CN111682937B - Method and device for applying and distributing key of enhanced CPK - Google Patents

Publication number
CN111682937B
Authority
CN
China
Prior art keywords
key
random
client
time
parameter
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010513592.2A
Other languages
Chinese (zh)
Other versions
CN111682937A (en
Inventor
南相浩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jin Shang Bo Chuang Beijing Science&technology Co ltd
Original Assignee
Jin Shang Bo Chuang Beijing Science&technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Jin Shang Bo Chuang Beijing Science&technology Co ltd filed Critical Jin Shang Bo Chuang Beijing Science&technology Co ltd
Priority to CN202010513592.2A priority Critical patent/CN111682937B/en
Publication of CN111682937A publication Critical patent/CN111682937A/en
Application granted granted Critical
Publication of CN111682937B publication Critical patent/CN111682937B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H04L63/068 Network architectures or network communication protocols for network security for supporting key management in a packet data network using time-dependent keys, e.g. periodically changing keys
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • H04L9/0872 Generation of secret information including derivation or calculation of cryptographic keys or passwords using geo-location information, e.g. location data, time, relative position or proximity to other entities
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Abstract

The embodiment of the invention provides a method and a device for applying and distributing a key of an enhanced CPK, belongs to the technical field of network security, and solves the problem in the prior art that a public key system can be broken through its public key by means of quantum computation. The method comprises the following steps: the client sends a time key application message to the service center; receives a first response parameter sent by the service center; defines a first random number and a first random key, and obtains a first random parameter and a second random parameter according to the first response parameter and the first random number; encrypts the key parameter by using the second random parameter, and sends the first random parameter and the encrypted key parameter, wherein the key parameter comprises a network time, a key application identifier and the first random key; and receives time key information, and decrypts the time key information by using the first random key to obtain a time key, wherein the time key is related to the network time and the key application identifier. The embodiment of the invention is suitable for the processes of user encryption, decryption, signature and verification.

Description

Method and device for applying and distributing key of enhanced CPK
Technical Field
The invention relates to the technical field of network security, and in particular to a method and a device for applying and distributing a key of an enhanced CPK (Combined Public Key).
Background
At present, all public key systems work on the principle that the public key is disclosed; if the public key is not disclosed, key encryption and signature verification cannot be performed. However, with the continuous development of quantum computation, once the public key is disclosed, the public key system is broken within a few hours through quantum computation, so as to obtain the private key corresponding to the public key.
Disclosure of Invention
The embodiment of the invention aims to provide a method and a device for applying and distributing a key of an enhanced CPK, which solve the problem that a public key system can be broken through a public key by utilizing quantum computation in the prior art.
In order to achieve the above object, an embodiment of the present invention provides a method for applying and distributing a key of an enhanced CPK, where the method is applied to a client, and the method includes: sending a time key application message to a service center; receiving a first response parameter sent by the service center; defining a first random number and a first random key, and obtaining a first random parameter and a second random parameter according to the first response parameter and the first random number; encrypting the key parameter by using the second random parameter, and sending the first random parameter and the encrypted key parameter to the service center, wherein the key parameter comprises network time, a key application identifier and a first random key; and receiving time key information sent by the service center, and decrypting the time key information by using the first random key to obtain a time key, wherein the time key is related to the network time and the key application identifier.
Further, before sending the time key application message to the service center, the method further includes a process in which the client registers with the service center: sending a registration application message to the service center; receiving a second response parameter sent by the service center; defining a third random number and a second random key, and obtaining a third random parameter and a fourth random parameter according to the second response parameter and the third random number; encrypting the client information of the client and the second random key by using the fourth random parameter to obtain a client information ciphertext, and sending the third random parameter and the client information ciphertext to the service center, wherein the client information comprises the real name, the identity card number and application path information of the client, and the application path information comprises a telephone number and a mail address; and receiving the serial number and the registration certificate which are sent by the service center and encrypted by the second random key, and decrypting them by using the second random key to obtain the serial number and the registration certificate, wherein the registration certificate is the signature of the service center on the key application identifier.
Further, when the time key application message is a time private key application message, the key application identifier is the identifier of the time private key being applied for, and the key parameter further includes a current serial number and a registration certificate of the client. The time private key application message is sent to the service center through the application path information, so that the service center verifies whether the application path information is consistent with the application path information provided when the client registered with the service center and, when it is verified to be consistent, checks the current serial number and verifies the registration certificate, the service center being the service center with which the client registered. Decrypting the time key information by using the first random key to obtain the time key then includes: decrypting the time key information by using the first random key to obtain a time private key and an updated serial number, and replacing the current serial number of the client with the updated serial number.
Further, when the time key application message is a time signature private key application message, the network time is signature time.
Further, when the time key application message is a time decryption private key application message, the network time is an encryption time provided by an encryptor.
Further, when the time key application message is a time verification public key application message, the network time is a signature time provided by a signer.
Further, when the time key application message is a time encryption public key application message, the network time is an encryption time.
Correspondingly, the embodiment of the invention also provides a method for applying and distributing the key of the enhanced CPK, which is applied to the service center and comprises the following steps: receiving a time key application message sent by a client; as a response to receiving the time key application message, sending a first response parameter generated by using the defined first response number to the client; receiving a first random parameter and an encrypted key parameter sent by the client; obtaining the second random parameter according to the first response number and the first random parameter, and decrypting the encrypted key parameter by using the second random parameter to obtain a network time, a key application identifier and a first random key in the key parameter; and generating a time key corresponding to the key application identifier by utilizing the network time and the key application identifier, and sending the time key encrypted by utilizing the first random key to the client.
Further, the method includes a process that the client registers with the service center: receiving a registration application message sent by the client; as a response to receiving the registration application message, sending a second response parameter generated using a defined second response number to the client; receiving a third random parameter and a client information ciphertext sent by the client; obtaining a fourth random parameter according to the second response number and the third random parameter, and decrypting the client information ciphertext by using the fourth random parameter to obtain client information and a second random key, wherein the client information comprises a real name, an identity card number and application path information of a client, and the application path information comprises a telephone number and a mail address; and when the authenticity of the client information is verified to be true, defining a serial number and a registration certificate corresponding to the client, and sending the serial number and the registration certificate encrypted by the second random key to the client.
Further, when the time key application message is a time private key application message, the key parameter further includes a current serial number and a registration certificate of the client, and the method further includes: determining the application path information through which the client applies for the time private key; verifying whether the application path information is consistent with the application path information provided when the client registered with the service center; when the application path information is verified to be consistent with the application path information provided when the client registered with the service center, checking whether the current serial number of the client is consistent with the serial number of the client stored in the service center, and verifying whether the registration certificate is a certificate issued by the service center; when the current serial number of the client is consistent with the serial number of the client stored in the service center and the registration certificate is verified to be a certificate issued by the service center, generating a time private key corresponding to the key application identifier by utilizing the network time and the key application identifier; and encrypting the time private key and the updated serial number by using the first random key, and sending the encrypted time private key and updated serial number to the client.
Correspondingly, the embodiment of the invention also provides a device for applying and distributing the secret key of the enhanced CPK, which is applied to the client, and comprises the following components: a memory module for storing computer executable instructions; and a control module for executing the computer-executable instructions to perform the following operations: sending a time key application message to a service center; receiving a first response parameter sent by the service center; defining a first random number and a first random key, and obtaining a first random parameter and a second random parameter according to the first response parameter and the first random number; encrypting the key parameter by using the second random parameter, and sending the first random parameter and the encrypted key parameter to the service center, wherein the key parameter comprises network time, a key application identifier and a first random key; and receiving time key information sent by the service center, and decrypting the time key information by using the first random key to obtain a time key, wherein the time key is related to the network time and the key application identifier.
Further, before sending the time key application message to the service center, the control module is further configured to execute the computer-executable instructions to perform a process of registering the client with the service center: sending a registration application message to the service center; receiving a second response parameter sent by the service center; defining a third random number and a second random key, and obtaining a third random parameter and a fourth random parameter according to the second response parameter and the third random number; encrypting the client information of the client and the second random key by using the fourth random parameter to obtain a client information ciphertext, and sending the third random parameter and the client information ciphertext to the service center, wherein the client information comprises the real name, the identity card number and application path information of the client, and the application path information comprises a telephone number and a mail address; and receiving the serial number and the registration certificate which are sent by the service center and encrypted by the second random key, and decrypting them by using the second random key to obtain the serial number and the registration certificate, wherein the registration certificate is the signature of the service center on the key application identifier.
Further, when the time key application message is a time private key application message, the key application identifier is the identifier of the time private key being applied for, and the key parameter further includes a current serial number and a registration certificate of the client. The time private key application message is sent to the service center through the application path information, so that the service center verifies whether the application path information is consistent with the application path information provided when the client registered with the service center and, when it is verified to be consistent, checks the current serial number and verifies the registration certificate, the service center being the service center with which the client registered. Decrypting the time key information by using the first random key to obtain the time key then includes: decrypting the time key information by using the first random key to obtain a time private key and an updated serial number, and replacing the current serial number of the client with the updated serial number.
Further, when the time key application message is a time signature private key application message, the network time is signature time.
Further, when the time key application message is a time decryption private key application message, the network time is an encryption time provided by an encryptor.
Further, when the time key application message is a time verification public key application message, the network time is a signature time provided by a signer.
Further, when the time key application message is a time encryption public key application message, the network time is an encryption time.
Correspondingly, the embodiment of the invention also provides a device for applying and distributing the key of the enhanced CPK, which is applied to the service center and comprises: a memory module for storing computer-executable instructions; and a control module for executing the computer-executable instructions to perform the following operations: receiving a time key application message sent by a client; as a response to receiving the time key application message, sending a first response parameter generated by using the defined first response number to the client; receiving a first random parameter and an encrypted key parameter sent by the client; obtaining the second random parameter according to the first response number and the first random parameter, and decrypting the encrypted key parameter by using the second random parameter to obtain a network time, a key application identifier and a first random key in the key parameter; and generating a time key corresponding to the key application identifier by utilizing the network time and the key application identifier, and sending the time key encrypted by utilizing the first random key to the client.
Further, the control module also executes the computer-executable instructions to perform a process of the client registering with the service center: receiving a registration application message sent by the client; as a response to receiving the registration application message, sending a second response parameter generated using a defined second response number to the client; receiving a third random parameter and a client information ciphertext sent by the client; obtaining a fourth random parameter according to the second response number and the third random parameter, and decrypting the client information ciphertext by using the fourth random parameter to obtain client information and a second random key, wherein the client information comprises a real name, an identity card number and application path information of a client, and the application path information comprises a telephone number and a mail address; and when the authenticity of the client information is verified to be true, defining a serial number and a registration certificate corresponding to the client, and sending the serial number and the registration certificate encrypted by the second random key to the client.
Further, when the time key application message is a time private key application message, the key parameter further includes a current serial number and a registration certificate of the client, and the control module further executes the computer-executable instructions to perform the following operations: determining the application path information through which the client applies for the time private key; verifying whether the application path information is consistent with the application path information provided when the client registered with the service center; when the application path information is verified to be consistent with the application path information provided when the client registered with the service center, checking whether the current serial number of the client is consistent with the serial number of the client stored in the service center, and verifying whether the registration certificate is a certificate issued by the service center; when the current serial number of the client is consistent with the serial number of the client stored in the service center and the registration certificate is verified to be a certificate issued by the service center, generating a time private key corresponding to the key application identifier by utilizing the network time and the key application identifier; and encrypting the time private key and the updated serial number by using the first random key, and sending the encrypted time private key and updated serial number to the client.
Through the above technical solution, a user applies to the service center for a key whenever a key is needed, and the key is invalidated after it has been used. The embodiment of the invention solves the problem in the prior art that a public key system can be broken through its public key by means of quantum computation. It adopts a disposable key system in which not only the public key but also the private key is applied for, used once and then invalidated, so that even if a key is broken by quantum computation, the broken key is already invalid and the breaking is meaningless.
Additional features and advantages of embodiments of the invention will be set forth in the detailed description which follows.
Drawings
The accompanying drawings are included to provide a further understanding of embodiments of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain, without limitation, the embodiments of the invention. In the drawings:
Fig. 1 is a schematic structural diagram of a wind network key management system according to an embodiment of the present invention;
Fig. 2 is a schematic flow chart of a method for applying and distributing a key of an enhanced CPK according to an embodiment of the present invention;
Fig. 3 is a flow chart illustrating a process of registering a client with a service center according to an embodiment of the present invention;
Fig. 4 is a flow chart of another method for applying and distributing a key of an enhanced CPK according to an embodiment of the present invention;
Fig. 5 is a schematic flow chart of a service center processing client registration procedure according to an embodiment of the present invention;
Fig. 6 is a flow chart of a process for applying for encrypting a public key and decrypting a private key provided by an embodiment of the present invention;
Fig. 7 is a flowchart of an application process of signing a private key and verifying a public key according to an embodiment of the present invention.
Detailed Description
The following describes the detailed implementation of the embodiments of the present invention with reference to the drawings. It should be understood that the detailed description and specific examples, while indicating and illustrating the invention, are not intended to limit the invention.
The method for applying and distributing the enhanced CPK key in the embodiment of the invention is carried out on a wind network key management system, which is a private network for CPK key management, called the wind network for short. The wind network is a virtual network constructed on the basis of identification authentication; it forms virtual links between any identifications and provides proof of the authenticity of the identifications. As shown in Fig. 1, the wind network key management system comprises a client, a service center, a management center and a key fairness organization. The management center is responsible for defining and updating system keys, and the service center is responsible for managing key application and distribution for each client. A client selects one service center for registration, becomes a client of that service center, and can apply for private keys only from the service center with which it registered. The key fairness organization is used for handling key disputes. For example, when a user copies the keys of another user and the copying succeeds, the copying user becomes the legitimate user and the legitimate user becomes an illegitimate user; the legitimate user can then report this to the key fairness organization, which restores the legitimacy of the legitimate user and makes the copying user an illegitimate user.
The keys in the embodiments of the present invention are all disposable keys, i.e. a key is invalidated after being used once, so a key must be applied for every time one is used. The following embodiments describe the processes of key application and distribution in detail.
Fig. 2 is a flow chart of a method for applying and distributing a key of an enhanced CPK according to an embodiment of the present invention. As shown in fig. 2, the method is applied to a client, and comprises the following steps:
Step 201, sending a time key application message to a service center;
The time key application message may include a time private key application message and a time public key application message. The time private key application message comprises a time signature private key application message and a time decryption private key application message. The time public key application message comprises a time verification public key application message and a time encryption public key application message. The time key application message is only a simple application message, and no special information exists in the message.
Step 202, receiving a first response parameter sent by the service center;
Step 203, defining a first random number and a first random key, and obtaining a first random parameter and a second random parameter according to the first response parameter and the first random number.
The client defines a first random number r2 and a first random key ran1, and obtains a first random parameter R2 by using the first random number r2 and a generator G of an elliptic curve, for example, r2 × G = R2.
In addition, a second random parameter R3 is obtained according to the first response parameter R1 and the first random number r2, for example, r2 × R1 = R3.
Step 204, encrypting the key parameter by using the second random parameter, and sending the first random parameter and the encrypted key parameter to the service center, wherein the key parameter comprises a network time, a key application identifier and a first random key.
The key parameter is data1 = {network time, key application identifier, first random key}, where the key application identifier is the identifier corresponding to the time key. Then the second random parameter R3 is used to symmetrically encrypt the key parameter data1 to obtain the encrypted key parameter code1, e.g. E_R3(data1) = code1, and the first random parameter and the encrypted key parameter are sent to the service center, for example msg1 = {R2, code1} is sent to the service center. The function E is a symmetric encryption function.
Step 205, receiving time key information sent by the service center, and decrypting the time key information by using the first random key to obtain a time key, wherein the time key is related to the network time and the key application identifier.
Since the time key information sent by the service center is encrypted using the first random key, the client, after receiving the time key information code2, decrypts it using the first random key to obtain the time key, for example, D_ran1(code2) = data2, where data2 includes the time key and D is a symmetric decryption function. The time key is related to the network time and the key application identifier; for example, the service center generates the time key according to the network time and the key application identifier.
In addition, for the time private key corresponding to the client, only the service center registered by the client is qualified to generate, that is, the client can only apply for the service center registered by the client, so that the client needs to register with the service center before the client applies for the time private key to the service center.
Thus, the process of registering a client with a service center will be described below, and as shown in fig. 3, before the client sends a time key application message to the service center, the method further includes the steps of:
Step 301, a registration application message is sent to the service center;
Step 302, receiving a second response parameter sent by the service center;
Step 303, defining a third random number and a second random key, and obtaining a third random parameter and a fourth random parameter according to the second response parameter and the third random number.
The client defines a third random number r5 and a second random key ran2, and obtains a third random parameter R5 from the third random number r5 and the generator G of an elliptic curve, for example, r5 * G = R5.
In addition, a fourth random parameter R6 is obtained according to the second response parameter R4 and the third random number r5, for example, r5 * R4 = R6.
Step 304, encrypting the client information of the client and the second random key by using the fourth random parameter to obtain a client information ciphertext, and sending the third random parameter and the client information ciphertext to the service center, wherein the client information comprises the real name, the identity card number and the application path information of the client, and the application path information comprises a telephone number and a mail address.
The client information is data3 = {real name, identity card number, telephone number, mail address}. Then the fourth random parameter R6 is used to symmetrically encrypt the client information data3 and the second random key ran2 to obtain the client information ciphertext code3, e.g. E_R6(data3, ran2) = code3, and the third random parameter and the client information ciphertext are sent to the service center, i.e. msg2 = {R5, code3} is sent to the service center. The function E is a symmetric encryption function.
Step 305, receiving the serial number and the registration certificate sent by the service center and encrypted by using the second random key, and obtaining the serial number and the registration certificate by using the second random key to decrypt, where the registration certificate is a signature of the service center on the key application identifier.
For example, if the encrypted serial number and registration certificate are code4, the second random key is used for decryption to obtain the serial number and the registration certificate, e.g. D_ran2(code4) = data4, where data4 includes the serial number and the registration certificate. The serial number that the service center sends to the client is kept synchronized with the serial number held by the service center and is kept secret, to prevent copying by a third party. After the client obtains the serial number, the client stores it so that the service center can check it. The registration certificate is a CPK signature made by the service center with its private key, so the service center can check whether a registration certificate is one that it issued; if so, the client is a client under the jurisdiction of that service center.
After the client has registered with the service center, the client applies for the time private key through the application path information provided during registration. For example, when the time key application message is a time private key application message, the key application identifier is the identifier for which the time private key is applied, the key parameter further includes the current serial number and the registration certificate of the client, and the time private key application message is sent to the service center through the application path information. The service center, which is the service center with which the client is registered, verifies whether the application path information is consistent with the application path information provided when the client registered, and, when it is consistent, checks the current serial number and verifies the registration certificate. In step 205, the time key information is then decrypted using the first random key to obtain the time private key and an updated serial number, and the current serial number of the client is replaced with the updated serial number. In addition, when the time key application message is a time signature private key application message, the network time is a signature time. In addition, when the time key application message is a time decryption private key application message, the network time is an encryption time provided by an encryption party.
When the client applies for a telephone-number time private key, the service center first checks whether the telephone number of the application path information is consistent with the telephone number given at registration, and if so, then checks the serial number and the registration certificate. Similarly, when the client applies for a mail-address time private key, the service center first checks whether the mail address of the application path information is consistent with the mail address given at registration, and if so, then checks the serial number and the registration certificate. When the client applies for a real-name time private key, there are two cases: applying through the telephone number, or applying through the mail address. In either case the service center must verify whether the application path information (telephone number or mail address) is consistent with the application path information (telephone number or mail address) given at registration, and when it is consistent, the serial number and the registration certificate are then checked.
In addition, when the time key application message is a time verification public key application message, the network time is a signature time provided by a signature party. When the time key application message is a time encryption public key application message, the network time is an encryption time.
Correspondingly, fig. 4 is a schematic flow chart of a method for applying and distributing a key of an enhanced CPK according to an embodiment of the present invention. As shown in fig. 4, the method is applied to a service center, and the method includes the following steps:
Step 401, receiving a time key application message sent by a client;
Step 402, as a response to receiving the time key application message, sending a first response parameter generated by using the defined first response number to the client.
The first response number is defined randomly by the service center. For example, the first response number is r1 and the first response parameter is R1, where R1 is obtained from the generator G of the elliptic curve and the first response number r1, that is, r1 * G = R1.
Step 403, receiving the first random parameter and the encrypted key parameter sent by the client;
Step 404, obtaining the second random parameter according to the first response number and the first random parameter, and decrypting the encrypted key parameter by using the second random parameter to obtain the network time, the key application identifier and the first random key in the key parameter.
For example, the first random parameter and the encrypted key parameter sent by the client are msg1 = {R2, code1}. The second random parameter R3 is obtained from the first response number r1 and the first random parameter R2, i.e. r1 * R2 = R3. Then the encrypted key parameter code1 is decrypted using the second random parameter, e.g. D_R3(code1) = data1, where D is a symmetric decryption function.
Step 405, generating a time key corresponding to the key application identifier by using the network time and the key application identifier, and transmitting the time key encrypted by using the first random key to the client.
The service center takes out the network time and generates a time key corresponding to the key application identifier. The time of day key is then encrypted with the first random key and sent to the client.
In addition, when the client registers with the service center, the registration process is as shown in fig. 5, and includes the following steps:
Step 501, receiving a registration application message sent by the client;
Step 502, as a response to receiving the registration application message, sending a second response parameter generated by using the defined second response number to the client.
The second response number is defined randomly by the service center. For example, the second response number is r4 and the second response parameter is R4, where R4 is obtained from the generator G of the elliptic curve and the second response number r4, that is, r4 * G = R4.
Step 503, receiving the third random parameter and the client information ciphertext sent by the client;
Step 504, obtaining the fourth random parameter according to the second response number and the third random parameter, and decrypting the client information ciphertext by using the fourth random parameter to obtain client information and a second random key, wherein the client information comprises a real name, an identity card number and application path information of a client, and the application path information comprises a telephone number and a mail address.
For example, the fourth random parameter R6 is obtained according to the second response number r4 and the third random parameter R5, for example, r4 * R5 = R6.
Then the client information ciphertext code3 is decrypted using the fourth random parameter R6, giving the client information data3 and the second random key ran2, e.g. D_R6(code3) = (data3, ran2), where D is a symmetric decryption function.
Step 505, when the client information is verified to be authentic, defining a serial number and a registration certificate corresponding to the client, and sending the serial number and the registration certificate encrypted by using the second random key to the client.
The client information is data3 = {real name, identity card number, telephone number, mail address}. The service center verifies the authenticity of the client information, including verifying whether the real name of the client corresponds to the identity card number; if so, the client information is authentic.
When the client information is verified to be authentic, the client information may be registered for subsequent use. The service center can randomly define the serial number, and performs a CPK signature on the real name in the client information using the signature private key of the service center, thereby obtaining a registration certificate. Then the serial number and the registration certificate are encrypted with the second random key, e.g. data4 = {serial number, registration certificate}, E_ran2(data4) = code4.
In addition, when the time key application message is a time private key application message, the key parameter further includes the current serial number and the registration certificate of the client. The service center first determines the application path information by which the client applies for the time private key. The application path information includes a telephone number and a mail address, so the service center determines whether the user applied for the time private key by telephone number or by mail address, and then verifies whether the application path information is consistent with the application path information that the client provided when registering with the service center. For example, when the user applies for the time private key by telephone number, it verifies whether the telephone number used is consistent with the telephone number provided at registration; when the user applies by mail address, it verifies whether the mail address used is consistent with the mail address provided at registration. When the application path information is verified to be consistent with the application path information provided when the client registered with the service center, that is, when the telephone number used is consistent with the telephone number provided at registration, or the mail address used is consistent with the mail address provided at registration, the service center checks whether the current serial number of the client is consistent with the serial number of the client stored in the service center, and verifies whether the registration certificate is a certificate issued by the service center.
Verifying the registration certificate means verifying whether the signature of the registration certificate is a signature made by the service center; if so, the registration certificate is a certificate issued by the service center. When the current serial number of the client is consistent with the serial number of the client stored in the service center and the registration certificate is verified to be a certificate issued by the service center, the network time in the key parameter is taken out, the time private key corresponding to the key application identifier is generated using the network time and the key application identifier, and the serial number of the client is updated to obtain the updated serial number. Then, in step 405, the time private key and the updated serial number are encrypted using the first random key and sent to the client. For example, data5 = {updated serial number, time private key} is encrypted using the first random key ran1, E_ran1(data5) = code5, and code5 is sent to the client.
The key application identifier may be a real name of the user, or may be a phone number or an email address of the user, which is not limited in the embodiment of the present invention.
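The client and service-center sides of steps 201-205 and 401-405, together with the serial number check for private key applications, as an added Python example that is not code from the patent. The curve (secp256k1), the SHA-256 keystream with HMAC tag standing in for E and D, and the HMAC placeholder for time key generation are assumptions; the application path and registration certificate checks are omitted.

```python
import hashlib, hmac, json, secrets

# secp256k1 domain parameters (assumption: the page does not name a curve).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """Scalar multiplication k * pt by double-and-add (not constant-time)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def point_bytes(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def _keys(secret):
    return hashlib.sha256(b"enc" + secret).digest(), hashlib.sha256(b"mac" + secret).digest()

def _stream(key, n):
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def E(secret, obj):
    """Stand-in for the page's symmetric E. Each secret (R3 or ran1) encrypts
    exactly one message, so the keystream is never reused and no nonce is needed."""
    ek, mk = _keys(secret)
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(ek, len(pt))))
    return ct + hmac.new(mk, ct, hashlib.sha256).digest()

def D(secret, blob):
    """Stand-in for D: rejects a wrong key or a modified ciphertext before decrypting."""
    ek, mk = _keys(secret)
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified ciphertext")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(ek, len(ct)))))

class ServiceCenter:
    def __init__(self):
        self.master = secrets.token_bytes(32)  # hypothetical stand-in for CPK key material
        self.serials = {}                      # identifier -> current serial number

    def register(self, ident):                 # registration reduced to issuing a serial
        self.serials[ident] = secrets.token_hex(8)
        return self.serials[ident]

    def time_key(self, time, ident):
        """Hypothetical placeholder: the page does not describe time key generation."""
        return hmac.new(self.master, f"{time}|{ident}".encode(), hashlib.sha256).hexdigest()

    def respond(self):                         # step 402: r1 * G = R1
        self.r1 = secrets.randbelow(N - 1) + 1
        return mul(self.r1, G)

    def issue(self, R2, code1):                # steps 403-405
        data1 = D(point_bytes(mul(self.r1, R2)), code1)   # r1 * R2 = R3
        reply = {}
        if "serial" in data1:                  # private key application: check, then roll
            known = self.serials.get(data1["id"])
            sent = str(data1["serial"]).encode()
            if known is None or not hmac.compare_digest(known.encode(), sent):
                raise PermissionError("serial number mismatch")
            reply["serial"] = self.serials[data1["id"]] = secrets.token_hex(8)
        reply["time_key"] = self.time_key(data1["time"], data1["id"])
        return E(bytes.fromhex(data1["ran1"]), reply)     # encrypted under ran1

def apply_for_time_key(center, time, ident, serial=None):
    R1 = center.respond()                      # steps 201-202
    r2, ran1 = secrets.randbelow(N - 1) + 1, secrets.token_bytes(32)
    R2, R3 = mul(r2, G), mul(r2, R1)           # step 203: r2 * G = R2, r2 * R1 = R3
    data1 = {"time": time, "id": ident, "ran1": ran1.hex()}
    if serial is not None:
        data1["serial"] = serial
    code2 = center.issue(R2, E(point_bytes(R3), data1))   # step 204: msg1 = {R2, code1}
    return D(ran1, code2)                      # step 205
```

Because the service center rolls the serial number on every successful private key application, a captured or copied serial number stops working as soon as the legitimate client applies again.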
In addition, in order to facilitate understanding of the embodiments of the present invention, a client A, a client B, a service center 1 and a service center 2 are taken as examples, where the client A is a registered user of the service center 1 and the client B is a registered user of the service center 2. Before applying for a decryption private key or a signature private key, the client A and the client B need to register with the service center 1 and the service center 2, respectively. Applying for a public key is not restricted to a particular service center; a public key can be applied for from any service center at any time.
The registration procedure between the client A and the service center 1 will be described as an example.
First, the client A transmits a registration request message to the service center 1, and the service center 1, in response to receiving the registration request message, transmits to the client A a response parameter R_A generated from a response number r_A that it defines, where r_A * G = R_A and G is the generator of the elliptic curve.
Then, the client A defines the random number m1 and the random key ran1, and obtains a random parameter M1 according to the random number m1 and the generator G of the elliptic curve, for example, m1 * G = M1. A random parameter M2 is obtained according to the response parameter R_A and the random number m1, e.g. m1 * R_A = M2. The client information info of the client A and the random key ran1 are encrypted using the random parameter M2 to obtain a client information ciphertext cip, e.g. E_M2(info, ran1) = cip, and the random parameter M1 and the client information ciphertext cip are sent to the service center.
Then, the service center 1 receives the random parameter M1 and the client information ciphertext cip sent by the client A. According to the response number r_A and the random parameter M1, a random parameter M2 is obtained, e.g. r_A * M1 = M2. Then the client information ciphertext cip is decrypted using the random parameter M2 to obtain the client information info and the random key ran1, e.g. D_M2(cip) = (info, ran1). The client information is info = {real name, identity card number, telephone number, mail address}. The service center 1 checks whether the real name in the client information corresponds to the identity card number; if so, the client information is authentic. When the client information is verified to be authentic, the service center 1 may register the client information for subsequent use. The service center 1 may randomly define a serial number, and perform a CPK signature on the real name in the client information using the signature private key of the service center 1, so as to obtain a registration certificate. The serial number and the registration certificate are then encrypted with the random key ran1, e.g. data = {serial number, registration certificate}, E_ran1(data) = code.
After that, the client A receives the encrypted serial number and registration certificate transmitted from the service center 1, and decrypts them using the random key ran1, for example, D_ran1(code) = data. The client A stores the serial number and the registration certificate.
The registration process of the client B with the service center 2 can be referred to the above registration process of the client a with the service center 1, and will not be described herein. The following first describes the application of the encryption public key and the decryption private key, in which, the user Alice of the client a sends encrypted data to the user Bob of the client B, as shown in fig. 6, and includes the following steps:
Step 601, the user Alice of client A sends a time encryption public key application message to her registration service center 1;
Step 602, the service center 1 defines a first random number m1, calculates m1 * G = M1, and sends M1 as a response to Alice;
Step 603, Alice defines a second random number m2, calculates a second random parameter m2 * G = M2 and a third random parameter m2 * M1 = M3, and defines a random key ran1. Then the encryption time, the identifier Bob corresponding to the time encryption public key and the random key ran1 are encrypted using the third random parameter, i.e. data1 = {time, Bob, ran1} is encrypted: E_M3(data1) = code1, and msg1 = {M2, code1} is sent to the service center 1.
Step 604, the service center 1 receives msg1 = {M2, code1}, calculates the third random parameter m1 * M2 = M3, and decrypts the data code1: D_M3(code1) = data1. The service center 1 takes the encryption time and the identifier Bob out of data1, generates Bob's time encryption public key TIME-Bob, and encrypts the time encryption public key with the random key ran1: E_ran1(TIME-Bob) = code2, and sends code2 to Alice.
Step 605, after Alice receives code2, she decrypts it using the random key: D_ran1(code2) = TIME-Bob.
Alice then defines a random number k and calculates k * G = (x, y), (x + y)^2 mod 2^64 = key, E_key(data3) = code3, thereby obtaining the encrypted data code3. She encrypts the key with the time encryption public key: key * TIME-Bob = β, and sends msg2 = {code3, time, β} to the user Bob.
Step 606, Bob receives msg2 = {code3, time, β} sent by Alice. Bob needs to apply for the time decryption private key from the service center 2, i.e. send a time decryption private key application message to the service center 2. Bob can send the time decryption private key application message to the service center 2 through his telephone number.
Step 607, after receiving the time decryption private key application message, the service center 2 defines a random number m4, calculates m4 * G = M4, and sends M4 to Bob as a response.
Step 608, Bob receives M4, defines a random number m5 and a random key ran2, calculates m5 * G = M5 and m5 * M4 = M6, takes the encryption time out of the msg2 sent by Alice, and encrypts data4 = {time, Bob, current serial number, registration certificate, ran2} with M6: E_M6(data4) = code4, and sends msg3 = {M5, code4} to the service center 2. msg3 is likewise sent to the service center 2 through his telephone number.
Step 609, the service center 2 first verifies the identity of the user Bob, then calculates m4 * M5 = M6 and decrypts the data code4: D_M6(code4) = data4, obtaining the encryption time, the identifier Bob, the current serial number of the user Bob, his registration certificate and the random key ran2.
The service center 2 first determines the path by which the user Bob sent the message, i.e. obtains the telephone number from which the message was sent, and then verifies whether this telephone number is consistent with the telephone number provided by the user Bob when registering with the service center 2. When the telephone number that sent the message is verified to be consistent with the telephone number provided at registration, it checks whether the current serial number is consistent with the serial number of the user Bob stored in the service center 2 and verifies whether Bob's registration certificate is a certificate issued by the service center 2. When the serial number is consistent and the certificate was issued by the service center 2, it takes out the encryption time, generates Bob's time decryption private key time-bob, updates Bob's serial number, and encrypts and sends the updated serial number together with the time decryption private key to the user Bob, i.e. data5 = {updated serial number, time-bob}, E_ran2(data5) = code5, and code5 is sent to the user Bob.
Step 610, after Bob receives code5, he decrypts it with ran2: D_ran2(code5) = data5, obtaining the updated serial number and the time decryption private key. Bob replaces the current serial number with the updated serial number, to stay synchronized with the serial number of the service center 2, and decrypts with the time decryption private key: time-bob^-1 * β = key, D_key(code3) = data3, obtaining the data sent by Alice to Bob.
The application of the signature private key and the verification public key will be described below, and the user Alice of the client a sends signature data to the user Bob of the client B, which includes the following steps:
Step 701, the user Alice of the client A sends a time signature private key application message to her registration service center 1. The user Alice can send the time signature private key application message to the service center 1 through the mail address.
Step 702, the service center 1 defines a random number p1, calculates p1 * G = P1, and sends P1 as a response to Alice;
Step 703, Alice defines a random number p2, calculates p2 * G = P2 and p2 * P1 = P3, and defines a random key ran3. Then the signature time, the identifier Alice, the current serial number, the registration certificate and the random key ran3 are encrypted with P3, i.e. data1 = {time, Alice, current serial number, registration certificate, ran3} is encrypted: E_P3(data1) = code1, and then msg1 = {P2, code1} is sent to the service center 1. Likewise, the user Alice sends msg1 to the service center 1 through the mail address.
Step 704, the service center 1 receives msg1 = {P2, code1}, first verifies the identity of the user Alice, then calculates p1 * P2 = P3 and decrypts the data code1: D_P3(code1) = data1, obtaining the signature time, the identifier Alice, the current serial number of the user Alice, her registration certificate and the random key ran3.
The service center 1 first determines the application path information of the user Alice, i.e. determines whether the path by which the user Alice sent the message is a telephone number or a mail address. When it determines that the path is the mail address, it verifies whether that mail address is consistent with the mail address provided when the user Alice registered with the service center 1. When the mail address that sent the message is verified to be consistent with the mail address provided at registration, it checks whether the current serial number is consistent with the serial number of the user Alice stored in the service center 1 and verifies whether Alice's registration certificate is a certificate issued by the service center 1. When the serial number is consistent and the registration certificate was issued by the service center 1, it takes out the signature time, generates Alice's time signature private key time-alice, updates Alice's serial number, and encrypts and sends the updated serial number together with the time signature private key to the user Alice, i.e. data2 = {updated serial number, time-alice}, E_ran3(data2) = code2, and code2 is sent to the user Alice.
Step 705, after receiving code2, the user Alice decrypts it with ran3: D_ran3(code2) = data2, obtaining the updated serial number and the time signature private key. Alice replaces the current serial number with the updated serial number, to stay synchronized with the serial number of the service center 1. Then, to sign the data h, Alice defines a random number k and calculates a verification code c and a signature code s: k * G = (x1, y1); c = (x1 + y1)^2 mod 2^40; s = k^-1 * (h + c * time-alice) mod n. The signature is expressed as the function SIG_time-alice(h) = (s, c). The user Alice sends the signature data and the signature time to the user Bob.
In step 706, after receiving the signature data and the signature time, the user Bob automatically sends a time verification public key application message to the service center 2.
Step 707, the service center 2 defines a random number p4, calculates p4 * G = P4, and sends P4 as a response to Bob.
Step 708, Bob defines a random number p5, calculates p5 * G = P5 and p5 * P4 = P6, and defines a random key ran4. Then P6 is used to encrypt the signature time, the identifier Alice corresponding to the time verification public key, and the random key ran4, i.e. data3 = {time, Alice, ran4} is encrypted: E_P6(data3) = code3, and msg2 = {P5, code3} is sent to the service center 2.
Step 709, the service center 2 receives msg2 = {P5, code3}, calculates p4 * P5 = P6, and decrypts the data code3: D_P6(code3) = data3. The service center 2 takes the signature time and the identifier Alice out of data3, generates Alice's time verification public key TIME-Alice, and encrypts the time verification public key with the random key ran4: E_ran4(TIME-Alice) = code4, and sends code4 to Bob.
Step 710, after Bob receives code4, he decrypts it using the random key ran4: D_ran4(code4) = TIME-Alice.
Bob then verifies Alice's signature:
Verification of c: s^-1 * h * G + s^-1 * c * TIME-Alice = (x1, y1); c' = (x1 + y1)^2 mod 2^40.
Verification is expressed as the function VER_TIME-Alice(h, s) = c'.
A key that the client applies for from the service center, whether a public key or a private key, is used once and then invalidated. The next time data is encrypted and decrypted or signed and verified, the public key or private key is applied for again, which ensures that each key is applied for once, used once and then invalidated.
The embodiment of the invention solves the problem in the prior art that a public key system can be broken through its public key by quantum computation. It adopts a one-time key system: a public key or private key is invalidated after being applied for and used once, so that even if a key is broken by quantum computation, the broken key has already been invalidated and breaking it is meaningless.
Correspondingly, the embodiment of the invention also provides a device for applying and distributing the secret key of the enhanced CPK, which is applied to the client, and comprises the following components: a memory module for storing computer executable instructions; and a control module for executing the computer-executable instructions to perform the following operations: sending a time key application message to a service center; receiving a first response parameter sent by the service center; defining a first random number and a first random key, and obtaining a first random parameter and a second random parameter according to the first response parameter and the first random number; encrypting the key parameter by using the second random parameter, and sending the first random parameter and the encrypted key parameter to the service center, wherein the key parameter comprises network time, a key application identifier and a first random key; and receiving time key information sent by the service center, and decrypting the time key information by using the first random key to obtain a time key, wherein the time key is related to the network time and the key application identifier.
Further, before the sending of the time key application message to the service center, the control module is further configured to execute the computer executable instructions to perform a process of registering the client with the service center: sending a registration application message to the service center; receiving a second response parameter sent by the service center; defining a third random number and a second random key, and obtaining a third random parameter and a fourth random parameter according to the second response parameter and the third random number; encrypting the client information of the client and the second random key by using the fourth random parameter to obtain a client information ciphertext, and sending the third random parameter and the client information ciphertext to the service center, wherein the client information comprises the real name, the identity card number and application path information of the client, and the application path information comprises a telephone number and a mail address; and receiving the serial number and the registration certificate which are sent by the service center and encrypted by the second random key, and decrypting them with the second random key to obtain the serial number and the registration certificate, wherein the registration certificate is the signature of the service center on the key application identifier.
Further, when the time key application message is a time private key application message, the key application identifier is an identifier for applying for a time private key, the key parameter further includes a current serial number and a registration certificate of the client, and the time private key application message is sent to the service center through the application path information, so that the service center verifies whether the application path information is consistent with the application path information provided when the client registered with the service center and, when it is verified to be consistent, checks the current serial number and verifies the registration certificate, the service center being the service center with which the client registered. In this case, decrypting the time key information by using the first random key to obtain the time key includes:
and decrypting the time key information by using the first random key to obtain a time private key and an updated serial number, and replacing the current serial number of the client with the updated serial number.
Further, when the time key application message is a time signature private key application message, the network time is signature time.
Further, when the time key application message is a time decryption private key application message, the network time is an encryption time provided by an encryptor.
Further, when the time key application message is a time verification public key application message, the network time is a signature time provided by a signer.
Further, when the time key application message is a time encryption public key application message, the network time is an encryption time.
The specific implementation details and effects of the embodiments of the present invention may refer to the implementation process of the foregoing enhanced CPK key application and distribution method applied to the client, and will not be described herein.
Correspondingly, the embodiment of the invention also provides a device for applying and distributing the secret key of the enhanced CPK, which is applied to the service center and comprises the following components: a memory module for storing computer executable instructions; and a control module for executing the computer-executable instructions to perform the following operations: receiving a time key application message sent by a client; as a response to receiving the time key application message, sending a first response parameter generated by using the defined first response number to the client; receiving a first random parameter and an encrypted key parameter sent by the client; obtaining the second random parameter according to the first response number and the first random parameter, and decrypting the encrypted key parameter by using the second random parameter to obtain a network time, a key application identifier and a first random key in the key parameter; and generating a time key corresponding to the key application identifier by utilizing the network time and the key application identifier, and sending the time key encrypted by utilizing the first random key to the client.
Further, the control module also executes the computer-executable instructions to perform a process of the client registering with the service center: receiving a registration application message sent by the client; as a response to receiving the registration application message, sending a second response parameter generated using a defined second response number to the client; receiving a third random parameter and a client information ciphertext sent by the client; obtaining a fourth random parameter according to the second response number and the third random parameter, and decrypting the client information ciphertext by using the fourth random parameter to obtain client information and a second random key, wherein the client information comprises a real name, an identity card number and application path information of a client, and the application path information comprises a telephone number and a mail address; and when the authenticity of the client information is verified to be true, defining a serial number and a registration certificate corresponding to the client, and sending the serial number and the registration certificate encrypted by the second random key to the client.
Further, when the time key application message is a time private key application message, the key parameter further includes a current serial number and a registration certificate of the client, and the control module further executes the computer executable instructions to perform the following operations: determining the application path information through which the client applies for the time private key; verifying whether the application path information is consistent with the application path information provided when the client registered with the service center; when the application path information is verified to be consistent, checking whether the current serial number of the client is consistent with the serial number of the client stored in the service center, and verifying whether the registration certificate is a certificate issued by the service center; when the current serial number of the client is consistent with the serial number of the client stored in the service center and the registration certificate is verified to be a certificate issued by the service center, generating a time private key corresponding to the key application identifier by utilizing the network time and the key application identifier; and encrypting the time private key and the updated serial number by using the first random key, and sending the encrypted time private key and updated serial number to the client.
The specific implementation details and effects of the embodiments of the present invention may refer to the implementation process of the foregoing enhanced CPK key application and distribution method applied to the service center, and will not be described herein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus, and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as random access memory (RAM), and/or nonvolatile memory, such as read-only memory (ROM) or flash RAM. Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computing device. Computer-readable media, as defined herein, does not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in the process, method, article or apparatus that comprises the element.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and changes may be made to the present application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc. which are within the spirit and principles of the present application are intended to be included within the scope of the claims of the present application.

Claims (20)

1. A method for applying and distributing a key of an enhanced combined public key CPK, wherein the method is applied to a client, and the method comprises:
sending a time key application message to a service center;
receiving a first response parameter generated by the service center by using the defined first response number,
the service center generates the first response parameter according to the product of the generating element G of the elliptic curve and the first response number;
defining a first random number and a first random key, obtaining a first random parameter and a second random parameter according to the first response parameter and the first random number,
obtaining a first random parameter according to the product of the first random number and a generator G of an elliptic curve, and obtaining a second random parameter according to the first response parameter and the first random number;
encrypting the key parameter by using the second random parameter, and sending the first random parameter and the encrypted key parameter to the service center, wherein the key parameter comprises network time, a key application identifier and a first random key;
receiving time key information sent by the service center, decrypting the time key information by using the first random key to obtain a time key, wherein the time key is related to the network time and the key application identifier,
and the service center obtains the second random parameter according to the first response number and the first random parameter.
2. The key application and distribution method of the enhanced CPK according to claim 1, wherein before said sending of the time key application message to the service center, said method further comprises a process of registering said client with said service center:
sending a registration application message to the service center;
receiving a second response parameter generated by using the defined second response number and sent by the service center;
the service center generates the second response parameter according to the product of the generating element G of the elliptic curve and the second response number;
defining a third random number and a second random key, obtaining a third random parameter and a fourth random parameter according to the second response parameter and the third random number,
obtaining a third random parameter according to the product of the third random number and the generator G of the elliptic curve, and obtaining a fourth random parameter according to the second response parameter and the third random number;
encrypting the client information of the client and the second random key by using the fourth random parameter to obtain a client information ciphertext, and sending the third random parameter and the client information ciphertext to the service center, wherein the client information comprises the real name, the identity card number and application path information of the client, and the application path information comprises a telephone number and a mail address;
receiving the serial number and the registration certificate which are sent by the service center and encrypted by the second random key, and decrypting them with the second random key to obtain the serial number and the registration certificate, wherein the registration certificate is the signature of the service center on the key application identifier,
and the service center obtains the fourth random parameter according to the second response number and the third random parameter.
3. The method for applying and distributing the key of the enhanced CPK according to claim 2, wherein when the time key application message is a time private key application message, the key application identifier is an identifier of a time private key, the key parameter further includes a current serial number and a registration certificate of the client, and the time private key application message is sent to the service center through the application path information, so that the service center verifies whether the application path information is consistent with the application path information provided when the client registered with the service center, and checks the current serial number and verifies the registration certificate when the application path information is verified to be consistent, and wherein the decrypting of the time key information by using the first random key to obtain the time key includes:
decrypting the time key information by using the first random key to obtain a time private key and an updated serial number, and replacing the current serial number of the client with the updated serial number.
4. The key application and distribution method of the enhanced CPK according to claim 3, wherein when said time key application message is a time signature private key application message, said network time is a signature time.
5. The key application and distribution method of the enhanced CPK according to claim 3, wherein when said time key application message is a time decryption private key application message, said network time is an encryption time provided by an encryptor.
6. The key application and distribution method of the enhanced CPK according to claim 1, wherein said network time is a signature time provided by a signer when said time key application message is a time verification public key application message.
7. The key application and distribution method of the enhanced CPK according to claim 1, wherein when said time key application message is a time encryption public key application message, said network time is an encryption time.
8. A method for key application and distribution of an enhanced combined public key CPK, the method being applied to a service center, the method comprising:
receiving a time key application message sent by a client;
as a response to receiving the time key application message, transmitting a first response parameter generated using a defined first response number to the client, wherein the first response parameter is generated from a generator G of an elliptic curve and the first response number,
generating the first response parameter according to the product of the generating element G of the elliptic curve and the first response number;
receiving a first random parameter and an encrypted key parameter sent by the client,
the client defines a first random number and a first random key, obtains a first random parameter and a second random parameter according to the first response parameter and the first random number,
obtaining a first random parameter according to the product of the first random number and the generating element G of the elliptic curve, and obtaining a second random parameter according to the first response parameter and the first random number;
obtaining the second random parameter according to the first response number and the first random parameter, and decrypting the encrypted key parameter by using the second random parameter to obtain a network time, a key application identifier and a first random key in the key parameter;
and generating a time key corresponding to the key application identifier by utilizing the network time and the key application identifier, and sending the time key encrypted by utilizing the first random key to the client.
9. The key application and distribution method of the enhanced CPK according to claim 8, further comprising a process of registering said client with said service center:
receiving a registration application message sent by the client;
in response to receiving the registration application message, sending to the client a second response parameter generated using a defined second response number,
generating the second response parameter according to the product of the generating element G of the elliptic curve and the second response number;
receiving a third random parameter and a client information ciphertext sent by the client,
the client defines a third random number and a second random key, obtains a third random parameter and a fourth random parameter according to the second response parameter and the third random number,
obtaining a third random parameter according to the product of the third random number and the generator G of the elliptic curve, and obtaining a fourth random parameter according to the second response parameter and the third random number;
obtaining a fourth random parameter according to the second response number and the third random parameter, and decrypting the client information ciphertext by using the fourth random parameter to obtain client information and a second random key, wherein the client information comprises a real name, an identity card number and application path information of a client, and the application path information comprises a telephone number and a mail address;
and when the authenticity of the client information is verified to be true, defining a serial number and a registration certificate corresponding to the client, and sending the serial number and the registration certificate encrypted by the second random key to the client.
10. The method for applying for and distributing a key of an enhanced CPK according to claim 9, wherein when said time key application message is a time private key application message, said key parameter further includes a current serial number and a registration certificate of said client, said method further comprising:
determining the application path information through which the client applies for the time private key;
verifying whether the application path information is consistent with application path information provided when the client registers with the service center;
when the application path information is verified to be consistent with the application path information provided when the client registers to the service center, checking whether the current serial number of the client is consistent with the serial number of the client stored in the service center, and verifying whether the registration certificate is a certificate issued by the service center;
when the current serial number of the client is consistent with the serial number of the client stored in the service center and the registration certificate is verified to be a certificate issued by the service center, generating a time private key corresponding to the key application identifier by utilizing the network time and the key application identifier;
and encrypting the time private key and the updated serial number by using the first random key, and sending the encrypted time private key and updated serial number to the client.
11. An apparatus for key application and distribution of an enhanced combined public key CPK, the apparatus being applied to a client, the apparatus comprising:
a memory module for storing computer executable instructions; and
a control module for executing the computer-executable instructions to perform the following operations:
sending a time key application message to a service center;
receiving a first response parameter generated by the service center by using the defined first response number,
the service center generates the first response parameter according to the product of the generating element G of the elliptic curve and the first response number;
defining a first random number and a first random key, obtaining a first random parameter and a second random parameter according to the first response parameter and the first random number,
obtaining a first random parameter according to the product of the first random number and a generator G of an elliptic curve, and obtaining a second random parameter according to the first response parameter and the first random number;
encrypting the key parameter by using the second random parameter, and sending the first random parameter and the encrypted key parameter to the service center, wherein the key parameter comprises network time, a key application identifier and a first random key;
receiving time key information sent by the service center, decrypting the time key information by using the first random key to obtain a time key, wherein the time key is related to the network time and the key application identifier,
and the service center obtains the second random parameter according to the first response number and the first random parameter.
12. The key application and distribution device of the enhanced CPK according to claim 11, wherein said control module is further configured to execute said computer-executable instructions to perform a process of registering said client with said service center before said sending of a time key application message to said service center:
sending a registration application message to the service center;
receiving a second response parameter generated by the service center by using the defined second response number,
the service center generates the second response parameter according to the product of the generating element G of the elliptic curve and the second response number;
defining a third random number and a second random key, obtaining a third random parameter and a fourth random parameter according to the second response parameter and the third random number,
obtaining a third random parameter according to the product of the third random number and the generator G of the elliptic curve, and obtaining a fourth random parameter according to the second response parameter and the third random number;
encrypting the client information of the client and the second random key by using the fourth random parameter to obtain a client information ciphertext, and sending the third random parameter and the client information ciphertext to the service center, wherein the client information comprises the real name, the identity card number and the application path information of the client, the application path information comprises a telephone number and a mail address,
the service center obtains the fourth random parameter according to the second response number and the third random parameter;
and receiving the serial number and the registration certificate which are sent by the service center and encrypted by the second random key, and decrypting them with the second random key to obtain the serial number and the registration certificate, wherein the registration certificate is the signature of the service center on the key application identifier.
13. The apparatus for applying and distributing a key of an enhanced CPK according to claim 12, wherein when the time key application message is a time private key application message, the key application identifier is an identifier of a time private key, the key parameter further includes a current serial number and a registration certificate of the client, and the time private key application message is sent to the service center through the application path information, so that the service center verifies whether the application path information is consistent with the application path information provided when the client registered with the service center, and checks the current serial number and verifies the registration certificate when the application path information is verified to be consistent, and wherein the decrypting of the time key information by using the first random key to obtain the time key includes:
decrypting the time key information by using the first random key to obtain a time private key and an updated serial number, and replacing the current serial number of the client with the updated serial number.
14. The key application and distribution device of the enhanced CPK according to claim 13, wherein when said time key application message is a time signature private key application message, said network time is a signature time.
15. The key application and distribution device of the enhanced CPK according to claim 13, wherein when said time key application message is a time decryption private key application message, said network time is an encryption time provided by an encryptor.
16. The key application and distribution device of the enhanced CPK according to claim 11, wherein said network time is a signature time provided by a signer when said time key application message is a time verification public key application message.
17. The key application and distribution device of the enhanced CPK according to claim 11, wherein when said time key application message is a time encryption public key application message, said network time is an encryption time.
18. A key application and distribution device of an enhanced combined public key CPK, wherein the device is applied to a service center, the device comprising:
a memory module for storing computer executable instructions; and
a control module for executing the computer-executable instructions to perform the following operations:
receiving a time key application message sent by a client;
in response to receiving the time key application message, transmitting to the client a first response parameter generated using a defined first response number,
generating the first response parameter according to the product of the generating element G of the elliptic curve and the first response number;
receiving a first random parameter and an encrypted key parameter sent by the client,
the client defines a first random number and a first random key, obtains a first random parameter and a second random parameter according to the first response parameter and the first random number,
obtaining a first random parameter according to the product of the first random number and the generating element G of the elliptic curve, and obtaining a second random parameter according to the first response parameter and the first random number;
obtaining the second random parameter according to the first response number and the first random parameter, and decrypting the encrypted key parameter by using the second random parameter to obtain a network time, a key application identifier and a first random key in the key parameter;
and generating a time key corresponding to the key application identifier by utilizing the network time and the key application identifier, and sending the time key encrypted by utilizing the first random key to the client.
19. The key application and distribution device of the enhanced CPK according to claim 18, wherein said control module further executes said computer-executable instructions to perform a process of said client registering with said service center:
receiving a registration application message sent by the client;
in response to receiving the registration application message, sending to the client a second response parameter generated using a defined second response number,
generating the second response parameter according to the product of the generating element G of the elliptic curve and the second response number;
receiving a third random parameter and a client information ciphertext sent by the client,
the client defines a third random number and a second random key, obtains a third random parameter and a fourth random parameter according to the second response parameter and the third random number,
obtaining a third random parameter according to the product of the third random number and the generator G of the elliptic curve, and obtaining a fourth random parameter according to the second response parameter and the third random number;
obtaining a fourth random parameter according to the second response number and the third random parameter, and decrypting the client information ciphertext by using the fourth random parameter to obtain client information and a second random key, wherein the client information comprises a real name, an identity card number and application path information of a client, and the application path information comprises a telephone number and a mail address;
and when the authenticity of the client information is verified to be true, defining a serial number and a registration certificate corresponding to the client, and sending the serial number and the registration certificate encrypted by the second random key to the client.
20. The key application and distribution device of the enhanced CPK according to claim 19, wherein when said time key application message is a time private key application message, said key parameter further includes a current serial number and a registration certificate of said client, and said control module further executes said computer executable instructions to perform operations of:
determining the application path information through which the client applies for the time private key;
verifying whether the application path information is consistent with application path information provided when the client registers with the service center;
when the application path information is verified to be consistent with the application path information provided when the client registers to the service center, checking whether the current serial number of the client is consistent with the serial number of the client stored in the service center, and verifying whether the registration certificate is a certificate issued by the service center;
when the current serial number of the client is consistent with the serial number of the client stored in the service center and the registration certificate is verified to be a certificate issued by the service center, generating a time private key corresponding to the key application identifier by utilizing the network time and the key application identifier;
and encrypting the time private key and the updated serial number by using the first random key, and sending the encrypted serial number to the client.
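The order of checks recited in claim 20 (application path, then serial number, then registration certificate, then key generation and serial update), as an added Python example that is not code from the patent. Assumptions: the registration certificate and the time private key are modelled as HMAC-SHA256 stand-ins because this section does not define their construction, the serial number is updated by incrementing it, and all class, function and sample values are hypothetical. Encryption of the result under the first random key is not modelled.

```python
import hashlib
import hmac
from dataclasses import dataclass

CENTER_SECRET = b"constructed-service-center-secret"  # constructed sample value


def issue_certificate(client_id: str) -> bytes:
    """Stand-in registration certificate: an HMAC tag only the center can produce."""
    return hmac.new(CENTER_SECRET, b"cert|" + client_id.encode(), hashlib.sha256).digest()


@dataclass
class Record:
    """What the service center stored for a client at registration."""
    path: tuple  # (telephone number, mail address)
    serial: int


class ServiceCenter:
    def __init__(self):
        self.records = {}

    def register(self, client_id, path, serial=1):
        self.records[client_id] = Record(tuple(path), serial)
        return serial, issue_certificate(client_id)

    def apply_time_private_key(self, client_id, path, serial, cert, key_id, network_time):
        """Return (time_key, updated_serial), or None if any check fails."""
        rec = self.records.get(client_id)
        if rec is None:
            return None
        # Check 1: the application path must match the one given at registration.
        if tuple(path) != rec.path:
            return None
        # Check 2: the presented serial number must equal the stored one.
        if serial != rec.serial:
            return None
        # Check 3: the certificate must be one this center issued (constant-time compare).
        if not hmac.compare_digest(cert, issue_certificate(client_id)):
            return None
        # Stand-in derivation from the network time and the key application identifier.
        msg = key_id.encode() + b"|" + str(network_time).encode()
        time_key = hmac.new(CENTER_SECRET, msg, hashlib.sha256).digest()
        rec.serial += 1  # assumed update rule; a replayed old serial now fails check 2
        return time_key, rec.serial
```

A failed check leaves the stored serial number unchanged, so only a successful application advances it.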
CN202010513592.2A 2020-06-08 2020-06-08 Method and device for applying and distributing key of enhanced CPK Active CN111682937B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010513592.2A CN111682937B (en) 2020-06-08 2020-06-08 Method and device for applying and distributing key of enhanced CPK

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010513592.2A CN111682937B (en) 2020-06-08 2020-06-08 Method and device for applying and distributing key of enhanced CPK

Publications (2)

Publication Number Publication Date
CN111682937A CN111682937A (en) 2020-09-18
CN111682937B true CN111682937B (en) 2023-07-25

Family

ID=72454038

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010513592.2A Active CN111682937B (en) 2020-06-08 2020-06-08 Method and device for applying and distributing key of enhanced CPK

Country Status (1)

Country Link
CN (1) CN111682937B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113206739B (en) * 2021-05-21 2023-05-12 晋商博创(北京)科技有限公司 Key generation method, device and storage medium for combined public key CPK
CN113742760A (en) * 2021-11-04 2021-12-03 武汉泰乐奇信息科技有限公司 Big data calling method and device for preventing data increase

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1835434B (en) * 2006-04-10 2012-07-18 北京易恒信认证科技有限公司 Electronic mail system and method based on CPK safety authentication
CN101340282B (en) * 2008-05-28 2011-05-11 北京易恒信认证科技有限公司 Generation method of composite public key
CN108777619B (en) * 2018-05-08 2021-03-16 晋商博创(北京)科技有限公司 CPK system and key management method, device, server and terminal based on identification
CN110830237B (en) * 2019-11-29 2023-05-12 晋商博创(北京)科技有限公司 CPK key generation method, device, entity and key center based on time

Also Published As

Publication number Publication date
CN111682937A (en) 2020-09-18

Similar Documents

Publication Publication Date Title
CN110602138B (en) Data processing method and device for block chain network, electronic equipment and storage medium
CN107196966B (en) Identity authentication method and system based on block chain multi-party trust
CN110084068B (en) Block chain system and data processing method for block chain system
WO2021120683A1 (en) Method and apparatus for secure communication based on identity authentication
US8724819B2 (en) Credential provisioning
US9137221B2 (en) Method of exchanging data such as cryptographic keys between a data processing system and an electronic entity such as a microcircuit card
KR101985179B1 (en) Blockchain based id as a service
US10880100B2 (en) Apparatus and method for certificate enrollment
US20040165728A1 (en) Limiting service provision to group members
CN103685138A (en) Method and system for authenticating application software of Android platform on mobile internet
CN113497709A (en) Trusted data source management method based on block chain, signature device and verification device
CN104836776A (en) Data interaction method and device
CN108199844B (en) Method for supporting off-line SM9 algorithm key first application downloading
CN112187466B (en) Identity management method, device, equipment and storage medium
CN111682937B (en) Method and device for applying and distributing key of enhanced CPK
CN113326541A (en) Cloud edge collaborative multi-mode private data transfer method based on intelligent contract
CN113364597A (en) Privacy information proving method and system based on block chain
CN113312664A (en) User data authorization method and user data authorization system
US20190305940A1 (en) Group shareable credentials
CN111131160B (en) User, service and data authentication system
CN110545325B (en) Data encryption sharing method based on intelligent contract
CN114338091B (en) Data transmission method, device, electronic equipment and storage medium
CN113691376B (en) Key management method and device
CN115001673A (en) Key processing method, device and system based on unified multi-domain identifier
CN109104393B (en) Identity authentication method, device and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant