CN1801029A - Method for generating digital certificate and applying the generated digital certificate - Google Patents
Method for generating digital certificate and applying the generated digital certificate Download PDFInfo
- Publication number
- CN1801029A CN1801029A CN 200410082396 CN200410082396A CN1801029A CN 1801029 A CN1801029 A CN 1801029A CN 200410082396 CN200410082396 CN 200410082396 CN 200410082396 A CN200410082396 A CN 200410082396A CN 1801029 A CN1801029 A CN 1801029A
- Authority
- CN
- China
- Prior art keywords
- key
- digital certificate
- chip
- information
- signature
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Abstract
The invention discloses a digital certification generation method, which is characterized by the following: storing the information with encoding functional chip in the host; providing the private key of digital certification in the chip to affirm the safety of digital certification. The invention also provides two appliance methods of digital certification, which makes the receiver affirm the private key of sender information according to the digital certification and host. Hence, the invention prevents the private key from error identification due to abusing and tapping.
Description
Technical field
The present invention relates to the digital certificate technique field, be meant the method that generates digital certificate and use this digital certificate that generates especially.
Background technology
Digital certificate is to be provided and authenticated center digital signature by certificate granting authentication center (CA, Certificate Authority), comprises a kind of e-file of public-key cryptography owner and public-key cryptography relevant information.Digital certificate and public-key cryptosystem are closely related.In public-key cryptosystem, each entity all has a pair of key that matches each other: public-key cryptography (Pubic Key PKI) and private cipher key (Private Key private key).Public-key cryptography is shared by one group of user, is used for encrypting or certifying signature, and private cipher key only be known to the certificate owner, is used for deciphering or signing.
The generative process of existing digital certificate is as follows:
The user is to the request that CA sends the application digital certificate, comprises the data that show user identity in this request and to the signing messages of these data; After CA checks that user's signature passes through,, the digital certificate that generates is expressly returned to the user for the user signs and issues a digital certificate, and, require the user to use the private key of this digital certificate of password protection.
For reaching practical protection effect; password should have enough length and not have rule; and to remember well and often modification; this is not a duck soup concerning the user; and actual conditions are the password protection mechanism that considerable user does not adopt private key for simplicity fully; perhaps, the password that is adopted is easy to be decrypted.Thereby in actual applications, private key is not well protected.
Digital certificate can have following application mode:
A kind of application mode is: the user uses the private key of the digital certificate of having applied for information is signed, because private key so can generate the file that others can't copy, has also just formed digital signature only for I own.The take over party then uses the PKI in this user's the digital certificate that this digital signature is verified, because digital signature is relevant with the content of information, therefore, the file of a process signature is if any change, can cause the proof procedure failure of digital signature, so just guarantee the reliability of Data Source.
In above-mentioned application process; though can guarantee the safety of data in transmission course; but differ and guarantee the reliable of data surely; because the take over party does not also know the guard mode of the private key of transmit leg; if the private key of transmit leg victim is stolen, and the assailant uses this private key transmission data, then the source of these data and unreliable; like this, be easy to produce the responsibility dispute that causes because of the identity misidentification.
Another kind of application mode is: when sending a secret papers, transmit leg uses take over party's PKI that this document is encrypted, and the take over party then uses the private key deciphering of oneself.Because take over party's private key only owns for me, other people can't decipher this document, arrive the destination so can secure documents.
In above-mentioned application process, the take over party calls in private key and finishes decryption oprerations in the internal memory, thereby there is the hidden danger of being attacked eavesdropping in this private key.
From as can be seen above-mentioned, in the process of existing generation digital certificate and Applied Digital certificate, all there is potential safety hazard.
Summary of the invention
In view of this, an object of the present invention is to provide a kind of method that generates digital certificate, to guarantee the safety of digital certificate.Another object of the present invention provides a kind of method of using the digital certificate that is generated, can effectively avoid the identity misidentification that causes because of the private key abuse.A further object of the present invention provides a kind of method of using the digital certificate that is generated, avoids private key victim eavesdropping in the process of using.
For achieving the above object, technical scheme of the present invention is as follows:
A kind of method that generates digital certificate, in main frame, comprise chip with storage and encryption and decryption functions, in chip, be provided for identifying the host key of main frame and the host credentials of signing and issuing by manufacturer in advance with storage and encryption and decryption functions, and for the digital certificate that is about to generate is provided with certificates identified, this method is further comprising the steps of:
A, wait that the main frame of applying for digital certificate signs to the identity data that shows host identities, generation identity key signature, the PKI of using the CA of certificate granting authentication center then send to CA after the digital certificate solicited message of the PKI, identity key signature and the host credentials that comprise certificates identified, the used key of signature is at least encrypted by Digital Envelope Technology;
After b, CA receive the described information of step a, utilize the private key of self to be decrypted, obtain the digital certificate solicited message, identity key in this message signature and host credentials are verified respectively, checking generates the required digital certificate of main frame by the back, and the PKI of applied host machine key sends to main frame after the digital certificate of this generation is encrypted by Digital Envelope Technology;
After c, main frame receive the described information of step b, the information that receives imported into have in the storage and the chip of encryption and decryption functions, the information that receives is decrypted, obtain the digital certificate that CA issues by the private key of host key.
Preferably, the described method that the identity data that shows host identities is signed of step a is: in the chip with storage and encryption and decryption functions storage key is set in advance, in described chip, utilize the private key of this storage key that the identity data that shows host identities is signed, generation identity key signature is derived described chip with the identity key signature then; The PKI of the used key of described signature is the PKI of described storage key.
Preferably, the described method that the identity data that shows host identities is signed of step a is: in the chip with storage and encryption and decryption functions storage key is set in advance, and derive the identity key that is used to encrypt the host identities data by this storage key, in described chip, utilize the private key of this identity key that the identity data that shows host identities is signed, then by the PKI of storage key to the identity key encrypted private key, the identity key after encrypting, identity key signature are spread out of chip together; The PKI of the used key of described signature is the PKI of described identity key.
Preferably, the process that sends to CA after the PKI of the described application certificate granting CA of authentication center of step a is encrypted digital certificate request message may further comprise the steps:
Generate first random number, and use this first random number PKI, identity key signature and the host credentials of certificates identified at least, the used key of signature are encrypted, and the information after will encrypting is as the symmetric part in the digital certificate request message; Use the PKI of CA first random number that is generated is encrypted, and the information after will encrypting is as the asymmetric part in the digital certificate request message; The digital certificate request message that will comprise symmetric part and asymmetric part sends to CA.
Preferably, the described CA of step b receives the described information of step a, utilizes the private key of self to be decrypted, and the process of obtaining the digital certificate solicited message is:
CA utilizes the private key of self that the asymmetric part in the digital certificate request message is decrypted, and obtains first random number, uses first random number then the symmetric part in the digital certificate request message is decrypted, and obtains the digital certificate solicited message.
Preferably, the described method that identity data behind the signature is verified of step b is: whether extract the used PKI of signature from the digital certificate solicited message, it is legal to use this public key verifications identity key signature; The described method that host credentials is verified is: CA obtains the certificate of the mechanism of signing and issuing host credentials, have legal qualification by verifying this issuing organization, and the signature in the host credentials comes host credentials is verified from this issuing organization.
Preferably, comprise the public key information of host key, version information, the information of manufacturer of chip and the signing messages of manufacturer in the described host credentials at least with storage and encryption and decryption functions with storage and chip of encryption and decryption functions; At least comprise in the described identity data used key when identity data signed public key information, have the cryptographic hash of PKI of version information, the certificate mark that has been provided with and CA of the chip of storage and encryption and decryption functions.
Preferably, the described CA of step b generates the required digital certificate of main frame, and the process that sends to main frame after the PKI of applied host machine key is encrypted the digital certificate of this generation is:
The public key information of used key when CA extracts from host credentials and identity data identity data signed, have the chip of storage and encryption and decryption functions version information, have the information of manufacturer of the chip of storage and encryption and decryption functions, and the private key of using self is signed the required digital certificate of generation main frame to the data that this extracts; Afterwards, CA generates second random number, and use this second random number the digital certificate that generates is encrypted, and the information after will encrypting is as the symmetric part in the digital certificate return messages, the PKI of applied host machine key is encrypted second random number that is generated, and the information after will encrypting is as the asymmetric part in the digital certificate return messages; The digital certificate return messages that will comprise symmetric part and asymmetric part send to main frame.
Preferably, the described private key by host key of step c is decrypted the information that receives, the process of obtaining the digital certificate that CA issues is: the private key of host key is decrypted the asymmetric part in the digital certificate return message, obtain second random number, use second random number then the symmetric part in the digital certificate return message is decrypted, obtain digital certificate.
Preferably, it is characterized in that described chip with storage and encryption and decryption functions is a safety chip.
A kind of method of Applied Digital certificate, this method may further comprise the steps:
Transmit leg is used the method for claim 1 and is obtained digital certificate, and utilizes the private key of this digital certificate that data to be sent are signed, and the data behind this signature are sent to the take over party;
After the take over party obtains the digital certificate of data behind the above-mentioned signature and transmit leg, use extract in the digital certificate of this transmit leg PKI digital signature is verified, if by checking, the information source that then receives is in trusted host, otherwise the information that receives not is to derive from trusted host.
Preferably, if using the storage key that is provided with in the chip with storage and encryption and decryption functions in advance signs to data, then described transmit leg utilizes the private key of digital certificate that data to be sent are signed, and the method that the data behind this signature is sent to the take over party comprises the steps:
Data importing to be sent is had in the chip of storage and encryption and decryption functions, calculate its cryptographic hash; Then, utilize the private key of storage key that the cryptographic hash that calculates is signed, with the signature after data derive described chip, afterwards, transmit leg with data to be sent and the signature after data send to the take over party together.
Preferably, if the identity key that the storage key that application is provided with in the chip with storage and encryption and decryption functions in advance derives is signed to identity data, and the private key of this identity key has been derived described chip behind the public key encryption by storage key, then described transmit leg utilizes the private key of digital certificate that data to be sent are signed, and the method that the data behind this signature is sent to the take over party comprises the steps:
Import the identity key private key that is stored behind the key public key encryption into chip, obtain the identity key private key expressly, simultaneously data importing to be sent is had in the chip of storage and encryption and decryption functions, calculate its cryptographic hash by the deciphering of storage key private key; Utilize the private key of identity key that the cryptographic hash that calculates is signed then, with the signature after data derive described chip, afterwards, transmit leg with data to be sent and the signature after data send to the take over party together.
Preferably, described take over party obtains the digital certificate of transmit leg by CA, and perhaps, the take over party directly obtains the digital certificate of this transmit leg from transmit leg.
Preferably, the described method that whether derives from believable main frame according to this digital certificate of the validation of information in the digital certificate is: check the information whether chip that can identify host identities is arranged in the digital certificate of this transmit leg, and digital signature is verified, if containing information and digital signature authentication that the chip that can identify host identities is arranged in the digital certificate passes through, confirm that then this digital certificate derives from believable main frame, otherwise this digital certificate is not to derive from believable main frame.
Preferably, the described information that can identify the chip of host identities is the version information with chip of storage and encryption and decryption functions, and the information of the manufacturer of this chip.
Preferably, this method further comprises:
The take over party uses the method for claim 1 and obtains digital certificate;
After the take over party receives information after transmit leg utilizes this take over party's public key encryption, the information that receives is imported in the local chip with storage and encryption and decryption functions, and the private key of the digital certificate that has been obtained by take over party's application in this chip is decrypted the information that receives.
A kind of method of Applied Digital certificate, this method may further comprise the steps:
The take over party uses the method for claim 1 and obtains digital certificate;
After the take over party receives information after transmit leg utilizes this take over party's public key encryption, the information that receives is imported in the local chip with storage and encryption and decryption functions, and the private key of the digital certificate that has been obtained by take over party's application in this chip is decrypted the information that receives.
By such scheme as seen, use the information that includes the chip in the main frame in the digital certificate that method of the present invention generates with storage and encryption and decryption functions, and must in this chip of this main frame, just can obtain the private key of digital certificate, thereby this digital certificate is related with this main frame, or says this digital certificate and this host binding.So also just guaranteed the safety of the digital certificate that this generated, when the Applied Digital certificate, the take over party can hold private key according to digital certificate confirmation transmit leg, can determine that this information comes from trusted host simultaneously, thereby avoid private key to be abused caused identity misidentification effectively.Have again, when the private key of Applied Digital certificate carries out the encryption and decryption operation, all in chip, finish, avoided the possibility of private key victim eavesdropping in the process of using like this with storage and encryption and decryption functions.This shows, use method of the present invention, avoided generating the potential safety hazard that exists in digital certificate and the Applied Digital certificate process.
Description of drawings
Figure 1 shows that the schematic flow sheet of an embodiment who uses generation digital certificate of the present invention.
Embodiment
Below in conjunction with accompanying drawing technical scheme of the present invention is described further again.
Thinking of the present invention is: the digital certificate that the main frame with the application digital certificate that obtains in the chip with storage and encryption and decryption functions is associated, guaranteed the safety of digital certificate, make the digital certificate of generation and the host binding of application simultaneously, like this, when using this digital certificate, whether come from trusted host by this digital certificate of the validation of information in the digital certificate, thereby effectively avoid private key to be abused caused identity misidentification.In addition, when the private key of Applied Digital certificate carries out the encryption and decryption operation, all in chip, finish, avoided the private key possibility of victim eavesdropping in use like this with storage and encryption and decryption functions.
At first describe the process that generates digital certificate below in detail.
Wait that the main frame of applying for digital certificate preset a host key during fabrication, with a host credentials of signing and issuing by manufacturer, this host key and host credentials are stored in having in the storage and the chip of encryption and decryption functions in this main frame, described chip can be by safety chip (TPM, Trusted PlatformModule) realizes, also can realize by other similar chips.Wherein, described host key is made of a pair of public private key pair, and it is as the permanent identification of main frame, the non-exchange or deletion of user; At least comprise in the host credentials of signing and issuing by manufacturer host key public key information, have storage and the chip version information of encryption and decryption functions, manufacturer's information and manufacturer's signing messages of this chip.
Referring to Fig. 1, Figure 1 shows that the schematic flow sheet of an embodiment who uses generation digital certificate of the present invention.In the present embodiment, the chip with storage and encryption and decryption functions is realized by safety chip.
Step 1, one storage key that is used to guarantee the private key safety of digital certificate is set in safety chip, and the user can change or delete this storage key, simultaneously, this storage key can depend on host key, also can independently exist and has no related with host key; Afterwards, be that father's key is provided with an identity key again with this storage key, this identity key is positioned at outside the safety chip, and the private key of this identity key is through the public key encryption of storage key.And, for the digital certificate that is about to generate is provided with certificates identified.
Step 2 is configured to show the identity data of host identities, comprises the cryptographic hash of the PKI of identity key, the version information of safety chip, the certificates identified that has been provided with and CA PKI in this identity data at least.Can also comprise anti-replay random number etc. in this identity data.
Step 3, the private key of application identity key is signed to identity data, and the information that obtains is called the identity key signature.
More than three the step in practical operation, almost finish simultaneously, be after identity key generates in safety chip, utilize its private key that identity data is signed, afterwards, the PKI of identity key and the private key of the identity key behind the public key encryption of storage key are stored in outside the safety chip, simultaneously the identity key signature also are stored in outside the safety chip.
Step 4, structure digital certificate solicited message comprises the certificates identified that has been provided with, PKI, identity key signature and the host credentials of identity key at least in this solicited message.Certainly can also comprise identity data information in this digital certificate solicited message.
Step 5, main frame generates the first random number A, and uses this first random number A to digital certificate request information, i.e. the PKI of certificates identified, identity key, identity key signature and host credentials, encrypt, and the information after will encrypting is as the symmetric part in the digital certificate request message.
Step 6, the PKI of host application CA is encrypted the first random number A that is generated, and the information after will encrypting is as the asymmetric part in the digital certificate request message.
Step 7, the digital certificate request message that will comprise symmetric part and asymmetric part sends to CA.Promptly adopted Digital Envelope Technology that digital certificate request message is protected.
Step 8 after CA receives above-mentioned message, utilizes the private key of self that the asymmetric part in the digital certificate request message is decrypted, and obtains the first random number A.
Step 9, CA uses the first random number A symmetric part in the digital certificate request message is decrypted, and obtains the digital certificate solicited message.
Step 10 is obtained the PKI of identity key from the digital certificate solicited message, and whether use this public key verifications identity key signature correct, and checking is by back execution in step 11.
Step 11, CA obtains the certificate of the mechanism of signing and issuing host credentials, whether has legal qualification by verifying this issuing organization, and whether the signature in the host credentials realizes checking to host credentials from this issuing organization, execution in step 12 after checking is passed through.
Certainly, also can first execution in step 11 in practical operation execution in step 10 again, in a word, the order of checking is not limited.
Step 12, structure digital certificate required data are specially: CA extracts the information of manufacturer of version information, this safety chip of public key information, the safety chip of identity key from host credentials and identity data.
Step 13, CA uses the private key of self data that this extracts is signed, and generates the required digital certificate of main frame.
Step 14, CA generates the second random number B, and uses this second random number B the digital certificate that generates is encrypted, and the information after will encrypting is as the symmetric part in the digital certificate return messages.
Step 15, the PKI of CA applied host machine key is encrypted the second random number B that is generated, and the information after will encrypting is as the asymmetric part in the digital certificate return messages.
Step 16, the digital certificate return messages that will comprise symmetric part and asymmetric part send to main frame.Promptly adopted Digital Envelope Technology that the digital certificate return messages are protected.
After step 17, main frame receive above-mentioned message, the information that receives is imported in the safety chip, in safety chip, the asymmetric part in the digital certificate return messages is decrypted, obtain the second random number B by the private key of host key.
Step 18, the host application second random number B is decrypted the symmetric part in the digital certificate return messages, obtains the digital certificate of generation.
So far, main frame has had digital certificate, owing to include the information of the safety chip in the main frame in this digital certificate, and the private key of this digital certificate correspondence must be in the safety chip of this main frame could decrypted obtaining, thereby guaranteed the safety of digital certificate, and this digital certificate is related with this main frame, or says this digital certificate and this host binding.
In the above-described embodiment, also can not produce identity key, and after directly in safety chip, generating storage key, use the private key of this storage key identity data is encrypted, like this, the PKI of all identity key that relate to all replaces with the PKI of this storage key in the above-mentioned flow process.But this method does not recommend to use.
The following describes the method for using above-mentioned digital certificate.
If certain user has used said method as transmit leg and obtained a digital certificate, and the private key of using this digital certificate correspondence carries out digital signature to data to be sent, afterwards, the data behind the signature sent to the take over party.
If using the storage key that is provided with in the chip with storage and encryption and decryption functions in advance encrypts identity data, then described transmit leg utilizes the private key of digital certificate that data to be sent are signed, and the method that the data behind this signature is sent to the take over party comprises the steps:
Data importing to be sent is had in the chip of storage and encryption and decryption functions, calculate its cryptographic hash; Then, utilize the private key of storage key that the cryptographic hash that calculates is signed, with the signature after data derive described chip, afterwards, transmit leg with data to be sent and the signature after data send to the take over party together.
If the identity key that the storage key that application is provided with in the chip with storage and encryption and decryption functions in advance derives is signed to identity data, and the private key of this identity key has been derived described chip behind the public key encryption by storage key, then described transmit leg utilizes the private key of digital certificate that data to be sent are signed, and the method that the data behind this signature is sent to the take over party comprises the steps:
Import the identity key private key that is stored behind the key public key encryption into chip, obtain the identity key private key expressly, simultaneously data importing to be sent is had in the chip of storage and encryption and decryption functions, calculate its cryptographic hash by the deciphering of storage key private key; Utilize the private key of identity key that the cryptographic hash that calculates is signed then, with the signature after data derive described chip, afterwards, transmit leg with data to be sent and the signature after data send to the take over party together.
The take over party uses the PKI of the digital certificate of this transmit leg digital signature is verified after obtaining the digital certificate of data behind the above-mentioned signature and transmit leg, if by checking, the information source that then receives is reliable, otherwise the information source that receives is unreliable.
Concrete verification method is: check the information whether chip that can identify host identities is arranged in the digital certificate of this transmit leg, and digital signature is verified, if digital certificate has the information of the chip that can identify host identities and digital signature authentication to pass through, confirm that then this digital certificate derives from believable main frame, otherwise this digital certificate is not to derive from believable main frame.
Above-mentioned take over party obtains the digital certificate of transmit leg by CA, and perhaps, the take over party directly obtains the digital certificate of this transmit leg from transmit leg.
Use said method, the take over party not only can determine that information sender holds private key, can determine that message comes from the particular host of certificate association simultaneously, thereby effectively avoid private key to be abused caused identity misidentification.
In addition, if the take over party uses said method and has obtained digital certificate, after the take over party receives information after transmit leg utilizes this take over party's public key encryption, the information that receives is imported in the local chip with storage and encryption and decryption functions, in this chip, the private key of being used the digital certificate that has obtained by the take over party is decrypted the information that receives.
Use said method, when the private key of Applied Digital certificate carries out the encryption and decryption operation, all finish in the chip with storage and encryption and decryption functions, the victim eavesdropping may when having avoided private key to use in internal memory like this.
Certainly, above-mentioned two kinds of application processes also can combine together and use.
The above only is preferred embodiment of the present invention, and is in order to restriction the present invention, within the spirit and principles in the present invention not all, any modification of being done, is equal to replacement, improvement etc., all should be included within protection scope of the present invention.
Claims (18)
1, a kind of method that generates digital certificate, in main frame, comprise chip with storage and encryption and decryption functions, it is characterized in that, in chip, be provided for identifying the host key of main frame and the host credentials of signing and issuing by manufacturer in advance with storage and encryption and decryption functions, and for the digital certificate that is about to generate is provided with certificates identified, this method is further comprising the steps of:
A, wait that the main frame of applying for digital certificate signs to the identity data that shows host identities, generation identity key signature, the PKI of using the CA of certificate granting authentication center then send to CA after the digital certificate solicited message of the PKI, identity key signature and the host credentials that comprise certificates identified, the used key of signature is at least encrypted by Digital Envelope Technology;
After b, CA receive the described information of step a, utilize the private key of self to be decrypted, obtain the digital certificate solicited message, identity key in this message signature and host credentials are verified respectively, checking generates the required digital certificate of main frame by the back, and the PKI of applied host machine key sends to main frame after the digital certificate of this generation is encrypted by Digital Envelope Technology;
After c, main frame receive the described information of step b, the information that receives imported into have in the storage and the chip of encryption and decryption functions, the information that receives is decrypted, obtain the digital certificate that CA issues by the private key of host key.
2, method according to claim 1, it is characterized in that, the described method that the identity data that shows host identities is signed of step a is: in the chip with storage and encryption and decryption functions storage key is set in advance, in described chip, utilize the private key of this storage key that the identity data that shows host identities is signed, generation identity key signature is derived described chip with the identity key signature then; The PKI of the used key of described signature is the PKI of described storage key.
3, method according to claim 1, it is characterized in that, the described method that the identity data that shows host identities is signed of step a is: in the chip with storage and encryption and decryption functions storage key is set in advance, and derive the identity key that is used to encrypt the host identities data by this storage key, in described chip, utilize the private key of this identity key that the identity data that shows host identities is signed, then by the PKI of storage key to the identity key encrypted private key, the identity key after encrypting, identity key signature are spread out of chip together; The PKI of the used key of described signature is the PKI of described identity key.
4, method according to claim 1 is characterized in that, the process that sends to CA after the PKI of the described application certificate granting CA of authentication center of step a is encrypted digital certificate request message may further comprise the steps:
Generate first random number, and use this first random number PKI, identity key signature and the host credentials of certificates identified at least, the used key of signature are encrypted, and the information after will encrypting is as the symmetric part in the digital certificate request message; Use the PKI of CA first random number that is generated is encrypted, and the information after will encrypting is as the asymmetric part in the digital certificate request message; The digital certificate request message that will comprise symmetric part and asymmetric part sends to CA.
5, method according to claim 4 is characterized in that, the described CA of step b receives the described information of step a, utilizes the private key of self to be decrypted, and the process of obtaining the digital certificate solicited message is:
CA utilizes the private key of self that the asymmetric part in the digital certificate request message is decrypted, and obtains first random number, uses first random number then the symmetric part in the digital certificate request message is decrypted, and obtains the digital certificate solicited message.
6, method according to claim 1 is characterized in that, the described method that identity data behind the signature is verified of step b is: whether extract the used PKI of signature from the digital certificate solicited message, it is legal to use this public key verifications identity key signature; The described method that host credentials is verified is: CA obtains the certificate of the mechanism of signing and issuing host credentials, have legal qualification by verifying this issuing organization, and the signature in the host credentials comes host credentials is verified from this issuing organization.
7, method according to claim 1, it is characterized in that, comprise the public key information of host key, version information, the information of manufacturer of chip and the signing messages of manufacturer in the described host credentials at least with storage and encryption and decryption functions with storage and chip of encryption and decryption functions; At least comprise in the described identity data used key when identity data signed public key information, have the cryptographic hash of PKI of version information, the certificate mark that has been provided with and CA of the chip of storage and encryption and decryption functions.
8, method according to claim 7 is characterized in that, the described CA of step b generates the required digital certificate of main frame, and the process that sends to main frame after the PKI of applied host machine key is encrypted the digital certificate of this generation is:
The public key information of used key when CA extracts from host credentials and identity data identity data signed, have the chip of storage and encryption and decryption functions version information, have the information of manufacturer of the chip of storage and encryption and decryption functions, and the private key of using self is signed the required digital certificate of generation main frame to the data that this extracts; Afterwards, CA generates second random number, and use this second random number the digital certificate that generates is encrypted, and the information after will encrypting is as the symmetric part in the digital certificate return messages, the PKI of applied host machine key is encrypted second random number that is generated, and the information after will encrypting is as the asymmetric part in the digital certificate return messages; The digital certificate return messages that will comprise symmetric part and asymmetric part send to main frame.
9, method according to claim 8, it is characterized in that, the described private key by host key of step c is decrypted the information that receives, the process of obtaining the digital certificate that CA issues is: the private key of host key is decrypted the asymmetric part in the digital certificate return message, obtain second random number, use second random number then the symmetric part in the digital certificate return message is decrypted, obtain digital certificate.
According to claim 1,7,8 arbitrary described methods, it is characterized in that 10, described chip with storage and encryption and decryption functions is a safety chip.
11, a kind of method of Applied Digital certificate is characterized in that, this method may further comprise the steps:
Transmit leg is used the method for claim 1 and is obtained digital certificate, and utilizes the private key of this digital certificate that data to be sent are signed, and the data behind this signature are sent to the take over party;
After the take over party obtains the digital certificate of data behind the above-mentioned signature and transmit leg, use extract in the digital certificate of this transmit leg PKI digital signature is verified, if by checking, the information source that then receives is in trusted host, otherwise the information that receives not is to derive from trusted host.
12, method according to claim 11, it is characterized in that, if using the storage key that is provided with in the chip with storage and encryption and decryption functions in advance signs to data, then described transmit leg utilizes the private key of digital certificate that data to be sent are signed, and the method that the data behind this signature is sent to the take over party comprises the steps:
Data importing to be sent is had in the chip of storage and encryption and decryption functions, calculate its cryptographic hash; Then, utilize the private key of storage key that the cryptographic hash that calculates is signed, with the signature after data derive described chip, afterwards, transmit leg with data to be sent and the signature after data send to the take over party together.
13, method according to claim 11, it is characterized in that, if the identity key that the storage key that application is provided with in the chip with storage and encryption and decryption functions in advance derives is signed to identity data, and the private key of this identity key has been derived described chip behind the public key encryption by storage key, then described transmit leg utilizes the private key of digital certificate that data to be sent are signed, and the method that the data behind this signature is sent to the take over party comprises the steps:
Import the identity key private key that is stored behind the key public key encryption into chip, obtain the identity key private key expressly, simultaneously data importing to be sent is had in the chip of storage and encryption and decryption functions, calculate its cryptographic hash by the deciphering of storage key private key; Utilize the private key of identity key that the cryptographic hash that calculates is signed then, with the signature after data derive described chip, afterwards, transmit leg with data to be sent and the signature after data send to the take over party together.
14, method according to claim 11 is characterized in that, described take over party obtains the digital certificate of transmit leg by CA, and perhaps, the take over party directly obtains the digital certificate of this transmit leg from transmit leg.
15, method according to claim 11, it is characterized in that, the described method that whether derives from believable main frame according to this digital certificate of the validation of information in the digital certificate is: check the information whether chip that can identify host identities is arranged in the digital certificate of this transmit leg, and digital signature is verified, if containing information and digital signature authentication that the chip that can identify host identities is arranged in the digital certificate passes through, confirm that then this digital certificate derives from believable main frame, otherwise this digital certificate is not to derive from believable main frame.
16, method according to claim 15 is characterized in that, the described information that can identify the chip of host identities is the version information with chip of storage and encryption and decryption functions, and the information of the manufacturer of this chip.
17, method according to claim 11 is characterized in that, this method further comprises:
The take over party uses the method for claim 1 and obtains digital certificate;
After the take over party receives information after transmit leg utilizes this take over party's public key encryption, the information that receives is imported in the local chip with storage and encryption and decryption functions, and the private key of the digital certificate that has been obtained by take over party's application in this chip is decrypted the information that receives.
18, a kind of method of Applied Digital certificate is characterized in that, this method may further comprise the steps:
The take over party uses the method for claim 1 and obtains digital certificate;
After the take over party receives information after transmit leg utilizes this take over party's public key encryption, the information that receives is imported in the local chip with storage and encryption and decryption functions, and the private key of the digital certificate that has been obtained by take over party's application in this chip is decrypted the information that receives.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2004100823965A CN100346249C (en) | 2004-12-31 | 2004-12-31 | Method for generating digital certificate and applying the generated digital certificate |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2004100823965A CN100346249C (en) | 2004-12-31 | 2004-12-31 | Method for generating digital certificate and applying the generated digital certificate |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1801029A true CN1801029A (en) | 2006-07-12 |
| CN100346249C CN100346249C (en) | 2007-10-31 |
Family
ID=36811074
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNB2004100823965A Expired - Fee Related CN100346249C (en) | 2004-12-31 | 2004-12-31 | Method for generating digital certificate and applying the generated digital certificate |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN100346249C (en) |
Cited By (33)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2008148275A1 (en) * | 2007-06-07 | 2008-12-11 | Guan, Haiying | Method and system for encoding and decoding the digital message |
| WO2009079916A1 (en) * | 2007-12-03 | 2009-07-02 | Beijing Senselock Software Technology Co., Ltd | A method for generating a key pair and transmitting a public key or a certificate application document securely |
| CN101212293B (en) * | 2006-12-31 | 2010-04-14 | 普天信息技术研究院 | Identity authentication method and system |
| CN101039182B (en) * | 2007-03-07 | 2010-08-11 | 广东南方信息安全产业基地有限公司 | Authentication system and method for issuing user identification certificate |
| CN101534194B (en) * | 2008-03-12 | 2011-03-30 | 航天信息股份有限公司 | Method for protecting safety of trusted certificate |
| CN101437228B (en) * | 2008-12-17 | 2011-05-11 | 北京握奇数据系统有限公司 | Method, apparatus and system for implementing wireless business based on smart card |
| US7987375B2 (en) | 2006-11-20 | 2011-07-26 | Canon Kabushiki Kaisha | Communication apparatus, control method thereof and computer readable medium |
| CN102377758A (en) * | 2010-08-24 | 2012-03-14 | 中兴通讯股份有限公司 | Identification method and system used for identifying personal area network device |
| CN101115060B (en) * | 2007-08-09 | 2012-04-18 | 上海格尔软件股份有限公司 | Method for protecting user encryption key in asymmetric cipher key transmitting process of user key management system |
| CN101667914B (en) * | 2008-09-05 | 2012-05-23 | 华为技术有限公司 | Method and equipment for managing public key certificate |
| CN102523093A (en) * | 2011-12-16 | 2012-06-27 | 河海大学 | Encapsulation method and encapsulation system for certificate-based key with label |
| CN101778381B (en) * | 2009-12-31 | 2012-07-04 | 卓望数码技术(深圳)有限公司 | Digital certificate generation method, user key acquisition method, mobile terminal and device |
| CN101645889B (en) * | 2009-06-26 | 2012-09-05 | 飞天诚信科技股份有限公司 | Method for issuing digital certificate |
| CN103259654A (en) * | 2012-05-07 | 2013-08-21 | 中国交通通信信息中心 | Intelligent card management system based on satellite communication service |
| CN103516524A (en) * | 2013-10-21 | 2014-01-15 | 北京旋极信息技术股份有限公司 | Security authentication method and system |
| CN103916358A (en) * | 2012-12-30 | 2014-07-09 | 航天信息股份有限公司 | Key spread and verification method and system |
| CN104683107A (en) * | 2015-02-28 | 2015-06-03 | 深圳市思迪信息技术有限公司 | Digital certificate storage method and device, and digital signature method and device |
| WO2016011588A1 (en) * | 2014-07-21 | 2016-01-28 | 宇龙计算机通信科技(深圳)有限公司 | Mobility management entity, home server, terminal, and identity authentication system and method |
| CN106850200A (en) * | 2017-01-25 | 2017-06-13 | 中钞信用卡产业发展有限公司北京智能卡技术研究院 | A kind of method for using the digital cash based on block chain, system and terminal |
| CN107070657A (en) * | 2016-01-21 | 2017-08-18 | 三星电子株式会社 | Safety chip and application processor and its operating method |
| CN108234115A (en) * | 2016-12-15 | 2018-06-29 | 阿里巴巴集团控股有限公司 | The verification method of information security, device and system |
| CN108667781A (en) * | 2017-04-01 | 2018-10-16 | 西安西电捷通无线网络通信股份有限公司 | A kind of digital certificate management method and equipment |
| CN108683506A (en) * | 2018-05-02 | 2018-10-19 | 济南浪潮高新科技投资发展有限公司 | A kind of applying digital certificate method, system, mist node and certificate authority |
| CN109687959A (en) * | 2018-12-29 | 2019-04-26 | 上海唯链信息科技有限公司 | Key security management system and method, medium and computer program |
| CN110365486A (en) * | 2019-06-28 | 2019-10-22 | 东软集团股份有限公司 | A kind of certificate request method, device and equipment |
| WO2019233204A1 (en) * | 2018-06-06 | 2019-12-12 | 腾讯科技(深圳)有限公司 | Method, apparatus and system for key management, storage medium, and computer device |
| CN110830498A (en) * | 2019-11-19 | 2020-02-21 | 武汉思普崚技术有限公司 | Continuous attack detection method and system based on mining |
| CN111212050A (en) * | 2019-12-27 | 2020-05-29 | 航天信息股份有限公司企业服务分公司 | Method and system for encrypting and transmitting data based on digital certificate |
| TWI704795B (en) * | 2019-03-22 | 2020-09-11 | 何六百有限公司 | Login authentication method |
| CN112470428A (en) * | 2018-06-08 | 2021-03-09 | 威睿公司 | Unmanaged secure inter-application data communications |
| CN113424488A (en) * | 2019-02-12 | 2021-09-21 | 西门子股份公司 | Method for providing proof of origin for digital key pair |
| CN113810411A (en) * | 2021-09-17 | 2021-12-17 | 公安部交通管理科学研究所 | Traffic control facility digital certificate management method and system |
| CN115237943A (en) * | 2022-09-21 | 2022-10-25 | 南京易科腾信息技术有限公司 | Data retrieval method and device based on encrypted data and storage medium |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7047404B1 (en) * | 2000-05-16 | 2006-05-16 | Surety Llc | Method and apparatus for self-authenticating digital records |
| JP2004104539A (en) * | 2002-09-11 | 2004-04-02 | Renesas Technology Corp | Memory card |
| CN1271525C (en) * | 2003-05-28 | 2006-08-23 | 联想(北京)有限公司 | Computer system landing method |
-
2004
- 2004-12-31 CN CNB2004100823965A patent/CN100346249C/en not_active Expired - Fee Related
Cited By (47)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7987375B2 (en) | 2006-11-20 | 2011-07-26 | Canon Kabushiki Kaisha | Communication apparatus, control method thereof and computer readable medium |
| CN101212293B (en) * | 2006-12-31 | 2010-04-14 | 普天信息技术研究院 | Identity authentication method and system |
| CN101039182B (en) * | 2007-03-07 | 2010-08-11 | 广东南方信息安全产业基地有限公司 | Authentication system and method for issuing user identification certificate |
| WO2008148275A1 (en) * | 2007-06-07 | 2008-12-11 | Guan, Haiying | Method and system for encoding and decoding the digital message |
| CN101115060B (en) * | 2007-08-09 | 2012-04-18 | 上海格尔软件股份有限公司 | Method for protecting user encryption key in asymmetric cipher key transmitting process of user key management system |
| WO2009079916A1 (en) * | 2007-12-03 | 2009-07-02 | Beijing Senselock Software Technology Co., Ltd | A method for generating a key pair and transmitting a public key or a certificate application document securely |
| US20100310077A1 (en) * | 2007-12-03 | 2010-12-09 | Beijing Senselock Software Technology Co., Ltd. | Method for generating a key pair and transmitting a public key or request file of a certificate in security |
| US8533482B2 (en) | 2007-12-03 | 2013-09-10 | Beijing Senselock Software Technology Co., Ltd. | Method for generating a key pair and transmitting a public key or request file of a certificate in security |
| CN101534194B (en) * | 2008-03-12 | 2011-03-30 | 航天信息股份有限公司 | Method for protecting safety of trusted certificate |
| CN101667914B (en) * | 2008-09-05 | 2012-05-23 | 华为技术有限公司 | Method and equipment for managing public key certificate |
| CN101437228B (en) * | 2008-12-17 | 2011-05-11 | 北京握奇数据系统有限公司 | Method, apparatus and system for implementing wireless business based on smart card |
| CN101645889B (en) * | 2009-06-26 | 2012-09-05 | 飞天诚信科技股份有限公司 | Method for issuing digital certificate |
| CN101778381B (en) * | 2009-12-31 | 2012-07-04 | 卓望数码技术(深圳)有限公司 | Digital certificate generation method, user key acquisition method, mobile terminal and device |
| CN102377758A (en) * | 2010-08-24 | 2012-03-14 | 中兴通讯股份有限公司 | Identification method and system used for identifying personal area network device |
| CN102377758B (en) * | 2010-08-24 | 2016-03-30 | 中兴通讯股份有限公司 | A kind of authentication method and system of personal network equipment being carried out to certification |
| CN102523093B (en) * | 2011-12-16 | 2014-08-06 | 河海大学 | Encapsulation method and encapsulation system for certificate-based key with label |
| CN102523093A (en) * | 2011-12-16 | 2012-06-27 | 河海大学 | Encapsulation method and encapsulation system for certificate-based key with label |
| CN103259654B (en) * | 2012-05-07 | 2016-06-29 | 中国交通通信信息中心 | A kind of smart card administrative system based on satellite communications services |
| CN103259654A (en) * | 2012-05-07 | 2013-08-21 | 中国交通通信信息中心 | Intelligent card management system based on satellite communication service |
| CN103916358A (en) * | 2012-12-30 | 2014-07-09 | 航天信息股份有限公司 | Key spread and verification method and system |
| CN103516524A (en) * | 2013-10-21 | 2014-01-15 | 北京旋极信息技术股份有限公司 | Security authentication method and system |
| WO2016011588A1 (en) * | 2014-07-21 | 2016-01-28 | 宇龙计算机通信科技(深圳)有限公司 | Mobility management entity, home server, terminal, and identity authentication system and method |
| CN106576237A (en) * | 2014-07-21 | 2017-04-19 | 宇龙计算机通信科技(深圳)有限公司 | Mobility management entity, home server, terminal, and identity authentication system and method |
