CN109560933A - Authentication method and system, storage medium based on digital certificate, electronic equipment - Google Patents

Authentication method and system, storage medium based on digital certificate, electronic equipment Download PDF

Info

Publication number
CN109560933A
CN109560933A CN201811186820.9A CN201811186820A CN109560933A CN 109560933 A CN109560933 A CN 109560933A CN 201811186820 A CN201811186820 A CN 201811186820A CN 109560933 A CN109560933 A CN 109560933A
Authority
CN
China
Prior art keywords
data
signed
mobile terminal
key
application server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201811186820.9A
Other languages
Chinese (zh)
Other versions
CN109560933B (en
Inventor
孙曦
落红卫
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ant Rongxin Chengdu Network Technology Co ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba Group Holding Ltd filed Critical Alibaba Group Holding Ltd
Priority to CN201811186820.9A priority Critical patent/CN109560933B/en
Publication of CN109560933A publication Critical patent/CN109560933A/en
Application granted granted Critical
Publication of CN109560933B publication Critical patent/CN109560933B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

This specification one or more embodiment provides the authentication method based on digital certificate, including mobile terminal and server side interact and generate data to be signed in server side;The trusted application server of server side is back to mobile terminal after being packaged data to be signed;Mobile terminal verifies the data to be signed after encapsulation by the key shared with trusted application server, is signed after being verified using user certificate private key;Data return to server side after mobile terminal will sign, and use data after customer digital certificate public key verifications signature.This specification one or more embodiment further relates to Verification System based on digital certificate, storage medium, electronic equipment.This specification one or more embodiment is by returning again to mobile application and being sent to the certification that the mode signed in quadrature digital up-converter carries out digital certificate after first sending data to be signed and carrying out secure package to server.

