CN112688784A - Digital signature and verification method, device and system - Google Patents
Digital signature and verification method, device and system Download PDFInfo
- Publication number
- CN112688784A CN112688784A CN202011532883.2A CN202011532883A CN112688784A CN 112688784 A CN112688784 A CN 112688784A CN 202011532883 A CN202011532883 A CN 202011532883A CN 112688784 A CN112688784 A CN 112688784A
- Authority
- CN
- China
- Prior art keywords
- signature
- ciphertext
- application system
- private key
- verification
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Landscapes
- Storage Device Security (AREA)
Abstract
The invention provides a digital signature and verification method, a device and a system, wherein the method comprises the following steps: the method comprises the following steps: acquiring a dynamic identifier of a user side, using a combination of an SM9 private key and the dynamic identifier as input, and using an SM3 algorithm to obtain a first hash result; taking the first hash result as a key, and encrypting a plaintext by using an SM4 algorithm to obtain a ciphertext; taking the combination of an SM9 private key, a ciphertext and a timestamp as input, obtaining a second hash result by using an SM3 algorithm, and taking the second hash result as an encrypted signature of the ciphertext; and sending the encrypted signature of the ciphertext, the dynamic identification, the user information of the user side and the timestamp to an application system so that the application system can verify the encrypted signature of the ciphertext.
Description
Technical Field
The invention relates to the technical field of data encryption, in particular to a digital signature and verification method, device and system.
Background
With the rapid development of internet technology, signature verification technology is also increasingly applied to e-commerce transactions and document approval in order to ensure security and fairness.
The invention patent with application number 201410616744.6 in the prior art discloses a data signature method, a signature verification method, data signature equipment and a verification server, wherein the data signature method comprises the following steps: when a first signature request is received, extracting a signature identifier and data to be signed from the first signature request, generating abstract information of the data to be signed, determining a target signature certificate corresponding to the signature identifier from a plurality of preset signature certificates, signing the abstract information by using the target signature certificate to obtain first signature data, and sending the first signature data and the signature identifier to a verification server for the verification server to verify the first signature data. Therefore, the invention can identify the data to be signed through the signature mark, and ensure the security of the signature to a certain extent. Even if the signature identification is tampered, the signature identification is sent to a verification server to verify whether a fraudulent signature condition exists. The invention presets a plurality of signature certificates, at least comprises a transaction signature certificate and a common signature certificate, and respectively signs transaction data and common data.
In the prior art, a hash algorithm is used for hashing a plaintext and an identifier to obtain summary information, and then a signature certificate is used for signing the obtained summary information, so that essentially an asymmetric encryption algorithm is used for signing, but the SM9 has low encryption efficiency and high requirement on hardware, so that the prior art has the technical problem of low signature efficiency.
Disclosure of Invention
The technical problem to be solved by the present invention is how to provide a method, device and system for digital signature and verification to improve the signature efficiency.
The invention solves the technical problems through the following technical means:
in a first aspect, the present invention provides a digital signature method, applied to a user side, where the user side has an SM9 private key in advance, and the method includes:
acquiring a dynamic identifier of a user side, using a combination of an SM9 private key and the dynamic identifier as input, and using an SM3 algorithm to obtain a first hash result;
taking the first hash result as a key, and encrypting a plaintext by using an SM4 algorithm to obtain a ciphertext;
taking the combination of an SM9 private key, a ciphertext and a timestamp as input, obtaining a second hash result by using an SM3 algorithm, and taking the second hash result as an encrypted signature of the ciphertext;
and sending the encrypted signature of the ciphertext, the dynamic identification, the user information of the user side and the timestamp to an application system so that the application system can verify the encrypted signature of the ciphertext.
Optionally, the dynamic identification includes:
the random number is dynamically generated, and one or a combination of a preset number of subsets selected from preset character sets.
In a second aspect, the present invention further provides a digital signature verification method, applied to an application system, where the method includes:
receiving an encrypted signature, a ciphertext, a dynamic identification, user information of a user side and a timestamp sent by the user side, sending the ciphertext, the user information of the user side and the timestamp to an encryption machine, so that the user information of the user side of the encryption machine is queried to obtain an SM9 private key, generating a verification signature according to the ciphertext, the SM9 private key obtained by querying and the timestamp, and sending the verification signature to an application system;
comparing whether the verification signature is consistent with the encrypted signature;
if so, sending the dynamic identifier to an encryption machine, so that the encryption machine processes the dynamic identifier and the searched SM9 private key by using an SM3 algorithm to obtain a third hash value and sends the third hash value to an application system;
and receiving the third hash value, and decrypting the ciphertext by using the third hash value as a key to obtain a plaintext.
Optionally, when the step of sending the dynamic identifier to the encryption engine is executed, the method further includes:
and sending the user information to the encryption machine so that the encryption machine queries an SM9 private key according to the user information.
In a third aspect, the present invention further provides a digital signature verification method, which is applied to an encryption apparatus, where a plurality of user information SM9 private key pairs are preset in the encryption apparatus, and the method includes:
receiving a ciphertext, user information of a user side and a timestamp sent by an application system, inquiring an obtained SM9 private key according to the user information, and generating a verification signature according to the ciphertext, the inquired obtained SM9 private key and the timestamp; sending the verification signature to an application system so that the application system can compare whether the verification signature is consistent with the encryption signature or not;
receiving a dynamic identifier under the condition that the comparison verification signature is consistent with the signature;
and processing the dynamic identification and the SM9 private key obtained by query by using an SM3 algorithm to obtain a third hash value, and sending the third hash value to an application system, so that the application system decrypts the ciphertext by using the third hash value as a secret key to obtain a plaintext.
In a fourth aspect, the present invention provides a digital signature apparatus, applied to a user side, where the user side has a secret key SM9 in advance, and the apparatus includes:
the acquisition module is used for acquiring the dynamic identifier of the user side, using the combination of an SM9 private key and the dynamic identifier as input, and using an SM3 algorithm to obtain a first hash result;
the encryption module is used for encrypting the plaintext by using the SM4 algorithm by taking the first hash result as a key to obtain a ciphertext;
the signature module is used for taking the combination of an SM9 private key, a ciphertext and a timestamp as input, obtaining a second hash result by using an SM3 algorithm, and taking the second hash result as an encrypted signature of the ciphertext;
the first sending module is used for sending the encrypted signature of the ciphertext, the dynamic identifier, the user information of the user side and the timestamp to the application system so that the application system can verify the encrypted signature of the ciphertext.
Optionally, the dynamic identification includes:
the random number is dynamically generated, and one or a combination of a preset number of subsets selected from preset character sets.
In a fifth aspect, the present invention provides a digital signature verification apparatus, applied to an application system, the apparatus including:
the first receiving module is used for receiving the encrypted signature, the ciphertext, the dynamic identification, the user information of the user side and the timestamp sent by the user side, sending the ciphertext, the user information of the user side and the timestamp to the encryption machine, so that the user information of the user side of the encryption machine is inquired to obtain an SM9 private key, a verification signature is generated according to the ciphertext, the SM9 private key obtained by inquiry and the timestamp, and the verification signature is sent to an application system;
the comparison module is used for comparing whether the verification signature is consistent with the encrypted signature or not, and if so, triggering a second sending module;
the second sending module is used for sending the dynamic identifier to the encryption machine so that the encryption machine processes the dynamic identifier and the searched SM9 private key by using an SM3 algorithm to obtain a third hash value and sends the third hash value to an application system;
the first receiving module is further configured to receive the third hash value, and decrypt the ciphertext with the third hash value as the key to obtain the plaintext.
Optionally, the second sending module is further configured to:
and sending the user information to the encryption machine so that the encryption machine queries an SM9 private key according to the user information.
In a sixth aspect, the present invention provides a digital signature verification apparatus, which is applied to an encryption apparatus, where a plurality of private key pairs of user information SM9 are preset in the encryption apparatus, and the apparatus includes:
the second receiving module is used for receiving the ciphertext, the user information of the user side and the timestamp sent by the application system, generating a verification signature according to the SM9 private key obtained by user information query and the SM9 private key obtained by the ciphertext and the query and the timestamp; sending the verification signature to an application system so that the application system can compare whether the verification signature is consistent with the encryption signature or not;
the second receiving module is also used for receiving the dynamic identification under the condition that the comparison verification signature is consistent with the signature;
and the third sending module is used for processing the dynamic identification and the SM9 private key obtained by query by using an SM3 algorithm to obtain a third hash value and sending the third hash value to the application system, so that the application system decrypts the ciphertext by using the third hash value as a secret key to obtain a plaintext.
In a seventh aspect, the present invention provides a digital signature and verification method, where the method includes:
the method comprises the steps that a user side obtains a dynamic identification of the user side, the SM9 private key and the dynamic identification are combined to be used as input, and a first Hash result is obtained through an SM3 algorithm; taking the first hash result as a key, and encrypting a plaintext by using an SM4 algorithm to obtain a ciphertext; taking the combination of an SM9 private key, a ciphertext and a timestamp as input, obtaining a second hash result by using an SM3 algorithm, and taking the second hash result as an encrypted signature of the ciphertext; sending the encrypted signature, the ciphertext, the dynamic identification, the user information of the user side and the timestamp of the ciphertext to an application system;
the application system receives an encrypted signature, a ciphertext, a dynamic identifier, user information of a user side and a timestamp sent by the user side, and sends the ciphertext, the user information of the user side and the timestamp to the encryption machine;
the encryption machine receives a ciphertext, user information of a user side and a timestamp sent by an application system, processes the dynamic identification and an SM9 private key obtained by query by utilizing an SM3 algorithm, generates a verification signature and generates the verification signature; and sending the verification signature to an application system;
the application system compares whether the verification signature is consistent with the encryption signature; if yes, the dynamic identification and the user information of the user side are sent to the encryption machine;
the encryption machine receives the dynamic identification under the condition that the comparison verification signature is consistent with the signature; processing the dynamic identification and the SM9 private key obtained by query by using an SM3 algorithm to obtain a third hash value and sending the third hash value to an application system;
and the application system receives the third hash value, and decrypts the ciphertext by using the third hash value as a secret key to obtain a plaintext.
In an eighth aspect, the present invention provides a digital signature and verification system, including:
the user terminal according to the fourth aspect;
the application system according to the fifth aspect;
the encryption engine according to the sixth aspect.
The invention has the advantages that:
by applying the embodiment of the invention, only the private key of SM9 is used as the encrypted object of the SM3 algorithm for signature, compared with the prior art that the SM9 algorithm is used for encryption, for example, public information such as mobile phone numbers and the like is used as the public key, the embodiment of the invention does not need to call the encryption algorithm of SM9, and the operation speed of the SM3 algorithm is far higher than that of the SM9 algorithm, so that the signature efficiency is improved.
The embodiment of the invention can also ensure the integrity of data while improving the signature efficiency and realize the anti-repudiation of the data of the client.
