CN113886860B - Electronic data security system and method based on mobile terminal - Google Patents


Info

Publication number: CN113886860B
Authority: CN (China)
Prior art keywords: data, signature, server, mobile terminal, key
Legal status: Active
Application number: CN202111471668.0A
Other languages: Chinese (zh)
Other versions: CN113886860A
Inventors: 王立伟, 王吉伟, 刘伟
Current assignee: Confident Information Co ltd
Original assignee: Confident Information Co ltd
Application filed by Confident Information Co ltd
Priority to CN202111471668.0A
Publication of CN113886860A
Application granted
Publication of CN113886860B

Classifications

    • G PHYSICS / G06 COMPUTING; CALCULATING OR COUNTING / G06F ELECTRIC DIGITAL DATA PROCESSING / G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity / G06F21/60 Protecting data / G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS / G06 COMPUTING; CALCULATING OR COUNTING / G06F ELECTRIC DIGITAL DATA PROCESSING / G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity / G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals / G06F21/31 User authentication / G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G PHYSICS / G06 COMPUTING; CALCULATING OR COUNTING / G06F ELECTRIC DIGITAL DATA PROCESSING / G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity / G06F21/60 Protecting data / G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Abstract

The invention discloses an electronic data security system and method based on a mobile terminal. The system comprises a server and a client, where the client is installed on the mobile terminal and comprises an identity authentication module and a cryptographic security module, and the server comprises a data security module. The server stores locally, in encrypted form, the original text of the secured electronic data, the hash value of the original text, the digital signature information and the identity authentication information; at the same time, the hash value and the summary data of the secured electronic data are uploaded to a third-party judicial evidence storage organization for evidence preservation. When authentication is needed, a hash value is computed over the locally encrypted original text of the secured electronic data and checked against the hash value held by the third-party judicial evidence storage organization, which determines whether the data has been tampered with. The invention can ensure the legality and authority of electronic data and can yield impartial electronic evidence with legal effect.

Description

Electronic data security system and method based on mobile terminal
Technical Field
The invention relates to the technical field of data security, and in particular to an electronic data security system and method based on a mobile terminal.
Background
The statements in this section merely provide background information related to the present disclosure and may not necessarily constitute prior art.
With the rapid development of the internet and related industries and the demand for paperless offices, many forms of e-government, business activity, official documents, contracts, medical records, real-estate transactions and other important rights, interests and intellectual-property achievements have moved from paper to electronic and internet forms. At the same time, with the rapid development of 4G and 5G mobile internet, informatized applications based on mobile terminals are becoming ever more widespread. How to ensure the legality of the electronic data generated by mobile-terminal applications, so that the electronic data can serve as electronic evidence on which a judicial authority can base its judgment, is therefore the key question; and the key and the difficulty in ensuring the legality of electronic data lie in its fixation, storage, evidence collection and authentication.
Currently, the fixation, storage, evidence collection and authentication of electronic data are generally handled by court preservation, judicial preservation, or preservation on a third-party data security platform. Court preservation and judicial preservation suffer from low efficiency, high cost and a lack of the necessary technology. A third-party data security platform, as a product of the information society, can bring its own advantages to bear and overcome the shortcomings of traditional court and judicial preservation; however, such platforms are generally developed by application-system vendors, lack the necessary cryptographic protection, and even where some protection is provided it is implemented in software rather than by a dedicated hardware cryptographic device. They also suffer from technical closedness, low social acceptance, a lack of theoretical grounding and a lack of judicial authentication.
Disclosure of Invention
To solve these problems, the invention provides a data security method and system based on an electronic signature application on a mobile terminal, which effectively address the security of key storage and use for the mobile-terminal user, and the identity validity, confidentiality, integrity, non-repudiation and time validity of the electronic data, in the environment in which mobile-terminal users currently operate. By connecting to a third-party judicial certification mechanism it also handles the electronic data across the four links of fixation, storage, evidence collection and authentication, thereby combining data security with judicial evidence collection and judicial certification and meeting the requirements of electronic data security for mobile-terminal applications.
In some embodiments, the following technical scheme is adopted:
an electronic data security system based on a mobile terminal, comprising a server and a client, where the client is installed on the mobile terminal and comprises:
an identity authentication module, configured to invoke a biometric recognition device of the mobile terminal to perform identity authentication, access control and real-name authentication, to perform data interaction and collaborative key operations with the server, and to obtain a digital certificate as the digital identity credential;
a cryptographic security module, configured to generate a timestamp and an electronic signature for the secured electronic data based on the digital certificate, while providing encryption/decryption and signature verification services based on the digital certificate;
the server comprises:
a data security module, configured to store locally, in encrypted form, the original text of the secured electronic data, the hash value of the original text, the digital signature information, the timestamp information, the electronic signature information and the identity authentication information; to upload, at the same time, the hash value and the summary data of the secured electronic data to a third-party judicial evidence storage organization for evidence preservation; when authentication is needed, to compute a hash value over the locally encrypted original text of the secured electronic data, check it against the hash value held by the third-party judicial evidence storage organization, and determine whether the data has been tampered with; and to verify the data integrity, identity validity, time validity and non-repudiation of the secured data by verifying the electronic signature value, the electronic signature information and the timestamp information.
In other embodiments, the following technical solutions are adopted:
a mobile terminal-based electronic data security method, comprising the following process:
receiving an identity authentication request and performing real-name identity authentication of the client user;
after identity authentication succeeds, generating a local key share and sending a key generation request and a digital certificate application request to the server; the server, after receiving the client request, generates a server key share and submits a digital certificate request to a third-party CA; meanwhile, the client receives the digital certificate returned by the server and stores it in encrypted form;
obtaining a signature value through the collaborative key-share operation, generating a timestamp and an electronic signature for the secured electronic data, and storing locally, in encrypted form, the original text of the secured electronic data, the hash value of the original text, the digital signature information and the identity authentication information;
at the same time, uploading the hash value and the summary data of the secured electronic data to the third-party judicial evidence storage organization, where the summary data comprises at least: the owner information of the secured electronic data, the file name of the secured electronic data, the electronic signature information, and the data generation time.
When the secured electronic data needs to be authenticated, computing a hash value over the locally encrypted original text of the secured electronic data, checking it against the hash value held by the third-party judicial evidence storage organization, and determining whether the data has been tampered with;
verifying the locally encrypted digital signature information and identity authentication information together with the summary data to determine whether the data is legal and valid; specifically, the integrity and authenticity of the data are ensured by verifying the signature value, the legality of the user identity by verifying the user's identity information, and the legality of the time at which the behaviour data was generated by verifying the timestamp.
As a further scheme, obtaining a signature value through the collaborative key-share operation specifically comprises:
the mobile terminal and the server each compute and encrypt their respective key shares;
the mobile terminal and the server each verify the validity of the data sent by the other party by comparing hash values;
if the data is valid, the mobile terminal computes a signature value r from the mobile-terminal key share and the server key share; the server computes the signature value r and a signature value s2 from the mobile-terminal key share and the server key share, and returns s2 to the mobile terminal;
the mobile terminal decrypts s2, computes a signature value s1, and derives the signature value s from s1 and s2;
finally, the mobile terminal holds the complete signature value (r, s).
Compared with the prior art, the invention has the following beneficial effects:
(1) Through integration with a third-party CA and a third-party judicial evidence storage organization, the invention achieves secure storage, fixation, evidence collection and authentication of electronic data (digital copyright records, digital medical data, electronic contracts, electronic documents and the like), combines data security with judicial authentication, ensures the legality and authority of the electronic data, avoids disputes among participants over the authenticity and judicial authority of the electronic data content, and can yield impartial electronic evidence with legal effect.
(2) The client and the server each generate and store a partial key, and when identity authentication is performed or electronic data is signed, the client and server keys are used in a collaborative operation. Since almost no mobile terminal currently has a dedicated cryptographic security chip, keys cannot be stored in a hardware chip and can only be stored in software, which carries a risk of key leakage; with split keys, even if one party's key is lost or leaked, nobody can obtain the complete key, and key security is effectively ensured.
(3) The invention processes the secured data with digital certificate, signature, timestamp, encryption/decryption and electronic signature technologies, among others, and can effectively ensure identity legality, data confidentiality and integrity, non-repudiation of behaviour and time legality;
(4) The invention can capture a handwritten signature through the mobile terminal and add it to the secured electronic data by electronic signature technology, thereby effectively ensuring the integrity and non-repudiation of the secured electronic data, and the handwritten signature carrying the personal digital signature can conveniently be viewed through graphics processing. The invention uses timestamp technology to prove time validity when the data is fixed, ensuring the credibility of the time at which the data was generated.
(5) The invention uses "face recognition + person-and-ID consistency + process video recording" to recognise the faces of the participants in data preservation, compares the face information with identity-card information by connecting to the public security face database, and records video of the face recognition process and of the behaviour process, thereby effectively ensuring the identity legality and non-repudiation of the participants.
(6) The key information of the hardware server cryptographic device is stored in a cryptographic security chip from which the key cannot be extracted, so that, compared with the software keys used in traditional security systems, key security is effectively ensured and leakage or copying of the key is prevented.
(7) By combining a traditional data security system with a judicial certification institution, the invention can effectively improve the reliability of the secured data and provides strong judicial protection for data security.
Drawings
FIG. 1 is a diagram of a data security system architecture according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a data saving process according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a data authentication process according to an embodiment of the present invention.
Detailed Description
It should be noted that the following detailed description is exemplary and is intended to provide further explanation of the disclosure. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments according to the present application. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, and it should be understood that when the terms "comprises" and/or "comprising" are used in this specification, they specify the presence of stated features, steps, operations, devices, components, and/or combinations thereof, unless the context clearly indicates otherwise.
Interpretation of terms:
CA: certification authority, i.e. an electronic certification service provider, the authority that issues digital certificates;
SDK: software development kit.
Example one
In one or more embodiments, a mobile terminal-based electronic data security system is disclosed which, referring to FIG. 1, comprises a server and a client;
where the client is installed on the mobile terminal and comprises:
(1) an identity authentication module, configured to invoke a biometric recognition device of the mobile terminal to perform identity authentication, access control and real-name authentication, to perform data interaction and collaborative key operations with the server, and to obtain a digital certificate as the digital identity credential;
specifically, the identity authentication module comprises:
a biometric identification unit, configured to perform identity authentication and access control over the client key information and personal information by invoking a biometric identification device of the mobile terminal (such as fingerprint, voiceprint or face recognition);
a real-name authentication unit, configured to perform real-name identity authentication of the client user; real-name authentication of the client user can be carried out by means such as identity-card information or portrait recognition against the public security face database, so that the authenticity and legality of the client user's identity are guaranteed and the person and the ID card are matched.
a digital certificate unit, configured to generate a local key after real-name authentication passes and to send a digital certificate application request together with the local key to the server through the certificate application interface, so that the server submits the digital certificate request to a third-party CA; and, at the same time, to receive the digital certificate returned by the server and store it in encrypted form.
In this embodiment, a user enters basic information through the client and submits a registration application; the client checks the user registration information and sends an activation code; the user activates and logs in to the system by entering a user name, a password and the activation code.
The client user performs real-name identity authentication by entering an identity-card number combined with face recognition, generates a local key after the real-name identity authentication passes, and submits a digital certificate application request;
after receiving the digital certificate application request, the server submits the certificate application to the third-party CA, which automatically checks the user's certificate request and issues the digital certificate; the digital certificate includes a signature certificate, an encryption certificate and an encryption key.
The server receives and stores the digital certificate and returns the digital certificate and the encryption key to the client, which uses the digital certificate as the user's legal digital identity credential for logging in to the system.
The digital certificate comprises an encryption certificate and a signature certificate; the corresponding keys are an encryption key and a signature key, and the signature key is generated and stored in a security chip of the client. The signature certificate, the encryption certificate and the encryption key are issued by the third-party CA; the encryption key is used for data encryption and the signature key for data signing.
The signature key pair (comprising a signature public key and a signature private key) is generated by the client; when the certificate request is submitted, the user information and the signature public key are sent to the server, and the signature private key remains on the client;
the encryption key pair (comprising an encryption public key and an encryption private key) is generated by the third-party CA; after the third-party CA issues the signature certificate and the encryption certificate, it returns the signature certificate, the encryption certificate and the encryption key pair to the server, which forwards them to the client. At this point the client holds a signature key pair, an encryption key pair, a signature certificate and an encryption certificate for use in signature verification and encryption/decryption.
(2) a cryptographic security module, configured to generate a timestamp and an electronic signature for the secured electronic data based on the digital certificate, while providing encryption/decryption and signature verification services based on the digital certificate;
specifically, the cryptographic security module comprises:
a key generation unit, configured to generate, by a key splitting technique, the client key share used in the collaborative operation;
a timestamp service unit, configured to generate a timestamp for the secured electronic data based on digital-signature timestamp technology (the time can be synchronised with the national time service centre via GPS/Beidou/4G); this protects the legality of the time at which the electronic data action occurred and the integrity and non-repudiation of the electronic data, prevents the time of the action and the content of the electronic data from being tampered with, and effectively fixes both the time and the action data.
In this embodiment, the timestamp is a structure conforming to the national standard, generated by digital signature technology together with other information; the structure includes digital certificate information, signature information, the hash value of the original text, the national standard time and the like, and is mainly used to protect the legality of the time at which a behaviour occurred and the integrity of the record generated by the behaviour, making both the time of the behaviour and the data credible.
an electronic signature service unit, configured to electronically sign the secured electronic data mainly by means of digital signature, document processing and image processing technologies; it supports multi-party signing and can effectively ensure the identity validity, data integrity and non-repudiation of all parties signing the electronic document.
After the electronic data or document to be secured is generated, a user who has passed identity authentication signs by hand using the handwritten-signature capture function of the electronic signature; the handwritten signature image, the digital certificate and related information are assembled into a standard electronic seal data structure, and the seal structure, certificate information, behaviour time information and the like are written into a standard format file such as a PDF (Portable Document Format) or OFD (office document) file, forming an electronic signature based on the format file. Finally, the electronic signature is displayed in the standard format file of the secured electronic data, and the integrity and non-repudiation of the electronic document are ensured by verifying the signature.
As an optional implementation, the client further includes a process video recording module, configured to record video of the identity authentication process and the data security process by invoking the mobile device camera, and to digitally sign and then encrypt and store the video data, so as to ensure the legality and non-repudiation of the operator's identity.
In this embodiment, the server includes:
(1) a data security module, configured to store locally, in encrypted form, the original text of the secured electronic data, the hash value of the original text, the digital signature information, the electronic signature information, the timestamp information and the identity authentication information; at the same time, the hash value and the summary data of the secured electronic data are uploaded to a third-party judicial evidence storage organization for evidence preservation; when authentication is needed, a hash value is computed over the locally encrypted original text of the secured electronic data and checked against the hash value held by the third-party judicial evidence storage organization, and it is determined whether the data has been tampered with.
The summary data comprises the owner information of the secured electronic data, the file name of the secured electronic data and the data generation time;
when authentication is needed, a hash value is computed over the locally encrypted original text of the secured electronic data and checked against the hash value held by the third-party judicial evidence storage organization; whether the data has been tampered with is determined by whether the two hash values agree.
The locally encrypted digital signature information and identity authentication information are verified together with the summary data to determine whether the data is legal and valid. Specifically: the integrity and non-repudiation of the data are guaranteed by verifying the signature value, the validity of the user's identity by verifying the user's identity information, and the validity of the time at which the behaviour data was generated by verifying the timestamp.
Specifically, the data security module comprises:
a black-box storage unit, configured to fix locally and store in encrypted form the original text of the electronic data, the hash value of the original text, the digital signature value, the electronic signature information, the timestamp information and the user identity information;
the identity authentication information is used to confirm the identity validity of the person holding the electronic data, and the digital signature information comprises the signature value obtained through the collaborative key operation and is used to guarantee the identity validity of the digital certificate holder, the integrity of the secured data and the non-repudiation of the behaviour.
a third-party judicial evidence storage unit, configured to upload the hash value and the summary data of the secured electronic data to the third-party judicial evidence storage organization through that organization's data upload interface, and to receive the judicial evidence electronic certificate issued by the third-party judicial evidence storage organization for subsequent judicial evidence collection;
the hash value is computed with the SM3 cryptographic hash algorithm, and the summary information includes the owner information of the secured electronic data, the file name of the secured electronic data, the data generation time and the like, so as to ensure the legality of the user identity, the integrity of the behaviour data and the non-repudiation of the behaviour.
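The fixation and authentication flow of the data security module, as an added example in Go that is not part of the patent: the server keeps the original text, the third party keeps only the hash and the summary data, and authentication recomputes the hash from the local original and compares it with the third party's copy. SHA-256 stands in for SM3, the at-rest encryption of the local record is left out, and the receipt id stands in for the judicial evidence electronic certificate; all three are assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// originalHash hashes the original text; SHA-256 stands in for the SM3 algorithm the page prescribes.
func originalHash(original []byte) []byte {
	h := sha256.Sum256(original)
	return h[:]
}

// Summary is the data that travels with the hash to the judicial evidence store: the page lists
// owner, file name and generation time (the electronic-signature information is omitted here).
type Summary struct {
	Owner, FileName string
	GeneratedAt     time.Time
}

func (s Summary) equal(o Summary) bool {
	return s.Owner == o.Owner && s.FileName == o.FileName && s.GeneratedAt.Equal(o.GeneratedAt)
}

// LocalRecord is what the server keeps. The page stores it encrypted at rest; that layer is left out.
type LocalRecord struct {
	Original []byte
	Hash     []byte // the server's own copy of the hash; it is never used as the reference
	Summary  Summary
}

// storedEvidence is all the third party holds: no original text ever leaves the server.
type storedEvidence struct {
	Hash    []byte
	Summary Summary
}

// EvidenceStore models the third-party judicial evidence store. The receipt id it returns stands in
// for the "judicial evidence electronic certificate" the page mentions.
type EvidenceStore struct{ records map[string]storedEvidence }

func (e *EvidenceStore) Upload(hash []byte, s Summary) string {
	if e.records == nil {
		e.records = map[string]storedEvidence{}
	}
	id := fmt.Sprintf("EV-%04d", len(e.records)+1)
	e.records[id] = storedEvidence{Hash: append([]byte(nil), hash...), Summary: s}
	return id
}

// Preserve fixes one item: hash it, keep original + hash + summary locally, upload hash + summary.
func Preserve(store *EvidenceStore, original []byte, s Summary) (LocalRecord, string) {
	h := originalHash(original)
	return LocalRecord{Original: original, Hash: h, Summary: s}, store.Upload(h, s)
}

// Authenticate recomputes the hash of the locally stored original and compares it with the copy the
// third party holds. The local Hash field is deliberately ignored: whoever can rewrite the local
// store can rewrite that field too, so only the externally held hash can reveal tampering.
func Authenticate(store *EvidenceStore, id string, rec LocalRecord) error {
	ref, ok := store.records[id]
	if !ok {
		return errors.New("no judicial evidence record " + id)
	}
	if subtle.ConstantTimeCompare(originalHash(rec.Original), ref.Hash) != 1 {
		return errors.New("original text does not match the judicially stored hash: data tampered")
	}
	if !rec.Summary.equal(ref.Summary) {
		return errors.New("summary data differs from the judicially stored copy")
	}
	return nil
}
```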
As an optional implementation manner, the server further includes a cryptographic service module, where the cryptographic service module specifically includes:
a key generation unit configured to generate a server-side key share for performing a collaborative operation by a key division technique;
the key collaborative operation unit is configured to perform collaborative operation on key shares generated by the client and the server respectively to obtain corresponding signature values when performing identity authentication or performing electronic data signature, and the signature values are used for performing identity authentication or electronic signature;
according to the embodiment, the key safety can be effectively ensured through the key collaborative operation method, and even if one party reveals the key, the safety of the whole key cannot be influenced because any party cannot obtain the complete key.
The password security service unit is configured to be used for storing client key information and identity authentication information; and corresponding password security service and storage service are provided through password security chips in the identity authentication server, the signature verification server, the electronic signature server, the timestamp server and the data security server.
The key information of the embodiment is stored in the password security chip, and the key cannot be extracted from hardware, so that compared with a soft key used in a traditional security system, the security of the key can be effectively ensured, and the key is prevented from being leaked or copied.
The password security service unit specifically comprises a security support layer, a core layer, a service layer and an interface layer; the security support layer is used for storing client key information and identity authentication information; the core layer is used for performing core operation and comprises a local black box server, an electronic signature server, a data security server, a timestamp server and the like; the service layer is used for providing password security services for the client, and the services comprise identity authentication services, signature verification services, electronic signature services, timestamp services, data security services and the like. The interface layer is an integrated interface which provides an interface development kit for the business system so that the business system can call and integrate the data security function and provides the password security services of user identity authentication, encryption and decryption, signature verification, time stamp, electronic signature and the like for the business system.
In this embodiment, the server is configured to receive the digital certificate application and the local key sent by the client and to submit a digital certificate request to a third-party CA; it then receives the digital certificate issued by the third-party CA and returns the digital certificate and the encryption key to the client.
At the same time, the keys of the client and the server are used in a cooperative operation: both parties take part in the signature operation with their respective key shares, the cooperative algorithm yields the corresponding signature value, and that signature value is finally used for identity authentication or electronic signature.
As a specific implementation, the signature value is obtained through the cooperative algorithm as follows:
(1) the mobile terminal and the server negotiate a session key sk;
(2) the mobile terminal generates a random number, calculates the mobile terminal key share k1, and encrypts k1 with the session key sk to obtain the ciphertext c1;
(3) the server generates a random number, calculates the server key share k2, and encrypts k2 with the session key sk to obtain the ciphertext c2;
(4) the server decrypts the ciphertext c1 with the session key sk to obtain the mobile terminal key share k1, hashes k1, k2 and sk to obtain the hash value h2, and sends h2 together with the ciphertext c2 to the mobile terminal;
(5) the mobile terminal decrypts the ciphertext c2 with the session key sk to obtain the server key share k2, hashes k1, k2 and sk to obtain the hash value h1, and compares h1 with h2 to verify the validity of the data;
(6) the mobile terminal computes the signature value r from k1 and k2 using the elliptic curve algorithm and the multiplier, and sends h1 to the server;
(7) the server verifies the validity of the data by comparing h2 with h1; if the check passes, the server computes the signature value r and the signature value s2 from k1 and k2 using the elliptic curve algorithm and the multiplier, and returns s2 to the mobile terminal;
(8) the mobile terminal obtains s2 by decryption, calculates the signature value s1, and computes the signature value s from s1 and s2;
(9) finally, the mobile terminal holds the complete signature value (r, s).
In this embodiment, with reference to fig. 2, the electronic data to be secured may be text, image or video data. The data security module solidifies the secured electronic data together with the record of the operation (the person, time and content of the data security operation), uploads it over the network, and encrypts, stores and verifies it through the identity authentication module and the cryptographic security module. The data security module then uploads the hash value and the summary data of the secured electronic data to a third-party judicial evidence storage organization through that organization's data upload interface, and the judicial evidence electronic certificate issued by the organization is kept for subsequent judicial evidence collection.
In this embodiment, the third-party judicial evidence storage organization may be the judicial appraisal center of the National Information Center, or another organization selected as needed.
In this embodiment, with reference to fig. 3, when the secured electronic data must be authenticated, the third-party judicial evidence storage organization extracts the related original secured electronic data from the local black box evidence storage unit and calculates its hash value with the SM3 cryptographic algorithm; the calculated hash value is compared with the hash value recorded in the certificate of the third-party judicial evidence storage organization to determine the authenticity of the secured electronic data. At the same time, electronic signature technology is used to verify the authenticity, integrity and time validity of the electronic data by checking the validity of the electronic signature's digital certificate, the validity of the signature value, the validity of the timestamp and so on. If all verification results agree, the third-party judicial evidence storage organization issues a judicial verification opinion confirming that the electronic data is legal and valid electronic evidence.
Example two
In one or more embodiments, disclosed is a mobile terminal-based electronic data security method, which comprises the following processes:
(1) receiving an identity authentication request, and performing real-name identity authentication on a client user;
(2) after the identity authentication is successful, generating a local secret key, and sending a digital certificate request and the local secret key to a server so that the server submits the digital certificate authentication request to a third-party CA authentication mechanism; meanwhile, receiving a digital certificate returned by the server, and encrypting and storing the digital certificate;
(3) obtaining a signature value through key share cooperative operation, generating a time stamp and an electronic signature for the security electronic data, and performing local encryption storage on the original text, the hash value of the original text, the digital signature information and the identity authentication information of the security electronic data; meanwhile, the hash value and the summary data of the security electronic data are uploaded to a third-party judicial evidence storage mechanism; wherein the summary data comprises at least: owner information of the secured electronic data, a file name of the secured electronic data, and a data generation time.
The process of obtaining the signature value through the key share cooperative operation is the same as the process of obtaining the corresponding signature value through the cooperative algorithm processing in the first embodiment, and is not described in detail here.
When authentication of the secured electronic data is needed, a hash value is calculated from the locally encrypted original text of the secured electronic data and checked against the hash value deposited at the third-party judicial evidence storage organization to determine whether the data has been tampered with;
verifying the locally encrypted digital signature information and identity authentication information against the summary data then determines whether the data is legal and valid: verification of the signature value ensures the integrity and non-repudiation of the data, verification of the user's identity information ensures that the user identity is legitimate, and verification of the timestamp ensures that the generation time of the behavior data is legitimate.
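The nine-step cooperative signature of the first embodiment and the authentication-time hash and signature check just described, as an added example that is not the patent's own code. The patent does not fix the curve, the signing equation, the hash function or exactly what the two sides exchange, so the example assumes: secp256k1 as the curve; a Schnorr-style equation s = k + e·d, which lets the additive shares k1, k2 and d1, d2 combine directly into s = s1 + s2; HMAC-SHA256 under the session key sk as the h1/h2 consistency hash; the combined elliptic-curve point R = k1·G + k2·G as the signature value r; SHA-256 in place of SM3; and exchange of the public points k1·G and k2·G rather than the raw shares, so that neither party ever learns the other's share, which is the property the key collaboration is meant to give. The session key, the document and every other input are constructed sample values, and all function names are the example's own:

```python
"""Added example (not the patent's code): two-party collaborative signature
with additive shares, plus the hash-and-signature check used at
authentication time. Assumed: secp256k1, Schnorr-style s = k + e*d,
HMAC-SHA256 under sk as the h1/h2 check, SHA-256 in place of SM3, and
public points k_i*G exchanged instead of the raw shares."""
import hashlib
import hmac
import secrets

# secp256k1 domain parameters (assumed curve; the patent names none).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (the 'multiplier' of the steps)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def encode(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def consistency_hash(sk, r1, r2):
    """h1/h2 of steps 4-7: both contributions bound to the session key sk."""
    return hmac.new(sk, encode(r1) + encode(r2), hashlib.sha256).digest()

def challenge(r, q, digest):
    """Schnorr challenge e = H(R || Q || hash of the document) mod n."""
    return int.from_bytes(hashlib.sha256(encode(r) + encode(q) + digest).digest(), "big") % N

class Party:
    """One side (client or server); its long-term share d never leaves it."""
    def __init__(self):
        self.d = secrets.randbelow(N - 1) + 1
        self.k = None
    def contribution(self):
        """Steps 2/3: fresh random share; only k*G is sent to the peer."""
        self.k = secrets.randbelow(N - 1) + 1
        return ec_mul(self.k, G)
    def partial(self, e):
        """s1 / s2 of steps 7-8: k + e*d, computed from local values only."""
        return (self.k + e * self.d) % N

def keygen():
    """Joint public key Q = d1*G + d2*G; d1 + d2 is never assembled anywhere."""
    client, server = Party(), Party()
    return client, server, ec_add(ec_mul(client.d, G), ec_mul(server.d, G))

def cosign(client, server, q, sk, digest):
    """Steps 2-9, with the session key sk (step 1) assumed already negotiated."""
    r1 = client.contribution()                      # step 2: client -> server
    r2 = server.contribution()                      # step 3
    h2 = consistency_hash(sk, r1, r2)               # step 4: server -> client
    h1 = consistency_hash(sk, r1, r2)               # step 5: client recomputes
    if not hmac.compare_digest(h1, h2):
        raise ValueError("client: contribution mismatch")
    r = ec_add(r1, r2)                              # step 6: r = R1 + R2
    if not hmac.compare_digest(h2, h1):             # step 7: server checks h1
        raise ValueError("server: contribution mismatch")
    e = challenge(r, q, digest)
    s2 = server.partial(e)                          # step 7: s2 -> client
    s1 = client.partial(e)                          # step 8
    return r, (s1 + s2) % N                         # step 9: (r, s)

def verify(q, digest, r, s):
    """s*G == R + e*Q holds exactly when s was formed with d1 + d2."""
    return ec_mul(s, G) == ec_add(r, ec_mul(challenge(r, q, digest), q))

def sign_evidence(client, server, q, sk, original):
    digest = hashlib.sha256(original).digest()      # hash deposited with the evidence organization
    return digest, cosign(client, server, q, sk, digest)

def check_evidence(original, deposited_hash, q, sig):
    """Authentication-time check: recompute the hash of the locally stored
    original, compare with the deposited hash, then verify the signature."""
    digest = hashlib.sha256(original).digest()
    if not hmac.compare_digest(digest, deposited_hash):
        return "tampered"
    return "valid" if verify(q, digest, *sig) else "bad-signature"
```

`check_evidence` returns "tampered" when the recomputed hash disagrees with the deposited one and "bad-signature" when the hash matches but the collaborative signature does not verify under the joint public key; the certificate and timestamp checks of the patent are not modelled. Because `s1` and `s2` each mix a fresh random share with the party's own long-term share, the partial values exchanged reveal nothing about `d1` or `d2`, which is what allows the full key to exist only as a sum that neither side computes.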
Although the embodiments of the present invention have been described with reference to the accompanying drawings, it is not intended to limit the scope of the present invention, and it should be understood by those skilled in the art that various modifications and variations can be made without inventive efforts by those skilled in the art based on the technical solution of the present invention.

Claims (10)

1. An electronic data security system based on a mobile terminal is characterized by comprising a server side and a client side; the client is arranged on the mobile terminal, and the client comprises:
the identity authentication module is configured to call a biological recognition device of the mobile terminal to perform identity authentication, access control and real-name authentication, generate a client key share, perform data interaction and key share cooperative operation with a server to obtain a signature value for performing identity authentication or electronic signature, and acquire a digital certificate as a digital identity certificate;
a cryptographic security module configured to generate a timestamp and an electronic signature for securing electronic data based on the digital certificate and the signature value while providing encryption and decryption of the digital certificate and signature verification services;
the server side comprises:
the data security module is configured to perform local encryption storage on the secured electronic data original text, the original text hash value, the digital signature information, the timestamp information, the electronic signature information and the identity authentication information; meanwhile, the hash value and the summary data of the security electronic data are uploaded to a third-party judicial evidence storage organization for evidence storage; when authentication is needed, calculating a hash value of a secure electronic data original text stored in a local encryption mode, verifying the hash value and a hash value stored in a certificate storage mechanism of a third-party judicial certificate storage mechanism, and determining whether the data is tampered; meanwhile, whether the security data is complete and whether the identity and the time are legal is verified by verifying the signature value, the electronic signature information and the time stamp information.
2. The mobile terminal-based electronic data security system of claim 1, wherein the client further comprises:
and the process video recording module is configured to record the video in the identity authentication process and the data security process, and encrypt and store the video data after digitally signing the video data.
3. A mobile terminal based electronic data security system as claimed in claim 1, wherein said identity authentication module comprises:
a biometric unit configured to perform authentication and access control by calling a biometric device of the mobile terminal;
the real-name authentication unit is configured to perform real-name identity authentication on the client user;
the digital certificate unit is configured to generate a local secret key after the real-name authentication passes, and send a digital certificate request and the local secret key to the server so that the server submits the digital certificate authentication request to a third-party CA (certificate authority); and meanwhile, receiving the digital certificate returned by the server, and encrypting and storing the digital certificate.
4. A mobile terminal based electronic data security system as claimed in claim 1, wherein said cryptographic security module comprises:
a key generation unit configured to generate a client key share for performing a cooperative operation by a key splitting technique;
a time stamp service unit configured to generate a time stamp of the secured electronic data based on a digital signature technique;
an electronic signature service unit configured to implement electronic signature on secure electronic data; or, the handwritten signature is acquired through the mobile terminal, then a standard electronic seal data structure is formed, and the electronic seal data structure, the electronic certificate information and the behavior time information are input into a format file for preserving electronic data.
5. A mobile terminal-based electronic data security system as claimed in claim 1, wherein said data security module comprises:
the black box card storage unit is configured to locally solidify and encrypt and store the electronic data original text, the original text hash value, the digital signature value and the user identity information;
a third-party judicial evidence storage unit configured to upload the hash value and summary data of the secured electronic data to a third-party judicial evidence storage institution; and receiving the judicial evidence electronic certificate issued by the third judicial evidence-storing organization.
6. The system as claimed in claim 1, wherein the server further comprises a cryptographic service module, the cryptographic service module comprising:
a key generation unit configured to generate a server-side key share for performing a cooperative operation by a key splitting technique;
the key collaborative operation unit is configured to conduct collaborative operation on key shares generated by the client and the server respectively to obtain corresponding signature values when identity authentication is conducted or electronic data is signed, and the signature values are used for conducting identity authentication or electronic signing;
a cryptographic security service unit configured to store client key information and identity authentication information; and corresponding password security service and storage service are provided through password security chips in the identity authentication server, the signature verification server, the electronic signature server, the timestamp server and the data security server.
7. The mobile terminal-based electronic data security system of claim 1, wherein the server is configured to receive a digital certificate application sent by the client, and submit a digital certificate authentication request to a third party CA certification authority; and receiving a digital certificate issued by a third-party CA certification authority, and returning the digital certificate and the encryption key to the mobile terminal.
8. An electronic data security method based on a mobile terminal is characterized by comprising the following processes:
receiving an identity authentication request, and performing real-name identity authentication on a client user;
after the identity authentication is successful, generating a client side key share, sending a key generation request and a digital certificate application request to the server side, so that the server side generates the server side key share after receiving the request, and submitting the digital certificate authentication request to a third party CA authentication mechanism; meanwhile, receiving a digital certificate returned by the server, and encrypting and storing the digital certificate;
performing cooperative operation on the client side key share and the server side key share to obtain a signature value, generating a time stamp and an electronic signature for the security electronic data, and performing local encryption storage on the original text, the hash value of the original text, the digital signature information, the time stamp information, the electronic signature information and the identity authentication information of the security electronic data;
meanwhile, the hash value and the summary data of the security electronic data are uploaded to a third-party judicial evidence storage mechanism; wherein the summary data comprises at least: owner information of the secured electronic data, file name of the secured electronic data, electronic signature information, and data generation time.
9. The electronic data preservation method based on the mobile terminal as claimed in claim 8, wherein when preservation electronic data authentication is required, a hash value is calculated according to a preservation electronic data original text stored by local encryption, the hash value is verified with a hash value stored by a third-party judicial evidence storage institution, and whether data is tampered is determined;
verifying the digital signature information and the identity authentication information which are stored in a local encryption mode with the summary data to determine whether the data are legal and valid; wherein, the verification specifically comprises: the integrity and the authenticity of the data are ensured by verifying the signature value, the legality of the user identity is ensured by verifying the identity information of the user, and the legality of the generation time of the behavior data is ensured by verifying the timestamp.
10. The method as claimed in claim 8, wherein the obtaining of the signature value through key share cooperative operation specifically includes:
the mobile terminal and the server negotiate a session key sk;
the mobile terminal generates a random number, calculates a mobile terminal key share k1, and encrypts the mobile terminal key share k1 by using a session key sk to obtain a ciphertext c1;
the server generates a random number, calculates a server key share k2, and encrypts the server key share k2 by using the session key sk to obtain a ciphertext c2;
the server side decrypts the ciphertext c1 by using the session key sk to obtain a mobile side key share k1; carrying out hash operation on the mobile terminal key share k1, the server terminal key share k2 and the session key sk to obtain a hash value h2, and sending the hash value h2 and the ciphertext c2 to the mobile terminal;
the mobile terminal decrypts the ciphertext c2 by using the session key sk to obtain a server key share k2, performs hash operation on the mobile terminal key share k1, the server key share k2 and the session key sk to obtain a hash value h1, and compares the hash value h1 with the hash value h2 to verify the data validity;
the mobile terminal obtains a signature value r through an elliptic curve algorithm and a multiplier calculation based on the mobile terminal key share k1 and the server terminal key share k2, and sends the hash value h1 to the server terminal;
the server side verifies the data validity by comparing the hash value h2 with the hash value h1; if the verification is passed, the server side, based on the mobile side key share k1 and the server side key share k2, obtains a signature value r and a signature value s2 through calculation of an elliptic curve algorithm and a multiplier, and returns the signature value s2 to the mobile side;
the mobile terminal obtains the signature value s2 through decryption, calculates a signature value s1, and obtains a signature value s through calculation of the signature value s1 and the signature value s2;
and finally, the mobile terminal obtains complete signature value information (r, s).
CN202111471668.0A 2021-12-06 2021-12-06 Electronic data security system and method based on mobile terminal Active CN113886860B (en)

Publications (2)

Publication Number Publication Date
CN113886860A CN113886860A (en) 2022-01-04
CN113886860B true CN113886860B (en) 2022-03-29

Family

ID=79016330

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114726647B (en) * 2022-05-12 2022-08-12 知安视娱(北京)科技有限公司 Safe distribution method and system of 4K film content and safe projection system
CN115442143B (en) * 2022-09-05 2023-07-28 开普数智科技(广东)有限公司 Electronic signature method, device, equipment and readable medium
CN116488820B (en) * 2022-09-07 2024-01-30 厦门市兴百邦科技有限公司 Electronic data security method based on data acquisition analysis

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106470201A (en) * 2015-08-21 2017-03-01 中兴通讯股份有限公司 A kind of user authen method and device
CN107888591B (en) * 2017-11-10 2020-02-14 国信嘉宁数据技术有限公司 Method and system for electronic data preservation
CN110046515B (en) * 2019-04-18 2021-03-23 杭州尚尚签网络科技有限公司 Safe electronic signature method based on short-lived digital certificate

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103078841A (en) * 2012-12-03 2013-05-01 厦门市美亚柏科信息股份有限公司 Method and system for preventive electronic data security
WO2014086166A1 (en) * 2012-12-03 2014-06-12 厦门市美亚柏科信息股份有限公司 Method and system for preventively preserving electronic data
CN103679436A (en) * 2013-12-17 2014-03-26 重庆邮电大学 Electronic contract security system and method based on biological information identification
CN112003704A (en) * 2020-07-31 2020-11-27 中科扶云(杭州)科技有限公司 Electronic evidence processing method and device and computer equipment
CN113378236A (en) * 2021-06-02 2021-09-10 浙江数秦科技有限公司 Evidence data online security notarization platform and security method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 250101 floor 17, building 4, future entrepreneurship Plaza, north section of Gangxing Third Road, Jinan area, China (Shandong) pilot Free Trade Zone, Jinan City, Shandong Province

Applicant after: Confident Information Co.,Ltd.

Address before: 250101 floor 17, building 4, future entrepreneurship Plaza, north section of Gangxing Third Road, Jinan area, China (Shandong) pilot Free Trade Zone, Jinan City, Shandong Province

Applicant before: SHANDONG SURESEC INFORMATION INDUSTRY CO.,LTD.

GR01 Patent grant