CN109981278A - Applying digital certificate method, system, subscriber identification card, equipment and medium - Google Patents

Applying digital certificate method, system, subscriber identification card, equipment and medium

Info

Publication number: CN109981278A (granted as CN109981278B)
Application number: CN201711456434.2A
Authority: CN (China)
Original language: Chinese (zh)
Inventor: 于绍泉
Assignee (original and current): China Mobile Communications Group Co Ltd; China Mobile Group Liaoning Co Ltd
Legal status: Active (granted)
Prior art keywords: certificate, identification card, service system, subscriber identification, data

Classifications

    • H04L9/3236: cryptographic mechanisms or arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user or for message authentication, using cryptographic hash functions
    • H04L9/3247: the same, involving digital signatures
    • H04L9/3263: the same, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3234: the same, involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
Abstract

The invention discloses a digital certificate application method, a signature service system, a subscriber identification card, a digital certificate application system, a digital certificate application device and a computer-readable storage medium. The digital certificate application method includes: when a certificate application request sent by the service system is received, generating a key pair generation instruction and sending it to the subscriber identification card; after the public key information returned by the subscriber identification card is received, forming certificate request information that includes the public key information; performing a hash operation on the certificate request information to obtain hash data, and sending the hash data to the subscriber identification card; when the signed data returned by the subscriber identification card is received, forming a certificate request data packet that includes the certificate request information and the signed data; and obtaining the digital certificate according to the certificate request data packet. Embodiments of the invention improve the reliability and stability of the digital certificate application process.

Description

Applying digital certificate method, system, subscriber identification card, equipment and medium
Technical field
The present invention relates to the technical field of digital certificates, and in particular to a digital certificate application method, a signature service system, a subscriber identification card, a digital certificate application system, a digital certificate application device and a computer-readable storage medium.
Background technique
In recent years the Internet, and the mobile Internet in particular, has grown rapidly, and secure, ubiquitous mobile signature products are an important safeguard for the security of mobile Internet services. Traditional USB shields and one-time password tokens have many shortcomings in portability and terminal transparency, so a digital certificate technology suited to the mobile Internet era has emerged to provide protection for account security and payment security of all kinds.
The current digital certificate application method is as follows:
1. The mobile signature platform sends a data SMS to the SIM card over the mobile network requesting that it generate a P10 data packet, i.e. a certificate request data packet;
2. The SIM card generates a public/private key pair and assembles the P10 data packet;
3. The SIM card splits the complete P10 data packet into several data SMS messages and sends them to the mobile signature platform;
4. The mobile signature platform submits the P10 data packet to the digital certificate issuing platform to obtain the digital certificate.
The digital certificate application method above has the following disadvantage:
Data is exchanged between the mobile signature service system and the SIM card by data SMS, and a P10 data packet carries a large amount of information. Taking RSA with a 1024-bit key as an example, the byte length of a P10 data packet generated with ASN.1 encoding is at least 350 bytes. The maximum payload of a data SMS is 140 bytes, and once the secure packet header of the data SMS is deducted, the SIM card needs at least four consecutive uplink data SMS messages to deliver a complete P10 data packet to the mobile signature service system. Since a concatenated SMS is limited in the data length it can carry, many SMS messages are needed to send the P10 data packet and the waiting time of the mobile signature platform is long, so the reliability and stability of the system are poor.
Summary of the invention
Embodiments of the invention provide a digital certificate application method, a signature service system, a subscriber identification card, a digital certificate application system, a digital certificate application device and a computer-readable storage medium.
In a first aspect, an embodiment of the invention provides a digital certificate application method that includes:
when a certificate application request sent by the service system is received, generating a key pair generation instruction and sending the key pair generation instruction to the subscriber identification card;
after the public key information returned by the subscriber identification card is received, forming certificate request information that includes the public key information;
performing a hash operation on the certificate request information to obtain hash data, and sending the hash data to the subscriber identification card;
when the signed data returned by the subscriber identification card is received, forming a certificate request data packet that includes the certificate request information and the signed data, where the signed data is obtained by the subscriber identification card signing the hash data with the private key of the generated key pair;
obtaining a digital certificate according to the certificate request data packet.
In a second aspect, an embodiment of the invention provides a digital certificate application method that includes:
when the key pair generation instruction sent by the signature service system is received, generating a key pair and returning the public key information of the key pair to the signature service system;
when the hash data sent by the signature service system is received, signing the hash data with the private key of the key pair to obtain signed data, and returning the signed data to the signature service system.
In a third aspect, an embodiment of the invention provides a digital certificate application method that includes:
the signature service system, when it receives the certificate application request sent by the service system, generating a key pair generation instruction and sending it to the subscriber identification card;
the subscriber identification card, when it receives the key pair generation instruction sent by the signature service system, generating a key pair and returning the public key information of the key pair to the signature service system;
the signature service system, after it receives the public key information returned by the subscriber identification card, forming certificate request information that includes the public key information, performing a hash operation on the certificate request information to obtain hash data, and sending the hash data to the subscriber identification card;
the subscriber identification card, when it receives the hash data sent by the signature service system, signing the hash data with the private key of the key pair to obtain signed data and returning the signed data to the signature service system;
the signature service system, when it receives the signed data returned by the subscriber identification card, forming a certificate request data packet that includes the certificate request information and the signed data, and obtaining a digital certificate according to the certificate request data packet.
In a fourth aspect, an embodiment of the invention provides a signature service system that includes:
an instruction generation module, which generates a key pair generation instruction when a certificate application request sent by the service system is received and sends the key pair generation instruction to the subscriber identification card;
an information forming module, which forms certificate request information that includes the public key information after the public key information returned by the subscriber identification card is received;
a hash operation module, which performs a hash operation on the certificate request information to obtain hash data and sends the hash data to the subscriber identification card;
a data packet forming module, which forms a certificate request data packet that includes the certificate request information and the signed data when the signed data returned by the subscriber identification card is received, where the signed data is obtained by the subscriber identification card signing the hash data with the private key of the generated key pair;
a certificate acquisition module, which obtains a digital certificate according to the certificate request data packet.
In a fifth aspect, an embodiment of the invention provides a subscriber identification card that includes:
a key pair generation module, which generates a key pair when the key pair generation instruction sent by the signature service system is received and returns the public key information of the key pair to the signature service system;
a data signature module, which signs the hash data with the private key of the key pair to obtain signed data when the hash data sent by the signature service system is received, and returns the signed data to the signature service system.
In a sixth aspect, an embodiment of the invention provides a digital certificate application system that includes the signature service system of the fourth aspect and the subscriber identification card of the fifth aspect.
In a seventh aspect, an embodiment of the invention provides a digital certificate application device that includes at least one processor, at least one memory and computer program instructions stored in the memory; when the computer program instructions are executed by the processor, they implement the method of the first or second aspect above.
In an eighth aspect, an embodiment of the invention provides a computer-readable storage medium storing computer program instructions that, when executed by a processor, implement the method of the first or second aspect above.
In the solutions provided by the embodiments of the invention, the certificate request information in the certificate request data packet is formed by the signature service system, and the assembly of the various data into a complete certificate request data packet is also completed in the signature service system; only the signed data in the certificate request data packet is formed by the subscriber identification card. The subscriber identification card therefore needs only a single data SMS to send the signed data to the signature service system rather than several, so the waiting time of the signature service system is short. Compared with the prior art, where the subscriber identification card needs several data SMS messages to send the related data to the signature service system, the reliability and stability of the digital certificate application process are both improved.
Description of the drawings
To illustrate the technical solutions of the embodiments of the invention more clearly, the drawings required by the embodiments are briefly described below. For those of ordinary skill in the art, other drawings can be obtained from these drawings without creative effort.
Fig. 1 shows a flow diagram of the digital certificate application method in one embodiment of the invention;
Fig. 2 shows a flow diagram of the digital certificate application method in one embodiment of the invention;
Fig. 3 shows a flow diagram of the digital certificate application method in one embodiment of the invention;
Fig. 4 shows a flow diagram of the digital certificate application method in one embodiment of the invention;
Fig. 5 shows a flow diagram of executing a signature service in one embodiment of the invention;
Fig. 6 shows a structural block diagram of the signature service system in one embodiment of the invention;
Fig. 7 shows a structural block diagram of the subscriber identification card in one embodiment of the invention;
Fig. 8 shows a structural block diagram of the digital certificate application device in one embodiment of the invention.
Specific embodiments
The features and exemplary embodiments of the various aspects of the invention are described in detail below. To make the objectives, technical solutions and advantages of the invention clearer, the invention is further described in detail with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are only intended to explain the invention, not to limit it. To those skilled in the art, the invention can be practised without some of these details. The description of the embodiments below is provided only to give a better understanding of the invention by showing examples of it.
It should be noted that in this document relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise" or any other variant are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to that process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes it.
In a first aspect, an embodiment of the invention provides a digital certificate application method that can be executed by the signature service system. As shown in Fig. 1, it can include the following steps:
S101: when a certificate application request sent by the service system is received, generate a key pair generation instruction and send the key pair generation instruction to the subscriber identification card.
The service system above may also be called the service platform.
For example, when a user asks a service administrator at the service platform to handle the download of a digital certificate, the administrator checks the user's identity and, once the check passes, sends a certificate application request to the signature service system through the service platform, which starts the digital certificate application process. On receiving the certificate application request, the signature service system may of course also verify the legitimacy of the service and the legitimacy of the PKI (Public Key Infrastructure) in turn, and generate the key pair generation instruction only after these checks pass.
The certificate application request above is the request to apply for a digital certificate.
The subscriber identification card above may also be called the SIM card. It will be appreciated that the SIM card is a secure medium at the level of a financial-grade chip. After the SIM card receives the key pair generation instruction sent by the signature service system, it generates a key pair and returns the public key information of the key pair to the signature service system. The public key information may include the public key, the public exponent and/or other public-key-related information.
S102: after the public key information returned by the subscriber identification card is received, form certificate request information that includes the public key information.
The certificate request information above is the certificationRequestInfo. Besides the public key information it may of course also contain other information, for example an entity name. The other information in the certificate request information can be custom data that is set as required. After the signature service system receives the public key information returned by the SIM card, it assembles the public key information and the other information into the certificate request information.
It will be appreciated that the certificate request information is one part of the certificate request data packet, i.e. the P10 data packet, and that this part is formed by the signature service system.
S103: perform a hash operation on the certificate request information to obtain hash data, and send the hash data to the subscriber identification card.
For example, the hash operation on the certificate request information may use the SHA-1 algorithm to obtain the hash data.
After the SIM card receives the hash data, it can sign the hash data with the private key of the generated key pair to obtain the signed data, and then return the signed data to the signature service system. Thus the signed data is formed by the SIM card.
S104: when the signed data returned by the subscriber identification card is received, form a certificate request data packet that includes the certificate request information and the signed data, where the signed data is obtained by the subscriber identification card signing the hash data with the private key of the generated key pair.
It will be appreciated that the certificate request data packet, i.e. the PKCS#10 data packet (P10 data packet for short), contains the certificate request information and the signed data. It may of course also contain other data, such as the signature algorithm. Specifically, the certificate request information, the signed data, the signature algorithm and/or other data are assembled into a complete P10 data packet according to the format requirements of the P10 data packet.
The P10 data packet is obtained through the steps above, and the digital certificate can then be obtained in S105.
S105: obtain the digital certificate according to the certificate request data packet.
In the digital certificate application method provided by this embodiment, the certificate request information in the certificate request data packet is formed by the signature service system, and the assembly of the various data into a complete certificate request data packet is also completed in the signature service system; only the signed data in the certificate request data packet is formed by the subscriber identification card. The subscriber identification card therefore needs only a single data SMS to send the signed data to the signature service system rather than several, so the waiting time of the signature service system is short. Compared with the prior art, where the subscriber identification card needs several data SMS messages to send the related data to the signature service system, the delay is shorter and the reliability and stability of the digital certificate application process are improved. Moreover, because the certificate request information in the certificate request data packet is formed by the signature service system rather than in the SIM card, the data in the certificate request information other than the public key information can be custom data, so when interfacing with each PKI (Public Key Infrastructure) the signature service system can adapt flexibly to the interface of that PKI. Compared with the prior art, where the certificate request information is generated by the SIM card and its composition is therefore fixed, the signature service system in this embodiment can be compatible with the interfaces of different PKIs, which improves the flexibility and scalability of the signature service system and helps it provide signature services.
In some embodiments there are several ways of obtaining the digital certificate from the P10 data packet in step S105; one optional way is introduced below:
S1051: send a certificate application request carrying the certificate request data packet to the digital certificate issuing system.
The digital certificate issuing system above is, for example, a Public Key Infrastructure (PKI), such as a digital certificate registration authority (RA) or a digital certificate authentication centre (CA). After the signature service system has formed the P10 data packet, it sends a certificate application request carrying the P10 data packet to the digital certificate issuing system. After the digital certificate issuing system receives this request, it generates and issues the digital certificate and returns the digital certificate to the signature service system.
S1052: when the digital certificate returned by the digital certificate issuing system is received, parse the digital certificate to obtain certificate data, and send the certificate data to the subscriber identification card.
S1053: when the response message indicating that the certificate has been installed is received from the subscriber identification card, send a response message indicating that the certificate application succeeded to the service system.
After the subscriber identification card receives the certificate data, it installs the digital certificate; once installation is complete, it sends the signature service system a response message indicating that the certificate has been installed. After the signature service system receives this response message, it returns a response message to the service system to inform it that the digital certificate application succeeded.
In a second aspect, the invention also provides a digital certificate application method that can be executed by the subscriber identification card. As shown in Fig. 2, this method corresponds to the digital certificate application method executed by the signature service system and can include the following steps:
S201: when the key pair generation instruction sent by the signature service system is received, generate a key pair and return the public key information of the key pair to the signature service system.
It will be appreciated that the public key information above may include the public key, the public exponent and/or other information.
In practice, before the key pair is generated, it is also possible to detect whether a signature password has been set. Specifically, it is detected whether a signature password has been set on the terminal of the user who owns the SIM card, or on the terminal in which the SIM card is installed. If a signature password has been set, the key pair generation step is executed; if not, a prompt to set a signature password is sent to the user terminal, and the key pair generation step is executed only after the user has set a signature password on the user terminal. This guarantees that the user has already set a signature password when the key pair generation step is executed.
S202: when the hash data sent by the signature service system is received, sign the hash data with the private key of the key pair to obtain signed data, and return the signed data to the signature service system.
It will be appreciated that the so-called signature is in fact an encryption process, i.e. the hash data is encrypted with the private key of the key pair.
The digital certificate application method provided by this embodiment matches the digital certificate application method executed by the signature service system, and together they implement the application for the digital certificate. Because only the signed data in the certificate request data packet is formed by the subscriber identification card, the subscriber identification card needs only a single data SMS to send the signed data to the signature service system rather than several, so the waiting time of the signature service system is short. Compared with the prior art, where the subscriber identification card needs several data SMS messages to send the related data to the signature service system, the reliability and stability of the digital certificate application process are both improved.
In some embodiments the subscriber identification card can also execute the following step:
S203: when the certificate data sent by the signature service system is received, install the digital certificate, and when the digital certificate has been installed, send the signature service system a response message indicating that the certificate has been installed.
Step S203 lets the SIM card complete the installation of the digital certificate. Step S203 matches steps S1051 to S1053 above, and together they complete the whole process of obtaining the digital certificate.
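The exchange of steps S101 to S105 (signature service side) and S201 to S202 (card side), as an added example written for this page rather than code from the patent or from China Mobile. Everything in it is modelled: `SimCard` and `SignatureService` are hypothetical classes, the RSA key is a toy pure-Python key of demo size, the certificate request information and the P10 packet use a constructed length-prefixed framing in place of the ASN.1 DER the text refers to, and the digest is SHA-256 with PKCS#1 v1.5 signature padding rather than the SHA-1 the text gives as an example in S103 (SHA-1 is no longer acceptable for signatures). The issuing system of S1051 is represented only by `verify_p10`, which checks the packet the way an RA or CA would before issuing. The point the example makes concrete is that only the signature, not the whole packet, has to cross the SMS channel from the card.

```python
# Added illustration of the split P10 flow (S101-S105 / S201-S202); toy RSA,
# SHA-256 + PKCS#1 v1.5 and a constructed framing are demo assumptions.
import hashlib, math, secrets

DIGEST_INFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 prefix
KEY_BITS = 512  # demo size; the text's RSA-1024 works too, just slower in pure Python

def is_probable_prime(n, rounds=40):  # Miller-Rabin, adequate for a demonstration key
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if is_probable_prime(cand):
            return cand

def gen_rsa_keypair(bits=KEY_BITS):  # textbook keygen; returns ((n, e), (n, d))
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def frame(*fields):  # length-prefixed concatenation: constructed stand-in for ASN.1 DER
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def unframe(data):
    fields, i = [], 0
    while i < len(data):
        ln = int.from_bytes(data[i:i + 2], "big")
        fields.append(data[i + 2:i + 2 + ln])
        i += 2 + ln
    return fields

def pkcs1_v15_encode(digest, k):  # EMSA-PKCS1-v1_5 for a SHA-256 digest and k-byte modulus
    t = DIGEST_INFO_SHA256 + digest
    if k < len(t) + 11:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

class SimCard:  # subscriber identification card: holds the private key, never exports it
    def __init__(self, signature_password_set=True):
        self._priv = None
        self.signature_password_set = signature_password_set
    def generate_key_pair(self):  # S201, preceded by the signature-password check from the text
        if not self.signature_password_set:
            raise RuntimeError("signature password not set: prompt the user before generating keys")
        pub, self._priv = gen_rsa_keypair()
        return pub  # only the public key information leaves the card
    def sign_hash(self, digest):  # S202: sign the hash received from the service system
        n, d = self._priv
        k = (n.bit_length() + 7) // 8
        return pow(int.from_bytes(pkcs1_v15_encode(digest, k), "big"), d, n).to_bytes(k, "big")

class SignatureService:  # signature service system: forms everything except the signature
    def build_request_info(self, pub, subject):  # S102: public key info plus custom data
        n, e = pub
        return frame(subject.encode(), n.to_bytes((n.bit_length() + 7) // 8, "big"), e.to_bytes(4, "big"))
    def hash_request_info(self, info):  # S103
        return hashlib.sha256(info).digest()
    def assemble_p10(self, info, signature):  # S104: request info + algorithm id + signature
        return frame(info, b"sha256WithRSA-demo", signature)

def verify_p10(packet):  # what the issuing system checks before signing a certificate
    info, _alg, sig = unframe(packet)
    _subject, nb, eb = unframe(info)
    n, e = int.from_bytes(nb, "big"), int.from_bytes(eb, "big")
    k = (n.bit_length() + 7) // 8
    expected = pkcs1_v15_encode(hashlib.sha256(info).digest(), k)
    return pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == expected

def sms_count(nbytes, usable_payload=140):  # a secure packet header lowers usable_payload below 140
    return math.ceil(nbytes / usable_payload)

def apply_certificate(card, subject):  # returns (p10_packet, uplink SMS the card needs for its signature)
    service = SignatureService()
    pub = card.generate_key_pair()                               # S101 -> S201
    info = service.build_request_info(pub, subject)              # S102
    signature = card.sign_hash(service.hash_request_info(info))  # S103 -> S202
    packet = service.assemble_p10(info, signature)               # S104; S105 submits it to the CA
    return packet, sms_count(len(signature))
```

`apply_certificate` runs the exchange end to end and reports how many data SMS messages the card's uplink needs for the signature alone; `sms_count` takes the usable payload as a parameter because the text notes that the secure packet header reduces it below 140 bytes. Two details worth noticing: the card refuses to generate a key until the signature password has been set, mirroring the check described in the second aspect, and the signature is padded per PKCS#1 v1.5 rather than being a raw private-key exponentiation of the hash, since that is the form an RA or CA will verify.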
Third aspect. Based on the digital certificate application methods provided in the first and second aspects, an embodiment of the present invention further provides a digital certificate application method executed jointly by the signature service system and the subscriber identification card. As shown in Fig. 3, it specifically includes:
S301: when the certificate application request sent by the business system is received, the signature service system generates a key-pair generation instruction and sends the key-pair generation instruction to the subscriber identification card;
S302: when the key-pair generation instruction sent by the signature service system is received, the subscriber identification card generates a key pair and returns the public key information of the key pair to the signature service system;
S303: after receiving the public key information returned by the subscriber identification card, the signature service system forms certificate request information including the public key information, performs a hash operation on the certificate request information to obtain hash data, and sends the hash data to the subscriber identification card;
S304: when the hash data sent by the signature service system is received, the subscriber identification card signs the hash data using the private key of the key pair to obtain signed data, and returns the signed data to the signature service system;
S305: when the signed data returned by the subscriber identification card is received, the signature service system forms a certificate request packet including the certificate request information and the signed data, and obtains a digital certificate according to the certificate request packet.
For the explanation, examples and beneficial effects of the related content of the digital certificate application method provided in this embodiment, reference may be made to the corresponding parts of the first and second aspects above; they are not repeated here.
Referring specifically to Fig. 4, the overall process of applying for a digital certificate generally comprises:
S401: the user requests a digital certificate download from the service administrator;
S402: the service administrator verifies the identity of the user;
S403: after verification passes, the certificate application process is triggered through the business system;
S404: once the certificate application process is triggered, the business system sends a certificate application request to the signature service system;
S405: after receiving the certificate application request sent by the business system, the signature service system generates a key-pair generation instruction;
S406: the key-pair generation instruction is sent to the SIM card;
S407: after receiving the key-pair generation instruction, the SIM card generates a key pair;
S408: the public key information of the key pair, such as the public key and the public exponent, is sent to the signature service system;
S409: the signature service system forms certificate request information according to the public key information and performs a hash operation on the certificate request information to obtain hash data;
S410: the signature service system sends the generated hash data to the SIM card;
S411: the SIM card signs the hash data using the private key to obtain signed data;
S412: the SIM card returns the signed data to the signature service system;
S413: the signature service system assembles the signed data, the certificate request information, the signature algorithm and related data into a P10 packet according to the format requirements of a P10 (PKCS#10) packet;
S414: the signature service system sends a certificate application request carrying the P10 packet to the RA/CA;
S415: when the RA/CA receives the certificate application request, it generates the corresponding digital certificate;
S416: the RA/CA returns the digital certificate to the signature service system;
S417: the signature service system parses the digital certificate to obtain the certificate data (also called certificate information);
S418: the signature service system sends the certificate data to the SIM card;
S419: the SIM card installs the digital certificate;
S420: after installation is complete, the SIM card sends an installation-complete response message to the signature service system;
S421: after receiving the response message sent by the SIM card, the signature service system sends an application-successful response message to the business system.
Through steps S401 to S421 the application for the digital certificate is completed.
After the digital certificate has been applied for using steps S401 to S421, the user can use the digital signature service. The specific signature service process may include:
S501: the business system sends the RSA-encrypted (public-key-encrypted) data to be signed to the signature service system;
S502: the signature service system sends a business signature request carrying the data to be signed to the SIM card;
S503: the signature service system RSA-encrypts the data to be signed to obtain transaction data;
S504: the signature service system sends the transaction data to the user terminal;
S505: the user terminal pops up an STK (SIM Toolkit) menu displaying the transaction data, and the user confirms the transaction data;
S506: the user terminal sends the user's confirmation result to the SIM card;
S507: the SIM card signs the user's confirmation result using the private key;
S508: the SIM card sends a response message to the signature service system according to the signed confirmation result;
S509: after receiving the response message sent by the SIM card, the signature service system sends a response message to the business system.
Through steps S501 to S509 the signature service is realized. In the above process, the business system sends the data to be signed directly to the SIM card for signing via the signature service system, and the signature service system no longer performs a hash operation on the data to be signed, so the signature process is simple and efficient. Note that what the SIM card signs in S507 is the confirmation result produced after the user has seen the transaction data in the STK menu (S505); that confirmation step is what binds the signature to the transaction the user actually viewed.
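The S405 to S415 exchange above, and the SIM's signing of raw data in S507, as an added example that is not part of the patent and not the applicant's code: a toy SIM card that keeps the RSA private key and signs only a SHA-256 hash (PKCS#1 v1.5), a signature service that builds the CertificationRequestInfo, hashes it, sends the hash to the SIM and assembles the P10 packet together with the signature algorithm, and the RA/CA-side proof-of-possession check. The hand-rolled DER encoder, the names `SimCard`, `build_cri`, `assemble_p10`, `verify_p10` and `apply_for_certificate`, the 1024-bit key size and the constructed subject common name are all assumptions made for this example; a real SIM applet exposes its own key-generation and signing commands.

```python
import hashlib
import math
import random

# Added example, not from the patent: the DER helpers, OIDs and names are assumptions.
OID_RSA = bytes.fromhex("06092a864886f70d010101")        # rsaEncryption
OID_SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")  # sha256WithRSAEncryption
OID_SHA256 = bytes.fromhex("0609608648016503040201")      # id-sha256
OID_CN = bytes.fromhex("0603550403")                      # commonName
NULL = b"\x05\x00"
_rng = random.SystemRandom()

def tlv(tag, body):  # DER tag-length-value, short or long-form length
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(i):  # an extra leading byte when the high bit is set keeps the INTEGER positive
    return tlv(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))

def read_tlv(buf, off=0):
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:  # long form: (ln & 0x7f) length bytes follow
        ln, off = int.from_bytes(buf[off:off + (ln & 0x7F)], "big"), off + (ln & 0x7F)
    return tag, buf[off:off + ln], off + ln

def pkcs1_v15_encode(digest, k):  # EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo, k bytes
    t = tlv(0x30, tlv(0x30, OID_SHA256 + NULL) + tlv(0x04, digest))
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def _probable_prime(n, rounds=24):  # Miller-Rabin on an odd candidate
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(c):
            return c

class SimCard:  # toy SIM: the private exponent never leaves this object
    def generate_key_pair(self, bits=1024):  # S407; 1024 bits only to keep the demo fast
        e = 65537
        while True:
            p, q = _random_prime(bits // 2), _random_prime(bits // 2)
            phi = (p - 1) * (q - 1)
            if p != q and math.gcd(e, phi) == 1:
                break
        self._n, self._e, self._d = p * q, e, pow(e, -1, phi)
        return self._n, self._e  # S408: public key and public exponent

    def sign_hash(self, digest):  # S411: sign the 32-byte hash computed by the service
        if len(digest) != 32:
            raise ValueError("expected a SHA-256 digest")
        k = (self._n.bit_length() + 7) // 8
        em = int.from_bytes(pkcs1_v15_encode(digest, k), "big")
        return pow(em, self._d, self._n).to_bytes(k, "big")

    def sign_message(self, msg):  # S507: the service sends raw data; the SIM hashes, then signs
        return self.sign_hash(hashlib.sha256(msg).digest())

def build_cri(n, e, common_name):  # CertificationRequestInfo: version 0, subject CN, SPKI, no attributes
    subject = tlv(0x30, tlv(0x31, tlv(0x30, OID_CN + tlv(0x0C, common_name.encode()))))
    rsa_key = tlv(0x30, der_int(n) + der_int(e))
    spki = tlv(0x30, tlv(0x30, OID_RSA + NULL) + tlv(0x03, b"\x00" + rsa_key))
    return tlv(0x30, der_int(0) + subject + spki + tlv(0xA0, b""))

def assemble_p10(cri, signature):  # S413: the declared algorithm must match the hash the SIM signed
    return tlv(0x30, cri + tlv(0x30, OID_SHA256_RSA + NULL) + tlv(0x03, b"\x00" + signature))

def verify_p10(p10, n, e):  # RA/CA side (S415): re-hash the CRI bytes and RSA-verify the signature
    _, body, end = read_tlv(p10)
    _, _, off = read_tlv(body)
    cri = body[:off]
    _, alg, off = read_tlv(body, off)
    _, sig_bits, off = read_tlv(body, off)
    if end != len(p10) or off != len(body) or alg != OID_SHA256_RSA + NULL:
        return False
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig_bits[1:], "big"), e, n).to_bytes(k, "big")
    return em == pkcs1_v15_encode(hashlib.sha256(cri).digest(), k)

def apply_for_certificate(sim, common_name):  # S405-S413 with what crosses the SIM boundary made explicit
    n, e = sim.generate_key_pair()             # instruction to the SIM; (n, e) come back
    cri = build_cri(n, e, common_name)         # S409
    digest = hashlib.sha256(cri).digest()      # S409/S410: only 32 bytes go to the SIM
    signature = sim.sign_hash(digest)          # S411/S412: 128 bytes come back
    return assemble_p10(cri, signature), n, e  # S413: P10 ready for the RA/CA (S414)
```

Two points the patent's flow relies on are visible here. The signature algorithm written into the P10 in S413 must name the same hash the service computed in S409, or the RA/CA's check in S415 fails; and the only things crossing the SIM boundary are the public key (S408), a 32-byte hash (S410) and a 128-byte signature (S412), which is why the signed data fits in a single binary data SMS (140 octets of user data) while the finished P10 packet, a few hundred bytes, would not.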
Fourth aspect. An embodiment of the present invention provides a signature service system. As shown in Fig. 6, the system 600 includes:
an instruction generation module 601, configured to generate a key-pair generation instruction when the certificate application request sent by the business system is received, and to send the key-pair generation instruction to the subscriber identification card;
an information forming module 602, configured to form certificate request information including the public key information after the public key information returned by the subscriber identification card is received;
a hash operation module 603, configured to perform a hash operation on the certificate request information to obtain hash data, and to send the hash data to the subscriber identification card;
a packet forming module 604, configured to form a certificate request packet including the certificate request information and the signed data when the signed data returned by the subscriber identification card is received, wherein the signed data is obtained by the subscriber identification card signing the hash data with the private key of the generated key pair;
a certificate acquisition module 605, configured to obtain a digital certificate according to the certificate request packet.
In some embodiments, the certificate acquisition module is specifically configured to: send a certificate application request carrying the certificate request packet to the digital certificate issuing system; when the digital certificate returned by the digital certificate issuing system is received, parse the digital certificate to obtain certificate data and send the certificate data to the subscriber identification card; and when the certificate-installed response message returned by the subscriber identification card is received, send a certificate-application-successful response message to the business system.
In some embodiments, the certificate request packet formed by the information forming module specifically includes the certificate request information, the signed data and the signature algorithm.
In some embodiments, the public key information includes the public key and the public exponent.
It will be appreciated that each functional module of the above signature service system corresponds to a step of the digital certificate application method provided in the first aspect; for the explanation, examples and beneficial effects of the related content, reference may be made to the corresponding content of the first aspect, which is not repeated here.
Fifth aspect. An embodiment of the present invention provides a subscriber identification card. As shown in Fig. 7, the subscriber identification card 700 includes:
a key pair generation module 701, configured to generate a key pair when the key-pair generation instruction sent by the signature service system is received, and to return the public key information of the key pair to the signature service system;
a data signature module 702, configured to sign the hash data using the private key of the key pair when the hash data sent by the signature service system is received, obtain signed data, and return the signed data to the signature service system.
In some embodiments, the subscriber identification card further includes:
a certificate installation module, configured to install the digital certificate when the certificate data sent by the signature service system is received, and to send a certificate-installed response message to the signature service system when the digital certificate has been installed.
In some embodiments, before generating the key pair, the key pair generation module detects whether the user terminal has set a signature password; if so, the step of generating the key pair is executed; otherwise, prompt information requesting that a signature password be set is issued to the user terminal, and the step of generating the key pair is executed after the user terminal has set the signature password.
It will be appreciated that each functional module of the above subscriber identification card corresponds to a step of the digital certificate application method provided in the second aspect; for the explanation, examples and beneficial effects of the related content, reference may be made to the corresponding content of the second aspect, which is not repeated here.
Sixth aspect. An embodiment of the present invention provides a digital certificate application system including the signature service system of the fourth aspect and the subscriber identification card of the fifth aspect.
Seventh aspect. An embodiment of the present invention provides a digital certificate application device for executing the digital certificate application method of the first or second aspect. Fig. 8 is a schematic diagram of the hardware structure of the digital certificate application device provided in the embodiment.
The digital certificate application device may include a processor 801 and a memory 802 storing computer program instructions.
Specifically, the processor 801 may include a central processing unit (CPU) or an application-specific integrated circuit (ASIC), or may be configured as one or more integrated circuits implementing the embodiments of the present invention.
The memory 802 may include mass storage for data or instructions. By way of example and not limitation, the memory 802 may include a hard disk drive (HDD), a floppy disk drive, flash memory, an optical disc, a magneto-optical disc, magnetic tape, a universal serial bus (USB) drive, or a combination of two or more of these. Where suitable, the memory 802 may include removable or non-removable (fixed) media, and may be internal or external to the data processing device. In particular embodiments the memory 802 is non-volatile solid-state memory. In particular embodiments the memory 802 includes read-only memory (ROM), which where suitable may be mask-programmed ROM, programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM), electrically alterable ROM (EAROM), flash memory, or a combination of two or more of these.
The processor 801 reads and executes the computer program instructions stored in the memory 802 to implement any of the digital certificate application methods of the above embodiments.
In one example, the digital certificate application device may further include a communication interface 803 and a bus 810. As shown in Fig. 8, the processor 801, the memory 802 and the communication interface 803 are connected by the bus 810 and communicate with one another through it.
The communication interface 803 is mainly used to implement communication among the modules, apparatuses, units and/or devices in the embodiments of the present invention.
The bus 810 includes hardware, software or both, and couples the components of the digital certificate application device to one another. By way of example and not limitation, the bus may include an Accelerated Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a front-side bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a Low Pin Count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCIe) or PCI-X bus, a Serial Advanced Technology Attachment (SATA) bus, a Video Electronics Standards Association local (VLB) bus, another suitable bus, or a combination of two or more of these. Where suitable, the bus 810 may include one or more buses. Although a specific bus has been described and illustrated in the embodiment, the present invention contemplates any suitable bus or interconnect.
The digital certificate application device can execute the digital certificate application method of the embodiments of the present invention.
It should be clear that the present invention is not limited to the specific configurations and processes described above and shown in the figures. For brevity, detailed descriptions of known methods are omitted. In the above embodiments several specific steps have been described and illustrated as examples, but the method flow of the present invention is not limited to the specific steps described and illustrated; a person skilled in the art, having understood the spirit of the invention, may make various changes, modifications and additions, or change the order of the steps.
The functional blocks shown in the block diagrams above may be implemented as hardware, software, firmware or a combination thereof. When implemented in hardware they may be, for example, electronic circuits, application-specific integrated circuits (ASICs), suitable firmware, plug-ins, function cards and the like. When implemented in software, the elements of the present invention are the programs or code segments used to perform the required tasks. The programs or code segments may be stored in a machine-readable medium, or transmitted over a transmission medium or communication link by a data signal carried in a carrier wave. A "machine-readable medium" may include any medium capable of storing or transmitting information; examples include electronic circuits, semiconductor memory devices, ROM, flash memory, erasable ROM (EROM), floppy disks, CD-ROMs, optical discs, hard disks, fibre-optic media, radio-frequency (RF) links and so on. The code segments may be downloaded via a computer network such as the Internet or an intranet.
Eighth aspect. An embodiment of the present invention provides a computer-readable storage medium on which computer program instructions are stored; when executed by a processor, the computer program instructions implement the digital certificate application method provided in the first or second aspect.
It should also be noted that the exemplary embodiments mentioned in the present invention describe certain methods or systems on the basis of a series of steps or devices. The present invention is, however, not limited to the order of the above steps: the steps may be executed in the order mentioned in the embodiments, in an order different from that in the embodiments, or several steps may be executed simultaneously.
The above are merely specific embodiments of the present invention. It will be apparent to those skilled in the art that, for convenience and brevity of description, the specific working processes of the systems, modules and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here. It should be understood that the scope of protection of the present invention is not limited thereto; any person skilled in the art can readily conceive of various equivalent modifications or substitutions within the technical scope disclosed by the present invention, and such modifications or substitutions shall fall within the scope of protection of the present invention.

Claims (13)

1. A digital certificate application method, characterized by comprising:
when a certificate application request sent by a business system is received, generating a key-pair generation instruction and sending the key-pair generation instruction to a subscriber identification card;
after public key information returned by the subscriber identification card is received, forming certificate request information including the public key information;
performing a hash operation on the certificate request information to obtain hash data, and sending the hash data to the subscriber identification card;
when signed data returned by the subscriber identification card is received, forming a certificate request packet including the certificate request information and the signed data, wherein the signed data is obtained by the subscriber identification card signing the hash data with the private key of the generated key pair;
obtaining a digital certificate according to the certificate request packet.
2. The method according to claim 1, characterized in that obtaining a digital certificate according to the certificate request packet comprises:
sending a certificate application request carrying the certificate request packet to a digital certificate issuing system;
when the digital certificate returned by the digital certificate issuing system is received, parsing the digital certificate to obtain certificate data, and sending the certificate data to the subscriber identification card;
when a certificate-installed response message returned by the subscriber identification card is received, sending a certificate-application-successful response message to the business system.
3. The method according to claim 1, characterized in that forming a certificate request packet including the certificate request information and the signed data comprises: forming a certificate request packet including the certificate request information, the signed data and a signature algorithm.
4. The method according to any one of claims 1 to 3, characterized in that the public key information includes a public key and a public exponent.
5. A digital certificate application method, characterized by comprising:
when a key-pair generation instruction sent by a signature service system is received, generating a key pair and returning the public key information of the key pair to the signature service system;
when hash data sent by the signature service system is received, signing the hash data using the private key of the key pair to obtain signed data, and returning the signed data to the signature service system.
6. The method according to claim 5, characterized by further comprising:
when certificate data sent by the signature service system is received, installing a digital certificate;
when the digital certificate has been installed, sending a certificate-installed response message to the signature service system.
7. The method according to claim 5 or 6, characterized in that before generating the key pair the method further comprises:
detecting whether a user terminal has set a signature password;
if so, executing the step of generating the key pair;
otherwise, issuing prompt information for setting a signature password to the user terminal, and executing the step of generating the key pair after the user terminal has set the signature password.
8. A digital certificate application method, characterized by comprising:
a signature service system, when receiving a certificate application request sent by a business system, generating a key-pair generation instruction and sending the key-pair generation instruction to a subscriber identification card;
the subscriber identification card, when receiving the key-pair generation instruction sent by the signature service system, generating a key pair and returning the public key information of the key pair to the signature service system;
the signature service system, after receiving the public key information returned by the subscriber identification card, forming certificate request information including the public key information, performing a hash operation on the certificate request information to obtain hash data, and sending the hash data to the subscriber identification card;
the subscriber identification card, when receiving the hash data sent by the signature service system, signing the hash data using the private key of the key pair to obtain signed data, and returning the signed data to the signature service system;
the signature service system, when receiving the signed data returned by the subscriber identification card, forming a certificate request packet including the certificate request information and the signed data, and obtaining a digital certificate according to the certificate request packet.
9. A signature service system, characterized by comprising:
an instruction generation module, configured to generate a key-pair generation instruction when a certificate application request sent by a business system is received, and to send the key-pair generation instruction to a subscriber identification card;
an information forming module, configured to form certificate request information including the public key information after the public key information returned by the subscriber identification card is received;
a hash operation module, configured to perform a hash operation on the certificate request information to obtain hash data, and to send the hash data to the subscriber identification card;
a packet forming module, configured to form a certificate request packet including the certificate request information and the signed data when the signed data returned by the subscriber identification card is received, wherein the signed data is obtained by the subscriber identification card signing the hash data with the private key of the generated key pair;
a certificate acquisition module, configured to obtain a digital certificate according to the certificate request packet.
10. A subscriber identification card, characterized by comprising:
a key pair generation module, configured to generate a key pair when a key-pair generation instruction sent by a signature service system is received, and to return the public key information of the key pair to the signature service system;
a data signature module, configured to sign the hash data using the private key of the key pair when hash data sent by the signature service system is received, obtain signed data, and return the signed data to the signature service system.
11. A digital certificate application system, characterized by comprising the signature service system according to claim 9 and the subscriber identification card according to claim 10.
12. A digital certificate application device, characterized by comprising: at least one processor, at least one memory, and computer program instructions stored in the memory, which, when executed by the processor, implement the method according to any one of claims 1 to 4 or any one of claims 5 to 7.
13. A computer-readable storage medium on which computer program instructions are stored, characterized in that when the computer program instructions are executed by a processor, the method according to any one of claims 1 to 4 or any one of claims 5 to 7 is implemented.
CN201711456434.2A 2017-12-28 2017-12-28 Digital certificate application method, system, user identification card, device and medium Active CN109981278B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711456434.2A CN109981278B (en) 2017-12-28 2017-12-28 Digital certificate application method, system, user identification card, device and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711456434.2A CN109981278B (en) 2017-12-28 2017-12-28 Digital certificate application method, system, user identification card, device and medium

Publications (2)

Publication Number Publication Date
CN109981278A true CN109981278A (en) 2019-07-05
CN109981278B CN109981278B (en) 2022-09-13

Family

ID=67074332

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711456434.2A Active CN109981278B (en) 2017-12-28 2017-12-28 Digital certificate application method, system, user identification card, device and medium

Country Status (1)

Country Link
CN (1) CN109981278B (en)

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170244558A1 (en) * 2003-12-22 2017-08-24 Assa Abloy Ab Trusted and unsupervised digital certificate generation using a security token
CN101777978A (en) * 2008-11-24 2010-07-14 华为终端有限公司 Method and system based on wireless terminal for applying digital certificate and wireless terminal
CN101527630A (en) * 2008-12-31 2009-09-09 北京飞天诚信科技有限公司 Method, server and system for manufacturing certificate remotely
CN101938520A (en) * 2010-09-07 2011-01-05 中兴通讯股份有限公司 Mobile terminal signature-based remote payment system and method
WO2012031433A1 (en) * 2010-09-07 2012-03-15 中兴通讯股份有限公司 System and method for remote payment based on mobile terminal
CN101977193A (en) * 2010-10-28 2011-02-16 北京飞天诚信科技有限公司 Method and system for safely downloading certificate
CN102904865A (en) * 2011-07-29 2013-01-30 中国移动通信集团公司 Method, system and equipment for management of multiple digital certificates on basis of mobile terminal
CN106921496A (en) * 2015-12-25 2017-07-04 卓望数码技术(深圳)有限公司 A kind of digital signature method and system
CN106936577A (en) * 2015-12-29 2017-07-07 航天信息股份有限公司 A kind of method for certificate request, terminal and system

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111125665A (en) * 2019-12-04 2020-05-08 中国联合网络通信集团有限公司 Authentication method and device
CN111209589A (en) * 2019-12-31 2020-05-29 航天信息股份有限公司 Method and system for dynamic data desensitization based on regional chain
CN111291392A (en) * 2020-01-22 2020-06-16 京东数字科技控股有限公司 Electronic signature method and device, electronic equipment and storage medium
CN111428279A (en) * 2020-03-26 2020-07-17 国汽(北京)智能网联汽车研究院有限公司 Explicit certificate generation method, device, equipment and storage medium
CN111428279B (en) * 2020-03-26 2023-12-08 国汽(北京)智能网联汽车研究院有限公司 Explicit certificate generation method, device, equipment and storage medium
CN112491613A (en) * 2020-11-26 2021-03-12 北京航空航天大学 Information service identifier generation method and device
CN114125844A (en) * 2021-11-24 2022-03-01 中国银行股份有限公司 Method and device for generating and downloading digital certificate
CN114125844B (en) * 2021-11-24 2024-04-19 中国银行股份有限公司 Method and device for generating and downloading digital certificate

Also Published As

Publication number Publication date
CN109981278B (en) 2022-09-13

Similar Documents

Publication Publication Date Title
CN109981278A (en) Applying digital certificate method, system, subscriber identification card, equipment and medium
CN111224788B (en) Electronic contract management method, device and system based on block chain
CN113572715B (en) Data transmission method and system based on block chain
US10237072B2 (en) Signatures for near field communications
JP2007502578A (en) How to use reliable hardware-based identity credentials in runtime package signing for secure mobile communications and expensive transaction execution
CN110362990A (en) Using the security processing of installation, apparatus and system
CN110414190B (en) Signature method of application installation package, related device, storage medium and electronic equipment
CA2355928C (en) Method and system for implementing a digital signature
CN109005032B (en) Routing method and device
CN106789075B (en) POS digital signature anti-cutting system
CN108683674A (en) Verification method, device, terminal and the computer readable storage medium of door lock communication
CN109245899B (en) Trust chain design method based on SM9 cryptographic algorithm
CN108900311A (en) A kind of no certificate bluetooth key endorsement method and system
CN112055019A (en) Method for establishing communication channel and user terminal
US20030059049A1 (en) Method and apparatus for secure mobile transaction
CN106656993B (en) Dynamic verification code verification method and device
CN111130798A (en) Request authentication method and related equipment
US20080082830A1 (en) Method and system for displaying trust level on a wireless communication device
CN105939194A (en) Backup method and backup system for private key of electronic key device
CN114760114A (en) Identity authentication method, device, equipment and medium
CN109391473B (en) Electronic signature method, device and storage medium
CN113742709A (en) Information processing method and device, readable medium and electronic equipment
CN110635916A (en) TEE-based security application authentication method
CN111600703B (en) SM 2-based signature method, system, electronic equipment and storage medium
CN109005187A (en) A kind of communication information guard method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant