiment no longer repeats the detail content in preceding method embodiment one by one, it should be understood that this Device in embodiment can correspond to the full content realized in preceding method embodiment.As shown in figure 4, the system comprises: Digital signature terminal 41 and information safety devices 42;The digital signature terminal is to be exclusively used in the terminal of signature, and inside is configured with Signature procedure module 411, the signature procedure module 411 include:
Display unit 4111 can be used for showing file to be signed in the form of page file.
Authentication unit 4112 can be used for carrying out bidirectional identity authentication with the information safety devices 42 of communication connection.
Signature unit 4113, be used for through 4112 bidirectional identity authentication of the authentication unit by information pacify Full equipment is to the file signature to be signed shown by the display unit 4111.
Further, the signature procedure module 411 is module built-in when the digital signature terminal is dispatched from the factory.
Further, further include in the digital signature terminal:
Memory module 412, can be used for storing digital signature terminal allows to download the program listing installed;
Program installs module 413, can be used for receiving download, reception, preservation, installation or the instruction for running application program When, judge whether the application program indicated by the instruction downloading, receive, preserving, installing or run application program is included in In the described program list that the memory module 412 stores, corresponding instruction is responded if included in described program list, with Note name program module 4111 carries out signature operation, otherwise forbids responding corresponding instruction according to command adapted thereto.
Further, the authentication unit 4112, including:
Transmission sub-unit 41121 can be used for sending first verification data to the information safety devices 42 of communication connection;
Receiving subelement 41122 can be used for receiving the second verify data that described information safety equipment 42 is sent;
The transmission sub-unit 41121 can be also used for sending to described information safety equipment 42 and be tested according to described second The third verify data demonstrate,proved data and generated;
The receiving subelement 41122 can be also used for receiving described information safety equipment 42 according to first verification Data and the 4th verify data generated;
Certification subelement 41123, the 4th verify data verification that can be used for receiving the receiving subelement 41122, And the feedback information after described information safety equipment 42 verifies the third verify data is received, it is set with information security with realizing Standby 42 bidirectional identity authentication.
Further, the third verify data by described information safety equipment 42 by with the first private key pair first verify Data are digitally signed and generate;
4th verify data by the authentication unit by with the second private key to second verify data into line number Word is signed and is generated.
Further, the third verify data by described information safety equipment 42 by with the first private key pair first verify Cryptographic Hash is calculated to ciphertext data after data deciphering and is generated;
4th verify data by the authentication unit by with the second private key to second verify data decrypt after Cryptographic Hash is calculated to ciphertext data and is generated.
Further, the signature procedure module 411 further includes:
Prompt unit 4114 can be used for confirming digital signature terminal and described information safety when the authentication unit 4112 When equipment passes through two-way authentication, user is authenticated and passes through prompt.
Further, the signature procedure module further includes:
Input unit 4115 can be used for inputting the operational order that user assigns, to be carried out according to the operational order Corresponding operation, the operational order includes signature request instruction, so that the signature unit 4113 is signed accordingly Operation.
Further, the terminal can also include:
Link block 414 can be used for establishing a connection with information safety devices 42, to realize that the digital signature is whole Connection between end and described information safety equipment 42.
By above-mentioned technical proposal, a kind of digital signature system provided in an embodiment of the present invention and method, for existing skill For art during being digitally signed based on USB Key, there are terminal risks, cause the safety of digital signature is lower to ask Topic, the present invention show file to be signed by display unit in the form of page file, are then the number by authentication unit Word signs and carries out two-way authentication between terminal and described information safety equipment, equal using bidirectional identity authentication finally by signature unit By information safety devices treat signature file signature, signature terminal and the safety of information safety devices are tested to realize Card, realizes digital signing operations, avoiding may be by end in digital signature procedure in the case where ensuring both ends safety The influence for holding risk, improves safety in digital signature procedure.
The software protecting device includes processor and memory, above-mentioned signature procedure module, memory module, program installation Module etc. is stored in memory, executes above procedure unit stored in memory by processor to realize corresponding work( Energy.
Include kernel in processor, is gone in memory to transfer corresponding program unit by kernel.Kernel can be arranged one Or more, improve the safety in digital signature procedure by adjusting kernel parameter.
Memory may include computer-readable medium in volatile memory, random access memory (RAM) and/ Or the forms such as Nonvolatile memory, if read-only memory (ROM) or flash memory (flash RAM), memory include at least one deposit Store up chip.
An embodiment of the present invention provides a kind of storage mediums, are stored thereon with program, real when which is executed by processor The existing digital signature method.
An embodiment of the present invention provides a kind of processor, the processor is for running program, wherein described program is run Digital signature method described in Shi Zhihang.
An embodiment of the present invention provides a kind of software protecting devices, including processor, memory and are stored in storage On device and the program that can run on a processor, processor realize following steps when executing program:Digital signature terminal is with the page The form of file shows file to be signed;Digital signature terminal and the information safety devices of communication connection, which carry out bidirectional identification, to be recognized Card;Digital signature terminal using bidirectional identity authentication by information safety devices treat signature file sign.
The embodiment of the present invention additionally provides a kind of computer program product, when being executed on data processing equipment, is suitable for The progressive number signature terminal for executing initialization there are as below methods step shows file to be signed in the form of page file;Number Terminal of signing and the information safety devices of communication connection carry out bidirectional identity authentication;Digital signature terminal uses bidirectional identity authentication By information safety devices treat signature file signature.
It should be understood by those skilled in the art that, embodiments herein can be provided as method, system or computer program Product.Therefore, complete hardware embodiment, complete software embodiment or reality combining software and hardware aspects can be used in the application Apply the form of example.Moreover, the application can be used in one or more wherein include computer usable program code computer The computer program production implemented in usable storage medium (including but not limited to magnetic disk storage, CD-ROM, optical memory etc.) The form of product.
The application is with reference to method, the flow of equipment (system) and computer program product according to the embodiment of the present application Figure and/or block diagram describe.It should be understood that can be realized by computer program instructions every first-class in flowchart and/or the block diagram The combination of flow and/or box in journey and/or box and flowchart and/or the block diagram.These computer programs can be provided Instruct the processor of all-purpose computer, special purpose computer, Embedded Processor or other programmable data processing devices to produce A raw machine so that the instruction executed by computer or the processor of other programmable data processing devices is generated for real The device for the function of being specified in present one flow of flow chart or one box of multiple flows and/or block diagram or multiple boxes.
These computer program instructions, which may also be stored in, can guide computer or other programmable data processing devices with spy Determine in the computer-readable memory that mode works so that instruction generation stored in the computer readable memory includes referring to Enable the manufacture of device, the command device realize in one flow of flow chart or multiple flows and/or one box of block diagram or The function of being specified in multiple boxes.
These computer program instructions also can be loaded onto a computer or other programmable data processing device so that count Series of operation steps are executed on calculation machine or other programmable devices to generate computer implemented processing, in computer or The instruction executed on other programmable devices is provided for realizing in one flow of flow chart or multiple flows and/or block diagram one The step of function of being specified in a box or multiple boxes.
In a typical configuration, computing device includes one or more processors (CPU), input/output interface, net Network interface and memory.
Memory may include computer-readable medium in volatile memory, random access memory (RAM) and/ Or the forms such as Nonvolatile memory, such as read-only memory (ROM) or flash memory (flash RAM).Memory is computer-readable Jie The example of matter.
Computer-readable medium includes permanent and non-permanent, removable and non-removable media can be by any method Or technology realizes information storage.Information can be computer-readable instruction, data structure, the module of program or other data. The example of the storage medium of computer includes, but are not limited to phase transition internal memory (PRAM), static RAM (SRAM), moves State random access memory (DRAM), other kinds of random access memory (RAM), read-only memory (ROM), electric erasable Programmable read only memory (EEPROM), fast flash memory bank or other memory techniques, read-only disc read only memory (CD-ROM) (CD-ROM), Digital versatile disc (DVD) or other optical storages, magnetic tape cassette, tape magnetic disk storage or other magnetic storage apparatus Or any other non-transmission medium, it can be used for storage and can be accessed by a computing device information.As defined in this article, it calculates Machine readable medium does not include temporary computer readable media (transitory media), such as data-signal and carrier wave of modulation.
It should also be noted that, the terms "include", "comprise" or its any other variant are intended to nonexcludability Including so that process, method, commodity or equipment including a series of elements include not only those elements, but also wrap Include other elements that are not explicitly listed, or further include for this process, method, commodity or equipment intrinsic want Element.In the absence of more restrictions, the element limited by sentence "including a ...", it is not excluded that including element There is also other identical elements in process, method, commodity or equipment.
It will be understood by those skilled in the art that embodiments herein can be provided as method, system or computer program product. Therefore, complete hardware embodiment, complete software embodiment or embodiment combining software and hardware aspects can be used in the application Form.It is deposited moreover, the application can be used to can be used in the computer that one or more wherein includes computer usable program code The shape for the computer program product implemented on storage media (including but not limited to magnetic disk storage, CD-ROM, optical memory etc.) Formula.
It these are only embodiments herein, be not intended to limit this application.To those skilled in the art, The application can have various modifications and variations.It is all within spirit herein and principle made by any modification, equivalent replacement, Improve etc., it should be included within the scope of claims hereof.

Claims (9)

1. a kind of digital signature system, which is characterized in that the system comprises:Digital signature terminal and information safety devices;Institute It is to be exclusively used in the terminal of signature to state digital signature terminal, and inside is configured with signature procedure module, and the signature procedure module includes:
Display unit, for showing file to be signed in the form of page file;
Authentication unit, for carrying out bidirectional identity authentication with the information safety devices of communication connection;
Signature unit, for using bidirectional identity authentication by information safety devices treat signature file sign.
2. system according to claim 1, which is characterized in that the signature procedure module is that the digital signature terminal goes out Built-in module when factory.
3. system according to claim 1 or 2, which is characterized in that further include in the digital signature terminal:
Memory module, for storing the verification information for being verified to application data packet;
Program installs module, for being verified to the application data packet got using the verification information, and is testing Card installs corresponding application program after passing through.
4. system according to claim 1, which is characterized in that the authentication unit, including:
Transmission sub-unit, for sending first verification data to the information safety devices of communication connection;
Receiving subelement, the second verify data for receiving the transmission of described information safety equipment;
The transmission sub-unit is additionally operable to send the generated according to second verify data to described information safety equipment Three verify datas;
The receiving subelement is additionally operable to receive the described information safety equipment is generated according to the first verification data the 4th Verify data;
Certification subelement for being verified to the 4th verify data, and receives described information safety equipment and tests the third The feedback information after data verification is demonstrate,proved, to realize the bidirectional identity authentication with information safety devices.
5. system according to claim 4, which is characterized in that the third verify data is led to by described information safety equipment It crosses and first verification data is digitally signed with the first private key and is generated;
4th verify data is by the authentication unit by carrying out digital label to second verify data with the second private key Name and generate.
6. system according to claim 4, which is characterized in that the third verify data is led to by described information safety equipment It crosses after being decrypted to first verification data with the first private key and cryptographic Hash is calculated to ciphertext data and is generated;
4th verify data by the authentication unit by with the second private key to second verify data decrypt after to solution Ciphertext data calculates cryptographic Hash and generates.
7. system according to claim 6, which is characterized in that the signature procedure module further includes:
Prompt unit, for when the digital signature terminal passes through two-way authentication with the safety equipment, recognizing user Card passes through prompt.
8. according to the system described in any one of claim 1-7, which is characterized in that the signature procedure module further includes:
Input unit, the operational order assigned for inputting user, the operational order include signature request instruction.
9. a kind of digital signature method, which is characterized in that the method is applied to 1 to 8 any one of them digital signature system of power System, including:
Digital signature terminal shows file to be signed in the form of page file;
Digital signature terminal and the information safety devices of communication connection carry out bidirectional identity authentication;
Digital signature terminal using bidirectional identity authentication by information safety devices treat signature file sign.
CN201810505836.5A 2018-05-24 2018-05-24 digital signature system and method Pending CN108494565A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810505836.5A CN108494565A (en) 2018-05-24 2018-05-24 digital signature system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810505836.5A CN108494565A (en) 2018-05-24 2018-05-24 digital signature system and method

Publications (1)

Publication Number Publication Date
CN108494565A true CN108494565A (en) 2018-09-04

Family

ID=63350739

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810505836.5A Pending CN108494565A (en) 2018-05-24 2018-05-24 digital signature system and method

Country Status (1)

Country Link
CN (1) CN108494565A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109474434A (en) * 2018-11-14 2019-03-15 北京天威诚信电子商务服务有限公司 A kind of visualization digital endorsement method, device, medium and equipment
CN110417808A (en) * 2019-08-08 2019-11-05 深圳市英博超算科技有限公司 Tamper resistant method, device, system and terminal
CN113748642A (en) * 2019-02-26 2021-12-03 上海亚融信息技术有限公司 Digital signature terminal and secure communication method

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101206542A (en) * 2006-12-18 2008-06-25 汉王科技股份有限公司 Ciphering signature writing pad with press keys and display screen
CN101686127A (en) * 2008-09-24 2010-03-31 北京创原天地科技有限公司 Novel USBKey secure calling method and USBKey device
CN102708491A (en) * 2012-04-27 2012-10-03 东信和平智能卡股份有限公司 Trusted computing based novel USB (universal serial bus) Key device and safety transaction method thereof
CN103473498A (en) * 2013-09-12 2013-12-25 深圳市文鼎创数据科技有限公司 Application program security verification method and terminal
CN103971044A (en) * 2014-05-07 2014-08-06 深圳市建设工程交易服务中心 Radio frequency identification and digital signature integration device
CN107248075A (en) * 2017-05-19 2017-10-13 飞天诚信科技股份有限公司 A kind of method and device for realizing bidirectional authentication of smart secret key equipment and transaction
JP2018038036A (en) * 2016-08-30 2018-03-08 株式会社ワコム Authentication and safe data transmission between signature tablet and host computer using transport layer security

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101206542A (en) * 2006-12-18 2008-06-25 汉王科技股份有限公司 Ciphering signature writing pad with press keys and display screen
CN101686127A (en) * 2008-09-24 2010-03-31 北京创原天地科技有限公司 Novel USBKey secure calling method and USBKey device
CN102708491A (en) * 2012-04-27 2012-10-03 东信和平智能卡股份有限公司 Trusted computing based novel USB (universal serial bus) Key device and safety transaction method thereof
CN103473498A (en) * 2013-09-12 2013-12-25 深圳市文鼎创数据科技有限公司 Application program security verification method and terminal
CN103971044A (en) * 2014-05-07 2014-08-06 深圳市建设工程交易服务中心 Radio frequency identification and digital signature integration device
JP2018038036A (en) * 2016-08-30 2018-03-08 株式会社ワコム Authentication and safe data transmission between signature tablet and host computer using transport layer security
CN107248075A (en) * 2017-05-19 2017-10-13 飞天诚信科技股份有限公司 A kind of method and device for realizing bidirectional authentication of smart secret key equipment and transaction

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109474434A (en) * 2018-11-14 2019-03-15 北京天威诚信电子商务服务有限公司 A kind of visualization digital endorsement method, device, medium and equipment
CN113748642A (en) * 2019-02-26 2021-12-03 上海亚融信息技术有限公司 Digital signature terminal and secure communication method
CN110417808A (en) * 2019-08-08 2019-11-05 深圳市英博超算科技有限公司 Tamper resistant method, device, system and terminal

Similar Documents

Publication Publication Date Title
CN104021333B (en) Mobile security watch bag
CN101426012B (en) Software module management device
CN101258505B (en) Secure software updates
CN109214168A (en) Firmware upgrade method and device
CN105787357B (en) One kind being based on Android system APK method for down loading and its system
EP3017580B1 (en) Signatures for near field communications
CN104737177B (en) method for providing security service
CN101490698A (en) Component authentication for computer systems
US20210216306A1 (en) Secure deployment of software on industrial control systems
CN103269271A (en) Method and system for back-upping private key in electronic signature token
EP3862899A1 (en) Information communication apparatus, authentication program for information communication apparatus, and authentication method
CN101983375A (en) Binding a cryptographic module to a platform
CN110326266A (en) A kind of method and device of data processing
CN108494565A (en) digital signature system and method
CN107980132A (en) A kind of APK signature authentications method and system
US20170353315A1 (en) Secure electronic entity, electronic apparatus and method for verifying the integrity of data stored in such a secure electronic entity
CN108768963A (en) The communication means and system of trusted application and safety element
CN103996117A (en) Safety mobile phone
CN102523095A (en) User digital certificate remote update method with intelligent card protection function
CN108200014A (en) The method, apparatus and system of server are accessed using intelligent key apparatus
CN105939194A (en) Backup method and backup system for private key of electronic key device
CN108416224A (en) A kind of data encryption/decryption method and device
US20140012761A1 (en) Method for operating a cash box with customer-specific keys
CN110268675A (en) Method in programmable hardware security module and programmable hardware security module
CN111404706B (en) Application downloading method, secure element, client device and service management device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180904

RJ01 Rejection of invention patent application after publication