Authentication method and system, storage medium based on digital certificate, electronic equipment
Technical field
This specification one or more embodiment is related to mobile terminal digital certificate authentication field, more particularly to based on number card
The authentication method and system of book, storage medium, electronic equipment.
Background technique
It is more more and more intense to the demand for security of user identity authentication along with the development of mobile Internet business.Number card
Book application is a kind of typical user identity authentication mode.Traditional quadrature digital up-converter is to be presented to the individually card of user one
Book hardware carrier, the corresponding private key of carrier built in user certificate, when carrying out network service trade confirmation link, user is used
The certificate is signed, and realizes authentication.In the nowadays mobile Internet stage, the quadrature digital up-converter of user it is built-in in
In safe unit in customer mobile terminal, when needing to authenticate user identity, the digital certificate that calls this built-in into
Row signature operation.But there are security breaches for this usage mode at present in the terminal, for example, by data to be signed
Safety can not ensure in transmittance process in mobile terminal, and especially mobile application is answered toward the digital certificate positioned at safe unit
When being transmitted in, it is understood that there may be a possibility that data to be signed are distorted by people.Accordingly, it is desirable to provide a kind of more reliable side
Case.
A kind of possible security enhanced manner is that one is shared in mobile application and quadrature digital up-converter in the prior art
Security key, for being encrypted to the data to be signed of transmission, however, since mobile application inherently safe protects intensity
Not enough, however it remains security key a possibility that being leaked, therefore this security enhanced manner is still inadequate.
Summary of the invention
This specification one or more embodiment is based at least one above-mentioned technical problem, proposes based on number card
The authentication method and system of book, electronic equipment, storage medium can ensure to a certain degree or avoid in data to be signed in movement
Terminal inner is not maliciously tampered from the safety in the transmission process that mobile application is transmitted to quadrature digital up-converter.
In order to achieve the above objectives, this specification one or more embodiment provides the authentication method based on digital certificate, packet
Include following steps:
S1, mobile terminal send signature request to server side, for generating data to be signed in server side;
S2, server side trusted application server data to be signed are packaged after be back to mobile terminal;
S3, mobile terminal are unsealed by the data to be signed after the key pair encapsulation shared with trusted application server
And verify, it is signed using user certificate private key to the data to be signed after being verified;
S4, mobile terminal will sign after data return server side, and using customer digital certificate public key verifications signature after
Data.
Further, step S2 includes following sub-step:
S21, mobile application server response Mobile terminal signature request and generate data to be signed;
S22, trusted application server receive data to be signed and using the server key in trusted application server into
Row first encapsulates;
S23, trusted application server return to the data to be signed after the first encapsulation to mobile application server;
Data to be signed after first encapsulation are returned to mobile application in mobile terminal by S24, mobile application server.
Further, step S3 includes following sub-step:
The data to be signed after the first encapsulation are sent to number card in mobile terminal by mobile application in S31, mobile terminal
Book application;
S32, quadrature digital up-converter use the key shared with trusted application server to unseal and carry out third verifying, third
It is signed after being verified using user certificate private key.
Further, step S4 includes following sub-step:
S41, data are back to mobile application in mobile terminal after customer digital certificate signature;
Data after signature are back to mobile application server by mobile application in S42, mobile terminal;
S43, mobile application server use data after customer digital certificate public key verifications signature.
Further, step S3 further includes following sub-step:
The data to be signed after the first encapsulation are sent to credible in mobile terminal answer by mobile application in S33, mobile terminal
With;
It is to be signed after trusted application uses the key pair negotiated with trusted application server to encapsulate in S34, mobile terminal
Data unseal and carry out the first verifying of data integrity, first be verified after using trusted application in mobile terminal and number
The key of certificate Application share carries out the second encapsulation;
The data to be signed after the second encapsulation are sent to number card in mobile terminal by trusted application in S35, mobile terminal
Book application;
Quadrature digital up-converter uses the key shared with trusted application in mobile terminal deblocking to go forward side by side in S36, mobile terminal
Row second verify, second be verified after signed using user certificate private key.
Further, step S4 further includes following sub-step:
Data are back to trusted application in mobile terminal after customer digital certificate signature in S44, mobile terminal;
Data after signature are back to mobile application in mobile terminal by trusted application in S45, mobile terminal;
Data after signature are back to mobile application server by mobile application in S46, mobile terminal;
S47, mobile application server use data after customer digital certificate public key verifications signature.
Preferably, it is packaged in step S2 using asymmetrical key pair data to be signed.
Preferably, it is packaged in step S2 using symmetrical key pair data to be signed.
Verification System based on digital certificate, including be built in the safe unit of mobile terminal, mobile application server, can
Believe that application server, the mobile application server are built-in with customer digital certificate public key, are equipped with number in the safe unit
Word certificate application;Mobile application in mobile terminal sends the data to be signed that need customer digital certificate to sign to described
Mobile application server;The mobile application server receives data to be signed and is sent to the trusted application server;Institute
Trusted application server is stated to receive data to be signed and carry out the first encapsulation using server key;The trusted application server
Data to be signed after returning to the first encapsulation are to the mobile application server;The mobile application server will be after the first encapsulation
Data to be signed return to mobile application;Mobile terminal to first encapsulation after data to be signed by with trusted application service
The shared key of device is verified, and is signed after being verified using user certificate private key;Data after mobile terminal will sign
The mobile application server is returned, and uses data after customer digital certificate public key verifications signature.
Preferably, the data to be signed after the first encapsulation are sent to the quadrature digital up-converter by the mobile application;Institute
Stating quadrature digital up-converter uses the key shared with trusted application server to carry out third verifying, and third is used after being verified and used
Family certificate and private key is signed;Data are back to mobile application after customer digital certificate signature;Data after mobile application will sign
It is back to the mobile application server;The mobile application server uses number after customer digital certificate public key verifications signature
According to.
It preferably, further include the trusted application for the digital certificate access being built in credible performing environment;Mobile application will
Data to be signed after first encapsulation are sent to the trusted application;The trusted application use and the trusted application server
Negotiation key pair encapsulation after data to be signed integrality carry out first verifying, first be verified after using trusted application with
The shared key of the quadrature digital up-converter carries out the second encapsulation;The trusted application sends out the data to be signed after the second encapsulation
It send to the quadrature digital up-converter;The quadrature digital up-converter uses the key shared with the trusted application to carry out second and tests
Card, second be verified after signed using user certificate private key;After customer digital certificate signature data be back to it is described can
Letter application;Data after signature are back to mobile application by the trusted application;Data after signature are back to described by mobile application
Mobile application server;The mobile application server uses data after customer digital certificate public key verifications signature.
Preferably, the server key includes symmetric key, the Encryption Algorithm of the symmetric key include DES, 3DES,
Any one of IDEA, FEAL, BLOWFISH.
Preferably, the server key includes unsymmetrical key, the Encryption Algorithm of the unsymmetrical key include RSA,
Any one of Elgamal, knapsack algorithm, Rabin, D-H, ECC.
Preferably, the key that the trusted application and the quadrature digital up-converter are shared includes unsymmetrical key, described non-
The Encryption Algorithm of symmetric key includes any one of RSA, Elgamal, knapsack algorithm, Rabin, D-H, ECC.
Preferably, the key that the trusted application and the quadrature digital up-converter are shared includes unsymmetrical key, described non-
The Encryption Algorithm of symmetric key includes any one of RSA, Elgamal, knapsack algorithm, Rabin, D-H, ECC.
A kind of electronic equipment, including memory, processor and storage are on a memory and the meter that can run on a processor
Calculation machine program, the processor realize the above-mentioned authentication method based on digital certificate when executing described program.
A kind of computer readable storage medium, is stored thereon with computer program, and the computer program is held by processor
The above-mentioned authentication method based on digital certificate is realized when row.
Compared with prior art, the advantage of this specification one or more embodiment is:
This specification one or more embodiment provides the authentication method based on digital certificate, comprising steps of mobile terminal
It is interacted with server side, for generating data to be signed in server side;The trusted application server of server side will be to
Signed data is back to mobile terminal after being packaged;Mobile terminal is encapsulated by the key pair shared with trusted application server
Data to be signed afterwards are unsealed and are verified, and are signed using user certificate private key to the data to be signed after being verified
Name;Data return to server side after mobile terminal will sign, and use data after customer digital certificate public key verifications signature.This theory
Bright book one or more embodiment further relates to Verification System based on digital certificate, storage medium, electronic equipment.This specification one
A or multiple embodiments by returning again to mobile application after first being sent data to be signed and carrying out secure package to server, by
It is sent to the mode signed in quadrature digital up-converter through trusted application, is answered with ensuring data to be signed being sent to digital certificate
It is not tampered with preceding, guarantees the Information Security of digital certificate authentication process.
Above description is only the general introduction of this specification one or more embodiment technical solution, in order to better understand
The technological means of this specification one or more embodiment, and can be implemented in accordance with the contents of the specification, below with this explanation
The preferred embodiment of book one or more embodiment simultaneously cooperates attached drawing detailed description is as follows.This specification one or more embodiment
Specific embodiment be shown in detail by following embodiment and its attached drawing.
Detailed description of the invention
The embodiment with this specification one or more embodiment is described in further detail with reference to the accompanying drawing.
Fig. 1 is the authentication method flow chart based on digital certificate of this specification one or more embodiment;
Fig. 2 is the authentication method flow chart based on digital certificate of this specification embodiment 1;
Fig. 3 is the Verification System schematic diagram based on digital certificate of this specification embodiment 3;
Fig. 4 is the authentication method flow chart based on digital certificate of this specification embodiment 2;
Fig. 5 is the Verification System schematic diagram based on digital certificate of this specification embodiment 4.
Specific embodiment
In order to make those skilled in the art more fully understand the technical solution in this specification, below in conjunction with this explanation
Attached drawing in book embodiment is clearly and completely described the technical solution in this specification embodiment, it is clear that described
Embodiment be only this specification one or more embodiment a part of the embodiment, instead of all the embodiments.Based on this
Specification embodiment, every other implementation obtained by those of ordinary skill in the art without making creative efforts
The range of this specification one or more embodiment protection all should belong in example.
Authentication method based on digital certificate, as shown in Figure 1, comprising the following steps:
S1, mobile terminal send signature request to server side, for generating data to be signed in server side;It is real one
It applies in example, as shown in Figure 1, mobile terminal and server side interact and generate data to be signed in server side, for example,
In shopping online, user checks that browsing places an order in on-line shop's platform, is interacted by cell phone client and server-side,
In, some data mobile phone terminal generate, such as user input information or selection user side information, some then server-side produce
It is raw, such as the information of the server sides such as order number, serial number, server side sends signature request according to mobile terminal, by user
The information of side information and server side is summarized and is handled, and data to be signed are generated.It should be appreciated that for generating number to be signed
According to data source can derive from mobile terminal, can also derive from server side, it is not limited here.It is also understood that handing over
Mutually mean that participating in movable object can mutually exchange, and interact on both side;Such as: when computer plays certain Multimedia Program
It waits, programming personnel can issue the operation that instruction controls the program, rather than program unilaterally executes, and program is receiving
Programming personnel correspondingly makes a response after instructing accordingly, this process and behavior, referred to as interactive, in the present embodiment,
When interaction exists only in the data source of data to be signed from mobile terminal and server side, for convenience of describing, implement below
The description that signature request to server side mostly uses mobile terminal with server side progress " interaction " is sent to mobile terminal in example
Mode should not limit protection scope to this.
S2, server side trusted application server data to be signed are packaged after be back to mobile terminal;
S3, mobile terminal are unsealed by the data to be signed after the key pair encapsulation shared with trusted application server
And verify, it is signed using user certificate private key to the data to be signed after being verified;
S4, mobile terminal will sign after data return server side, and using customer digital certificate public key verifications signature after
Data.
It should be appreciated that encapsulation process includes but is not limited to data encryption, the data packing for checking data integrity, correspond to
Deblocking process includes but is not limited to data deciphering, completeness check.
Embodiment 1, the authentication method based on digital certificate are as shown in Figure 2, it should be understood that Cheng Qian is crossed in the present embodiment description
It mentions and has completed initialization for digital certificate and issued, the present embodiment is configured to the application example of digital certificate, including following
Step:
S11, mobile terminal and mobile application server interact;Wherein, user has applied and in mobile terminal
It is mounted with that quadrature digital up-converter, mobile application server have also retained the public key certificate of the user in safe unit;User is logical
It crosses mobile application to interact with server, generates the data to be signed for needing customer digital certificate to sign.For example, user passes through
Mobile application can trigger the calling interface module in third party's calling service mobile terminal and obtain mobile terminal in mobile terminal
Facility information and digital certificate mount message, the discovery of calling interface module mobile terminal is locally-installed have digital certificate after, and lead to
It crosses mobile terminal and generates signature request, signature command, that is, data to be signed are generated with request server side.
S21, mobile application server response mobile terminal interaction request simultaneously generate data to be signed;Trusted application server
It is the server for being located at digital certificate management trusted application in credible performing environment in mobile terminal for corresponding management, the number
Entrance of the word certificate management trusted application as quadrature digital up-converter in control access safety unit.For example, the shifting of server side
Dynamic application server receives the signature request of mobile terminal, generates signature command, that is, data to be signed, and take by mobile application
Signature command, that is, data to be signed are issued to the trusted application server of corresponding digital certificate by business device.
S22, trusted application server receive data to be signed and carry out the first encapsulation using server key;In this implementation
In example, application server key is configured to the key that trusted application server and quadrature digital up-converter are shared, for guaranteeing envelope
The integrality of data to be signed after dress, the key that the trusted application server and quadrature digital up-converter are shared can be configured to pair
Claim key, includes but is not limited to any one of DES, 3DES, IDEA, FEAL, BLOWFISH for example, by using Encryption Algorithm, it can
Believe the cipher key configuration shared in application server with quadrature digital up-converter at symmetric key.Likewise, the trusted application service
The key that device and quadrature digital up-converter are shared may be alternatively configured as unsymmetrical key, for example, by using the Encryption Algorithm of unsymmetrical key
Any one of including but not limited to RSA, Elgamal, knapsack algorithm, Rabin, D-H, ECC, by trusted application server with
The shared cipher key configuration of quadrature digital up-converter is at public key for being packaged.For example, trusted application server receives number to be signed
According to, and data to be signed are carried out by the first encapsulation by the asymmetrical public key of trusted application server by utilizing, the data after encapsulation
Safety significantly improves in subsequent data transfer.
S23, trusted application server return to the data to be signed after the first encapsulation to mobile application server;For example,
Data to be signed after first encapsulation are back in mobile application server by server side, trusted application server.
Data to be signed after first encapsulation are returned to mobile application by S24, mobile application server.For example, movement is answered
The data to be signed after the first encapsulation are back in mobile terminal by the calling interface module in mobile terminal with server
Mobile application in, it is ensured that from server return data safety.In previous traditional scheme, in this transmission process
Data to be signed are subject to attack and are tampered, for example, during mobile terminal and server side interact, because to be signed
Data do not have trusted application server to be packaged, and data are easily tampered;In the present embodiment, server key example is at credible
The key that application server and quadrature digital up-converter are shared, it is shared with quadrature digital up-converter in trusted application server due to using
Key carry out encryption encapsulation guarantee integrality.
Data to be signed after first encapsulation are sent to quadrature digital up-converter by S31, mobile application;For example, mobile application
The data to be signed after the first encapsulation are issued to the number in SE (safe unit) by the calling interface module in mobile terminal
In the application of word certificate;In previous traditional scheme, data to be signed are subject to attack and be tampered in this transmission process, example
Such as, during data to be signed are issued to quadrature digital up-converter by mobile application in mobile terminal, because data to be signed do not have
Trusted application server is packaged, and data are easily tampered;In the present embodiment, server key example is at trusted application service
The key that device and quadrature digital up-converter are shared, due to use the key shared in trusted application server with quadrature digital up-converter into
Row encryption encapsulation guarantees integrality.
S32, quadrature digital up-converter use the key shared with trusted application server to carry out third verifying, and third verifying is logical
Later it is signed using user certificate private key.Mobile application get server security encapsulation after data to be signed after,
It is directly sent in quadrature digital up-converter.At this point, trusted application server is direct to the key of secure package data to be signed
Negotiate with the quadrature digital up-converter in safe unit.For example, in the present embodiment, in corresponding step S22, the trusted application
The key that server and quadrature digital up-converter are shared can be configured to symmetric key, include but is not limited to for example, by using Encryption Algorithm
Any one of DES, 3DES, IDEA, FEAL, BLOWFISH, by what is shared in quadrature digital up-converter with trusted application server
Cipher key configuration is at symmetric key.Likewise, the key that the trusted application server is shared with quadrature digital up-converter can also be matched
Be set to unsymmetrical key, the Encryption Algorithm for example, by using unsymmetrical key include but is not limited to RSA, Elgamal, knapsack algorithm,
Any one of Rabin, D-H, ECC, by the cipher key configuration that will be shared in quadrature digital up-converter with trusted application server at private
Key is for being verified.Data to be signed after first encapsulation are verified, the purpose of verifying includes the complete of confirmation data
Property and correctness show that data to be signed are not distorted illegally if being verified, and are signed using user certificate private key
Name;If verifying does not pass through, show for carrying out digitlization payment or the data to be signed authorized of application permission in step S31
Attacked in the process, data are incorrect or imperfect, this signature request is illegal, user certificate private key without signature or
Alarm.
Data are back to mobile application after S41, customer digital certificate signature;For example, the number card in SE (safe unit)
It is back to mobile application by the data that the customer digital certificate in mobile terminal carries out signature authentication in book application, is waited to be sent
Data authentication and the storage of server side are carried out to mobile application server.
Data after signature are back to mobile application server by S42, mobile application;For example, passing through the tune in mobile terminal
The data of signature authentication are back to the mobile application server of server side with interface module.
S43, mobile application server use data after customer digital certificate public key verifications signature.It can recognize after being verified
For in this transaction, really legal user take part in transaction.For example, mobile application server is verified, then this
Third party's business is identified the valid operation of legitimate user.
Embodiment 2, the authentication method based on digital certificate are as shown in Figure 4, it should be understood that Cheng Qian is crossed in the present embodiment description
It mentions and has completed initialization for digital certificate and issued, the present embodiment is configured to the application example of digital certificate, including following
Step:
S11, mobile terminal and mobile application server interact;Wherein, user has applied and in mobile terminal
It is mounted with that quadrature digital up-converter, mobile application server have also retained the public key certificate of the user in safe unit;User is logical
It crosses mobile application to interact with server, generates the data to be signed for needing customer digital certificate to sign.For example, user passes through
Mobile application can trigger the calling interface module in third party's calling service mobile terminal and obtain mobile terminal in mobile terminal
Facility information and digital certificate mount message, the discovery of calling interface module mobile terminal is locally-installed have digital certificate after, and lead to
It crosses mobile terminal and generates signature request, signature command, that is, data to be signed are generated with request server side.
S21, mobile application server response mobile terminal interaction request simultaneously generate data to be signed;Trusted application server
It is the server for being located at digital certificate management trusted application in credible performing environment in mobile terminal for corresponding management, the number
Entrance of the word certificate management trusted application as quadrature digital up-converter in control access safety unit.For example, the shifting of server side
Dynamic application server receives the signature request of mobile terminal, generates signature command, that is, data to be signed, and take by mobile application
Signature command, that is, data to be signed are issued to the trusted application server of corresponding digital certificate by business device.
S22, trusted application server receive data to be signed and carry out the first encapsulation using server key;In this implementation
In example, the key that application server key is configured to trusted application server and digital certificate management trusted application is shared is used
What the integrality of data to be signed after guaranteeing encapsulation, the trusted application server and digital certificate management trusted application were shared
Key can be configured to symmetric key, for example, by using Encryption Algorithm include but is not limited to DES, 3DES, IDEA, FEAL,
Any one of BLOWFISH, the cipher key configuration shared in trusted application server with digital certificate management trusted application is pairs of
Claim key.Likewise, the key that the trusted application server is shared with digital certificate management trusted application may be alternatively configured as
Unsymmetrical key, the Encryption Algorithm for example, by using unsymmetrical key include but is not limited to RSA, Elgamal, knapsack algorithm,
Any one of Rabin, D-H, ECC match the key shared in trusted application server with digital certificate management trusted application
Public key is set to for being packaged.In the present embodiment, trusted application server receives data to be signed, and passes through trusted application
Data to be signed are carried out the first encapsulation by the asymmetrical public key of server by utilizing, and the data after encapsulation were transmitted in subsequent data
Safety significantly improves in journey.
S23, trusted application server return to the data to be signed after the first encapsulation to mobile application server;For example,
Data to be signed after first encapsulation are back in mobile application server by server side, trusted application server.
Data to be signed after first encapsulation are returned to mobile application by S24, mobile application server.For example, movement is answered
The data to be signed after the first encapsulation are back in mobile terminal by the calling interface module in mobile terminal with server
Mobile application in, it is ensured that from server return data safety.In previous traditional scheme, in this transmission process
Data to be signed are subject to attack and are tampered, for example, during mobile terminal and server side interact, because to be signed
Data do not have trusted application server to be packaged, and data are easily tampered;In the present embodiment, server key example is at credible
The key that application server and digital certificate management trusted application are shared, due to using in trusted application server and digital certificate
The shared key of management trusted application carries out encryption encapsulation and guarantees integrality.
Data to be signed after first encapsulation are sent to trusted application by S33, mobile application;In conventional method, at this
Data to be signed are subject to attack and be tampered in transmission process, in the present embodiment, due to using in trusted application server
With digital certificate management trusted application share key carry out encryption encapsulation, even if such as data to be signed attacked, data
Also it can not be distorted due to being decrypted without corresponding key, to guarantee the integrality of data, simultaneously because trusted application is placed in
In credible performing environment and operate under credible performing environment provided for mobile application software or other trusted applications it is safety-related
Service, credible performing environment is operation isolated execution environment in a mobile device, relative to normal operating system have compared with
Strong security capabilities is stored in relatively believable environment with ensuring to run application program therein, sensitive data etc., is located
Reason and protection, promote safety.
S34, trusted application use the data to be signed integrality after the key pair encapsulation negotiated with trusted application server
Carry out the first verifying, first be verified after using the key that trusted application and quadrature digital up-converter are shared carry out the second encapsulation;
In the present embodiment, a trusted key is also had shared in trusted application and quadrature digital up-converter, for carrying out in transmission process
The safeguard protection of data, trusted key carry out safeguard protection by credible performing environment and safe unit respectively, and safety is higher,
In the present embodiment, trusted application key is configured to the key that trusted application and quadrature digital up-converter are shared, for guaranteeing the
The key that the integrality of data to be signed after two encapsulation, the trusted application and quadrature digital up-converter are shared can be configured to symmetrically
Key includes but is not limited to any one of DES, 3DES, IDEA, FEAL, BLOWFISH for example, by using Encryption Algorithm, will be credible
Using the interior cipher key configuration shared with quadrature digital up-converter at symmetric key.Likewise, the trusted application is answered with digital certificate
It may be alternatively configured as unsymmetrical key with shared key, the Encryption Algorithm for example, by using unsymmetrical key includes but is not limited to
Any one of RSA, Elgamal, knapsack algorithm, Rabin, D-H, ECC, by what is shared in trusted application with quadrature digital up-converter
Cipher key configuration is at public key for being packaged.For example, carrying out the first verifying, the first verifying to the data to be signed after the first encapsulation
Purpose include confirm data integrality and correctness show that data to be signed are not distorted illegally if being verified, and
The second encapsulation is carried out using the key shared in trusted application with quadrature digital up-converter;If verifying does not pass through, show to be signed
Data have been attacked during step S33, and data are incorrect or imperfect, this signature request is illegal, and digital certificate is answered
Data safety in subsequent data transfer with shared key without the second encapsulation or alarm, after the second encapsulation
It significantly improves.
Data to be signed after second encapsulation are sent to quadrature digital up-converter by S35, trusted application;In this transmission process
Middle data to be signed are subject to attack and are tampered, in the present embodiment, due to using the second encapsulation of encryption, such as number to be signed
Even if according to being attacked, data can not also be distorted due to being decrypted without corresponding key, to guarantee the integrality of data, together
Shi Tisheng Information Security.
S36, quadrature digital up-converter use with trusted application share key carry out second verifying, second be verified after make
It is signed with user certificate private key.In the present embodiment, in corresponding step S34, when the trusted application is answered with digital certificate
When can be configured to symmetric key with shared key, for example, by using Encryption Algorithm include but is not limited to DES, 3DES, IDEA,
Any one of FEAL, BLOWFISH, by the cipher key configuration shared in quadrature digital up-converter with trusted application at symmetric key.Together
Sample, when the key that the trusted application server and quadrature digital up-converter are shared may be alternatively configured as unsymmetrical key, such as
Encryption Algorithm using unsymmetrical key includes but is not limited to RSA, Elgamal, knapsack algorithm, appointing in Rabin, D-H, ECC
The cipher key configuration shared in quadrature digital up-converter with trusted application will be used to verify by one kind at private key.For example, to second
Data to be signed after encapsulation are verified, and the purpose of verifying includes confirming the integrality and correctness of data, if being verified,
Then show that data to be signed are not distorted illegally, and is signed using user certificate private key;If verifying do not pass through, show to
Signed data has been attacked during step S35, and data are incorrect or imperfect, this signature request is illegal, user certificate
Book private key is without signature or alarm.
Data are back to trusted application after S44, customer digital certificate signature;For example, by by the user in mobile terminal
The data that digital certificate carries out signature authentication are back to the trusted application in SE (safe unit), and waiting is back to mobile application.
Data after signature are back to mobile application by S45, trusted application;For example, the mobile application for passing through mobile terminal will
The data of signature authentication are back to mobile application, wait be sent to mobile application server carry out server side data authentication with
Storage.
Data after signature are back to mobile application server by S46, mobile application;For example, the movement for passing through mobile terminal
Using by signature authentication be used to carry out digitlization payment or the data authorized of application permission are back to Mobile Server.
S47, mobile application server use data after customer digital certificate public key verifications signature.It can recognize after being verified
For in this transaction, really legal user take part in transaction.For example, mobile application server is verified, then recognized
Determine the valid operation of legitimate user, while this transaction is legal.
Embodiment 3, as shown in figure 3, the Verification System based on digital certificate, the safety including being built in mobile terminal is single
Member, mobile application server, trusted application server;The mobile application server is built-in with customer digital certificate public key, institute
It states and quadrature digital up-converter is installed in safe unit;Wherein, quadrature digital up-converter is mark communication each side's identity in combined network communication
The string number of information provides a kind of mode for verifying communication entity identity on internet.It in the present embodiment, is by one
A legal entity is presented to user, and the digital certificate that the certificate corresponding private key of user is stored in mobile terminal safety unit is answered
In, client public key certificate can be obtained from legal issuing organization by mobile application server and be used for subsequent authentication user certificate private
The legitimacy of key signature, thus strictly takes part in transaction by user to determine.Safe unit is capable of providing one more
The data storage of safety and computing environment.
Mobile application in mobile terminal sends the data to be signed that need customer digital certificate to sign to the shifting
Dynamic application server;The mobile application server receives data to be signed and is sent to the trusted application server;It is described
Trusted application server receives data to be signed and carries out the first encapsulation using server key;The trusted application server returns
Data to be signed after returning the first encapsulation are to the mobile application server;The mobile application server will be after the first encapsulation
Data to be signed return to mobile application;Mobile terminal to first encapsulation after data to be signed by with trusted application server
Shared key is verified, and is signed after being verified using user certificate private key;Mobile terminal returns data after signature
The mobile application server is returned, and uses data after customer digital certificate public key verifications signature.Wherein, the institute in mobile application
It states mobile application and the data to be signed after the first encapsulation is sent to the quadrature digital up-converter;The quadrature digital up-converter uses
Third verifying is carried out with the key that trusted application server is shared, third is signed after being verified using user certificate private key
Name;Data are back to mobile application after customer digital certificate signature;Data after signature are back to the movement and answered by mobile application
Use server;The mobile application server uses data after customer digital certificate public key verifications signature.After being verified
Think in this transaction, really legal user take part in transaction.
In previous traditional scheme, data to be signed are subject to attack and be tampered in this transmission process, such as
During mobile terminal and server side interact, because data to be signed do not have trusted application server to be packaged, data
Easily it is tampered;In another example during data to be signed are issued to quadrature digital up-converter by mobile application in mobile terminal, because to
Signed data does not have trusted application server to be packaged, and data are easily tampered;In the present embodiment, server key example at
The key that trusted application server and quadrature digital up-converter are shared, due to using in trusted application server and quadrature digital up-converter
Shared key carries out encryption encapsulation and guarantees integrality.
In the present embodiment, the key that the trusted application server and quadrature digital up-converter are shared can be configured to symmetrically
Key includes but is not limited to any one of DES, 3DES, IDEA, FEAL, BLOWFISH for example, by using Encryption Algorithm, will be credible
The key shared in the interior key shared with quadrature digital up-converter of application server, quadrature digital up-converter with trusted application server
It is configured to symmetric key.Likewise, the key that the trusted application server is shared with quadrature digital up-converter may be alternatively configured as
Unsymmetrical key, the Encryption Algorithm for example, by using unsymmetrical key include but is not limited to RSA, Elgamal, knapsack algorithm,
Any one of Rabin, D-H, ECC, by the cipher key configuration shared in trusted application server with quadrature digital up-converter at public key
It is used to carry out school at private key for being packaged, by the cipher key configuration shared in quadrature digital up-converter with trusted application server
It tests.
Embodiment 4, as shown in figure 5, the Verification System based on digital certificate, the safety including being built in mobile terminal is single
Member, mobile application server, trusted application server, the mobile application server are built-in with customer digital certificate public key, institute
It states and quadrature digital up-converter is installed in safe unit;Wherein, quadrature digital up-converter is mark communication each side's identity in combined network communication
The string number of information provides a kind of mode for verifying communication entity identity on internet.It in the present embodiment, is by one
A legal entity is presented to user, and the digital certificate that the certificate corresponding private key of user is stored in mobile terminal safety unit is answered
In, client public key certificate can be obtained from legal issuing organization by mobile application server and be used for subsequent authentication user certificate private
The legitimacy of key signature, thus strictly takes part in transaction by user to determine.Safe unit is capable of providing one more
The data storage of safety and computing environment.Verification System based on digital certificate further includes the number being built in credible performing environment
The trusted application of word certificate access;Credible performing environment is the isolated execution environment of operation in a mobile device, relative to common
Operating system has stronger security capabilities, to ensure to run application program therein, sensitive data etc. in relatively believable ring
It stored, handled and is protected in border, improve safety.
Mobile application in mobile terminal sends the data to be signed that need customer digital certificate to sign to the shifting
Dynamic application server;The mobile application server receives data to be signed and is sent to the trusted application server;It is described
Trusted application server receives data to be signed and carries out the first encapsulation using server key;The trusted application server returns
Data to be signed after returning the first encapsulation are to the mobile application server;The mobile application server will be after the first encapsulation
Data to be signed return to mobile application;Mobile terminal to first encapsulation after data to be signed by with trusted application server
Shared key is verified, and is signed after being verified using user certificate private key;Mobile terminal returns data after signature
The mobile application server is returned, and uses data after customer digital certificate public key verifications signature.Mobile application is encapsulated first
Data to be signed afterwards are sent to the trusted application;The trusted application is close using negotiating with the trusted application server
Key carries out the first verifying to the data to be signed integrality after encapsulation, first be verified after use trusted application and the number
The key of certificate Application share carries out the second encapsulation;Data to be signed after second encapsulation are sent to described by the trusted application
Quadrature digital up-converter;The quadrature digital up-converter uses the key shared with the trusted application to carry out the second verifying, and second tests
Card is signed after passing through using user certificate private key;Data are back to the trusted application after customer digital certificate signature;Institute
It states trusted application and data after signature is back to mobile application;Data after signature are back to the mobile application and taken by mobile application
Business device;The mobile application server uses data after customer digital certificate public key verifications signature.It is believed that after being verified
In this transaction, really legal user take part in transaction.
In previous traditional scheme, data to be signed are subject to attack and be tampered in this transmission process, such as
During mobile terminal and server side interact, because data to be signed do not have trusted application server to be packaged, data
Easily it is tampered;In another example during data to be signed are issued to trusted application by mobile application in mobile terminal, because to be signed
Data do not have trusted application server to be packaged, and data are easily tampered;For another example trusted application will be wait sign in mobile terminal
Name data are issued to during quadrature digital up-converter, and because data to be signed do not have trusted application to be packaged, data are easily tampered;
In the present embodiment, the key that server key example is shared at trusted application server and trusted application, due to using respectively
The key shared in the interior key shared with trusted application of trusted application server, trusted application with digital application certificate is added
Sealing dress guarantees integrality, simultaneously because it is to move under credible performing environment that trusted application, which is placed in credible performing environment and operates in,
Dynamic application software or other trusted applications provide safety-related service, credible performing environment be run in a mobile device every
From performing environment, has stronger security capabilities relative to normal operating system, to ensure to run application program therein, sensitivity
Data etc. are stored, handled and are protected in relatively believable environment, and safety is improved;Compared to SE (safe unit),
TEE (credible performing environment) and SE are in relatively independent performing environment, are not construed as limiting to scene applied by SE, in this implementation
In example, the quadrature digital up-converter in SE is accessed by the trusted application in TEE, guarantees the safety of access.
In the present embodiment, key, the trusted application and number that the trusted application server and trusted application are shared
The shared key of word Application Certificate can be configured to symmetric key, for example, by using Encryption Algorithm include but is not limited to DES, 3DES,
Any one of IDEA, FEAL, BLOWFISH, by the key shared in trusted application server with trusted application, trusted application
The interior cipher key configuration shared with trusted application server is at symmetric key, or will share with digital application certificate in trusted application
The cipher key configuration shared in key, digital application certificate with trusted application is at symmetric key.Likewise, the trusted application service
The device key shared with trusted application, the trusted application may be alternatively configured as asymmetric with the key that digital application certificate is shared
Key, the Encryption Algorithm for example, by using unsymmetrical key include but is not limited to RSA, Elgamal, knapsack algorithm, Rabin, D-H,
The cipher key configuration shared in trusted application server with trusted application is used to be packaged, be incited somebody to action by any one of ECC at public key
The cipher key configuration shared in trusted application with trusted application server is at private key for being verified;Or by trusted application with number
The key that the shared cipher key configuration of word Application Certificate is used to be packaged, share in digital application certificate with trusted application at public key
Private key is configured to for being verified.
A kind of electronic equipment, including memory, processor and storage are on a memory and the meter that can run on a processor
Calculation machine program, processor realize the above-mentioned authentication method based on digital certificate when executing program.
A kind of computer readable storage medium is stored thereon with computer program, when computer program is executed by processor
Realize the above-mentioned authentication method based on digital certificate.
This specification one or more embodiment provides the authentication method based on digital certificate, including mobile terminal and service
Device side interacts and generates data to be signed in server side;The trusted application server of server side by data to be signed into
Mobile terminal is back to after row encapsulation;Mobile terminal to the data to be signed after encapsulation by with trusted application server share
Key is verified, and is signed after being verified using user certificate private key;Data return to service after mobile terminal will sign
Device side, and use data after customer digital certificate public key verifications signature.This specification one or more embodiment further relates to be based on
The Verification System of digital certificate, storage medium, electronic equipment.This specification one or more embodiment passes through first by number to be signed
According to sending to server progress secure package, returns again to mobile application and be sent to the mode signed in quadrature digital up-converter
Carry out the certification of digital certificate.
It is above-mentioned that this specification specific embodiment is described.Other embodiments are in the scope of the appended claims
It is interior.In some cases, the movement recorded in detail in the claims or step can be come according to the sequence being different from embodiment
It executes and desired result still may be implemented.In addition, process depicted in the drawing not necessarily require show it is specific suitable
Sequence or consecutive order are just able to achieve desired result.In some embodiments, multitasking and parallel processing be also can
With or may be advantageous.
All the embodiments in this specification are described in a progressive manner, same and similar portion between each embodiment
Dividing may refer to each other, and each embodiment focuses on the differences from other embodiments.Especially for device,
For electronic equipment, nonvolatile computer storage media embodiment, since it is substantially similar to the method embodiment, so description
It is fairly simple, the relevent part can refer to the partial explaination of embodiments of method.
Device that this specification embodiment provides, electronic equipment, nonvolatile computer storage media with method are corresponding
, therefore, device, electronic equipment, nonvolatile computer storage media also have the Advantageous effect similar with corresponding method
Fruit, since the advantageous effects of method being described in detail above, which is not described herein again corresponding intrument,
The advantageous effects of electronic equipment, nonvolatile computer storage media.
In the 1990s, the improvement of a technology can be distinguished clearly be on hardware improvement (for example,
Improvement to circuit structures such as diode, transistor, switches) or software on improvement (improvement for method flow).So
And with the development of technology, the improvement of current many method flows can be considered as directly improving for hardware circuit.
Designer nearly all obtains corresponding hardware circuit by the way that improved method flow to be programmed into hardware circuit.Cause
This, it cannot be said that the improvement of a method flow cannot be realized with hardware entities module.For example, programmable logic device
(Programmable Logic Device, PLD) (such as field programmable gate array (Field Programmable Gate
Array, FPGA)) it is exactly such a integrated circuit, logic function determines device programming by user.By designer
Voluntarily programming comes a digital display circuit " integrated " on a piece of PLD, designs and makes without asking chip maker
Dedicated IC chip.Moreover, nowadays, substitution manually makes IC chip, this programming is also used instead mostly " is patrolled
Volume compiler (logic compiler) " software realizes that software compiler used is similar when it writes with program development,
And the source code before compiling also write by handy specific programming language, this is referred to as hardware description language
(Hardware Description Language, HDL), and HDL is also not only a kind of, but there are many kind, such as ABEL
(Advanced Boolean Expression Language)、AHDL(Altera Hardware Description
Language)、Confluence、CUPL(Cornell University Programming Language)、HDCal、JHDL
(Java Hardware Description Language)、Lava、Lola、MyHDL、PALASM、RHDL(Ruby
Hardware Description Language) etc., VHDL (Very-High-Speed is most generally used at present
Integrated Circuit Hardware Description Language) and Verilog.Those skilled in the art also answer
This understands, it is only necessary to method flow slightly programming in logic and is programmed into integrated circuit with above-mentioned several hardware description languages,
The hardware circuit for realizing the logical method process can be readily available.
Controller can be implemented in any suitable manner, for example, controller can take such as microprocessor or processing
The computer for the computer readable program code (such as software or firmware) that device and storage can be executed by (micro-) processor can
Read medium, logic gate, switch, specific integrated circuit (Application Specific Integrated Circuit,
ASIC), the form of programmable logic controller (PLC) and insertion microcontroller, the example of controller includes but is not limited to following microcontroller
Device: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicone Labs C8051F320 are deposited
Memory controller is also implemented as a part of the control logic of memory.It is also known in the art that in addition to
Pure computer readable program code mode is realized other than controller, can be made completely by the way that method and step is carried out programming in logic
Controller is obtained to come in fact in the form of logic gate, switch, specific integrated circuit, programmable logic controller (PLC) and insertion microcontroller etc.
Existing identical function.Therefore this controller is considered a kind of hardware component, and to including for realizing various in it
The device of function can also be considered as the structure in hardware component.Or even, it can will be regarded for realizing the device of various functions
For either the software module of implementation method can be the structure in hardware component again.
System, device, module or the unit that above-described embodiment illustrates can specifically realize by computer chip or entity,
Or it is realized by the product with certain function.It is a kind of typically to realize that equipment is computer.Specifically, computer for example may be used
Think personal computer, laptop computer, cellular phone, camera phone, smart phone, personal digital assistant, media play
It is any in device, navigation equipment, electronic mail equipment, game console, tablet computer, wearable device or these equipment
The combination of equipment.
For convenience of description, it is divided into various units when description apparatus above with function to describe respectively.Certainly, implementing this
The function of each unit can be realized in the same or multiple software and or hardware when specification one or more embodiment.
It should be understood by those skilled in the art that, this specification embodiment can provide as method, system or computer program
Product.Therefore, this specification embodiment can be used complete hardware embodiment, complete software embodiment or combine software and hardware
The form of the embodiment of aspect.Moreover, it wherein includes that computer is available that this specification embodiment, which can be used in one or more,
It is real in the computer-usable storage medium (including but not limited to magnetic disk storage, CD-ROM, optical memory etc.) of program code
The form for the computer program product applied.
This specification is referring to the method, equipment (system) and computer program product according to this specification embodiment
Flowchart and/or the block diagram describes.It should be understood that can be realized by computer program instructions every in flowchart and/or the block diagram
The combination of process and/or box in one process and/or box and flowchart and/or the block diagram.It can provide these computers
Processor of the program instruction to general purpose computer, special purpose computer, Embedded Processor or other programmable data processing devices
To generate a machine, so that generating use by the instruction that computer or the processor of other programmable data processing devices execute
In the dress for realizing the function of specifying in one or more flows of the flowchart and/or one or more blocks of the block diagram
It sets.
These computer program instructions, which may also be stored in, is able to guide computer or other programmable data processing devices with spy
Determine in the computer-readable memory that mode works, so that it includes referring to that instruction stored in the computer readable memory, which generates,
Enable the manufacture of device, the command device realize in one box of one or more flows of the flowchart and/or block diagram or
The function of being specified in multiple boxes.
These computer program instructions also can be loaded onto a computer or other programmable data processing device, so that counting
Series of operation steps are executed on calculation machine or other programmable devices to generate computer implemented processing, thus in computer or
The instruction executed on other programmable devices is provided for realizing in one or more flows of the flowchart and/or block diagram one
The step of function of being specified in a box or multiple boxes.
In a typical configuration, calculating equipment includes one or more processors (CPU), input/output interface, net
Network interface and memory.
Memory may include the non-volatile memory in computer-readable medium, random access memory (RAM) and/or
The forms such as Nonvolatile memory, such as read-only memory (ROM) or flash memory (flash RAM).Memory is computer-readable medium
Example.
Computer-readable medium includes permanent and non-permanent, removable and non-removable media can be by any method
Or technology come realize information store.Information can be computer readable instructions, data structure, the module of program or other data.
The example of the storage medium of computer includes, but are not limited to phase change memory (PRAM), static random access memory (SRAM), moves
State random access memory (DRAM), other kinds of random access memory (RAM), read-only memory (ROM), electric erasable
Programmable read only memory (EEPROM), flash memory or other memory techniques, read-only disc read only memory (CD-ROM) (CD-ROM),
Digital versatile disc (DVD) or other optical storage, magnetic cassettes, tape magnetic disk storage or other magnetic storage devices
Or any other non-transmission medium, can be used for storage can be accessed by a computing device information.As defined in this article, it calculates
Machine readable medium does not include temporary computer readable media (transitory media), such as the data-signal and carrier wave of modulation.
It should also be noted that, the terms "include", "comprise" or its any other variant are intended to nonexcludability
It include so that the process, method, commodity or the equipment that include a series of elements not only include those elements, but also to wrap
Include other elements that are not explicitly listed, or further include for this process, method, commodity or equipment intrinsic want
Element.In the absence of more restrictions, the element limited by sentence "including a ...", it is not excluded that including described want
There is also other identical elements in the process, method of element, commodity or equipment.
This specification can describe in the general context of computer-executable instructions executed by a computer, such as journey
Sequence module.Generally, program module include routines performing specific tasks or implementing specific abstract data types, programs, objects,
Component, data structure etc..Specification can also be practiced in a distributed computing environment, in these distributed computing environments,
By executing task by the connected remote processing devices of communication network.In a distributed computing environment, program module can
To be located in the local and remote computer storage media including storage equipment.
All the embodiments in this specification are described in a progressive manner, same and similar portion between each embodiment
Dividing may refer to each other, and each embodiment focuses on the differences from other embodiments.Especially for system reality
For applying example, since it is substantially similar to the method embodiment, so being described relatively simple, related place is referring to embodiment of the method
Part explanation.
The foregoing is merely this specification embodiments, are not limited to this specification one or more embodiment.
To those skilled in the art, this specification one or more embodiment can have various modifications and variations.It is all in this theory
Any modification, equivalent replacement, improvement and so within the spirit and principle of bright book one or more embodiment, should be included in
Within the scope of the claims of this specification one or more embodiment.This specification one or more embodiment this specification one
A or multiple embodiment this specification one or more embodiment this specification one or more embodiments.