Description

Authentication method and system, storage medium based on digital certificate, electronic equipment
Technical field
This specification one or more embodiment is related to mobile terminal digital certificate authentication field, more particularly to based on number card The authentication method and system of book, storage medium, electronic equipment.
Background technique
It is more more and more intense to the demand for security of user identity authentication along with the development of mobile Internet business.Number card Book application is a kind of typical user identity authentication mode.Traditional quadrature digital up-converter is to be presented to the individually card of user one Book hardware carrier, the corresponding private key of carrier built in user certificate, when carrying out network service trade confirmation link, user is used The certificate is signed, and realizes authentication.In the nowadays mobile Internet stage, the quadrature digital up-converter of user it is built-in in In safe unit in customer mobile terminal, when needing to authenticate user identity, the digital certificate that calls this built-in into Row signature operation.But there are security breaches for this usage mode at present in the terminal, for example, by data to be signed Safety can not ensure in transmittance process in mobile terminal, and especially mobile application is answered toward the digital certificate positioned at safe unit When being transmitted in, it is understood that there may be a possibility that data to be signed are distorted by people.Accordingly, it is desirable to provide a kind of more reliable side Case.
A kind of possible security enhanced manner is that one is shared in mobile application and quadrature digital up-converter in the prior art Security key, for being encrypted to the data to be signed of transmission, however, since mobile application inherently safe protects intensity Not enough, however it remains security key a possibility that being leaked, therefore this security enhanced manner is still inadequate.
Summary of the invention
This specification one or more embodiment is based at least one above-mentioned technical problem, proposes based on number card The authentication method and system of book, electronic equipment, storage medium can ensure to a certain degree or avoid in data to be signed in movement Terminal inner is not maliciously tampered from the safety in the transmission process that mobile application is transmitted to quadrature digital up-converter.
In order to achieve the above objectives, this specification one or more embodiment provides the authentication method based on digital certificate, packet Include following steps:
S1, mobile terminal send signature request to server side, for generating data to be signed in server side;
S2, server side trusted application server data to be signed are packaged after be back to mobile terminal;
S3, mobile terminal are unsealed by the data to be signed after the key pair encapsulation shared with trusted application server And verify, it is signed using user certificate private key to the data to be signed after being verified;
S4, mobile terminal will sign after data return server side, and using customer digital certificate public key verifications signature after Data.
Further, step S2 includes following sub-step:
S21, mobile application server response Mobile terminal signature request and generate data to be signed;
S22, trusted application server receive data to be signed and using the server key in trusted application server into Row first encapsulates;
S23, trusted application server return to the data to be signed after the first encapsulation to mobile application server;
Data to be signed after first encapsulation are returned to mobile application in mobile terminal by S24, mobile application server.
Further, step S3 includes following sub-step:
The data to be signed after the first encapsulation are sent to number card in mobile terminal by mobile application in S31, mobile terminal Book application;
S32, quadrature digital up-converter use the key shared with trusted application server to unseal and carry out third verifying, third It is signed after being verified using user certificate private key.
Further, step S4 includes following sub-step:
S41, data are back to mobile application in mobile terminal after customer digital certificate signature;
Data after signature are back to mobile application server by mobile application in S42, mobile terminal;
S43, mobile application server use data after customer digital certificate public key verifications signature.
Further, step S3 further includes following sub-step:
The data to be signed after the first encapsulation are sent to credible in mobile terminal answer by mobile application in S33, mobile terminal With;
It is to be signed after trusted application uses the key pair negotiated with trusted application server to encapsulate in S34, mobile terminal Data unseal and carry out the first verifying of data integrity, first be verified after using trusted application in mobile terminal and number The key of certificate Application share carries out the second encapsulation;
The data to be signed after the second encapsulation are sent to number card in mobile terminal by trusted application in S35, mobile terminal Book application;
Quadrature digital up-converter uses the key shared with trusted application in mobile terminal deblocking to go forward side by side in S36, mobile terminal Row second verify, second be verified after signed using user certificate private key.
Further, step S4 further includes following sub-step:
Data are back to trusted application in mobile terminal after customer digital certificate signature in S44, mobile terminal;
Data after signature are back to mobile application in mobile terminal by trusted application in S45, mobile terminal;
Data after signature are back to mobile application server by mobile application in S46, mobile terminal;
S47, mobile application server use data after customer digital certificate public key verifications signature.
Preferably, it is packaged in step S2 using asymmetrical key pair data to be signed.
Preferably, it is packaged in step S2 using symmetrical key pair data to be signed.
Verification System based on digital certificate, including be built in the safe unit of mobile terminal, mobile application server, can Believe that application server, the mobile application server are built-in with customer digital certificate public key, are equipped with number in the safe unit Word certificate application;Mobile application in mobile terminal sends the data to be signed that need customer digital certificate to sign to described Mobile application server;The mobile application server receives data to be signed and is sent to the trusted application server;Institute Trusted application server is stated to receive data to be signed and carry out the first encapsulation using server key;The trusted application server Data to be signed after returning to the first encapsulation are to the mobile application server;The mobile application server will be after the first encapsulation Data to be signed return to mobile application;Mobile terminal to first encapsulation after data to be signed by with trusted application service The shared key of device is verified, and is signed after being verified using user certificate private key;Data after mobile terminal will sign The mobile application server is returned, and uses data after customer digital certificate public key verifications signature.
Preferably, the data to be signed after the first encapsulation are sent to the quadrature digital up-converter by the mobile application;Institute Stating quadrature digital up-converter uses the key shared with trusted application server to carry out third verifying, and third is used after being verified and used Family certificate and private key is signed;Data are back to mobile application after customer digital certificate signature;Data after mobile application will sign It is back to the mobile application server;The mobile application server uses number after customer digital certificate public key verifications signature According to.
It preferably, further include the trusted application for the digital certificate access being built in credible performing environment;Mobile application will Data to be signed after first encapsulation are sent to the trusted application;The trusted application use and the trusted application server Negotiation key pair encapsulation after data to be signed integrality carry out first verifying, first be verified after using trusted application with The shared key of the quadrature digital up-converter carries out the second encapsulation;The trusted application sends out the data to be signed after the second encapsulation It send to the quadrature digital up-converter;The quadrature digital up-converter uses the key shared with the trusted application to carry out second and tests Card, second be verified after signed using user certificate private key;After customer digital certificate signature data be back to it is described can Letter application;Data after signature are back to mobile application by the trusted application;Data after signature are back to described by mobile application Mobile application server;The mobile application server uses data after customer digital certificate public key verifications signature.
Preferably, the server key includes symmetric key, the Encryption Algorithm of the symmetric key include DES, 3DES, Any one of IDEA, FEAL, BLOWFISH.
Preferably, the server key includes unsymmetrical key, the Encryption Algorithm of the unsymmetrical key include RSA, Any one of Elgamal, knapsack algorithm, Rabin, D-H, ECC.
Preferably, the key that the trusted application and the quadrature digital up-converter are shared includes unsymmetrical key, described non- The Encryption Algorithm of symmetric key includes any one of RSA, Elgamal, knapsack algorithm, Rabin, D-H, ECC.
Preferably, the key that the trusted application and the quadrature digital up-converter are shared includes unsymmetrical key, described non- The Encryption Algorithm of symmetric key includes any one of RSA, Elgamal, knapsack algorithm, Rabin, D-H, ECC.
A kind of electronic equipment, including memory, processor and storage are on a memory and the meter that can run on a processor Calculation machine program, the processor realize the above-mentioned authentication method based on digital certificate when executing described program.
A kind of computer readable storage medium, is stored thereon with computer program, and the computer program is held by processor The above-mentioned authentication method based on digital certificate is realized when row.
Compared with prior art, the advantage of this specification one or more embodiment is:
This specification one or more embodiment provides the authentication method based on digital certificate, comprising steps of mobile terminal It is interacted with server side, for generating data to be signed in server side;The trusted application server of server side will be to Signed data is back to mobile terminal after being packaged;Mobile terminal is encapsulated by the key pair shared with trusted application server Data to be signed afterwards are unsealed and are verified, and are signed using user certificate private key to the data to be signed after being verified Name;Data return to server side after mobile terminal will sign, and use data after customer digital certificate public key verifications signature.This theory Bright book one or more embodiment further relates to Verification System based on digital certificate, storage medium, electronic equipment.This specification one A or multiple embodiments by returning again to mobile application after first being sent data to be signed and carrying out secure package to server, by It is sent to the mode signed in quadrature digital up-converter through trusted application, is answered with ensuring data to be signed being sent to digital certificate It is not tampered with preceding, guarantees the Information Security of digital certificate authentication process.
Above description is only the general introduction of this specification one or more embodiment technical solution, in order to better understand The technological means of this specification one or more embodiment, and can be implemented in accordance with the contents of the specification, below with this explanation The preferred embodiment of book one or more embodiment simultaneously cooperates attached drawing detailed description is as follows.This specification one or more embodiment Specific embodiment be shown in detail by following embodiment and its attached drawing.
Detailed description of the invention
The embodiment with this specification one or more embodiment is described in further detail with reference to the accompanying drawing.
Fig. 1 is the authentication method flow chart based on digital certificate of this specification one or more embodiment;
Fig. 2 is the authentication method flow chart based on digital certificate of this specification embodiment 1;
Fig. 3 is the Verification System schematic diagram based on digital certificate of this specification embodiment 3;
Fig. 4 is the authentication method flow chart based on digital certificate of this specification embodiment 2;
Fig. 5 is the Verification System schematic diagram based on digital certificate of this specification embodiment 4.
Specific embodiment
In order to make those skilled in the art more fully understand the technical solution in this specification, below in conjunction with this explanation Attached drawing in book embodiment is clearly and completely described the technical solution in this specification embodiment, it is clear that described Embodiment be only this specification one or more embodiment a part of the embodiment, instead of all the embodiments.Based on this Specification embodiment, every other implementation obtained by those of ordinary skill in the art without making creative efforts The range of this specification one or more embodiment protection all should belong in example.
Authentication method based on digital certificate, as shown in Figure 1, comprising the following steps:
S1, mobile terminal send signature request to server side, for generating data to be signed in server side;It is real one It applies in example, as shown in Figure 1, mobile terminal and server side interact and generate data to be signed in server side, for example, In shopping online, user checks that browsing places an order in on-line shop's platform, is interacted by cell phone client and server-side, In, some data mobile phone terminal generate, such as user input information or selection user side information, some then server-side produce It is raw, such as the information of the server sides such as order number, serial number, server side sends signature request according to mobile terminal, by user The information of side information and server side is summarized and is handled, and data to be signed are generated.It should be appreciated that for generating number to be signed According to data source can derive from mobile terminal, can also derive from server side, it is not limited here.It is also understood that handing over Mutually mean that participating in movable object can mutually exchange, and interact on both side;Such as: when computer plays certain Multimedia Program It waits, programming personnel can issue the operation that instruction controls the program, rather than program unilaterally executes, and program is receiving Programming personnel correspondingly makes a response after instructing accordingly, this process and behavior, referred to as interactive, in the present embodiment, When interaction exists only in the data source of data to be signed from mobile terminal and server side, for convenience of describing, implement below The description that signature request to server side mostly uses mobile terminal with server side progress " interaction " is sent to mobile terminal in example Mode should not limit protection scope to this.
S2, server side trusted application server data to be signed are packaged after be back to mobile terminal;
S3, mobile terminal are unsealed by the data to be signed after the key pair encapsulation shared with trusted application server And verify, it is signed using user certificate private key to the data to be signed after being verified;
S4, mobile terminal will sign after data return server side, and using customer digital certificate public key verifications signature after Data.
It should be appreciated that encapsulation process includes but is not limited to data encryption, the data packing for checking data integrity, correspond to Deblocking process includes but is not limited to data deciphering, completeness check.
Embodiment 1, the authentication method based on digital certificate are as shown in Figure 2, it should be understood that Cheng Qian is crossed in the present embodiment description It mentions and has completed initialization for digital certificate and issued, the present embodiment is configured to the application example of digital certificate, including following Step:
S11, mobile terminal and mobile application server interact;Wherein, user has applied and in mobile terminal It is mounted with that quadrature digital up-converter, mobile application server have also retained the public key certificate of the user in safe unit;User is logical It crosses mobile application to interact with server, generates the data to be signed for needing customer digital certificate to sign.For example, user passes through Mobile application can trigger the calling interface module in third party's calling service mobile terminal and obtain mobile terminal in mobile terminal Facility information and digital certificate mount message, the discovery of calling interface module mobile terminal is locally-installed have digital certificate after, and lead to It crosses mobile terminal and generates signature request, signature command, that is, data to be signed are generated with request server side.
S21, mobile application server response mobile terminal interaction request simultaneously generate data to be signed;Trusted application server It is the server for being located at digital certificate management trusted application in credible performing environment in mobile terminal for corresponding management, the number Entrance of the word certificate management trusted application as quadrature digital up-converter in control access safety unit.For example, the shifting of server side Dynamic application server receives the signature request of mobile terminal, generates signature command, that is, data to be signed, and take by mobile application Signature command, that is, data to be signed are issued to the trusted application server of corresponding digital certificate by business device.
S22, trusted application server receive data to be signed and carry out the first encapsulation using server key;In this implementation In example, application server key is configured to the key that trusted application server and quadrature digital up-converter are shared, for guaranteeing envelope The integrality of data to be signed after dress, the key that the trusted application server and quadrature digital up-converter are shared can be configured to pair Claim key, includes but is not limited to any one of DES, 3DES, IDEA, FEAL, BLOWFISH for example, by using Encryption Algorithm, it can Believe the cipher key configuration shared in application server with quadrature digital up-converter at symmetric key.Likewise, the trusted application service The key that device and quadrature digital up-converter are shared may be alternatively configured as unsymmetrical key, for example, by using the Encryption Algorithm of unsymmetrical key Any one of including but not limited to RSA, Elgamal, knapsack algorithm, Rabin, D-H, ECC, by trusted application server with The shared cipher key configuration of quadrature digital up-converter is at public key for being packaged.For example, trusted application server receives number to be signed According to, and data to be signed are carried out by the first encapsulation by the asymmetrical public key of trusted application server by utilizing, the data after encapsulation Safety significantly improves in subsequent data transfer.
S23, trusted application server return to the data to be signed after the first encapsulation to mobile application server;For example, Data to be signed after first encapsulation are back in mobile application server by server side, trusted application server.
Data to be signed after first encapsulation are returned to mobile application by S24, mobile application server.For example, movement is answered The data to be signed after the first encapsulation are back in mobile terminal by the calling interface module in mobile terminal with server Mobile application in, it is ensured that from server return data safety.In previous traditional scheme, in this transmission process Data to be signed are subject to attack and are tampered, for example, during mobile terminal and server side interact, because to be signed Data do not have trusted application server to be packaged, and data are easily tampered;In the present embodiment, server key example is at credible The key that application server and quadrature digital up-converter are shared, it is shared with quadrature digital up-converter in trusted application server due to using Key carry out encryption encapsulation guarantee integrality.
Data to be signed after first encapsulation are sent to quadrature digital up-converter by S31, mobile application;For example, mobile application The data to be signed after the first encapsulation are issued to the number in SE (safe unit) by the calling interface module in mobile terminal In the application of word certificate;In previous traditional scheme, data to be signed are subject to attack and be tampered in this transmission process, example Such as, during data to be signed are issued to quadrature digital up-converter by mobile application in mobile terminal, because data to be signed do not have Trusted application server is packaged, and data are easily tampered;In the present embodiment, server key example is at trusted application service The key that device and quadrature digital up-converter are shared, due to use the key shared in trusted application server with quadrature digital up-converter into Row encryption encapsulation guarantees integrality.
S32, quadrature digital up-converter use the key shared with trusted application server to carry out third verifying, and third verifying is logical Later it is signed using user certificate private key.Mobile application get server security encapsulation after data to be signed after, It is directly sent in quadrature digital up-converter.At this point, trusted application server is direct to the key of secure package data to be signed Negotiate with the quadrature digital up-converter in safe unit.For example, in the present embodiment, in corresponding step S22, the trusted application The key that server and quadrature digital up-converter are shared can be configured to symmetric key, include but is not limited to for example, by using Encryption Algorithm Any one of DES, 3DES, IDEA, FEAL, BLOWFISH, by what is shared in quadrature digital up-converter with trusted application server Cipher key configuration is at symmetric key.Likewise, the key that the trusted application server is shared with quadrature digital up-converter can also be matched Be set to unsymmetrical key, the Encryption Algorithm for example, by using unsymmetrical key include but is not limited to RSA, Elgamal, knapsack algorithm, Any one of Rabin, D-H, ECC, by the cipher key configuration that will be shared in quadrature digital up-converter with trusted application server at private Key is for being verified.Data to be signed after first encapsulation are verified, the purpose of verifying includes the complete of confirmation data Property and correctness show that data to be signed are not distorted illegally if being verified, and are signed using user certificate private key Name;If verifying does not pass through, show for carrying out digitlization payment or the data to be signed authorized of application permission in step S31 Attacked in the process, data are incorrect or imperfect, this signature request is illegal, user certificate private key without signature or Alarm.
Data are back to mobile application after S41, customer digital certificate signature;For example, the number card in SE (safe unit) It is back to mobile application by the data that the customer digital certificate in mobile terminal carries out signature authentication in book application, is waited to be sent Data authentication and the storage of server side are carried out to mobile application server.
Data after signature are back to mobile application server by S42, mobile application;For example, passing through the tune in mobile terminal The data of signature authentication are back to the mobile application server of server side with interface module.
S43, mobile application server use data after customer digital certificate public key verifications signature.It can recognize after being verified For in this transaction, really legal user take part in transaction.For example, mobile application server is verified, then this Third party's business is identified the valid operation of legitimate user.
Embodiment 2, the authentication method based on digital certificate are as shown in Figure 4, it should be understood that Cheng Qian is crossed in the present embodiment description It mentions and has completed initialization for digital certificate and issued, the present embodiment is configured to the application example of digital certificate, including following Step:
S11, mobile terminal and mobile application server interact;Wherein, user has applied and in mobile terminal It is mounted with that quadrature digital up-converter, mobile application server have also retained the public key certificate of the user in safe unit;User is logical It crosses mobile application to interact with server, generates the data to be signed for needing customer digital certificate to sign.For example, user passes through Mobile application can trigger the calling interface module in third party's calling service mobile terminal and obtain mobile terminal in mobile terminal Facility information and digital certificate mount message, the discovery of calling interface module mobile terminal is locally-installed have digital certificate after, and lead to It crosses mobile terminal and generates signature request, signature command, that is, data to be signed are generated with request server side.
S21, mobile application server response mobile terminal interaction request simultaneously generate data to be signed;Trusted application server It is the server for being located at digital certificate management trusted application in credible performing environment in mobile terminal for corresponding management, the number Entrance of the word certificate management trusted application as quadrature digital up-converter in control access safety unit.For example, the shifting of server side Dynamic application server receives the signature request of mobile terminal, generates signature command, that is, data to be signed, and take by mobile application Signature command, that is, data to be signed are issued to the trusted application server of corresponding digital certificate by business device.
S22, trusted application server receive data to be signed and carry out the first encapsulation using server key;In this implementation In example, the key that application server key is configured to trusted application server and digital certificate management trusted application is shared is used What the integrality of data to be signed after guaranteeing encapsulation, the trusted application server and digital certificate management trusted application were shared Key can be configured to symmetric key, for example, by using Encryption Algorithm include but is not limited to DES, 3DES, IDEA, FEAL, Any one of BLOWFISH, the cipher key configuration shared in trusted application server with digital certificate management trusted application is pairs of Claim key.Likewise, the key that the trusted application server is shared with digital certificate management trusted application may be alternatively configured as Unsymmetrical key, the Encryption Algorithm for example, by using unsymmetrical key include but is not limited to RSA, Elgamal, knapsack algorithm, Any one of Rabin, D-H, ECC match the key shared in trusted application server with digital certificate management trusted application Public key is set to for being packaged.In the present embodiment, trusted application server receives data to be signed, and passes through trusted application Data to be signed are carried out the first encapsulation by the asymmetrical public key of server by utilizing, and the data after encapsulation were transmitted in subsequent data Safety significantly improves in journey.
S23, trusted application server return to the data to be signed after the first encapsulation to mobile application server;For example, Data to be signed after first encapsulation are back in mobile application server by server side, trusted application server.
Data to be signed after first encapsulation are returned to mobile application by S24, mobile application server.For example, movement is answered The data to be signed after the first encapsulation are back in mobile terminal by the calling interface module in mobile terminal with server Mobile application in, it is ensured that from server return data safety.In previous traditional scheme, in this transmission process Data to be signed are subject to attack and are tampered, for example, during mobile terminal and server side interact, because to be signed Data do not have trusted application server to be packaged, and data are easily tampered;In the present embodiment, server key example is at credible The key that application server and digital certificate management trusted application are shared, due to using in trusted application server and digital certificate The shared key of management trusted application carries out encryption encapsulation and guarantees integrality.
Data to be signed after first encapsulation are sent to trusted application by S33, mobile application;In conventional method, at this Data to be signed are subject to attack and be tampered in transmission process, in the present embodiment, due to using in trusted application server With digital certificate management trusted application share key carry out encryption encapsulation, even if such as data to be signed attacked, data Also it can not be distorted due to being decrypted without corresponding key, to guarantee the integrality of data, simultaneously because trusted application is placed in In credible performing environment and operate under credible performing environment provided for mobile application software or other trusted applications it is safety-related Service, credible performing environment is operation isolated execution environment in a mobile device, relative to normal operating system have compared with Strong security capabilities is stored in relatively believable environment with ensuring to run application program therein, sensitive data etc., is located Reason and protection, promote safety.
S34, trusted application use the data to be signed integrality after the key pair encapsulation negotiated with trusted application server Carry out the first verifying, first be verified after using the key that trusted application and quadrature digital up-converter are shared carry out the second encapsulation; In the present embodiment, a trusted key is also had shared in trusted application and quadrature digital up-converter, for carrying out in transmission process The safeguard protection of data, trusted key carry out safeguard protection by credible performing environment and safe unit respectively, and safety is higher, In the present embodiment, trusted application key is configured to the key that trusted application and quadrature digital up-converter are shared, for guaranteeing the The key that the integrality of data to be signed after two encapsulation, the trusted application and quadrature digital up-converter are shared can be configured to symmetrically Key includes but is not limited to any one of DES, 3DES, IDEA, FEAL, BLOWFISH for example, by using Encryption Algorithm, will be credible Using the interior cipher key configuration shared with quadrature digital up-converter at symmetric key.Likewise, the trusted application is answered with digital certificate It may be alternatively configured as unsymmetrical key with shared key, the Encryption Algorithm for example, by using unsymmetrical key includes but is not limited to Any one of RSA, Elgamal, knapsack algorithm, Rabin, D-H, ECC, by what is shared in trusted application with quadrature digital up-converter Cipher key configuration is at public key for being packaged.For example, carrying out the first verifying, the first verifying to the data to be signed after the first encapsulation Purpose include confirm data integrality and correctness show that data to be signed are not distorted illegally if being verified, and The second encapsulation is carried out using the key shared in trusted application with quadrature digital up-converter;If verifying does not pass through, show to be signed Data have been attacked during step S33, and data are incorrect or imperfect, this signature request is illegal, and digital certificate is answered Data safety in subsequent data transfer with shared key without the second encapsulation or alarm, after the second encapsulation It significantly improves.
Data to be signed after second encapsulation are sent to quadrature digital up-converter by S35, trusted application;In this transmission process Middle data to be signed are subject to attack and are tampered, in the present embodiment, due to using the second encapsulation of encryption, such as number to be signed Even if according to being attacked, data can not also be distorted due to being decrypted without corresponding key, to guarantee the integrality of data, together Shi Tisheng Information Security.
S36, quadrature digital up-converter use with trusted application share key carry out second verifying, second be verified after make It is signed with user certificate private key.In the present embodiment, in corresponding step S34, when the trusted application is answered with digital certificate When can be configured to symmetric key with shared key, for example, by using Encryption Algorithm include but is not limited to DES, 3DES, IDEA, Any one of FEAL, BLOWFISH, by the cipher key configuration shared in quadrature digital up-converter with trusted application at symmetric key.Together Sample, when the key that the trusted application server and quadrature digital up-converter are shared may be alternatively configured as unsymmetrical key, such as Encryption Algorithm using unsymmetrical key includes but is not limited to RSA, Elgamal, knapsack algorithm, appointing in Rabin, D-H, ECC The cipher key configuration shared in quadrature digital up-converter with trusted application will be used to verify by one kind at private key.For example, to second Data to be signed after encapsulation are verified, and the purpose of verifying includes confirming the integrality and correctness of data, if being verified, Then show that data to be signed are not distorted illegally, and is signed using user certificate private key;If verifying do not pass through, show to Signed data has been attacked during step S35, and data are incorrect or imperfect, this signature request is illegal, user certificate Book private key is without signature or alarm.
Data are back to trusted application after S44, customer digital certificate signature;For example, by by the user in mobile terminal The data that digital certificate carries out signature authentication are back to the trusted application in SE (safe unit), and waiting is back to mobile application.
Data after signature are back to mobile application by S45, trusted application;For example, the mobile application for passing through mobile terminal will The data of signature authentication are back to mobile application, wait be sent to mobile application server carry out server side data authentication with Storage.
Data after signature are back to mobile application server by S46, mobile application;For example, the movement for passing through mobile terminal Using by signature authentication be used to carry out digitlization payment or the data authorized of application permission are back to Mobile Server.
S47, mobile application server use data after customer digital certificate public key verifications signature.It can recognize after being verified For in this transaction, really legal user take part in transaction.For example, mobile application server is verified, then recognized Determine the valid operation of legitimate user, while this transaction is legal.
Embodiment 3, as shown in figure 3, the Verification System based on digital certificate, the safety including being built in mobile terminal is single Member, mobile application server, trusted application server;The mobile application server is built-in with customer digital certificate public key, institute It states and quadrature digital up-converter is installed in safe unit;Wherein, quadrature digital up-converter is mark communication each side's identity in combined network communication The string number of information provides a kind of mode for verifying communication entity identity on internet.It in the present embodiment, is by one A legal entity is presented to user, and the digital certificate that the certificate corresponding private key of user is stored in mobile terminal safety unit is answered In, client public key certificate can be obtained from legal issuing organization by mobile application server and be used for subsequent authentication user certificate private The legitimacy of key signature, thus strictly takes part in transaction by user to determine.Safe unit is capable of providing one more The data storage of safety and computing environment.
Mobile application in mobile terminal sends the data to be signed that need customer digital certificate to sign to the shifting Dynamic application server;The mobile application server receives data to be signed and is sent to the trusted application server;It is described Trusted application server receives data to be signed and carries out the first encapsulation using server key;The trusted application server returns Data to be signed after returning the first encapsulation are to the mobile application server;The mobile application server will be after the first encapsulation Data to be signed return to mobile application;Mobile terminal to first encapsulation after data to be signed by with trusted application server Shared key is verified, and is signed after being verified using user certificate private key;Mobile terminal returns data after signature The mobile application server is returned, and uses data after customer digital certificate public key verifications signature.Wherein, the institute in mobile application It states mobile application and the data to be signed after the first encapsulation is sent to the quadrature digital up-converter;The quadrature digital up-converter uses Third verifying is carried out with the key that trusted application server is shared, third is signed after being verified using user certificate private key Name;Data are back to mobile application after customer digital certificate signature;Data after signature are back to the movement and answered by mobile application Use server;The mobile application server uses data after customer digital certificate public key verifications signature.After being verified Think in this transaction, really legal user take part in transaction.
In previous traditional scheme, data to be signed are subject to attack and be tampered in this transmission process, such as During mobile terminal and server side interact, because data to be signed do not have trusted application server to be packaged, data Easily it is tampered;In another example during data to be signed are issued to quadrature digital up-converter by mobile application in mobile terminal, because to Signed data does not have trusted application server to be packaged, and data are easily tampered;In the present embodiment, server key example at The key that trusted application server and quadrature digital up-converter are shared, due to using in trusted application server and quadrature digital up-converter Shared key carries out encryption encapsulation and guarantees integrality.
In the present embodiment, the key that the trusted application server and quadrature digital up-converter are shared can be configured to symmetrically Key includes but is not limited to any one of DES, 3DES, IDEA, FEAL, BLOWFISH for example, by using Encryption Algorithm, will be credible The key shared in the interior key shared with quadrature digital up-converter of application server, quadrature digital up-converter with trusted application server It is configured to symmetric key.Likewise, the key that the trusted application server is shared with quadrature digital up-converter may be alternatively configured as Unsymmetrical key, the Encryption Algorithm for example, by using unsymmetrical key include but is not limited to RSA, Elgamal, knapsack algorithm, Any one of Rabin, D-H, ECC, by the cipher key configuration shared in trusted application server with quadrature digital up-converter at public key It is used to carry out school at private key for being packaged, by the cipher key configuration shared in quadrature digital up-converter with trusted application server It tests.
Embodiment 4, as shown in figure 5, the Verification System based on digital certificate, the safety including being built in mobile terminal is single Member, mobile application server, trusted application server, the mobile application server are built-in with customer digital certificate public key, institute It states and quadrature digital up-converter is installed in safe unit;Wherein, quadrature digital up-converter is mark communication each side's identity in combined network communication The string number of information provides a kind of mode for verifying communication entity identity on internet.It in the present embodiment, is by one A legal entity is presented to user, and the digital certificate that the certificate corresponding private key of user is stored in mobile terminal safety unit is answered In, client public key certificate can be obtained from legal issuing organization by mobile application server and be used for subsequent authentication user certificate private The legitimacy of key signature, thus strictly takes part in transaction by user to determine.Safe unit is capable of providing one more The data storage of safety and computing environment.Verification System based on digital certificate further includes the number being built in credible performing environment The trusted application of word certificate access;Credible performing environment is the isolated execution environment of operation in a mobile device, relative to common Operating system has stronger security capabilities, to ensure to run application program therein, sensitive data etc. in relatively believable ring It stored, handled and is protected in border, improve safety.
Mobile application in mobile terminal sends the data to be signed that need customer digital certificate to sign to the shifting Dynamic application server;The mobile application server receives data to be signed and is sent to the trusted application server;It is described Trusted application server receives data to be signed and carries out the first encapsulation using server key;The trusted application server returns Data to be signed after returning the first encapsulation are to the mobile application server;The mobile application server will be after the first encapsulation Data to be signed return to mobile application;Mobile terminal to first encapsulation after data to be signed by with trusted application server Shared key is verified, and is signed after being verified using user certificate private key;Mobile terminal returns data after signature The mobile application server is returned, and uses data after customer digital certificate public key verifications signature.Mobile application is encapsulated first Data to be signed afterwards are sent to the trusted application;The trusted application is close using negotiating with the trusted application server Key carries out the first verifying to the data to be signed integrality after encapsulation, first be verified after use trusted application and the number The key of certificate Application share carries out the second encapsulation;Data to be signed after second encapsulation are sent to described by the trusted application Quadrature digital up-converter;The quadrature digital up-converter uses the key shared with the trusted application to carry out the second verifying, and second tests Card is signed after passing through using user certificate private key;Data are back to the trusted application after customer digital certificate signature;Institute It states trusted application and data after signature is back to mobile application;Data after signature are back to the mobile application and taken by mobile application Business device;The mobile application server uses data after customer digital certificate public key verifications signature.It is believed that after being verified In this transaction, really legal user take part in transaction.
In previous traditional scheme, data to be signed are subject to attack and be tampered in this transmission process, such as During mobile terminal and server side interact, because data to be signed do not have trusted application server to be packaged, data Easily it is tampered;In another example during data to be signed are issued to trusted application by mobile application in mobile terminal, because to be signed Data do not have trusted application server to be packaged, and data are easily tampered;For another example trusted application will be wait sign in mobile terminal Name data are issued to during quadrature digital up-converter, and because data to be signed do not have trusted application to be packaged, data are easily tampered; In the present embodiment, the key that server key example is shared at trusted application server and trusted application, due to using respectively The key shared in the interior key shared with trusted application of trusted application server, trusted application with digital application certificate is added Sealing dress guarantees integrality, simultaneously because it is to move under credible performing environment that trusted application, which is placed in credible performing environment and operates in, Dynamic application software or other trusted applications provide safety-related service, credible performing environment be run in a mobile device every From performing environment, has stronger security capabilities relative to normal operating system, to ensure to run application program therein, sensitivity Data etc. are stored, handled and are protected in relatively believable environment, and safety is improved;Compared to SE (safe unit), TEE (credible performing environment) and SE are in relatively independent performing environment, are not construed as limiting to scene applied by SE, in this implementation In example, the quadrature digital up-converter in SE is accessed by the trusted application in TEE, guarantees the safety of access.
In the present embodiment, key, the trusted application and number that the trusted application server and trusted application are shared The shared key of word Application Certificate can be configured to symmetric key, for example, by using Encryption Algorithm include but is not limited to DES, 3DES, Any one of IDEA, FEAL, BLOWFISH, by the key shared in trusted application server with trusted application, trusted application The interior cipher key configuration shared with trusted application server is at symmetric key, or will share with digital application certificate in trusted application The cipher key configuration shared in key, digital application certificate with trusted application is at symmetric key.Likewise, the trusted application service The device key shared with trusted application, the trusted application may be alternatively configured as asymmetric with the key that digital application certificate is shared Key, the Encryption Algorithm for example, by using unsymmetrical key include but is not limited to RSA, Elgamal, knapsack algorithm, Rabin, D-H, The cipher key configuration shared in trusted application server with trusted application is used to be packaged, be incited somebody to action by any one of ECC at public key The cipher key configuration shared in trusted application with trusted application server is at private key for being verified;Or by trusted application with number The key that the shared cipher key configuration of word Application Certificate is used to be packaged, share in digital application certificate with trusted application at public key Private key is configured to for being verified.
A kind of electronic equipment, including memory, processor and storage are on a memory and the meter that can run on a processor Calculation machine program, processor realize the above-mentioned authentication method based on digital certificate when executing program.
A kind of computer readable storage medium is stored thereon with computer program, when computer program is executed by processor Realize the above-mentioned authentication method based on digital certificate.
This specification one or more embodiment provides the authentication method based on digital certificate, including mobile terminal and service Device side interacts and generates data to be signed in server side;The trusted application server of server side by data to be signed into Mobile terminal is back to after row encapsulation;Mobile terminal to the data to be signed after encapsulation by with trusted application server share Key is verified, and is signed after being verified using user certificate private key;Data return to service after mobile terminal will sign Device side, and use data after customer digital certificate public key verifications signature.This specification one or more embodiment further relates to be based on The Verification System of digital certificate, storage medium, electronic equipment.This specification one or more embodiment passes through first by number to be signed According to sending to server progress secure package, returns again to mobile application and be sent to the mode signed in quadrature digital up-converter Carry out the certification of digital certificate.
It is above-mentioned that this specification specific embodiment is described.Other embodiments are in the scope of the appended claims It is interior.In some cases, the movement recorded in detail in the claims or step can be come according to the sequence being different from embodiment It executes and desired result still may be implemented.In addition, process depicted in the drawing not necessarily require show it is specific suitable Sequence or consecutive order are just able to achieve desired result.In some embodiments, multitasking and parallel processing be also can With or may be advantageous.
All the embodiments in this specification are described in a progressive manner, same and similar portion between each embodiment Dividing may refer to each other, and each embodiment focuses on the differences from other embodiments.Especially for device, For electronic equipment, nonvolatile computer storage media embodiment, since it is substantially similar to the method embodiment, so description It is fairly simple, the relevent part can refer to the partial explaination of embodiments of method.
Device that this specification embodiment provides, electronic equipment, nonvolatile computer storage media with method are corresponding , therefore, device, electronic equipment, nonvolatile computer storage media also have the Advantageous effect similar with corresponding method Fruit, since the advantageous effects of method being described in detail above, which is not described herein again corresponding intrument, The advantageous effects of electronic equipment, nonvolatile computer storage media.
In the 1990s, the improvement of a technology can be distinguished clearly be on hardware improvement (for example, Improvement to circuit structures such as diode, transistor, switches) or software on improvement (improvement for method flow).So And with the development of technology, the improvement of current many method flows can be considered as directly improving for hardware circuit. Designer nearly all obtains corresponding hardware circuit by the way that improved method flow to be programmed into hardware circuit.Cause This, it cannot be said that the improvement of a method flow cannot be realized with hardware entities module.For example, programmable logic device (Programmable Logic Device, PLD) (such as field programmable gate array (Field Programmable Gate Array, FPGA)) it is exactly such a integrated circuit, logic function determines device programming by user.By designer Voluntarily programming comes a digital display circuit " integrated " on a piece of PLD, designs and makes without asking chip maker Dedicated IC chip.Moreover, nowadays, substitution manually makes IC chip, this programming is also used instead mostly " is patrolled Volume compiler (logic compiler) " software realizes that software compiler used is similar when it writes with program development, And the source code before compiling also write by handy specific programming language, this is referred to as hardware description language (Hardware Description Language, HDL), and HDL is also not only a kind of, but there are many kind, such as ABEL (Advanced Boolean Expression Language)、AHDL(Altera Hardware Description Language)、Confluence、CUPL(Cornell University Programming Language)、HDCal、JHDL (Java Hardware Description Language)、Lava、Lola、MyHDL、PALASM、RHDL(Ruby Hardware Description Language) etc., VHDL (Very-High-Speed is most generally used at present Integrated Circuit Hardware Description Language) and Verilog.Those skilled in the art also answer This understands, it is only necessary to method flow slightly programming in logic and is programmed into integrated circuit with above-mentioned several hardware description languages, The hardware circuit for realizing the logical method process can be readily available.
Controller can be implemented in any suitable manner, for example, controller can take such as microprocessor or processing The computer for the computer readable program code (such as software or firmware) that device and storage can be executed by (micro-) processor can Read medium, logic gate, switch, specific integrated circuit (Application Specific Integrated Circuit, ASIC), the form of programmable logic controller (PLC) and insertion microcontroller, the example of controller includes but is not limited to following microcontroller Device: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicone Labs C8051F320 are deposited Memory controller is also implemented as a part of the control logic of memory.It is also known in the art that in addition to Pure computer readable program code mode is realized other than controller, can be made completely by the way that method and step is carried out programming in logic Controller is obtained to come in fact in the form of logic gate, switch, specific integrated circuit, programmable logic controller (PLC) and insertion microcontroller etc. Existing identical function.Therefore this controller is considered a kind of hardware component, and to including for realizing various in it The device of function can also be considered as the structure in hardware component.Or even, it can will be regarded for realizing the device of various functions For either the software module of implementation method can be the structure in hardware component again.
System, device, module or the unit that above-described embodiment illustrates can specifically realize by computer chip or entity, Or it is realized by the product with certain function.It is a kind of typically to realize that equipment is computer.Specifically, computer for example may be used Think personal computer, laptop computer, cellular phone, camera phone, smart phone, personal digital assistant, media play It is any in device, navigation equipment, electronic mail equipment, game console, tablet computer, wearable device or these equipment The combination of equipment.
For convenience of description, it is divided into various units when description apparatus above with function to describe respectively.Certainly, implementing this The function of each unit can be realized in the same or multiple software and or hardware when specification one or more embodiment.
It should be understood by those skilled in the art that, this specification embodiment can provide as method, system or computer program Product.Therefore, this specification embodiment can be used complete hardware embodiment, complete software embodiment or combine software and hardware The form of the embodiment of aspect.Moreover, it wherein includes that computer is available that this specification embodiment, which can be used in one or more, It is real in the computer-usable storage medium (including but not limited to magnetic disk storage, CD-ROM, optical memory etc.) of program code The form for the computer program product applied.
This specification is referring to the method, equipment (system) and computer program product according to this specification embodiment Flowchart and/or the block diagram describes.It should be understood that can be realized by computer program instructions every in flowchart and/or the block diagram The combination of process and/or box in one process and/or box and flowchart and/or the block diagram.It can provide these computers Processor of the program instruction to general purpose computer, special purpose computer, Embedded Processor or other programmable data processing devices To generate a machine, so that generating use by the instruction that computer or the processor of other programmable data processing devices execute In the dress for realizing the function of specifying in one or more flows of the flowchart and/or one or more blocks of the block diagram It sets.
These computer program instructions, which may also be stored in, is able to guide computer or other programmable data processing devices with spy Determine in the computer-readable memory that mode works, so that it includes referring to that instruction stored in the computer readable memory, which generates, Enable the manufacture of device, the command device realize in one box of one or more flows of the flowchart and/or block diagram or The function of being specified in multiple boxes.
These computer program instructions also can be loaded onto a computer or other programmable data processing device, so that counting Series of operation steps are executed on calculation machine or other programmable devices to generate computer implemented processing, thus in computer or The instruction executed on other programmable devices is provided for realizing in one or more flows of the flowchart and/or block diagram one The step of function of being specified in a box or multiple boxes.
In a typical configuration, calculating equipment includes one or more processors (CPU), input/output interface, net Network interface and memory.
Memory may include the non-volatile memory in computer-readable medium, random access memory (RAM) and/or The forms such as Nonvolatile memory, such as read-only memory (ROM) or flash memory (flash RAM).Memory is computer-readable medium Example.
Computer-readable medium includes permanent and non-permanent, removable and non-removable media can be by any method Or technology come realize information store.Information can be computer readable instructions, data structure, the module of program or other data. The example of the storage medium of computer includes, but are not limited to phase change memory (PRAM), static random access memory (SRAM), moves State random access memory (DRAM), other kinds of random access memory (RAM), read-only memory (ROM), electric erasable Programmable read only memory (EEPROM), flash memory or other memory techniques, read-only disc read only memory (CD-ROM) (CD-ROM), Digital versatile disc (DVD) or other optical storage, magnetic cassettes, tape magnetic disk storage or other magnetic storage devices Or any other non-transmission medium, can be used for storage can be accessed by a computing device information.As defined in this article, it calculates Machine readable medium does not include temporary computer readable media (transitory media), such as the data-signal and carrier wave of modulation.
It should also be noted that, the terms "include", "comprise" or its any other variant are intended to nonexcludability It include so that the process, method, commodity or the equipment that include a series of elements not only include those elements, but also to wrap Include other elements that are not explicitly listed, or further include for this process, method, commodity or equipment intrinsic want Element.In the absence of more restrictions, the element limited by sentence "including a ...", it is not excluded that including described want There is also other identical elements in the process, method of element, commodity or equipment.
This specification can describe in the general context of computer-executable instructions executed by a computer, such as journey Sequence module.Generally, program module include routines performing specific tasks or implementing specific abstract data types, programs, objects, Component, data structure etc..Specification can also be practiced in a distributed computing environment, in these distributed computing environments, By executing task by the connected remote processing devices of communication network.In a distributed computing environment, program module can To be located in the local and remote computer storage media including storage equipment.
All the embodiments in this specification are described in a progressive manner, same and similar portion between each embodiment Dividing may refer to each other, and each embodiment focuses on the differences from other embodiments.Especially for system reality For applying example, since it is substantially similar to the method embodiment, so being described relatively simple, related place is referring to embodiment of the method Part explanation.
The foregoing is merely this specification embodiments, are not limited to this specification one or more embodiment. To those skilled in the art, this specification one or more embodiment can have various modifications and variations.It is all in this theory Any modification, equivalent replacement, improvement and so within the spirit and principle of bright book one or more embodiment, should be included in Within the scope of the claims of this specification one or more embodiment.This specification one or more embodiment this specification one A or multiple embodiment this specification one or more embodiment this specification one or more embodiments.

Claims (12)

1. the authentication method based on digital certificate, it is characterised in that the following steps are included:
Mobile terminal initiates signature request to server side, for generating data to be signed in server side;
The trusted application server of server side is back to mobile terminal after being packaged data to be signed;
Data to be signed after mobile terminal is encapsulated by the key pair shared with trusted application server are unsealed and are verified, It is signed using user certificate private key to the data to be signed after being verified;
Data return to server side after mobile terminal will sign, and use data after customer digital certificate public key verifications signature.
2. as described in claim 1 based on the authentication method of digital certificate, which is characterized in that the credible of the server side answers Mobile terminal is back to after being packaged data to be signed with server to specifically include:
Mobile application server response Mobile terminal signature requests and generates data to be signed;
Trusted application server receives data to be signed and carries out the first envelope using the server key in trusted application server Dress;
Trusted application server returns to the data to be signed after the first encapsulation to mobile application server;
Data to be signed after first encapsulation are returned to mobile application in mobile terminal by mobile application server.
3. as claimed in claim 2 based on the authentication method of digital certificate, which is characterized in that after the mobile terminal is to encapsulation Data to be signed by with trusted application server share key verified, after being verified use user certificate private key Signature is carried out to specifically include:
The data to be signed after the first encapsulation are sent to quadrature digital up-converter in mobile terminal by mobile application in mobile terminal;
Quadrature digital up-converter uses the key shared with trusted application server to unseal and carries out third verifying, and third is verified It is signed afterwards using user certificate private key.
4. as claimed in claim 3 based on the authentication method of digital certificate, which is characterized in that after the mobile terminal will sign Data return to server side, and are specifically included using data after customer digital certificate public key verifications signature:
Data are back to mobile application in mobile terminal after customer digital certificate signature;
Data after signature are back to mobile application server by mobile application in mobile terminal;
Mobile application server uses data after customer digital certificate public key verifications signature.
5. as claimed in claim 2 based on the authentication method of digital certificate, which is characterized in that after the mobile terminal is to encapsulation Data to be signed by with trusted application server share key verified, after being verified use user certificate private key Signature is carried out to specifically include:
The data to be signed after the first encapsulation are sent to trusted application in mobile terminal by mobile application in mobile terminal;
Trusted application uses the data to be signed after the key pair encapsulation negotiated with trusted application server to unseal in mobile terminal And carry out the first verifying of data integrity, first be verified after using trusted application and quadrature digital up-converter in mobile terminal Shared key carries out the second encapsulation;
The data to be signed after the second encapsulation are sent to quadrature digital up-converter in mobile terminal by trusted application in mobile terminal;
Quadrature digital up-converter uses the key shared with trusted application in mobile terminal to unseal and carry out second and tests in mobile terminal Card, second be verified after signed using user certificate private key.
6. as claimed in claim 5 based on the authentication method of digital certificate, which is characterized in that after the mobile terminal will sign Data return to server side, and specific using data after customer digital certificate public key verifications signature further include:
Data are back to trusted application in mobile terminal after customer digital certificate signature in mobile terminal;
Data after signature are back to mobile application in mobile terminal by trusted application in mobile terminal;
Data after signature are back to mobile application server by mobile application in mobile terminal;
Mobile application server uses data after customer digital certificate public key verifications signature.
7. the authentication method as claimed in any one of claims 1 to 6 based on digital certificate, which is characterized in that using asymmetrical Key or symmetrical key pair data to be signed are packaged.
8. a kind of electronic equipment, including memory, processor and storage are on a memory and the calculating that can run on a processor Machine program, which is characterized in that the processor realizes the step of any one of claim 1-7 method when executing described program.
9. a kind of computer readable storage medium, is stored thereon with computer program, which is characterized in that the computer program quilt The step of any one of claim 1-7 method is realized when processor executes.
10. the Verification System based on digital certificate, it is characterised in that: including being built in the safe unit of mobile terminal, movement is answered With server, trusted application server;
The mobile application server is built-in with customer digital certificate public key, is equipped with digital certificate in the safe unit and answers With;Mobile application in mobile terminal sends the data to be signed that need customer digital certificate to sign to the mobile application Server;The mobile application server receives data to be signed and is sent to the trusted application server;
The trusted application server receives data to be signed and carries out the first encapsulation using server key;The trusted application Server returns to the data to be signed after the first encapsulation to the mobile application server;The mobile application server is by first Data to be signed after encapsulation return to mobile application;
Mobile terminal verifies the data to be signed after the first encapsulation by the key shared with trusted application server, tests Card is signed after passing through using user certificate private key;Data return to the mobile application server after mobile terminal will sign, And use data after customer digital certificate public key verifications signature.
11. as claimed in claim 10 based on the Verification System of digital certificate, it is characterised in that: the mobile application is by first Data to be signed after encapsulation are sent to the quadrature digital up-converter;The quadrature digital up-converter use and trusted application server Shared key carries out third verifying, and third is signed after being verified using user certificate private key;Customer digital certificate label Data are back to mobile application after name;Data after signature are back to the mobile application server by mobile application;The movement Application server uses data after customer digital certificate public key verifications signature.
12. as claimed in claim 10 based on the Verification System of digital certificate, it is characterised in that: further include being built in credible hold The trusted application of digital certificate access in row environment;Mobile application by the data to be signed after the first encapsulation be sent to it is described can Letter application;The trusted application uses the data to be signed after the key pair encapsulation negotiated with the trusted application server complete Property carry out the first verifying, first be verified after carried out using the key that the trusted application and the quadrature digital up-converter are shared Second encapsulation;Data to be signed after second encapsulation are sent to the quadrature digital up-converter by the trusted application;The number Certificate carries out the second verifying using the key shared with the trusted application, second be verified after it is private using user certificate Key is signed;Data are back to the trusted application after customer digital certificate signature;Data after the trusted application will sign It is back to mobile application;Data after signature are back to the mobile application server by mobile application;The mobile application service Device uses data after customer digital certificate public key verifications signature.
CN201811186820.9A 2018-10-12 2018-10-12 Authentication method and system based on digital certificate, storage medium and electronic equipment Active CN109560933B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811186820.9A CN109560933B (en) 2018-10-12 2018-10-12 Authentication method and system based on digital certificate, storage medium and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811186820.9A CN109560933B (en) 2018-10-12 2018-10-12 Authentication method and system based on digital certificate, storage medium and electronic equipment

Publications (2)

Publication Number Publication Date
CN109560933A true CN109560933A (en) 2019-04-02
CN109560933B CN109560933B (en) 2022-04-08

Family

ID=65864912

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811186820.9A Active CN109560933B (en) 2018-10-12 2018-10-12 Authentication method and system based on digital certificate, storage medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN109560933B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110365488A (en) * 2019-07-23 2019-10-22 上海铂英飞信息技术有限公司 Based on the authentication method under untrusted environment, apparatus and system
CN110838919A (en) * 2019-11-01 2020-02-25 广州小鹏汽车科技有限公司 Communication method, storage method, operation method and device
CN114531225A (en) * 2020-11-02 2022-05-24 深圳Tcl新技术有限公司 End-to-end communication encryption method, device, storage medium and terminal equipment
CN114785514A (en) * 2022-03-23 2022-07-22 国网上海能源互联网研究院有限公司 Method and system for authorizing application permission of industrial Internet of things terminal

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101790166A (en) * 2009-12-30 2010-07-28 上海柯斯软件有限公司 Digital signing method based on mobile phone intelligent card
CN102088441A (en) * 2009-12-08 2011-06-08 北京大学 Data encryption transmission method and system for message-oriented middleware
WO2014106181A2 (en) * 2012-12-31 2014-07-03 Vasco Data Security, Inc. A method and an apparatus for securely signing application data
CN105871867A (en) * 2016-04-27 2016-08-17 腾讯科技(深圳)有限公司 Identity authentication method, system and equipment
US20160335627A1 (en) * 2015-05-11 2016-11-17 Gemalto Sa Method, device and a server for signing data
CN108335105A (en) * 2018-01-18 2018-07-27 中国建设银行股份有限公司 Data processing method and relevant device

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102088441A (en) * 2009-12-08 2011-06-08 北京大学 Data encryption transmission method and system for message-oriented middleware
CN101790166A (en) * 2009-12-30 2010-07-28 上海柯斯软件有限公司 Digital signing method based on mobile phone intelligent card
WO2014106181A2 (en) * 2012-12-31 2014-07-03 Vasco Data Security, Inc. A method and an apparatus for securely signing application data
US20160335627A1 (en) * 2015-05-11 2016-11-17 Gemalto Sa Method, device and a server for signing data
CN105871867A (en) * 2016-04-27 2016-08-17 腾讯科技(深圳)有限公司 Identity authentication method, system and equipment
CN108335105A (en) * 2018-01-18 2018-07-27 中国建设银行股份有限公司 Data processing method and relevant device

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110365488A (en) * 2019-07-23 2019-10-22 上海铂英飞信息技术有限公司 Based on the authentication method under untrusted environment, apparatus and system
CN110838919A (en) * 2019-11-01 2020-02-25 广州小鹏汽车科技有限公司 Communication method, storage method, operation method and device
CN110838919B (en) * 2019-11-01 2021-04-13 广州小鹏汽车科技有限公司 Communication method, storage method, operation method and device
CN114531225A (en) * 2020-11-02 2022-05-24 深圳Tcl新技术有限公司 End-to-end communication encryption method, device, storage medium and terminal equipment
CN114785514A (en) * 2022-03-23 2022-07-22 国网上海能源互联网研究院有限公司 Method and system for authorizing application permission of industrial Internet of things terminal
CN114785514B (en) * 2022-03-23 2023-11-14 国网上海能源互联网研究院有限公司 Method and system for application license authorization of industrial Internet of things terminal

Also Published As

Publication number Publication date
CN109560933B (en) 2022-04-08

Similar Documents

Publication Publication Date Title
CN111181720B (en) Service processing method and device based on trusted execution environment
US20200372503A1 (en) Transaction messaging
CN111401902B (en) Service processing method, device and equipment based on block chain
US20200167775A1 (en) Virtual pos terminal method and apparatus
CN110020855B (en) Method, node and storage medium for realizing privacy protection in block chain
CN111680305B (en) Data processing method, device and equipment based on block chain
CN109560933A (en) Authentication method and system, storage medium based on digital certificate, electronic equipment
CN108932297A (en) A kind of data query, data sharing method, device and equipment
CN107743133A (en) Mobile terminal and its access control method and system based on trustable security environment
CN110033368A (en) The method of secret protection is realized in block chain
CN107067056A (en) Two-dimensional code generation method and its equipment and two-dimensional code identification method and its equipment
CN111027632B (en) Model training method, device and equipment
CN109522722A (en) System method and device of safe processing
CN110033267A (en) Method, node, system and the storage medium of secret protection are realized in block chain
CN108055132A (en) The method, apparatus and equipment of a kind of service authorization
CN110020856B (en) Method, node and storage medium for realizing mixed transaction in block chain
CN109347629A (en) Key transmission method and system based on shared security application, storage medium, equipment
CN110032885A (en) Method, node and the storage medium of secret protection are realized in block chain
CN109741063A (en) Digital signature method and device based on block chain
CN110060054A (en) Method, node, system and the storage medium of secret protection are realized in block chain
CN110008736A (en) The method and node, storage medium of secret protection are realized in block chain
TWI697854B (en) Method, device and equipment for paying ride fee
CN111079152B (en) Model deployment method, device and equipment
CN111683103A (en) Information interaction method and device
CN108768963A (en) The communication means and system of trusted application and safety element

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
TA01 Transfer of patent application right

Effective date of registration: 20201010

Address after: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Applicant after: Innovative advanced technology Co.,Ltd.

Address before: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Applicant before: Advanced innovation technology Co.,Ltd.

Effective date of registration: 20201010

Address after: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Applicant after: Advanced innovation technology Co.,Ltd.

Address before: A four-storey 847 mailbox in Grand Cayman Capital Building, British Cayman Islands

Applicant before: Alibaba Group Holding Ltd.

TA01 Transfer of patent application right
TA01 Transfer of patent application right

Effective date of registration: 20220310

Address after: Room 204, building 15, No. 1999, middle section of Yizhou Avenue, Chengdu hi tech Zone, China (Sichuan) pilot Free Trade Zone, Chengdu, Sichuan

Applicant after: Ant Rongxin (Chengdu) Network Technology Co.,Ltd.

Address before: 27 Hospital Road, George Town, Grand Cayman ky1-9008

Applicant before: Innovative advanced technology Co.,Ltd.

GR01 Patent grant
GR01 Patent grant