CN109981278A - Digital certificate application method, system, subscriber identity card, device and medium - Google Patents
- Publication number
- CN109981278A (application CN201711456434.2A)
- Authority
- CN
- China
- Prior art keywords
- certificate
- identification card
- service system
- subscriber identification
- data
- Prior art date
- Legal status (as assumed by Google; not a legal conclusion)
- Granted
Classifications
- H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
  - H04L9/3236: using cryptographic hash functions
  - H04L9/3247: involving digital signatures
  - H04L9/3263: involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
  - H04L9/3234: involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
Abstract
The invention discloses a digital certificate application method, a signature service system, a subscriber identity card, a digital certificate application system, a digital certificate application device and a computer-readable storage medium. The digital certificate application method includes: when a certificate application request sent by a business system is received, generating a key pair generation instruction and sending it to the subscriber identity card; after receiving the public key information returned by the subscriber identity card, forming certificate request information that includes the public key information; hashing the certificate request information to obtain hash data, and sending the hash data to the subscriber identity card; when the signed data returned by the subscriber identity card is received, forming a certificate request data packet that includes the certificate request information and the signed data; and obtaining a digital certificate from the certificate request data packet. Embodiments of the invention can improve the reliability and stability of the digital certificate application process.
Description
Technical field
The present invention relates to the technical field of digital certificates, and in particular to a digital certificate application method, a signature service system, a subscriber identity card, a digital certificate application system, a digital certificate application device and a computer-readable storage medium.
Background technique
In recent years the internet, and the mobile internet in particular, has grown rapidly, and secure, widely usable mobile signature products are an important safeguard for the security of mobile internet services. Traditional USB keys (U-shield) and password tokens have many shortcomings in portability and terminal transparency, so a digital certificate technology suited to the mobile internet era has emerged, providing protection for account security and payment security of all kinds.
The current digital certificate application method is as follows:
1. The mobile signature platform sends a data SMS over the mobile network requesting the SIM card to generate a P10 data packet, i.e. a certificate request data packet;
2. The SIM card generates a public/private key pair and assembles the P10 data packet;
3. The SIM card splits the complete P10 data packet into several data SMS messages and sends them to the mobile signature platform;
4. The mobile signature platform submits the P10 data packet to the digital certificate issuing platform to obtain the digital certificate.
The above method has the following disadvantage. Data is exchanged between the mobile signature service system and the SIM card by data SMS, and the P10 data packet carries a lot of information. Taking 1024-bit RSA as an example, a P10 data packet produced under ASN.1 encoding is at least 350 bytes long, whereas the maximum payload of a data SMS is 140 bytes, part of which is taken by the secure packet header of the data SMS. The SIM card therefore needs at least four consecutive uplink data SMS messages to deliver a complete P10 data packet to the mobile signature service system. Allowing for factors such as the limited data length of concatenated SMS, many messages are needed for one P10 data packet and the mobile signature platform waits a long time, so the reliability and stability of the system are poor.
Summary of the invention
Embodiments of the invention provide a digital certificate application method, a signature service system, a subscriber identity card, a digital certificate application system, a digital certificate application device and a computer-readable storage medium.
In a first aspect, an embodiment of the invention provides a digital certificate application method, the method including:
when a certificate application request sent by a business system is received, generating a key pair generation instruction and sending the key pair generation instruction to a subscriber identity card;
after receiving the public key information returned by the subscriber identity card, forming certificate request information that includes the public key information;
hashing the certificate request information to obtain hash data, and sending the hash data to the subscriber identity card;
when the signed data returned by the subscriber identity card is received, forming a certificate request data packet that includes the certificate request information and the signed data, where the signed data is obtained by the subscriber identity card signing the hash data with the private key of the generated key pair;
obtaining a digital certificate according to the certificate request data packet.
In a second aspect, an embodiment of the invention provides a digital certificate application method, the method including:
when a key pair generation instruction sent by a signature service system is received, generating a key pair and returning the public key information of the key pair to the signature service system;
when hash data sent by the signature service system is received, signing the hash data with the private key of the key pair to obtain signed data, and returning the signed data to the signature service system.
In a third aspect, an embodiment of the invention provides a digital certificate application method, the method including:
the signature service system, when it receives a certificate application request sent by a business system, generates a key pair generation instruction and sends the key pair generation instruction to a subscriber identity card;
the subscriber identity card, when it receives the key pair generation instruction sent by the signature service system, generates a key pair and returns the public key information of the key pair to the signature service system;
the signature service system, after receiving the public key information returned by the subscriber identity card, forms certificate request information that includes the public key information, hashes the certificate request information to obtain hash data, and sends the hash data to the subscriber identity card;
the subscriber identity card, when it receives the hash data sent by the signature service system, signs the hash data with the private key of the key pair to obtain signed data and returns the signed data to the signature service system;
the signature service system, when it receives the signed data returned by the subscriber identity card, forms a certificate request data packet that includes the certificate request information and the signed data, and obtains a digital certificate according to the certificate request data packet.
In a fourth aspect, an embodiment of the invention provides a signature service system, the system including:
an instruction generation module, for generating a key pair generation instruction when a certificate application request sent by a business system is received, and sending the key pair generation instruction to a subscriber identity card;
an information forming module, for forming certificate request information that includes the public key information after the public key information returned by the subscriber identity card is received;
a hash operation module, for hashing the certificate request information to obtain hash data and sending the hash data to the subscriber identity card;
a data packet forming module, for forming a certificate request data packet that includes the certificate request information and the signed data when the signed data returned by the subscriber identity card is received, where the signed data is obtained by the subscriber identity card signing the hash data with the private key of the generated key pair;
a certificate acquisition module, for obtaining a digital certificate according to the certificate request data packet.
In a fifth aspect, an embodiment of the invention provides a subscriber identity card, including:
a key pair generation module, for generating a key pair when a key pair generation instruction sent by a signature service system is received, and returning the public key information of the key pair to the signature service system;
a data signing module, for signing the hash data with the private key of the key pair when hash data sent by the signature service system is received, obtaining signed data, and returning the signed data to the signature service system.
In a sixth aspect, an embodiment of the invention provides a digital certificate application system, including the signature service system of the fourth aspect and the subscriber identity card of the fifth aspect.
In a seventh aspect, an embodiment of the invention provides a digital certificate application device, including at least one processor, at least one memory and computer program instructions stored in the memory; when the computer program instructions are executed by the processor, the method of the first or second aspect of the above embodiments is implemented.
In an eighth aspect, an embodiment of the invention provides a computer-readable storage medium on which computer program instructions are stored; when the computer program instructions are executed by a processor, the method of the first or second aspect of the above embodiments is implemented.
In the above scheme provided by embodiments of the invention, the certificate request information in the certificate request data packet is formed by the signature service system, and the assembly of the various data into the complete certificate request data packet is also completed in the signature service system; only the signed data in the certificate request data packet is formed by the subscriber identity card. The subscriber identity card therefore needs only one data SMS, rather than several, to send the signed data to the signature service system, so the waiting time of the signature service system is short. Compared with the prior art, in which the subscriber identity card needs several data SMS messages to send the relevant data to the signature service system, both the reliability and the stability of the digital certificate application process are improved.
Detailed description of the invention
In order to explain the technical solutions of the embodiments of the invention more clearly, the drawings needed for the embodiments are briefly described below. Those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 shows a flow diagram of the digital certificate application method in one embodiment of the invention;
Fig. 2 shows a flow diagram of the digital certificate application method in one embodiment of the invention;
Fig. 3 shows a flow diagram of the digital certificate application method in one embodiment of the invention;
Fig. 4 shows a flow diagram of the digital certificate application method in one embodiment of the invention;
Fig. 5 shows a flow diagram of executing a signature service in one embodiment of the invention;
Fig. 6 shows a structural block diagram of the signature service system in one embodiment of the invention;
Fig. 7 shows a structural block diagram of the subscriber identity card in one embodiment of the invention;
Fig. 8 shows a structural block diagram of the digital certificate application device in one embodiment of the invention.
Specific embodiment
Features and exemplary embodiments of various aspects of the invention are described in detail below. To make the objectives, technical solutions and advantages of the invention clearer, the invention is further described in detail with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are only intended to explain the invention, not to limit it. To those skilled in the art, the invention can be practised without some of these details. The following description of embodiments is provided only to give a better understanding of the invention by showing examples of it.
It should be noted that relational terms such as "first" and "second" are used here only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise" and any variant of them are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to the process, method, article or device. In the absence of further restrictions, an element introduced by "including a ..." does not exclude the presence of further identical elements in the process, method, article or device that includes that element.
In a first aspect, an embodiment of the invention provides a digital certificate application method that can be executed by a signature service system and, as shown in Fig. 1, can include the following steps:
S101, when a certificate application request sent by the business system is received, generate a key pair generation instruction and send the key pair generation instruction to the subscriber identity card;
The business system may also be called the business platform.
For example, when a user asks the business administrator to handle the digital certificate download service on the user's behalf, the administrator checks the user's identity; after the check passes, the business platform sends a certificate application request to the signature service system, which starts the digital certificate application process. Optionally, when the certificate application request is received, the legitimacy of the business and the legitimacy of the PKI (public key infrastructure) can be checked in turn, and the key pair generation instruction is generated only after the checks pass.
The certificate application request is a request to apply for a digital certificate.
The subscriber identity card may also be called a SIM card. The SIM card is a financial-grade secure chip medium. After the SIM card receives the key pair generation instruction sent by the signature service system, it generates a key pair and returns the public key information of the key pair to the signature service system. The public key information may include the public key, the public exponent and/or other public key related information.
S102, after receiving the public key information returned by the subscriber identity card, form certificate request information that includes the public key information;
The certificate request information, i.e. certificationRequestInformation (the CertificationRequestInfo of PKCS#10), includes the public key information and may also include other information, for example an entity (subject) name. The other information in the certificate request information can be user-defined data, set as required. After the signature service system receives the public key information returned by the SIM card, it assembles the public key information and the other information into the certificate request information.
It will be appreciated that the certificate request information is one part of the certificate request data packet, i.e. the P10 data packet, and that this part is formed by the signature service system.
S103, hash the certificate request information to obtain hash data, and send the hash data to the subscriber identity card;
For example, the certificate request information is hashed with the SHA-1 algorithm to obtain the hash data. The hash algorithm must be the one named by the signature algorithm recorded in the resulting P10 data packet; SHA-256 is the usual choice today, since SHA-1 is no longer accepted for certificate signatures by certificate authorities.
After the SIM card receives the hash data, it signs the hash data with the private key of the generated key pair to obtain signed data, and returns the signed data to the signature service system. The signed data is thus formed by the SIM card.
S104, when the signed data returned by the subscriber identity card is received, form a certificate request data packet that includes the certificate request information and the signed data, where the signed data is obtained by the subscriber identity card signing the hash data with the private key of the generated key pair;
It will be appreciated that the certificate request data packet, i.e. the PKCS#10 data packet (P10 data packet for short), includes the certificate request information and the signed data. It may also include other data, such as the signature algorithm. Specifically, the certificate request information, the signed data, the signature algorithm and/or other data are assembled into a complete P10 data packet according to the PKCS#10 format requirements.
The P10 data packet is obtained by the above steps, and the digital certificate can then be obtained by S105.
S105, obtain a digital certificate according to the certificate request data packet.
In the digital certificate application method provided by this embodiment, the certificate request information in the certificate request data packet is formed by the signature service system, and the assembly of the various data into the complete certificate request data packet is also completed in the signature service system; only the signed data in the certificate request data packet is formed by the subscriber identity card. The subscriber identity card therefore needs only one data SMS, rather than several, to send the signed data to the signature service system, so the waiting time of the signature service system is short. Compared with the prior art, in which the subscriber identity card needs several data SMS messages to send the relevant data to the signature service system, the delay is shorter and the reliability and stability of the digital certificate application process are improved. Moreover, because the certificate request information in the certificate request data packet is formed by the signature service system rather than in the SIM card, the data in the certificate request information other than the public key information can be user-defined, so when interfacing with different PKIs (public key infrastructures) the signature service system can adapt flexibly to each PKI's interface. Compared with the prior art, where the certificate request message is generated by the SIM card and its format is therefore fixed, the signature service system of this embodiment is compatible with the interfaces of different PKIs, which improves the flexibility and scalability of the signature service system and helps it provide signature services.
In some embodiments there are many ways of obtaining the digital certificate from the P10 data packet in step S105; one optional way is described below:
S1051, send a certificate application request carrying the certificate request data packet to the digital certificate issuing system;
The digital certificate issuing system is, for example, a public key infrastructure (PKI), such as a digital certificate registration authority (RA) or a certification authority (CA). After the signature service system has formed the P10 data packet, it sends a certificate application request carrying the P10 data packet to the digital certificate issuing system. After the digital certificate issuing system receives this request, it generates and issues a digital certificate and returns the digital certificate to the signature service system.
S1052, when the digital certificate returned by the digital certificate issuing system is received, parse the digital certificate to obtain certificate data, and send the certificate data to the subscriber identity card;
S1053, when the response message returned by the subscriber identity card indicating that the certificate has been installed is received, send a certificate application success response message to the business system.
After the subscriber identity card receives the certificate data it installs the digital certificate, and when installation is complete it sends a certificate-installed response message to the signature service system. After the signature service system receives this response message, it returns a response message to the business system informing it that the digital certificate application succeeded.
In a second aspect, the invention also provides a digital certificate application method that can be executed by a subscriber identity card. As shown in Fig. 2, this method corresponds to the digital certificate application method executed by the signature service system and can include the following steps:
S201, when a key pair generation instruction sent by the signature service system is received, generate a key pair and return the public key information of the key pair to the signature service system;
It will be appreciated that the public key information may include the public key, the public exponent and/or other information.
In practice, before the key pair is generated, it can also be checked whether a signature password has been set, specifically whether the user who owns the SIM card, or the terminal in which the SIM card sits, has set a signature password. If a signature password is set, the key pair generation step is executed; if not, a prompt to set a signature password is sent to the user terminal, and the key pair generation step is executed once the user has set the signature password on the terminal. This ensures that a signature password already exists when the key pair generation step runs.
S202, when hash data sent by the signature service system is received, sign the hash data with the private key of the key pair to obtain signed data, and return the signed data to the signature service system.
It will be appreciated that the signing here is a private-key operation: the SIM card applies the private key of the key pair to the hash data (in RSA terms this is often described as "encrypting" the hash with the private key). It is the hash, not the certificate request information itself, that the card processes.
The digital certificate application method provided by this embodiment matches the digital certificate application method executed by the signature service system, and together they implement the application for a digital certificate. Because only the signed data in the certificate request data packet is formed by the subscriber identity card, the subscriber identity card needs only one data SMS, rather than several, to send the signed data to the signature service system, so the waiting time of the signature service system is short. Compared with the prior art, in which the subscriber identity card needs several data SMS messages to send the relevant data to the signature service system, both the reliability and the stability of the digital certificate application process are improved.
In some embodiments, the subscriber identity card can also perform the following step:
S203, when certificate data sent by the signature service system is received, install the digital certificate; and when the digital certificate has been installed, send a certificate-installed response message to the signature service system.
Through step S203 the SIM card completes the installation of the digital certificate. Step S203 matches steps S1051 to S1053 above, and together they complete the whole process of obtaining the digital certificate.
In a third aspect, based on the digital certificate application methods of the first and second aspects, an embodiment of the invention also provides a digital certificate application method executed by the signature service system and the subscriber identity card together. As shown in Fig. 3, it includes:
S301, the signature service system, when it receives a certificate application request sent by the business system, generates a key pair generation instruction and sends the key pair generation instruction to the subscriber identity card;
S302, the subscriber identity card, when it receives the key pair generation instruction sent by the signature service system, generates a key pair and returns the public key information of the key pair to the signature service system;
S303, the signature service system, after receiving the public key information returned by the subscriber identity card, forms certificate request information that includes the public key information, hashes the certificate request information to obtain hash data, and sends the hash data to the subscriber identity card;
S304, the subscriber identity card, when it receives the hash data sent by the signature service system, signs the hash data with the private key of the key pair to obtain signed data and returns the signed data to the signature service system;
S305, the signature service system, when it receives the signed data returned by the subscriber identity card, forms a certificate request data packet that includes the certificate request information and the signed data, and obtains a digital certificate according to the certificate request data packet.
For the explanation, examples and beneficial effects of the relevant content of the digital certificate application method provided in the embodiments of the present application, reference may be made to the corresponding parts of the first aspect and the second aspect above, which are not repeated here.
Referring specifically to Fig. 4, the overall process of applying for a digital certificate generally includes:
S401, the user requests the service administrator to download a digital certificate;
S402, the service administrator verifies the identity of the user;
S403, after the verification passes, the certificate application process is triggered through the business system;
S404, after the certificate application process is triggered, the business system sends a certificate application request to the signature service system;
S405, after receiving the certificate application request sent by the business system, the signature service system generates a key pair generation instruction;
S406, the signature service system sends the key pair generation instruction to the SIM card;
S407, after receiving the key pair generation instruction, the SIM card generates a key pair;
S408, the SIM card sends the public key information of the key pair, such as the public key and the public exponent, to the signature service system;
S409, the signature service system forms certificate request information from the public key information and performs a hash operation on the certificate request information to obtain hash data;
S410, the signature service system sends the generated hash data to the SIM card;
S411, the SIM card signs the hash data with the private key to obtain signature data;
S412, the SIM card returns the signature data to the signature service system;
S413, the signature service system assembles the signature data, the certificate request information, the signature algorithm and other data into a P10 data packet according to the format requirements of a P10 (PKCS#10) data packet;
S414, the signature service system sends a certificate application request carrying the P10 data packet to the RA/CA;
S415, on receiving the certificate application request, the RA/CA generates the corresponding digital certificate;
S416, the RA/CA returns the digital certificate to the signature service system;
S417, the signature service system parses the digital certificate to obtain the certificate data (also referred to as the certificate information);
S418, the signature service system sends the certificate data to the SIM card;
S419, the SIM card installs the digital certificate;
S420, after the installation is complete, the SIM card sends an installation completed response message to the signature service system;
S421, after receiving the response message sent by the SIM card, the signature service system sends an application successful response message to the business system.
Through steps S401 to S421 above, the application for the digital certificate is completed.
After the application for the digital certificate has been completed by steps S401 to S421 above, a digital signature service can be provided to the user. The specific signature service process may include:
S501, the business system sends the RSA (public key encryption algorithm) encrypted data to be signed to the signature service system;
S502, the signature service system sends a business signature request carrying the data to be signed to the SIM card;
S503, the signature service system RSA-encrypts the data to be signed to obtain transaction data;
S504, the signature service system sends the transaction data to the user terminal;
S505, the user terminal pops up an STK (SIM Tool Kit, i.e. the user identity identification application development toolkit) menu displaying the transaction data, and the user confirms the transaction data;
S506, the user terminal sends the user's confirmation result to the SIM card;
S507, the SIM card signs the user's confirmation result with the private key;
S508, the SIM card sends a response message to the signature service system based on the signed user confirmation result;
S509, after receiving the response message sent by the SIM card, the signature service system sends a response message to the business system.
Through steps S501 to S509 above, the signature service is realized. In the above process, the business system sends the data to be signed directly to the SIM card for signing via the signature service system, and the signature service system no longer performs a hash operation on the data to be signed; the signature process is therefore simple and efficient.
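The certificate application exchange (S301 to S305, S405 to S413) and the business signing exchange (S501 to S509) above share the property that makes this design interesting: the key pair is generated and used only inside the SIM card, the signature service hands the card a hash (or, for business signing, the data the user confirmed) and receives a signature, which it assembles together with the certificate request information and the signature algorithm into the P10 packet. The following Python is an added example and not code from the patent or from any product it describes. The names `SimCard`, `build_p10`, `verify_pkcs1` and the `{"modulus", "public_exponent"}` dictionary are ours; the RSA key generation is textbook, and the DER encoding is hand-rolled and simplified (a single commonName, no attributes), so it demonstrates the message flow rather than serving as a production implementation. It also adds one check the text does not mention: before the packet is sent towards the RA/CA, the service verifies the card's signature against the public key the card returned, so a reply that was signed with some other key is rejected on the service side instead of by the CA.

```python
# Added example (not the patent's code): the SIM card generates and keeps the private key,
# the signature service sends it only a hash and assembles the returned signature into a P10.
# Textbook RSA and hand-rolled DER, adequate to show the flow, not a production library.
import hashlib
import secrets

def der(tag, body):
    """Minimal DER TLV encoder (constructed for this example)."""
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_int(x):
    # An extra leading byte whenever the top bit is set keeps the INTEGER positive.
    return der(0x02, x.to_bytes(x.bit_length() // 8 + 1, "big"))

def der_seq(*items):
    return der(0x30, b"".join(items))

# Standard values: OIDs rsaEncryption, sha256WithRSAEncryption, commonName, and the
# SHA-256 DigestInfo prefix defined for PKCS#1 v1.5.
OID_RSA_ENCRYPTION = der(0x06, bytes.fromhex("2a864886f70d010101"))
OID_SHA256_WITH_RSA = der(0x06, bytes.fromhex("2a864886f70d01010b"))
OID_COMMON_NAME = der(0x06, bytes.fromhex("550403"))
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
DER_NULL = b"\x05\x00"

def is_probable_prime(n, rounds=16):
    """Miller-Rabin, adequate for an illustrative key."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p):
            return p

def pkcs1_v15_encode(digest, k):
    """EMSA-PKCS1-v1_5 encoding of a SHA-256 digest for a k-byte modulus."""
    t = SHA256_DIGESTINFO + digest
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

class SimCard:
    """The private key is created here and never leaves (S302/S407)."""
    def generate_key_pair(self, bits=1024):
        e = 65537
        while True:
            p, q = random_prime(bits // 2), random_prime(bits // 2)
            phi = (p - 1) * (q - 1)
            if p != q and phi % e:
                break
        self.n, self.e, self._d = p * q, e, pow(e, -1, phi)
        return {"modulus": self.n, "public_exponent": self.e}   # S408: public parts only

    def sign_hash(self, digest):
        """S411: sign the 32-byte SHA-256 digest supplied by the service."""
        if len(digest) != 32:
            raise ValueError("expected a 32-byte SHA-256 digest")
        k = (self.n.bit_length() + 7) // 8
        em = int.from_bytes(pkcs1_v15_encode(digest, k), "big")
        return pow(em, self._d, self.n).to_bytes(k, "big")

    def sign_message(self, data):
        """S507: business signing; the card hashes the confirmed data itself."""
        return self.sign_hash(hashlib.sha256(data).digest())

def verify_pkcs1(pub, data, sig):
    """Check a signature against a public key before trusting it."""
    k = (pub["modulus"].bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), pub["public_exponent"], pub["modulus"])
    return em.to_bytes(k, "big") == pkcs1_v15_encode(hashlib.sha256(data).digest(), k)

def build_p10(sim, common_name):
    """Signature service side of S405-S413: it never sees the private key."""
    pub = sim.generate_key_pair()                                        # S406-S408
    spki = der_seq(der_seq(OID_RSA_ENCRYPTION, DER_NULL), der(0x03, b"\x00" + der_seq(
        der_int(pub["modulus"]), der_int(pub["public_exponent"]))))
    subject = der_seq(der(0x31, der_seq(OID_COMMON_NAME, der(0x0C, common_name.encode()))))
    cri = der_seq(der_int(0), subject, spki, der(0xA0, b""))             # S409: CertificationRequestInfo
    sig = sim.sign_hash(hashlib.sha256(cri).digest())                    # S410-S412: only the hash crosses
    if not verify_pkcs1(pub, cri, sig):    # added check: reject a reply that does not match the card's key
        raise ValueError("card signature does not verify against the returned public key")
    p10 = der_seq(cri, der_seq(OID_SHA256_WITH_RSA, DER_NULL), der(0x03, b"\x00" + sig))  # S413
    return {"p10": p10, "request_info": cri, "signature": sig, "public_key": pub}
```

`build_p10(SimCard(), "user")["p10"]` is the DER-encoded CertificationRequest that step S414 would carry to the RA/CA. Only the request information, its hash and the signature cross the boundary between the service and the card, which is the property the scheme relies on; a deployment would replace the hand-rolled DER and textbook RSA with an ASN.1 library and a certified cryptographic implementation.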
In a fourth aspect, the embodiments of the present invention provide a signature service system. As shown in Fig. 6, the system 600 includes:
an instruction generation module 601, configured to generate a key pair generation instruction on receiving a certificate application request sent by the business system, and to send the key pair generation instruction to the subscriber identification card;
an information forming module 602, configured to form certificate request information including the public key information after receiving the public key information returned by the subscriber identification card;
a hash operation module 603, configured to perform a hash operation on the certificate request information to obtain hash data, and to send the hash data to the subscriber identification card;
a data packet forming module 604, configured to form, on receiving the signature data returned by the subscriber identification card, a certificate request data packet including the certificate request information and the signature data, wherein the signature data is obtained by the subscriber identification card signing the hash data with the private key of the generated key pair;
a certificate acquisition module 605, configured to obtain a digital certificate according to the certificate request data packet.
In some embodiments, the certificate acquisition module is specifically configured to: send a certificate application request carrying the certificate request data packet to a digital certificate issuing system; on receiving the digital certificate returned by the digital certificate issuing system, parse the digital certificate to obtain certificate data and send the certificate data to the subscriber identification card; and on receiving the response message returned by the subscriber identification card indicating that the certificate has been installed, send a certificate application successful response message to the business system.
In some embodiments, the certificate request data packet formed by the information forming module specifically includes the certificate request information, the signature data and the signature algorithm.
In some embodiments, the public key information includes the public key and the public exponent.
It will be appreciated that each functional module in the above signature service system corresponds to a step of the digital certificate application method provided in the first aspect; for the explanation, examples and beneficial effects of the relevant content, reference may be made to the corresponding content in the first aspect, which is not repeated here.
In a fifth aspect, the embodiments of the present invention provide a subscriber identification card. As shown in Fig. 7, the subscriber identification card 700 includes:
a key pair generation module 701, configured to generate a key pair on receiving a key pair generation instruction sent by the signature service system, and to return the public key information of the key pair to the signature service system;
a data signature module 702, configured to sign the hash data with the private key of the key pair on receiving the hash data sent by the signature service system, to obtain signature data, and to return the signature data to the signature service system.
In some embodiments, the subscriber identification card further includes:
a certificate installation module, configured to install the digital certificate on receiving the certificate data sent by the signature service system, and to send a response message indicating that the certificate has been installed to the signature service system when the installation of the digital certificate is complete.
In some embodiments, the key pair generation module is configured to detect, before generating the key pair, whether a signature password has been set on the user terminal; if so, the step of generating the key pair is executed; otherwise, prompt information for setting a signature password is issued to the user terminal, and the step of generating the key pair is executed after the signature password has been set on the user terminal.
It will be appreciated that each functional module in the above subscriber identification card corresponds to a step of the digital certificate application method provided in the second aspect; for the explanation, examples and beneficial effects of the relevant content, reference may be made to the corresponding content in the second aspect, which is not repeated here.
In a sixth aspect, the embodiments of the present invention provide a digital certificate application system, including the signature service system of the fourth aspect and the subscriber identification card of the fifth aspect.
In a seventh aspect, the embodiments of the present invention provide a digital certificate application device for executing the digital certificate application method of the first aspect or the second aspect. Fig. 8 shows a schematic diagram of the hardware structure of the digital certificate application device provided in an embodiment of the present invention.
The digital certificate application device may include a processor 801 and a memory 802 storing computer program instructions.
Specifically, the processor 801 may include a central processing unit (CPU), an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
The memory 802 may include a mass storage for data or instructions. By way of example and not limitation, the memory 802 may include a hard disk drive (HDD), a floppy disk drive, flash memory, an optical disc, a magneto-optical disc, magnetic tape, a Universal Serial Bus (USB) drive, or a combination of two or more of these. Where appropriate, the memory 802 may include removable or non-removable (or fixed) media. Where appropriate, the memory 802 may be internal or external to the data processing device. In a particular embodiment, the memory 802 is a non-volatile solid-state memory. In a particular embodiment, the memory 802 includes read-only memory (ROM). Where appropriate, the ROM may be mask-programmed ROM, programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM), electrically alterable ROM (EAROM), flash memory, or a combination of two or more of these.
The processor 801 implements any of the digital certificate application methods in the above embodiments by reading and executing the computer program instructions stored in the memory 802.
In one example, the digital certificate application device may further include a communication interface 803 and a bus 810. As shown in Fig. 8, the processor 801, the memory 802 and the communication interface 803 are connected by the bus 810 and communicate with each other through it.
The communication interface 803 is mainly used to realize communication between the modules, apparatuses, units and/or devices in the embodiments of the present invention.
The bus 810 includes hardware, software or both, and couples the components of the digital certificate application device to each other. By way of example and not limitation, the bus may include an Accelerated Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a front-side bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a Low Pin Count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCI-X) bus, a Serial Advanced Technology Attachment (SATA) bus, a Video Electronics Standards Association local (VLB) bus, another suitable bus, or a combination of two or more of these. Where appropriate, the bus 810 may include one or more buses. Although specific buses have been described and illustrated in the embodiments of the present invention, the present invention contemplates any suitable bus or interconnect.
The digital certificate application device can execute the digital certificate application method in the embodiments of the present invention based on the obtained network management performance indicators of the cell to be measured.
It should be clear that the invention is not limited to the specific configurations and processing described above and shown in the figures. For brevity, detailed descriptions of known methods are omitted here. In the above embodiments, several specific steps have been described and illustrated as examples. However, the method processes of the present invention are not limited to the specific steps described and illustrated; those skilled in the art may make various changes, modifications and additions, or change the order of the steps, after understanding the spirit of the present invention.
The functional blocks shown in the structural block diagrams described above may be implemented as hardware, software, firmware or a combination thereof. When implemented in hardware, they may be, for example, electronic circuits, application specific integrated circuits (ASICs), suitable firmware, plug-ins, function cards and the like. When implemented in software, the elements of the present invention are programs or code segments used to perform the required tasks. The programs or code segments may be stored in a machine-readable medium, or transmitted over a transmission medium or communication link by a data signal carried in a carrier wave. A "machine-readable medium" may include any medium capable of storing or transmitting information. Examples of machine-readable media include electronic circuits, semiconductor memory devices, ROM, flash memory, erasable ROM (EROM), floppy disks, CD-ROMs, optical discs, hard disks, fiber optic media, radio frequency (RF) links and the like. The code segments may be downloaded via a computer network such as the Internet or an intranet.
In an eighth aspect, the embodiments of the present invention provide a computer-readable storage medium on which computer program instructions are stored; when the computer program instructions are executed by a processor, the digital certificate application method provided in the first aspect or the second aspect is realized.
It should also be noted that the exemplary embodiments mentioned in the present invention describe certain methods or systems based on a series of steps or apparatuses. However, the present invention is not limited to the order of the above steps; that is, the steps may be executed in the order mentioned in the embodiments, in an order different from that in the embodiments, or several steps may be executed simultaneously.
The above description is merely of specific embodiments of the present invention. It is apparent to those skilled in the art that, for convenience and brevity of description, the specific working processes of the systems, modules and units described above may refer to the corresponding processes in the foregoing method embodiments and are not described again here. It should be understood that the protection scope of the present invention is not limited thereto; any person skilled in the art can readily conceive of various equivalent modifications or substitutions within the technical scope disclosed by the present invention, and these modifications or substitutions should be covered by the protection scope of the present invention.
Claims (13)
1. A digital certificate application method, characterized by comprising:
on receiving a certificate application request sent by a business system, generating a key pair generation instruction and sending the key pair generation instruction to a subscriber identification card;
after receiving the public key information returned by the subscriber identification card, forming certificate request information including the public key information;
performing a hash operation on the certificate request information to obtain hash data, and sending the hash data to the subscriber identification card;
on receiving the signature data returned by the subscriber identification card, forming a certificate request data packet including the certificate request information and the signature data, wherein the signature data is obtained by the subscriber identification card signing the hash data with the private key of the generated key pair;
obtaining a digital certificate according to the certificate request data packet.
2. The method according to claim 1, wherein said obtaining a digital certificate according to the certificate request data packet comprises:
sending a certificate application request carrying the certificate request data packet to a digital certificate issuing system;
on receiving the digital certificate returned by the digital certificate issuing system, parsing the digital certificate to obtain certificate data, and sending the certificate data to the subscriber identification card;
on receiving a response message returned by the subscriber identification card indicating that the certificate has been installed, sending a certificate application successful response message to the business system.
3. The method according to claim 1, wherein said forming a certificate request data packet including the certificate request information and the signature data comprises: forming a certificate request data packet including the certificate request information, the signature data and a signature algorithm.
4. The method according to any one of claims 1 to 3, characterized in that the public key information includes a public key and a public exponent.
5. A digital certificate application method, characterized by comprising:
on receiving a key pair generation instruction sent by a signature service system, generating a key pair and returning the public key information of the key pair to the signature service system;
on receiving hash data sent by the signature service system, signing the hash data with the private key of the key pair to obtain signature data, and returning the signature data to the signature service system.
6. The method according to claim 5, characterized by further comprising:
on receiving certificate data sent by the signature service system, installing a digital certificate;
when the installation of the digital certificate is complete, sending a response message indicating that the certificate has been installed to the signature service system.
7. The method according to claim 5 or 6, characterized in that, before said generating a key pair, the method further comprises:
detecting whether a signature password has been set on the user terminal;
if so, executing the step of generating the key pair;
otherwise, issuing prompt information for setting a signature password to the user terminal, and executing the step of generating the key pair after the signature password has been set on the user terminal.
8. A digital certificate application method, characterized by comprising:
a signature service system, on receiving a certificate application request sent by a business system, generating a key pair generation instruction and sending the key pair generation instruction to a subscriber identification card;
the subscriber identification card, on receiving the key pair generation instruction sent by the signature service system, generating a key pair and returning the public key information of the key pair to the signature service system;
the signature service system, after receiving the public key information returned by the subscriber identification card, forming certificate request information including the public key information, performing a hash operation on the certificate request information to obtain hash data, and sending the hash data to the subscriber identification card;
the subscriber identification card, on receiving the hash data sent by the signature service system, signing the hash data with the private key of the key pair to obtain signature data, and returning the signature data to the signature service system;
the signature service system, on receiving the signature data returned by the subscriber identification card, forming a certificate request data packet including the certificate request information and the signature data, and obtaining a digital certificate according to the certificate request data packet.
9. A signature service system, characterized by comprising:
an instruction generation module, configured to generate a key pair generation instruction on receiving a certificate application request sent by a business system, and to send the key pair generation instruction to a subscriber identification card;
an information forming module, configured to form certificate request information including the public key information after receiving the public key information returned by the subscriber identification card;
a hash operation module, configured to perform a hash operation on the certificate request information to obtain hash data, and to send the hash data to the subscriber identification card;
a data packet forming module, configured to form, on receiving the signature data returned by the subscriber identification card, a certificate request data packet including the certificate request information and the signature data, wherein the signature data is obtained by the subscriber identification card signing the hash data with the private key of the generated key pair;
a certificate acquisition module, configured to obtain a digital certificate according to the certificate request data packet.
10. A subscriber identification card, characterized by comprising:
a key pair generation module, configured to generate a key pair on receiving a key pair generation instruction sent by a signature service system, and to return the public key information of the key pair to the signature service system;
a data signature module, configured to sign the hash data with the private key of the key pair on receiving hash data sent by the signature service system, to obtain signature data, and to return the signature data to the signature service system.
11. A digital certificate application system, characterized by comprising the signature service system according to claim 9 and the subscriber identification card according to claim 10.
12. A digital certificate application device, characterized by comprising: at least one processor, at least one memory, and computer program instructions stored in the memory, wherein the method according to any one of claims 1 to 4 or any one of claims 5 to 7 is realized when the computer program instructions are executed by the processor.
13. A computer-readable storage medium on which computer program instructions are stored, characterized in that the method according to any one of claims 1 to 4 or any one of claims 5 to 7 is realized when the computer program instructions are executed by a processor.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711456434.2A CN109981278B (en) | 2017-12-28 | 2017-12-28 | Digital certificate application method, system, user identification card, device and medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109981278A true CN109981278A (en) | 2019-07-05 |
CN109981278B CN109981278B (en) | 2022-09-13 |
Family
ID=67074332
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711456434.2A Active CN109981278B (en) | 2017-12-28 | 2017-12-28 | Digital certificate application method, system, user identification card, device and medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109981278B (en) |
Patent Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20170244558A1 (en) * | 2003-12-22 | 2017-08-24 | Assa Abloy Ab | Trusted and unsupervised digital certificate generation using a security token |
CN101777978A (en) * | 2008-11-24 | 2010-07-14 | 华为终端有限公司 | Method and system based on wireless terminal for applying digital certificate and wireless terminal |
CN101527630A (en) * | 2008-12-31 | 2009-09-09 | 北京飞天诚信科技有限公司 | Method, server and system for manufacturing certificate remotely |
CN101938520A (en) * | 2010-09-07 | 2011-01-05 | 中兴通讯股份有限公司 | Mobile terminal signature-based remote payment system and method |
WO2012031433A1 (en) * | 2010-09-07 | 2012-03-15 | 中兴通讯股份有限公司 | System and method for remote payment based on mobile terminal |
CN101977193A (en) * | 2010-10-28 | 2011-02-16 | 北京飞天诚信科技有限公司 | Method and system for safely downloading certificate |
CN102904865A (en) * | 2011-07-29 | 2013-01-30 | 中国移动通信集团公司 | Method, system and equipment for management of multiple digital certificates on basis of mobile terminal |
CN106921496A (en) * | 2015-12-25 | 2017-07-04 | 卓望数码技术(深圳)有限公司 | A kind of digital signature method and system |
CN106936577A (en) * | 2015-12-29 | 2017-07-07 | 航天信息股份有限公司 | A kind of method for certificate request, terminal and system |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111125665A (en) * | 2019-12-04 | 2020-05-08 | 中国联合网络通信集团有限公司 | Authentication method and device |
CN111209589A (en) * | 2019-12-31 | 2020-05-29 | 航天信息股份有限公司 | Method and system for dynamic data desensitization based on regional chain |
CN111291392A (en) * | 2020-01-22 | 2020-06-16 | 京东数字科技控股有限公司 | Electronic signature method and device, electronic equipment and storage medium |
CN111428279A (en) * | 2020-03-26 | 2020-07-17 | 国汽(北京)智能网联汽车研究院有限公司 | Explicit certificate generation method, device, equipment and storage medium |
CN111428279B (en) * | 2020-03-26 | 2023-12-08 | 国汽(北京)智能网联汽车研究院有限公司 | Explicit certificate generation method, device, equipment and storage medium |
CN112491613A (en) * | 2020-11-26 | 2021-03-12 | 北京航空航天大学 | Information service identifier generation method and device |
CN114125844A (en) * | 2021-11-24 | 2022-03-01 | 中国银行股份有限公司 | Method and device for generating and downloading digital certificate |
CN114125844B (en) * | 2021-11-24 | 2024-04-19 | 中国银行股份有限公司 | Method and device for generating and downloading digital certificate |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||