Drawings
Fig. 1 is a schematic flow chart of a digital signature method according to an embodiment of the present invention;
fig. 2 is a schematic flow chart of a digital signature verification method according to an embodiment of the present invention;
fig. 3 is a schematic flowchart of a digital signature verification method according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a digital signature and verification system according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the embodiments of the present invention, and it is obvious that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention provides a digital signature method, a digital signature verification device and a digital signature verification system.
Example 1
The invention is applied to a digital signature and verification system, which comprises: the system comprises a user side, an application system and an encryption machine, wherein the user side is in remote communication with the application system; the application system and the encryption machine are deployed on the same side, and short-range secret communication is achieved between the application system and the encryption machine.
Fig. 1 is a schematic flow chart of a digital signature method according to an embodiment of the present invention, as shown in fig. 1, the digital signature method is applied to a user side, where the user side has an SM9 private key in advance, and the method includes:
s101: and acquiring the dynamic identification of the user side, using the combination of the SM9 private key and the dynamic identification as input, and using an SM3 algorithm to obtain a first hash result.
Illustratively, the dynamic identifier may be a dynamically generated random number, and the length of the random number may be 5 bits, may be 10 bits, may be 100 bits, and may be 1000 bits. The set of characters with set number can be selected from a preset character set stored in the user side, and a set formed by the characters is used as the dynamic identification.
Then, splicing the SM9 private key with the dynamic identifier to obtain a splicing result: SM9+ dynamic identification.
Then, a digest is obtained using an SM3 algorithm, e.g. a hash algorithm, hash (SM9+ dynamic id), and this digest is taken as the first hash result.
In this step, the SM9 private key is added in the generation process of the first hash result, which can ensure that the private key can only be generated in the user side and the encryption machine, and since the man in the middle can not manufacture the SM9 private key, the embodiment of the present invention can realize the high security of the encryption system under the condition that the client side and the encryption machine are secure.
S102: and using the first hash result as a key, and encrypting the plaintext by using an SM4 algorithm to obtain a ciphertext.
Illustratively, the first hash result obtained in step S101 is used as a key of the SM4 encryption algorithm, wherein the SM4 encryption algorithm may be a symmetric encryption algorithm.
The plaintext is again encrypted using SM 4:
SM4 (plaintext).
S103: and taking the combination of the SM9 private key, the ciphertext and the timestamp as input, obtaining a second hash result by using an SM3 algorithm, and taking the second hash result as the encrypted signature of the ciphertext.
And splicing the SM9 private key, the ciphertext and the timestamp to obtain a splicing result of the SM9 private key, the ciphertext and the timestamp.
The stitching result is then digested using the SM3 algorithm:
SM3(SM9 private key + ciphertext + timestamp) is the second hash result, which is the signature of the ciphertext.
In practical applications, the time stamp may be the time stamp of the moment when the embodiment of the present invention starts to be executed.
In practical application, the SM3 algorithm, namely the hash algorithm, has irreversibility, low falsification and uniqueness, so that the integrity of plaintext data can be ensured. In this step, after adding the SM9 key parameter to the SM3 to generate a second hash result operation, the second hash result may be made to correspond to trace information of the client, that is, the SM9 private key. Meanwhile, the SM9 secret key is stored in a highly secure mode, only the client and the encryption machine are used for storing the secret key, and the SM9 private key has uniqueness, so that the data integrity can be guaranteed, and meanwhile the anti-repudiation performance of the client data is achieved.
S104: carrying out encrypted signature on the ciphertext, namely a second hash result; and sending the ciphertext, the dynamic identification, the user information of the user side and the timestamp to an application system so that the application system verifies the encrypted signature of the ciphertext.
In embodiment 1 of the present invention, only the private key of SM9 is used as the encrypted object of the SM3 algorithm to perform signature, and compared with the encryption using the SM9 algorithm in the prior art, for example, public information such as a mobile phone number is used as the public key, the encryption algorithm of SM9 does not need to be called in the embodiment of the present invention, and the operation speed of the SM3 algorithm is much faster than that of the SM9 algorithm, so that the signature efficiency can be greatly improved under the condition that the security and integrity of a plaintext are ensured.
In addition, the embodiment of the invention does not relate to the transmission of a public key and a private key, so that the invention is safer; the dynamic identification is used by the user side and used for generating the key A, the identification cannot be corresponding to the key A by illegal molecules, and further the dynamic identification has complex variability, for example, random numbers can be used, so that the information security is further improved.
In addition, in the embodiment of the present invention, the data size of the SM9 private key used by the SM9 is smaller, and the data size is usually only several k volumes and will not exceed 10 k; the CA certificate has larger data volume, and usually has capacity of dozens of k, even hundreds of k, so the embodiment of the invention can save more memory.
Finally, the embodiment of the invention omits a CA certificate authentication center and can realize decentralization.
Example 2
Fig. 2 is a schematic flow chart of a digital signature verification method according to an embodiment of the present invention, and as shown in fig. 2, embodiment 2 of the present invention is implemented based on embodiment 1, embodiment 2 of the present invention is applied to an application system, and the method includes:
s201: the method comprises the steps of receiving an encrypted signature, a ciphertext, a dynamic identification, user information of a user side and a timestamp sent by the user side, sending the ciphertext, the user information of the user side and the timestamp to an encryption machine, enabling the user information of the user side of the encryption machine to be queried to obtain an SM9 private key, generating a verification signature according to the ciphertext, the SM9 private key obtained through query and the timestamp, and sending the verification signature to an application system.
The user side signs the ciphertext, namely a second hash result; a ciphertext; dynamic identification; a time stamp; user information of a user side, namely identity identification information of the user is sent to an application system, the application system receives the information, and then the user information, the ciphertext and the time stamp in the information are sent to an encryption machine.
After receiving the user information, the ciphertext and the timestamp, the encryption machine queries a user information SM9 private key pair corresponding to the user information from a plurality of user information SM9 private key pairs stored in the encryption machine, and further obtains an SM9 private key corresponding to the user information received by the encryption machine.
And obtaining a verification signature by using an SM3(SM9 private key + ciphertext + timestamp corresponding to the user information) by using an SM3 algorithm.
The encryption engine sends the verification signature to the application system.
S202: and the application system compares and compares whether the verification signature is consistent with the encrypted signature.
If the two are consistent, executing S203;
and if the two are not consistent, returning the information that the signature verification fails to pass to the user terminal.
S203: in order to reduce the running load of the encryption machine and focus the functions of the encryption machine on key life cycle management and key operation, in the embodiment of the invention, a complex logic processing process is placed in an application system, and therefore, the logic steps of verifying the consistency of the signature and the encrypted signature and verifying whether the consistency is passed are executed by the application system. And further, after the verification is passed, the application system sends the dynamic identification to the encryption machine. Since the encryption machine verifies the encryption signature in step S201, the encryption machine stores the queried SM9 private key in its own cache, and at this time, after the encryption machine receives the dynamic identifier, the encryption machine processes the dynamic identifier and the queried SM9 private key stored in the cache by using an SM3 algorithm, obtains a third hash value, and sends the third hash value to the application system.
Further, if there are a large number of concurrent encryption signature verifications at the same time, the storage of a large number of SM9 in the encryptor may cause memory overflow and may also cause data confusion, so that in a high-concurrency situation, such as a situation where the number of times of verification is more than 1000 times/second, the encryptor does not store the SM9 private key queried in the step S01 in the cache, but performs re-query according to the user information re-sent by the application system, that is, while the application system sends the dynamic identifier to the encryptor, the application system also sends the user information to the encryptor; the encryption machine queries a corresponding SM9 private key from a plurality of SM9 private key pairs stored in the encryption machine, and then generates a third hash value by using the SM9 private key.
The application system sends the dynamic identifier to the encryption machine, and after receiving the dynamic identifier, the encryption machine obtains the digest by using an SM3 algorithm, such as a hash algorithm, hash (SM9+ dynamic identifier), and uses the digest as a third hash result. And the encryption machine sends the third hash result to the application system as a decryption key corresponding to the user information.
S204: and receiving the third hash value, and decrypting the ciphertext by using the third hash value as a key to obtain a plaintext.
Example 3
Fig. 3 is a schematic flow diagram of a digital signature verification method according to an embodiment of the present invention, and as shown in fig. 3, embodiment 3 of the present invention is implemented based on embodiment 1 and embodiment 2, embodiment 3 of the present invention is applied to an encryption apparatus, a plurality of user information SM9 private key pairs are preset in the encryption apparatus, and the method includes:
s301: receiving a ciphertext, user information of a user side and a timestamp sent by an application system, inquiring an obtained SM9 private key according to the user information, and generating a verification signature according to the ciphertext, the inquired obtained SM9 private key and the timestamp; sending the verification signature to an application system so that the application system can compare whether the verification signature is consistent with the encryption signature or not;
s302: receiving a dynamic identifier under the condition that the comparison verification signature is consistent with the signature;
s303: and processing the dynamic identification and the SM9 private key obtained by query by using an SM3 algorithm to obtain a third hash value, and sending the third hash value to an application system, so that the application system decrypts the ciphertext by using the third hash value as a secret key to obtain a plaintext.
The specific principle and process of embodiment 3 of the present invention have been described in embodiment 2, and the embodiments of the present invention are not described herein again.
Example 4
Corresponding to embodiment 1 of the present invention, embodiment 4 of the present invention further provides a digital signature apparatus, which is applied to a user side, where the user side has an SM9 private key in advance, and the apparatus includes:
the acquisition module is used for acquiring the dynamic identifier of the user side, using the combination of an SM9 private key and the dynamic identifier as input, and using an SM3 algorithm to obtain a first hash result;
the encryption module is used for encrypting the plaintext by using the SM4 algorithm by taking the first hash result as a key to obtain a ciphertext;
the signature module is used for taking the combination of an SM9 private key, a ciphertext and a timestamp as input, obtaining a second hash result by using an SM3 algorithm, and taking the second hash result as an encrypted signature of the ciphertext;
the first sending module is used for sending the encrypted signature of the ciphertext, the dynamic identifier, the user information of the user side and the timestamp to the application system so that the application system can verify the encrypted signature of the ciphertext.
In a specific implementation manner of the embodiment of the present invention, the dynamic identifier includes:
the random number is dynamically generated, and one or a combination of a preset number of subsets selected from preset character sets.
Example 5
Corresponding to embodiment 1 of the present invention, embodiment 5 of the present invention further provides a digital signature verification apparatus, which is applied to an application system, and the apparatus includes:
the first receiving module is used for receiving the encrypted signature, the ciphertext, the dynamic identification, the user information of the user side and the timestamp sent by the user side, sending the ciphertext, the user information of the user side and the timestamp to the encryption machine, so that the user information of the user side of the encryption machine is inquired to obtain an SM9 private key, a verification signature is generated according to the ciphertext, the SM9 private key obtained by inquiry and the timestamp, and the verification signature is sent to an application system;
the comparison module is used for comparing whether the verification signature is consistent with the encrypted signature or not, and if so, triggering a second sending module;
the second sending module is used for sending the dynamic identifier to the encryption machine so that the encryption machine processes the dynamic identifier and the searched SM9 private key by using an SM3 algorithm to obtain a third hash value and sends the third hash value to an application system;
the first receiving module is further configured to receive the third hash value, and decrypt the ciphertext with the third hash value as the key to obtain the plaintext.
In a specific implementation manner of the embodiment of the present invention, the second sending module is further configured to:
and sending the user information to the encryption machine so that the encryption machine queries an SM9 private key according to the user information.
Example 6
Corresponding to embodiment 1 of the present invention, embodiment 6 of the present invention further provides a digital signature verification apparatus, which is applied to an encryption apparatus, where a plurality of user information SM9 private key pairs are preset in the encryption apparatus, and the apparatus includes:
the second receiving module is used for receiving the ciphertext, the user information of the user side and the timestamp sent by the application system, generating a verification signature according to the SM9 private key obtained by user information query and the SM9 private key obtained by the ciphertext and the query and the timestamp; sending the verification signature to an application system so that the application system can compare whether the verification signature is consistent with the encryption signature or not;
the second receiving module is also used for receiving the dynamic identification under the condition that the comparison verification signature is consistent with the signature;
and the third sending module is used for processing the dynamic identification and the SM9 private key obtained by query by using an SM3 algorithm to obtain a third hash value and sending the third hash value to the application system, so that the application system decrypts the ciphertext by using the third hash value as a secret key to obtain a plaintext.
Example 7
Corresponding to embodiments 1 to 6 of the present invention, embodiment 7 of the present invention further provides a digital signature and verification method, where the method includes:
the method comprises the steps that a user side obtains a dynamic identification of the user side, the SM9 private key and the dynamic identification are combined to be used as input, and a first Hash result is obtained through an SM3 algorithm; taking the first hash result as a key, and encrypting a plaintext by using an SM4 algorithm to obtain a ciphertext; taking the combination of an SM9 private key, a ciphertext and a timestamp as input, obtaining a second hash result by using an SM3 algorithm, and taking the second hash result as an encrypted signature of the ciphertext; sending the encrypted signature, the ciphertext, the dynamic identification, the user information of the user side and the timestamp of the ciphertext to an application system;
the application system receives an encrypted signature, a ciphertext, a dynamic identifier, user information of a user side and a timestamp sent by the user side, and sends the ciphertext, the user information of the user side and the timestamp to the encryption machine;
the encryption machine receives a ciphertext, user information of a user side and a timestamp sent by an application system, processes the dynamic identification and an SM9 private key obtained by query by utilizing an SM3 algorithm, generates a verification signature and generates the verification signature; and sending the verification signature to an application system;
the application system compares whether the verification signature is consistent with the encryption signature; if yes, the dynamic identification and the user information of the user side are sent to the encryption machine;
the encryption machine receives the dynamic identification under the condition that the comparison verification signature is consistent with the signature; processing the dynamic identification and the SM9 private key obtained by query by using an SM3 algorithm to obtain a third hash value and sending the third hash value to an application system;
and the application system receives the third hash value, and decrypts the ciphertext by using the third hash value as a secret key to obtain a plaintext.
Example 8
Corresponding to embodiments 1 to 7 of the present invention, embodiment 8 of the present invention further provides a digital signature and verification system. Fig. 4 is a schematic diagram of an architecture of a digital signature and verification system according to an embodiment of the present invention, as shown in fig. 4, the system includes:
the user terminal 801 according to embodiment 4;
the application system 802 according to embodiment 5;
the encryption equipment 803 according to embodiment 6.
The above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (10)
1. A digital signature method, applied to a user side, wherein the user side has an SM9 private key in advance, the method comprising:
acquiring a dynamic identifier of a user side, using a combination of an SM9 private key and the dynamic identifier as input, and using an SM3 algorithm to obtain a first hash result;
taking the first hash result as a key, and encrypting a plaintext by using an SM4 algorithm to obtain a ciphertext;
taking the combination of an SM9 private key, a ciphertext and a timestamp as input, obtaining a second hash result by using an SM3 algorithm, and taking the second hash result as an encrypted signature of the ciphertext;
and sending the encrypted signature of the ciphertext, the dynamic identification, the user information of the user side and the timestamp to an application system so that the application system can verify the encrypted signature of the ciphertext.
2. A digital signature method as claimed in claim 1, wherein said dynamic identification comprises:
the random number is dynamically generated, and one or a combination of a preset number of subsets selected from preset character sets.
3. A digital signature verification method based on the method of claim 1 or 2, applied to an application system, the method comprising:
receiving an encrypted signature, a ciphertext, a dynamic identification, user information of a user side and a timestamp sent by the user side, sending the ciphertext, the user information of the user side and the timestamp to an encryption machine, so that the user information of the user side of the encryption machine is queried to obtain an SM9 private key, generating a verification signature according to the ciphertext, the SM9 private key obtained by querying and the timestamp, and sending the verification signature to an application system;
comparing whether the verification signature is consistent with the encrypted signature;
if so, sending the dynamic identifier to an encryption machine, so that the encryption machine processes the dynamic identifier and the searched SM9 private key by using an SM3 algorithm to obtain a third hash value and sends the third hash value to an application system;
and receiving the third hash value, and decrypting the ciphertext by using the third hash value as a key to obtain a plaintext.
4. A digital signature verification method as claimed in claim 3, wherein in performing said step of sending said dynamic identification to a cryptographic engine, said method further comprises:
and sending the user information to the encryption machine so that the encryption machine queries an SM9 private key according to the user information.
5. A digital signature verification method based on any one of the methods in claims 1-4, characterized in that, the method is applied to a cryptographic machine, a plurality of private key pairs of user information SM9 are preset in the cryptographic machine, the method includes:
receiving a ciphertext, user information of a user side and a timestamp sent by an application system, inquiring an obtained SM9 private key according to the user information, and generating a verification signature according to the ciphertext, the inquired obtained SM9 private key and the timestamp; sending the verification signature to an application system so that the application system can compare whether the verification signature is consistent with the encryption signature or not;
receiving a dynamic identifier under the condition that the comparison verification signature is consistent with the signature;
and processing the dynamic identification and the SM9 private key obtained by query by using an SM3 algorithm to obtain a third hash value, and sending the third hash value to an application system, so that the application system decrypts the ciphertext by using the third hash value as a secret key to obtain a plaintext.
6. A digital signature device, applied to a user side, said user side having a secret key SM9 in advance, said device comprising:
the acquisition module is used for acquiring the dynamic identifier of the user side, using the combination of an SM9 private key and the dynamic identifier as input, and using an SM3 algorithm to obtain a first hash result;
the encryption module is used for encrypting the plaintext by using the SM4 algorithm by taking the first hash result as a key to obtain a ciphertext;
the signature module is used for taking the combination of an SM9 private key, a ciphertext and a timestamp as input, obtaining a second hash result by using an SM3 algorithm, and taking the second hash result as an encrypted signature of the ciphertext;
the first sending module is used for sending the encrypted signature of the ciphertext, the dynamic identifier, the user information of the user side and the timestamp to the application system so that the application system can verify the encrypted signature of the ciphertext.
7. A digital signature verification device based on the device of claim 6, applied to an application system, the device comprising:
the first receiving module is used for receiving the encrypted signature, the ciphertext, the dynamic identification, the user information of the user side and the timestamp sent by the user side, sending the ciphertext, the user information of the user side and the timestamp to the encryption machine, so that the user information of the user side of the encryption machine is inquired to obtain an SM9 private key, a verification signature is generated according to the ciphertext, the SM9 private key obtained by inquiry and the timestamp, and the verification signature is sent to an application system;
the comparison module is used for comparing whether the verification signature is consistent with the encrypted signature or not, and if so, triggering a second sending module;
the second sending module is used for sending the dynamic identifier to the encryption machine so that the encryption machine processes the dynamic identifier and the searched SM9 private key by using an SM3 algorithm to obtain a third hash value and sends the third hash value to an application system;
the first receiving module is further configured to receive the third hash value, and decrypt the ciphertext with the third hash value as the key to obtain the plaintext.
8. A digital signature verification device based on the device of claim 6 or 7, characterized in that, it is applied to the encryption machine, in which several private key pairs of user information SM9 are preset, said device includes:
the second receiving module is used for receiving the ciphertext, the user information of the user side and the timestamp sent by the application system, generating a verification signature according to the SM9 private key obtained by user information query and the SM9 private key obtained by the ciphertext and the query and the timestamp; sending the verification signature to an application system so that the application system can compare whether the verification signature is consistent with the encryption signature or not;
the second receiving module is also used for receiving the dynamic identification under the condition that the comparison verification signature is consistent with the signature;
and the third sending module is used for processing the dynamic identification and the SM9 private key obtained by query by using an SM3 algorithm to obtain a third hash value and sending the third hash value to the application system, so that the application system decrypts the ciphertext by using the third hash value as a secret key to obtain a plaintext.
9. A digital signature and verification method, the method comprising:
the method comprises the steps that a user side obtains a dynamic identification of the user side, the SM9 private key and the dynamic identification are combined to be used as input, and a first Hash result is obtained through an SM3 algorithm; taking the first hash result as a key, and encrypting a plaintext by using an SM4 algorithm to obtain a ciphertext; taking the combination of an SM9 private key, a ciphertext and a timestamp as input, obtaining a second hash result by using an SM3 algorithm, and taking the second hash result as an encrypted signature of the ciphertext; sending the encrypted signature, the ciphertext, the dynamic identification, the user information of the user side and the timestamp of the ciphertext to an application system;
the application system receives an encrypted signature, a ciphertext, a dynamic identifier, user information of a user side and a timestamp sent by the user side, and sends the ciphertext, the user information of the user side and the timestamp to the encryption machine;
the encryption machine receives a ciphertext, user information of a user side and a timestamp sent by an application system, processes the dynamic identification and an SM9 private key obtained by query by utilizing an SM3 algorithm, generates a verification signature and generates the verification signature; and sending the verification signature to an application system;
the application system compares whether the verification signature is consistent with the encryption signature; if yes, the dynamic identification and the user information of the user side are sent to the encryption machine;
the encryption machine receives the dynamic identification under the condition that the comparison verification signature is consistent with the signature; processing the dynamic identification and the SM9 private key obtained by query by using an SM3 algorithm to obtain a third hash value and sending the third hash value to an application system;
and the application system receives the third hash value, and decrypts the ciphertext by using the third hash value as a secret key to obtain a plaintext.
10. A digital signature verification system, the system comprising:
the user terminal of claim 6;
the application system of claim 7;
the encryption machine of claim 8.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011532883.2A CN112688784B (en) | 2020-12-23 | 2020-12-23 | Digital signature and verification method, device and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011532883.2A CN112688784B (en) | 2020-12-23 | 2020-12-23 | Digital signature and verification method, device and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112688784A true CN112688784A (en) | 2021-04-20 |
| CN112688784B CN112688784B (en) | 2023-04-11 |
Family
ID=75450872
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011532883.2A Active CN112688784B (en) | 2020-12-23 | 2020-12-23 | Digital signature and verification method, device and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112688784B (en) |
Cited By (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113127934A (en) * | 2021-06-17 | 2021-07-16 | 北京信安世纪科技股份有限公司 | Log file based signature and signature verification method and electronic equipment |
| CN113259934A (en) * | 2021-06-25 | 2021-08-13 | 贵州大学 | Short message verification code encryption method, decryption method and encryption and decryption system |
| CN113285959A (en) * | 2021-06-25 | 2021-08-20 | 贵州大学 | Mail encryption method, decryption method and encryption and decryption system |
| CN113382002A (en) * | 2021-06-10 | 2021-09-10 | 杭州安恒信息技术股份有限公司 | Data request method, request response method, data communication system, and storage medium |
| CN113392418A (en) * | 2021-06-30 | 2021-09-14 | 北京紫光展锐通信技术有限公司 | Data deployment method and device, computer readable storage medium, deployment device and user side |
| CN113472542A (en) * | 2021-06-29 | 2021-10-01 | 广州炒米信息科技有限公司 | Network attack defense method and device based on SM3 algorithm, storage medium, client terminal and service terminal |
| CN113726503A (en) * | 2021-07-12 | 2021-11-30 | 国网山东省电力公司信息通信公司 | Method and system for protecting web interaction information |
| CN113986845A (en) * | 2021-12-27 | 2022-01-28 | 南京大学 | Method and system for issuing unconditional trusted timestamp |
| CN114553438A (en) * | 2022-03-02 | 2022-05-27 | 深圳壹账通智能科技有限公司 | Data transmission method and device, electronic equipment and storage medium |
| CN114817068A (en) * | 2022-05-25 | 2022-07-29 | 云账户技术(天津)有限公司 | Interface testing method and device based on mock test and electronic equipment |
| CN114978694A (en) * | 2022-05-23 | 2022-08-30 | 深圳云创数安科技有限公司 | Data volume generation method, device, equipment and storage medium based on digital signature |
| CN115174260A (en) * | 2022-07-29 | 2022-10-11 | 中国工商银行股份有限公司 | Data verification method, data verification device, computer, storage medium and program product |
| CN115208632A (en) * | 2022-06-16 | 2022-10-18 | 国网浙江省电力有限公司营销服务中心 | Front-end and back-end data encryption transmission method and system |
| CN115225272A (en) * | 2022-09-20 | 2022-10-21 | 北方健康医疗大数据科技有限公司 | Big data disaster recovery system, method and equipment based on domestic commercial cryptographic algorithm |
| CN116527236A (en) * | 2023-06-29 | 2023-08-01 | 深圳市亲邻科技有限公司 | Information change verification method and system for encryption card |
Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2013078970A1 (en) * | 2011-11-30 | 2013-06-06 | 西安西电捷通无线网络通信股份有限公司 | Key negotiation method and apparatus according to sm2 key exchange protocol |
| CN107483429A (en) * | 2017-08-09 | 2017-12-15 | 北京中软信科技有限公司 | A kind of data ciphering method and device |
| CN108199847A (en) * | 2017-12-29 | 2018-06-22 | 数安时代科技股份有限公司 | Security processing method, computer equipment and storage medium |
| CN108629027A (en) * | 2018-05-09 | 2018-10-09 | 深圳壹账通智能科技有限公司 | Customer data base method for reconstructing, device, equipment and medium on block chain |
| CN109768987A (en) * | 2019-02-26 | 2019-05-17 | 重庆邮电大学 | A kind of storage of data file security privacy and sharing method based on block chain |
| CN110445621A (en) * | 2019-09-27 | 2019-11-12 | 瓦戈科技有限公司 | A kind of application method and system of trusted identities |
| CN110837634A (en) * | 2019-10-24 | 2020-02-25 | 杭州安存网络科技有限公司 | Electronic signature method based on hardware encryption machine |
| CN110943976A (en) * | 2019-11-08 | 2020-03-31 | 中国电子科技网络信息安全有限公司 | Password-based user signature private key management method |
-
2020
- 2020-12-23 CN CN202011532883.2A patent/CN112688784B/en active Active
Patent Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2013078970A1 (en) * | 2011-11-30 | 2013-06-06 | 西安西电捷通无线网络通信股份有限公司 | Key negotiation method and apparatus according to sm2 key exchange protocol |
| CN107483429A (en) * | 2017-08-09 | 2017-12-15 | 北京中软信科技有限公司 | A kind of data ciphering method and device |
| CN108199847A (en) * | 2017-12-29 | 2018-06-22 | 数安时代科技股份有限公司 | Security processing method, computer equipment and storage medium |
| CN108629027A (en) * | 2018-05-09 | 2018-10-09 | 深圳壹账通智能科技有限公司 | Customer data base method for reconstructing, device, equipment and medium on block chain |
| CN109768987A (en) * | 2019-02-26 | 2019-05-17 | 重庆邮电大学 | A kind of storage of data file security privacy and sharing method based on block chain |
| CN110445621A (en) * | 2019-09-27 | 2019-11-12 | 瓦戈科技有限公司 | A kind of application method and system of trusted identities |
| CN110837634A (en) * | 2019-10-24 | 2020-02-25 | 杭州安存网络科技有限公司 | Electronic signature method based on hardware encryption machine |
| CN110943976A (en) * | 2019-11-08 | 2020-03-31 | 中国电子科技网络信息安全有限公司 | Password-based user signature private key management method |
Cited By (19)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113382002A (en) * | 2021-06-10 | 2021-09-10 | 杭州安恒信息技术股份有限公司 | Data request method, request response method, data communication system, and storage medium |