| CN106576237B (en) * | 2014-07-21 | 2020-10-16 | 宇龙计算机通信科技(深圳)有限公司 | Mobile management entity, home server, terminal, identity authentication system and method |
| CN104683107A (en) * | 2015-02-28 | 2015-06-03 | 深圳市思迪信息技术有限公司 | Digital certificate storage method and device, and digital signature method and device |
| CN107070657B (en) * | 2016-01-21 | 2022-01-18 | 三星电子株式会社 | Secure chip and application processor and operating method thereof |
| CN107070657A (en) * | 2016-01-21 | 2017-08-18 | 三星电子株式会社 | Safety chip and application processor and its operating method |
| CN108234115A (en) * | 2016-12-15 | 2018-06-29 | 阿里巴巴集团控股有限公司 | The verification method of information security, device and system |
| CN106850200A (en) * | 2017-01-25 | 2017-06-13 | 中钞信用卡产业发展有限公司北京智能卡技术研究院 | A kind of method for using the digital cash based on block chain, system and terminal |
| CN106850200B (en) * | 2017-01-25 | 2019-10-22 | 中钞信用卡产业发展有限公司杭州区块链技术研究院 | A kind of safety method, system and the terminal of digital cash of the use based on block chain |
| CN108667781A (en) * | 2017-04-01 | 2018-10-16 | 西安西电捷通无线网络通信股份有限公司 | A kind of digital certificate management method and equipment |
| CN108683506A (en) * | 2018-05-02 | 2018-10-19 | 济南浪潮高新科技投资发展有限公司 | A kind of applying digital certificate method, system, mist node and certificate authority |
| CN108683506B (en) * | 2018-05-02 | 2021-01-01 | 浪潮集团有限公司 | Digital certificate application method, system, fog node and certificate authority |
| WO2019233204A1 (en) * | 2018-06-06 | 2019-12-12 | 腾讯科技(深圳)有限公司 | Method, apparatus and system for key management, storage medium, and computer device |
| US11516020B2 (en) | 2018-06-06 | 2022-11-29 | Tencent Technology (Shenzhen) Company Limited | Key management method, apparatus, and system, storage medium, and computer device |
| CN112470428A (en) * | 2018-06-08 | 2021-03-09 | 威睿公司 | Unmanaged secure inter-application data communications |
| CN109687959B (en) * | 2018-12-29 | 2021-11-12 | 上海唯链信息科技有限公司 | Key security management system, key security management method, key security management medium, and computer program |
| CN109687959A (en) * | 2018-12-29 | 2019-04-26 | 上海唯链信息科技有限公司 | Key security management system and method, medium and computer program |
| CN113424488A (en) * | 2019-02-12 | 2021-09-21 | 西门子股份公司 | Method for providing proof of origin for digital key pair |
| TWI704795B (en) * | 2019-03-22 | 2020-09-11 | 何六百有限公司 | Login authentication method |
| CN110365486A (en) * | 2019-06-28 | 2019-10-22 | 东软集团股份有限公司 | A kind of certificate request method, device and equipment |
| CN110365486B (en) * | 2019-06-28 | 2022-08-16 | 东软集团股份有限公司 | Certificate application method, device and equipment |
| CN110830498A (en) * | 2019-11-19 | 2020-02-21 | 武汉思普崚技术有限公司 | Continuous attack detection method and system based on mining |
| CN111212050A (en) * | 2019-12-27 | 2020-05-29 | 航天信息股份有限公司企业服务分公司 | Method and system for encrypting and transmitting data based on digital certificate |
| CN113810411A (en) * | 2021-09-17 | 2021-12-17 | 公安部交通管理科学研究所 | Traffic control facility digital certificate management method and system |
| CN113810411B (en) * | 2021-09-17 | 2023-02-14 | 公安部交通管理科学研究所 | Traffic control facility digital certificate management method and system |
| CN115237943A (en) * | 2022-09-21 | 2022-10-25 | 南京易科腾信息技术有限公司 | Data retrieval method and device based on encrypted data and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN100346249C (en) | 2007-10-31 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN100346249C (en) | Method for generating digital certificate and applying the generated digital certificate | |
| CN109067524B (en) | Public and private key pair generation method and system | |
| CN101800637B (en) | Token provisioning | |
| CA2545015C (en) | Portable security transaction protocol | |
| CN1219260C (en) | Method for controlling storage and access of security file system | |
| CN110943976B (en) | Password-based user signature private key management method | |
| CN107196966A (en) | The identity identifying method and system of multi-party trust based on block chain | |
| CN1809984A (en) | Improved secure authenticated channel | |
| CN1565117A (en) | Data certification method and apparatus | |
| CN1299545A (en) | User authentication using a virtual private key | |
| CN1695343A (en) | Methods and systems for providing a secure data distribution via public networks | |
| WO2007027241A3 (en) | Multi-key cryptographically generated address | |
| CN1925393A (en) | Point-to-point network identity authenticating method | |
| CN1934821A (en) | Authentication between device and portable storage | |
| CN101931536B (en) | Method for encrypting and authenticating efficient data without authentication center | |
| CN101465728A (en) | Method, system and device for distributing cipher key | |
| US7660987B2 (en) | Method of establishing a secure e-mail transmission link | |
| CN113824564A (en) | Online signing method and system based on block chain | |
| CN103701787A (en) | User name password authentication method implemented on basis of public key algorithm | |
| CN111539496A (en) | Vehicle information two-dimensional code generation method, two-dimensional code license plate, authentication method and system | |
| US20100161992A1 (en) | Device and method for protecting data, computer program, computer program product | |
| CN112564906A (en) | Block chain-based data security interaction method and system | |
| RU2010126781A (en) | SYSTEM AND METHOD OF SIMPLIFIED ACCESS AUTHENTICATION | |
| CN1697376A (en) | Method and system for authenticating or enciphering data by using IC card | |
| CN106656499A (en) | Terminal equipment dependable authentication method and system in digital copyright protection system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20071031 Termination date: 20201231 |
|
| CF01 | Termination of patent right due to non-payment of annual fee |