| CN113127934A (en) * | 2021-06-17 | 2021-07-16 | 北京信安世纪科技股份有限公司 | Log file based signature and signature verification method and electronic equipment |
| CN113259934A (en) * | 2021-06-25 | 2021-08-13 | 贵州大学 | Short message verification code encryption method, decryption method and encryption and decryption system |
| CN113285959A (en) * | 2021-06-25 | 2021-08-20 | 贵州大学 | Mail encryption method, decryption method and encryption and decryption system |
| CN113472542A (en) * | 2021-06-29 | 2021-10-01 | 广州炒米信息科技有限公司 | Network attack defense method and device based on SM3 algorithm, storage medium, client terminal and service terminal |
| CN113392418A (en) * | 2021-06-30 | 2021-09-14 | 北京紫光展锐通信技术有限公司 | Data deployment method and device, computer readable storage medium, deployment device and user side |
| CN113726503B (en) * | 2021-07-12 | 2023-11-14 | 国网山东省电力公司信息通信公司 | Method and system for protecting web interaction information |
| CN113726503A (en) * | 2021-07-12 | 2021-11-30 | 国网山东省电力公司信息通信公司 | Method and system for protecting web interaction information |
| CN113986845A (en) * | 2021-12-27 | 2022-01-28 | 南京大学 | Method and system for issuing unconditional trusted timestamp |
| CN114553438A (en) * | 2022-03-02 | 2022-05-27 | 深圳壹账通智能科技有限公司 | Data transmission method and device, electronic equipment and storage medium |
| CN114978694A (en) * | 2022-05-23 | 2022-08-30 | 深圳云创数安科技有限公司 | Data volume generation method, device, equipment and storage medium based on digital signature |
| CN114817068A (en) * | 2022-05-25 | 2022-07-29 | 云账户技术(天津)有限公司 | Interface testing method and device based on mock test and electronic equipment |
| CN115208632A (en) * | 2022-06-16 | 2022-10-18 | 国网浙江省电力有限公司营销服务中心 | Front-end and back-end data encryption transmission method and system |
| CN115208632B (en) * | 2022-06-16 | 2023-11-07 | 国网浙江省电力有限公司营销服务中心 | Front-end and back-end data encryption transmission method and system |
| CN115174260A (en) * | 2022-07-29 | 2022-10-11 | 中国工商银行股份有限公司 | Data verification method, data verification device, computer, storage medium and program product |
| CN115174260B (en) * | 2022-07-29 | 2024-02-02 | 中国工商银行股份有限公司 | Data verification method, device, computer, storage medium and program product |
| CN115225272A (en) * | 2022-09-20 | 2022-10-21 | 北方健康医疗大数据科技有限公司 | Big data disaster recovery system, method and equipment based on domestic commercial cryptographic algorithm |
| CN116527236A (en) * | 2023-06-29 | 2023-08-01 | 深圳市亲邻科技有限公司 | Information change verification method and system for encryption card |
| CN116527236B (en) * | 2023-06-29 | 2023-09-19 | 深圳市亲邻科技有限公司 | Information change verification method and system for encryption card |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112688784B (en) | 2023-04-11 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN112688784B (en) | Digital signature and verification method, device and system | |
| CN113691502B (en) | Communication method, device, gateway server, client and storage medium | |
| CN109728914B (en) | Digital signature verification method, system, device and computer readable storage medium | |
| CN106790156B (en) | Intelligent device binding method and device | |
| CN109714176B (en) | Password authentication method, device and storage medium | |
| CA3164765A1 (en) | Secure communication method and device based on identity authentication | |
| CN107592202B (en) | Application signature method, device, system, computing equipment and storage medium | |
| CN105099673A (en) | Authorization method, authorization requesting method and devices | |
| WO2021042851A1 (en) | Data signature method and device for use in blockchain, computer apparatus, and storage medium | |
| CN110958209B (en) | Bidirectional authentication method, system and terminal based on shared secret key | |
| CN110677382A (en) | Data security processing method, device, computer system and storage medium | |
| CN110690956A (en) | Bidirectional authentication method and system, server and terminal | |
| CN113382002B (en) | Data request method, request response method, data communication system, and storage medium | |
| CN101102464A (en) | STB terminal and its verification method | |
| CN114143108A (en) | Session encryption method, device, equipment and storage medium | |
| CN111327561B (en) | Authentication method, system, authentication server, and computer-readable storage medium | |
| CN113259722B (en) | Secure video Internet of things key management method, device and system | |
| CN111510442A (en) | User verification method and device, electronic equipment and storage medium | |
| CN114793184A (en) | Security chip communication method and device based on third-party key management node | |
| US20240106633A1 (en) | Account opening methods, systems, and apparatuses | |
| CN113114654B (en) | Terminal equipment access security authentication method, device and system | |
| CN116318784B (en) | Identity authentication method, identity authentication device, computer equipment and storage medium | |
| CN114553557B (en) | Key calling method, device, computer equipment and storage medium | |
| CN111062721B (en) | Signature method, system and storage medium applied to blockchain | |
| CN111064580B (en) | Implicit certificate key expansion method and device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| CB02 | Change of applicant information |
Address after: 10 / F, R & D building, Hefei Institute of technology innovation, Chinese Academy of Sciences, 2666 Xiyou Road, Hefei hi tech Zone, Hefei, Anhui 230000 Applicant after: Zhongke Meiluo Technology Co., Ltd. Address before: 10 / F, R & D building, Hefei Institute of technology innovation, Chinese Academy of Sciences, 2666 Xiyou Road, Hefei hi tech Zone, Hefei, Anhui 230000 Applicant before: ANHUI ZHONGKE MEILUO INFORMATION TECHNOLOGY CO.,LTD. |
|
| CB02 | Change of applicant information | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |