WO2017067490A1 - Digital certificate subsystem - Google Patents

Digital certificate subsystem Download PDF

Info

Publication number
WO2017067490A1
WO2017067490A1 PCT/CN2016/102781 CN2016102781W WO2017067490A1 WO 2017067490 A1 WO2017067490 A1 WO 2017067490A1 CN 2016102781 W CN2016102781 W CN 2016102781W WO 2017067490 A1 WO2017067490 A1 WO 2017067490A1
Authority
WO
WIPO (PCT)
Prior art keywords
digital certificate
subsystem
digital
establishment
certificate subsystem
Prior art date
Application number
PCT/CN2016/102781
Other languages
French (fr)
Chinese (zh)
Inventor
李京海
Original Assignee
李京海
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 李京海 filed Critical 李京海
Publication of WO2017067490A1 publication Critical patent/WO2017067490A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • the present invention relates to the field of digital certificate application technologies, and more particularly to a digital certificate subsystem.
  • the idea of the present invention stems from the analysis of "integrating a digital certificate subsystem and its application in a mobile phone.”
  • the existing digital certificate subsystem (such as the USB Key digital certificate subsystem) is a commercial password product specially controlled by the CA and its application system that issue digital certificates; the digital certificate subsystem of each CA is independent. Development, incompatibility. According to the prior art, the existing digital certificate subsystems of CAs and their applications are difficult to be integrated into the mobile phone system.
  • each CA is independently developed and incompatible with each other, so that the USB Key user digital certificate issued by each CA can only be used for the designated service provider, and cannot be used universally.
  • many users have USB Key digital certificates from different banks such as China Merchants Bank, ICBC, and CCB. This not only has high waste and high cost, but also has troublesome management.
  • ICBC China Merchants Bank
  • CCB China Merchants Bank
  • This not only has high waste and high cost, but also has troublesome management.
  • the digital certificate subsystem and its mobile phone system are integrated with strong design; the mobile phone manufacturer hopes to add the mobile digital certificate subsystem and its application to the mobile phone, and increase the functional highlights of the mobile phone for the user. Promote the expansion of the mobile phone market; however, according to the existing technology, the digital certificate subsystem is completely controlled by CA special control, so that mobile phones and their manufacturers are not only restricted by CA, but it is more difficult to open their hands and expand the market; therefore, existing mobile phone manufacturers are No mobile phone digital certificate subsystem and its application have been designed in mobile phones.
  • the present invention provides a digital certificate subsystem, which can solve the above There are technical problems.
  • the present invention is an improvement over the prior art based on the prior art.
  • Hash which is generally translated as “hash”, can also be transliterated directly into “hash”. This article uses its English directly.
  • Hash algorithm is an algorithm that maps binary values of arbitrary length into shorter fixed-length binary values.
  • Hash digest using the hash algorithm to map binary values of arbitrary length to shorter fixed-length binary values. This small binary value is called a hash summary or a hash value. It is a unique and extremely compact numerical representation of a piece of data. Finding two different inputs for the Hash digest to the same value is basically computationally impossible, so the Hash digest of the data can verify the integrity of the data.
  • a symmetric encryption algorithm refers to an encryption algorithm in which the encryption key and the decryption key are the same or can be derived from each other.
  • the key used by the symmetric encryption algorithm is called a symmetric key.
  • the encryption key of the symmetric encryption algorithm can be derived from the decryption key, and the decryption key can also be derived from the encryption key. In most symmetric algorithms, the encryption key and the decryption key are the same.
  • An asymmetric encryption algorithm refers to an encryption algorithm in which the encryption key and the decryption key are different.
  • the two keys used by the asymmetric encryption algorithm are a public key (public key) and a private key (private key). They are a pair, but it is basically impossible to calculate each other. It is calculated from each other and is called an asymmetric key pair.
  • the data is encrypted with the public key and the algorithm, only the corresponding private key and the algorithm can be used for decryption; if the data is encrypted with the private key and the algorithm, only the corresponding public key and the algorithm can be used for decryption.
  • a digital certificate is a file that is digitally signed by a certificate authority and contains public key and public key owner information.
  • the sender first calculates a message digest (also called: HASH digest) according to the agreed HASH algorithm; and then encrypts the message digest with the sender's private key and asymmetric encryption algorithm to obtain the ciphertext. It is called "the sender's digital signature of the message.” The digital signature needs to be bound to the original message and sent to the recipient.
  • a message digest also called: HASH digest
  • the receiver After receiving the digital signature and the original message, the receiver uses the same HASH algorithm to calculate the message digest for the original message, abbreviated as A; then use the "public key in the sender's digital certificate” and “same” "Asymmetric encryption algorithm", the original message digest obtained by decrypting the digital signature, abbreviated as B". Compare the message digest A and the message digest B; if the two are equal, the digital signature verification is successful, indicating the message and The digital signature comes from the "owner of the public key in the digital certificate", which is the sender.
  • the existing USB Key digital certificate subsystem is a computer subsystem including an independent processor, memory and software system, and encryption and decryption module, and a key generation module; the hardware is mainly adopted by a national third-party certification body. Certified SOC security chip.
  • the existing USB Key digital certificate subsystem is a commercial password product specially controlled by the CA that issues the digital certificate and its application system. It does not need to be authenticated when registering to establish a user digital certificate.
  • USB Key digital certificate which is a user digital certificate issued by CA based on the USB Key digital certificate subsystem.
  • the user's private key is uniquely stored and applied to the USB Key digital certificate subsystem and cannot be exported, so it is very secure. It has been widely used in banking and other fields.
  • the basic idea of the invention is to change the technical scheme of "special control digital certificate subsystem by a single CA special control" in the prior art, and provide an innovative "digital certificate subsystem management unit and CA jointly control digital certificate subsystem "Technical solution.”
  • a digital certificate subsystem provided by the present invention can have a variety of different solutions under the general concept. To fully describe the various aspects of the present general inventive concept, various different aspects of the digital certificate subsystem of the present invention are described below in a hierarchical modular structure.
  • a digital certificate subsystem provided by the present invention is a computer subsystem comprising: a processor, a memory and software system, and an encryption and decryption module, and a key generation module, characterized in that it comprises a "digital certificate” Establishing a management module” and a “authentication key for the authentication data of the digital certificate subsystem administrator” and "a verification key for the authentication data of the digital certificate authenticator” for managing the establishment of "required numbers" in the digital certificate subsystem Digital certificate application can be established only by the certificate subsystem administrator and the digital certificate authenticator; if there is no "dual certificate subsystem and digital certificate authenticator's two-factor authentication", the digital certificate subsystem cannot be established in the digital certificate subsystem. Certificate application
  • the "Digital Certificate Subsystem” receives the "Request to establish a digital certificate in the digital certificate subsystem", the "information data to be authenticated by the protocol”, and the authentication key of the digital certificate subsystem management party. Data, and authentication data of the authentication key of the digital certificate authenticator";
  • the authentication data of the digital certificate authenticator or the digital certificate subsystem management party refers to: the authentication key of the digital certificate authenticator or the digital certificate subsystem administrator, and the "Hash summary of the information data to be authenticated" Encrypted encrypted data;
  • the "digital certificate establishment management module" of the digital certificate subsystem applies the "authentication key of the authentication data of the digital certificate subsystem management party" stored in the digital certificate subsystem to the "digital certificate” according to the protocol. The authentication data of the authentication key of the system administrator is verified;
  • the verification method of "authentication key” to "authentication data of authentication key” is:
  • the "authentication key” is used to decrypt the "authentication data of the authentication key", and the “hash summary of the information data to be authenticated” is obtained, which is denoted by A;
  • the digital certificate authenticator may be a CA or a CA computer authentication management system having the same certification effect as the CA;
  • CA is the third-party authority responsible for the certification, issuance and management of digital certificates
  • CA is the management of the issuance of user digital certificates through the CA computer certification management system
  • the digital certificate subsystem management party may be a digital certificate subsystem management organization, or may be a computer management system of a 'digital certificate subsystem management institution' having the same management effect as the 'digital certificate subsystem management institution';
  • the "Digital Certificate Subsystem Authority” is the management organization that manages the establishment of a digital certificate application in the digital certificate subsystem; it may or may not be a CA; it is characterized in that it is managed jointly with "a different CA” The governing body for “establishing a digital certificate application in the digital certificate subsystem”;
  • the “Digital Certificate Subsystem Management Organization” manages “Building a Digital Certificate Application in the Digital Certificate Subsystem” through the “Computer Management System of the Digital Certificate Subsystem Authority”; the “Computer Management System of the Digital Certificate Subsystem Management Organization”, Referred to as: digital certificate subsystem management platform;
  • the authentication key and the verification key of the digital certificate authenticator or the digital certificate subsystem administrator are a pair of mutually uniquely authenticated keys, which may be symmetric keys or asymmetric keys.
  • the digital certificate subsystem comprising: a "digital certificate establishment management module” and a “authentication key of the authentication data of the digital certificate subsystem management party" and “authentication of the authentication data of the digital certificate authenticator” "key” for managing the establishment of a digital certificate application that requires dual authentication by a digital certificate subsystem administrator and a digital certificate authenticator in the digital certificate subsystem; if there is no "digital certificate subsystem manager and number" The two-factor authentication of the certificate certifying party cannot establish a digital certificate application in the digital certificate subsystem;
  • the "Digital Certificate Subsystem” receives the "Request to establish a digital certificate in the digital certificate subsystem", the "information data to be authenticated by the protocol”, and the authentication key of the digital certificate subsystem management party. Data, and authentication data of the authentication key of the digital certificate authenticator'";
  • the "digital certificate establishment management module" of the digital certificate subsystem applies the "authentication key of the authentication data of the digital certificate authenticator" stored in the digital certificate subsystem to the "digital certificate authenticator” according to the protocol. Authentication data of the authentication key is verified;
  • the authentication key and the verification key of the digital certificate authenticator or the digital certificate subsystem administrator are a pair of mutually uniquely authenticated keys, which may be symmetric keys or asymmetric keys.
  • the digital certificate subsystem according to 2 above characterized in that it comprises a "digital certificate establishment management module" and a "public key of a digital certificate of a digital certificate subsystem management party" and a "national root CA digital certificate” Public key” is used to manage the establishment of a digital certificate application that requires the digital certificate subsystem management and CA dual authentication to be established in the digital certificate subsystem; if there is no "digital certificate subsystem management party and CA” "Authentication", it is impossible to establish a digital certificate application in the digital certificate subsystem;
  • the "Digital Certificate Subsystem” receives "a request to establish a digital certificate in the digital certificate subsystem", "information data to be authenticated by the protocol”, and a digital signature of the digital certificate subsystem management party, and operation CA's digital signature, and the digital certificate of the operating CA";
  • the "digital certificate establishment management module" of the digital certificate subsystem applies the "public key of the national root CA digital certificate” stored in the digital certificate subsystem according to the protocol, and the received "operating CA number” Certificate” for verification;
  • the verification method is:
  • the national root CA is the national authoritative certification body that issues digital certificates to the operating CA;
  • the digital certificate of the national root CA is the root digital certificate, which is the digital certificate issued by the national root CA to itself; the number of the national root CA and the national root CA Certificate, the starting point of a national trust chain based on digital certificates;
  • the operation CA is a third-party authoritative certification body that is certified by the national root CA and can issue and manage digital certificates to specific individuals and legal persons outside the CA.
  • the digital certificate subsystem according to 2 above characterized in that it comprises a "digital certificate establishment management module" and a "public key of a digital certificate of the digital certificate subsystem management party" and a "national root CA digital certificate” Public key” is used to manage the establishment of a digital certificate application that requires the digital certificate subsystem management and CA dual authentication to be established in the digital certificate subsystem; if there is no "digital certificate subsystem management party and CA” "Authentication", it is impossible to establish a digital certificate application in the digital certificate subsystem;
  • the "Digital Certificate Subsystem” receives "a request to establish a digital certificate in the digital certificate subsystem", "information data to be authenticated by the protocol”, and a digital signature of the digital certificate subsystem management party, and operation CA's digital signature, and the digital certificate of the operating CA";
  • the "digital certificate establishment management module" of the digital certificate subsystem applies the "public key of the national root CA digital certificate” stored in the digital certificate subsystem according to the protocol, and the received "operating CA number” Certificate” for verification;
  • the verification method is:
  • Hash summary shorthand with B;
  • the "digital certificate establishment management module” applies the "public key of the digital certificate of the operating CA” to verify the received "digital signature of the operating CA";
  • the national root CA is the national authoritative certification body that issues digital certificates to the operating CA;
  • the digital certificate of the national root CA is the root digital certificate, which is the digital certificate issued by the national root CA to itself; the number of the national root CA and the national root CA Certificate, the starting point of a national trust chain based on digital certificates;
  • the operation CA is a third-party authoritative certification body that is certified by the national root CA and can issue and manage digital certificates to specific individuals and legal persons outside the CA.
  • the digital certificate subsystem of the above 2 further characterized in that it comprises a "digital certificate establishment management module” and a "public key of a digital certificate subsystem digital certificate” and a plurality of different "operations” The public key of the digital certificate of the CA”; wherein each "public key of the digital certificate of the operating CA” is retrieved and called according to its unique ID data;
  • the "Digital Certificate Subsystem” receives "a request to establish a digital certificate in the digital certificate subsystem", "information data to be authenticated by the protocol”, and a digital signature of the digital certificate subsystem management party, and operation The digital signature of the CA and the unique ID data of the operational CA in the digital certificate subsystem";
  • the "digital certificate establishment management module" of the digital certificate subsystem retrieves the call in the digital certificate subsystem according to the received "unique ID data of the operating CA in the digital certificate subsystem” according to the protocol.
  • the digital certificate subsystem according to 2 above characterized in that it comprises a "digital certificate establishment management module" and a "public key of a digital certificate of a digital certificate subsystem management party" and "operating a CA digital certificate” Public key" is used to manage the establishment of a digital certificate application that can be established by the digital certificate subsystem management and the operational CA dual authentication in the digital certificate subsystem; if there is no "digital certificate subsystem management party and operational CA” Double authentication, it is impossible to establish a digital certificate application in the digital certificate subsystem;
  • the operating CA is a registered authentication service that establishes a user digital certificate in the digital certificate subsystem through the "Registration Center (RA) of the operating CA";
  • the "Digital Certificate Subsystem” receives "a request to establish a digital certificate in the digital certificate subsystem", "information data to be authenticated by the protocol”, and a digital signature of the digital certificate subsystem management party, and ' The digital signature 'of the RA of the operating CA', and 'the digital certificate of the RA issued by the operational CA'";
  • the verification method is:
  • the "digital certificate establishment management module” applies the "public key in the RA digital certificate” to verify the received "RA digital signature";
  • the RA is an abbreviation of the Registration Authority, is a registered service center (institution) of the operating CA, and is a part of the overall system of the CA; it is used to handle the registration authentication service in the "establishing a digital certificate of the user in the digital certificate subsystem";
  • the digital certificate of the RA that operates the CA is issued and certified by the operating CA.
  • the digital certificate subsystem of one of the above 2, 3, 4, 5, 6 comprising a "digital certificate establishment management module” and a "public key of a digital certificate subsystem digital certificate” and " The public key of the CA digital certificate is used to manage the establishment of a digital certificate application that requires the digital certificate subsystem management and CA dual authentication to be established in the digital certificate subsystem; if there is no "digital certificate subsystem management party and The CA's dual authentication" cannot establish a digital certificate application in the digital certificate subsystem;
  • the "Digital Certificate Subsystem” receives "a request to establish a digital certificate in the digital certificate subsystem", "information data to be authenticated by the protocol”, and a digital signature of the digital certificate subsystem management party, and CA Digital signature";
  • the digital certificate subsystem of one of the above 2, 3, 4, 5, 6 further characterized in that it comprises a "digital certificate establishment management module" and a digital certificate of the digital certificate subsystem management party.
  • Public "key” and "public key of CA digital certificate” are used to manage the establishment of a digital certificate application that can be established by the digital certificate subsystem management and CA dual authentication in the digital certificate subsystem; if there is no "digital certificate” The system administrator and the CA's two-factor authentication cannot establish a digital certificate application in the digital certificate subsystem;
  • the “digital certificate subsystem management party” is a registration authentication service for “establishing a user digital certificate in the digital certificate subsystem” through “the registration center (RA) of the digital certificate subsystem management party”;
  • the "Digital Certificate Subsystem” receives the "Request to establish a digital certificate in the digital certificate subsystem", the "information data to be authenticated by the protocol” and the digital signature of the operating CA, and the management of the digital certificate subsystem.
  • the "digital certificate establishment management module” applies the "public key in the digital certificate of the RA of the digital certificate subsystem management party" to the received "digital certificate subsystem management".
  • the digital signature of the party RA is verified;
  • RA is the abbreviation of Registration Authority, is the registration service center of “digital certificate subsystem management party”, and is part of the overall system of “digital certificate subsystem management party”; it is used to establish in the “digital certificate subsystem” User digital certificate” registration certification business;
  • the digital certificate of the RA of the digital certificate subsystem management party needs to be signed and authenticated by the digital certificate subsystem management party before it can be applied to the registration authentication service of “establishing a user digital certificate in the digital certificate subsystem”.
  • the digital certificate subsystem according to 2 above, characterized in that it comprises a "digital certificate establishment management module" and a "public key of a digital certificate of a digital certificate subsystem management party" and a national root CA digital certificate.
  • the public key is used to manage the establishment of a digital certificate that can be established by the digital certificate subsystem management and the operational CA dual authentication in the digital certificate subsystem; if there is no "digital certificate subsystem management party and the operation CA's two-factor authentication" ", you cannot establish a digital certificate in the digital certificate subsystem;
  • the operation CA is through the “Registration Center (RA) of the operation CA", and the registration authentication service of "establishing the user digital certificate in the digital certificate subsystem” is handled; for the difference, the following is the registration center of the operation CA ( RA)", abbreviated as CRA;
  • the "digital certificate subsystem management party” is through the “registration center (RA) of the digital certificate subsystem management party", and the registration authentication service of "establishing a user digital certificate in the digital certificate subsystem” is handled;
  • the following is the “Registration Center (RA) of the digital certificate subsystem management party”, referred to as MRA;
  • the "Digital Certificate Subsystem” receives "a request to establish a digital certificate in the digital certificate subsystem", "information data to be authenticated by the protocol”, and a "digital signature of the CRA of the operating CA", and ' The digital certificate of the operating CA', and the digital certificate of the CRA issued by the operating CA, and the digital signature of the MRA of the digital certificate subsystem management, and the digital certificate of the MRA and its digital certificate subsystem management Party digital signature '";
  • the "digital certificate establishment management module” applies the public key in the "digital certificate of the MRA” to verify the received "digital signature of the MRA";
  • the "digital certificate establishment management module” continues to apply the "public key of the national root CA digital certificate” stored in the digital certificate subsystem according to the protocol, and the received "operation" CA's digital certificate” is verified;
  • the "digital certificate establishment management module” applies the "public key in the received operational CA digital certificate” according to the protocol, and receives the received "CRA digital certificate issued by the operational CA”. authenticating;
  • the "digital certificate establishment management module” applies the public key in the "CRA digital certificate issued by the operation CA” to verify the received "digital signature of the CRA”;
  • the “digital certificate establishment management module” starts a process of establishing a digital certificate in the digital certificate subsystem according to the protocol; the process includes:
  • the "digital certificate establishment management module” outputs the public key of the key pair to the CA according to the protocol for the CA to issue a digital certificate based on the public key.
  • the digital certificate subsystem as described in 2 above characterized in that it comprises a "digital certificate establishment management module" and a "public certificate of a digital certificate of a digital certificate subsystem management party" and a national root CA digital certificate.
  • the public key and the “public key of the operational CA digital certificate” are used to manage the establishment of a digital certificate in the digital certificate subsystem that requires the digital certificate subsystem management and the operational CA to be dual-certified to be downloaded and established;
  • the digital certificate subsystem and the operating CA's two-factor authentication cannot establish a digital certificate in the digital certificate subsystem;
  • the operation CA is through the “Registration Center (RA) of the operation CA", and the registration authentication service of "establishing the user digital certificate in the digital certificate subsystem” is handled; for the difference, the following is the registration center of the operation CA ( RA)", abbreviated as CRA;
  • the "digital certificate subsystem management party” is through the “registration center (RA) of the digital certificate subsystem management party", and the registration authentication service of "establishing a user digital certificate in the digital certificate subsystem” is handled;
  • the following is the “Registration Center (RA) of the digital certificate subsystem management party”, referred to as MRA;
  • the "Digital Certificate Subsystem” receives "a request to establish a digital certificate in the digital certificate subsystem", "information data to be authenticated by the protocol”, and a "digital signature of the CRA of the operating CA", and ' The digital certificate of the CRA issued by the operating CA, and the digital signature of the MRA of the digital certificate subsystem manager, and the digital certificate of the MRA and the digital signature of its digital certificate subsystem management party";
  • the "digital certificate establishment management module” applies the public key in the "digital certificate of the MRA” to verify the received "digital signature of the MRA";
  • the "digital certificate establishment management module” continues to apply the "public key in the operational CA digital certificate” stored in the digital certificate subsystem according to the protocol, and the received "the operation CA” The issued CRA digital certificate is verified;
  • the "digital certificate establishment management module” applies the public key in the "CRA digital certificate issued by the operating CA” to verify the received "digital signature of the CRA”;
  • the “digital certificate establishment management module” initiates a process of establishing a digital certificate in the digital certificate subsystem according to the protocol; the process includes:
  • the "digital certificate establishment management module” outputs the public key of the key pair to the CA according to the protocol for the CA to issue a digital certificate based on the public key.
  • the invention provides a digital certificate subsystem, which solves the problems existing in the existing digital certificate technology, enables the digital certificate subsystem to be integrated into a mobile phone and is widely used at low cost; and is compatible with "application of digital certificates issued by each CA" And more reliable and safer; at the same time, mobile phone manufacturers can also use the mobile phone digital certificate subsystem and its application features highlights to fully expand the mobile phone market.
  • FIG. 1 is a schematic structural diagram of a conventional digital certificate subsystem.
  • FIG. 2 is a schematic structural view of a digital certificate subsystem of the present invention. .
  • FIG. 3 is a schematic structural diagram of a digital certificate subsystem according to Embodiment 1 of the present invention.
  • FIG. 4 is a schematic structural diagram of a digital certificate subsystem according to Embodiment 2 of the present invention.
  • FIG. 5 is a schematic structural diagram of a registration and authentication system for a user digital certificate based on the digital certificate subsystem of the present invention.
  • the digital certificate subsystem of the first embodiment of the present invention is a mobile phone digital certificate subsystem designed and integrated by a mobile phone manufacturer into a matched mobile phone system; meanwhile, the mobile phone manufacturer is a management party of the digital certificate subsystem, and is associated with the CA. Working together to establish a digital certificate and its application in the digital certificate subsystem;
  • a digital certificate subsystem is characterized in that it includes a "digital certificate establishment management module" and a "public key of a digital certificate of a digital certificate subsystem management party" and a national root CA number.
  • the public key of the certificate is used to manage the establishment of a digital certificate in the digital certificate subsystem that requires dual authentication of the digital certificate subsystem and the operating CA. If there is no "digital certificate subsystem management party and operating CA" Double authentication, it is impossible to establish a digital certificate in the digital certificate subsystem;
  • the operation CA is through the “Registration Center (RA) of the operation CA", and the registration authentication service of "establishing the user digital certificate in the digital certificate subsystem” is handled; for the difference, the following is the registration center of the operation CA ( RA)", abbreviated as CRA;
  • the "digital certificate subsystem management party (ie: mobile phone manufacturer)" is through the “registration center (RA) of the digital certificate subsystem management party", the registration of "establishing a user digital certificate in the digital certificate subsystem” Authentication service; for the difference, the following is the “Registration Center (RA) of the digital certificate subsystem management party”, referred to as MRA;
  • the "Digital Certificate Subsystem” receives "a request to establish a digital certificate in the digital certificate subsystem", "information data to be authenticated by the protocol”, and a "digital signature of the CRA of the operating CA", and ' The digital certificate of the operating CA', and the digital certificate of the CRA issued by the operating CA, and the digital signature of the MRA of the digital certificate subsystem management, and the digital certificate of the MRA and its digital certificate subsystem management Party digital signature '";
  • the "digital certificate establishment management module” applies the public key in the "digital certificate of the MRA” to verify the received "digital signature of the MRA";
  • the "digital certificate establishment management module” continues to apply the "public key of the national root CA digital certificate” stored in the digital certificate subsystem according to the protocol, and the received "operating CA” Digital certificate” for verification;
  • the "digital certificate establishment management module” applies the "public key in the received operational CA digital certificate” according to the protocol, and receives the received "CRA digital certificate issued by the operational CA”. authenticating;
  • the "digital certificate establishment management module” applies the public key in the "CRA digital certificate issued by the operation CA” to verify the received "digital signature of the CRA”;
  • the “digital certificate establishment management module” starts a process of establishing a digital certificate in the digital certificate subsystem according to the protocol; the process includes:
  • the "digital certificate establishment management module” outputs the public key of the key pair to the CA according to the protocol for the CA to issue a digital certificate based on the public key.
  • the digital certificate subsystem of Embodiment 2 of the present invention is a mobile phone digital certificate subsystem, which is composed of a mobile phone.
  • the manufacturer design is integrated in the matching mobile phone system; at the same time, the mobile phone manufacturer is the management party of the digital certificate subsystem, and manages to establish a digital certificate and its application in the digital certificate subsystem together with the CA;
  • a digital certificate subsystem is characterized in that it includes a "digital certificate establishment management module" and a "public key of a digital certificate of a digital certificate subsystem management party" and a plurality of different "The public key of the digital certificate of the operating CA" is used to manage the establishment of a digital certificate in the digital certificate subsystem that requires both the digital certificate subsystem management and the operational CA to be downloaded and created; if there is no "digital certificate” The two-factor authentication of the system administrator and the operating CA cannot establish a digital certificate in the digital certificate subsystem;
  • each "public key of the digital certificate of the operating CA” is retrieved and called according to its unique ID data
  • the operation CA is through the “Registration Center (RA) of the operation CA", and the registration authentication service of "establishing the user digital certificate in the digital certificate subsystem” is handled; for the difference, the following is the registration center of the operation CA ( RA)", abbreviated as CRA;
  • the "digital certificate subsystem management party” is through the “registration center (RA) of the digital certificate subsystem management party", and the registration authentication service of "establishing a user digital certificate in the digital certificate subsystem” is handled;
  • the following is the “Registration Center (RA) of the digital certificate subsystem management party”, referred to as MRA;
  • the "Digital Certificate Subsystem” receives "a request to establish a digital certificate in the digital certificate subsystem", "information data to be authenticated by the protocol”, and a "digital signature of the CRA of the operating CA", the operation The unique ID data of the CA in the digital certificate subsystem, and the 'digital certificate of the CRA issued by the operating CA', and the digital signature of the MRA of the digital certificate subsystem administrator, and the digital certificate of the MRA The digital signature of the administrator of its digital certificate subsystem'";
  • the "digital certificate establishment management module” applies the public key in the "digital certificate of the MRA” to verify the received "digital signature of the MRA";
  • the "digital certificate establishment management module” retrieves the call in the digital certificate subsystem according to the received "unique ID data of the operation CA in the digital certificate subsystem” according to the protocol.
  • the "digital certificate establishment management module” applies the public key in the "CRA digital certificate issued by the operating CA” to verify the received "digital signature of the CRA”;
  • the “digital certificate establishment management module” initiates a process of establishing a digital certificate in the digital certificate subsystem according to the protocol; the process includes:
  • the "digital certificate establishment management module” outputs the public key of the key pair to the CA according to the protocol for the CA to issue a digital certificate based on the public key.
  • the technical solution of the digital certificate subsystem can solve the problems existing in the existing digital certificate technology, so that the digital certificate subsystem can be integrated into a mobile phone and widely used at low cost; and is compatible with "CA"
  • the application of issued digital certificates is more reliable and safer; at the same time, mobile phone manufacturers can also take advantage of the functional highlights of the mobile digital certificate subsystem and its applications to fully expand the mobile phone market.
  • the technical solution of the digital certificate subsystem provided by the present invention is applicable not only to mobile phones, but also to the application of digital certificate technology of various computer systems such as computer notebooks and servers.

Abstract

A digital certificate subsystem is a computer subsystem comprising a processor, a memory, a software system, an encryption and decryption module, and a key generation module. The subsystem comprises a "digital certificate creation and management module," a "verification key for authentication data of a manager of the digital certificate subsystem" and a "verification key for authentication data of a certifier of a digital certificate" used for managing, in the digital certificate subsystem, the creation of a "digital certificate application which can only be created when the authentications from both of the manager of the digital certificate subsystem and the certifier of the digital certificate are obtained," and if "the authentications from both of the manager of the digital certificate subsystem and the certifier of the digital certificate" are not obtained, the digital certificate application cannot be created in the digital certificate subsystem.

Description

一种数字证书子系统Digital certificate subsystem 技术领域Technical field
本发明涉及数字证书应用技术领域,更具体地,涉及一种数字证书子系统。The present invention relates to the field of digital certificate application technologies, and more particularly to a digital certificate subsystem.
背景技术Background technique
本发明的构思源于对“在手机中集成数字证书子系统及其应用”的分析。The idea of the present invention stems from the analysis of "integrating a digital certificate subsystem and its application in a mobile phone."
在互联通讯时代,数字证书及其数字证书子系统(如USB Key数字证书)被广泛应用。同时,移动通讯技术、智能手机技术也蓬勃发展,基于智能手机的数字证书应用潜力巨大。In the era of interconnected communications, digital certificates and their digital certificate subsystems (such as USB Key digital certificates) are widely used. At the same time, mobile communication technology and smart phone technology are also booming, and the digital certificate application based on smart phones has great potential.
但分析现有数字证书技术,其数字证书子系统却不适合集成于手机中低成本广泛应用。分析其原因,主要如下:However, the analysis of existing digital certificate technology, its digital certificate subsystem is not suitable for integration in mobile phones, low-cost and wide-ranging applications. Analysis of the reasons, mainly as follows:
1、现有数字证书子系统(如USB Key数字证书子系统),都是由签发数字证书的CA及其应用系统特别专管专控的商用密码产品;各家CA的数字证书子系统,独立发展,互不兼容。按现有技术,现有各CA的数字证书子系统及其应用,难兼容集成于手机系统中。1. The existing digital certificate subsystem (such as the USB Key digital certificate subsystem) is a commercial password product specially controlled by the CA and its application system that issue digital certificates; the digital certificate subsystem of each CA is independent. Development, incompatibility. According to the prior art, the existing digital certificate subsystems of CAs and their applications are difficult to be integrated into the mobile phone system.
2、“基于现有数字证书子系统的用户数字证书”重复浪费成本高。2. Repeated waste costs are high in “user digital certificates based on existing digital certificate subsystems”.
现有数字证书技术(如USB Key数字证书),各CA独立发展、互不兼容,使各CA签发的USB Key用户数字证书只能用于指定的服务商,不能通用。例如:许多用户就同时拥有招行、工行、建行等不同银行的USB Key数字证书,不仅重复浪费成本高,而且管理麻烦;实际上,通过技术改进,“用户只需一个数字证书子系统”即可兼容各CA签发的数字证书及其应用。Existing digital certificate technology (such as USB Key digital certificate), each CA is independently developed and incompatible with each other, so that the USB Key user digital certificate issued by each CA can only be used for the designated service provider, and cannot be used universally. For example, many users have USB Key digital certificates from different banks such as China Merchants Bank, ICBC, and CCB. This not only has high waste and high cost, but also has troublesome management. In fact, through technical improvement, “users only need one digital certificate subsystem”. Compatible with digital certificates issued by CAs and their applications.
3、在手机中集成数字证书子系统,其数字证书子系统与其手机系统是一体化强关联设计;手机厂商希望在手机中增加手机数字证书子系统及其应用,为用户增加手机的功能亮点,增进扩大手机市场;但按现有技术,数字证书子系统完全由CA特别专管专控,使手机及其厂商不仅受到CA限制,反而更难放开手脚扩大市场;因此,现有手机厂商都没有在手机中设计增加手机数字证书子系统及其应用。3. Integrating the digital certificate subsystem in the mobile phone, the digital certificate subsystem and its mobile phone system are integrated with strong design; the mobile phone manufacturer hopes to add the mobile digital certificate subsystem and its application to the mobile phone, and increase the functional highlights of the mobile phone for the user. Promote the expansion of the mobile phone market; however, according to the existing technology, the digital certificate subsystem is completely controlled by CA special control, so that mobile phones and their manufacturers are not only restricted by CA, but it is more difficult to open their hands and expand the market; therefore, existing mobile phone manufacturers are No mobile phone digital certificate subsystem and its application have been designed in mobile phones.
基于上面的问题及需求,本发明提供一种数字证书子系统,可解决上面现 有技术的问题。Based on the above problems and needs, the present invention provides a digital certificate subsystem, which can solve the above There are technical problems.
本发明是在现有技术基础上,对现有技术的改进创新。下面再介绍下现有技术的相关内容:The present invention is an improvement over the prior art based on the prior art. The following describes the relevant content of the prior art:
1、Hash算法及Hash摘要1, Hash algorithm and Hash summary
1)Hash,一般翻译为“散列”,也可直接音译为“哈希”。本文直接使用其英文。1) Hash, which is generally translated as "hash", can also be transliterated directly into "hash". This article uses its English directly.
2)Hash算法,是将任意长度的二进制值映射为较短的固定长度的二进制值的算法。2) Hash algorithm is an algorithm that maps binary values of arbitrary length into shorter fixed-length binary values.
3)Hash摘要,用Hash算法将任意长度的二进制值映射为较短的固定长度的二进制值。这个小的二进制值称为Hash摘要或Hash值。其是一段数据唯一且极其紧凑的数值表示形式。要找到Hash摘要为同一个值的两个不同的输入,在计算上基本是不可能的,所以,数据的Hash摘要可以检验数据的完整性。3) Hash digest, using the hash algorithm to map binary values of arbitrary length to shorter fixed-length binary values. This small binary value is called a hash summary or a hash value. It is a unique and extremely compact numerical representation of a piece of data. Finding two different inputs for the Hash digest to the same value is basically computationally impossible, so the Hash digest of the data can verify the integrity of the data.
2、对称加密算法及其对称密钥2. Symmetric encryption algorithm and its symmetric key
对称加密算法,是指加密密钥和解密密钥相同或可相互推算出来的加密算法。对称加密算法使用的密钥,称为对称密钥。A symmetric encryption algorithm refers to an encryption algorithm in which the encryption key and the decryption key are the same or can be derived from each other. The key used by the symmetric encryption algorithm is called a symmetric key.
对称加密算法的加密密钥能够从解密密钥中推算出来,同时解密密钥也可以从加密密钥中推算出来。在大多数的对称算法中,加密密钥和解密密钥是相同的。The encryption key of the symmetric encryption algorithm can be derived from the decryption key, and the decryption key can also be derived from the encryption key. In most symmetric algorithms, the encryption key and the decryption key are the same.
3、非对称加密算法及其非对称密钥对3. Asymmetric encryption algorithm and its asymmetric key pair
非对称加密算法,是指加密密钥和解密密钥不相同的加密算法。An asymmetric encryption algorithm refers to an encryption algorithm in which the encryption key and the decryption key are different.
非对称加密算法使用的这两个密钥,是公开密钥(public key,简称公钥)和私有密钥(private key,简称私钥),它们是一对,但彼此在计算上基本不可能相互推算出来,称为非对称密钥对。The two keys used by the asymmetric encryption algorithm are a public key (public key) and a private key (private key). They are a pair, but it is basically impossible to calculate each other. It is calculated from each other and is called an asymmetric key pair.
如果用公钥和该算法对数据进行加密,只有用对应的私钥和该算法才能解密;如果用私钥和该算法对数据进行加密,那么只有用对应的公钥和该算法才能解密。If the data is encrypted with the public key and the algorithm, only the corresponding private key and the algorithm can be used for decryption; if the data is encrypted with the private key and the algorithm, only the corresponding public key and the algorithm can be used for decryption.
4、数字证书 4, digital certificate
数字证书是一个经证书授权中心数字签名的包含公开密钥以及公开密钥拥有者信息的文件。A digital certificate is a file that is digitally signed by a certificate authority and contains public key and public key owner information.
5、数字签名及其验证方法5, digital signature and its verification method
1)数字签名1) Digital signature
发送者先将报文按约定的HASH算法计算得到一个报文摘要(又称:HASH摘要);再将该报文摘要用发送者的私有密钥和非对称加密算法加密,得到的密文,就叫“该发送者对该报文的数字签名”。数字签名需与原报文绑定使用,一起发送给接收者。The sender first calculates a message digest (also called: HASH digest) according to the agreed HASH algorithm; and then encrypts the message digest with the sender's private key and asymmetric encryption algorithm to obtain the ciphertext. It is called "the sender's digital signature of the message." The digital signature needs to be bound to the original message and sent to the recipient.
2)数字签名的验证方法2) Verification method of digital signature
接收方收到数字签名和原报文后,用同样的HASH算法对原报文计算出报文摘要,简记为A;然后用“发送者的数字证书中的公开密钥”和“相同的非对称加密算法”,对数字签名进行解密得到的原报文摘要,简记为B”。比较报文摘要A和报文摘要B;若二者相等,则数字签名验证成功,说明报文及数字签名来自“数字证书中公开密钥的拥有者”,也就是发送者。After receiving the digital signature and the original message, the receiver uses the same HASH algorithm to calculate the message digest for the original message, abbreviated as A; then use the "public key in the sender's digital certificate" and "same" "Asymmetric encryption algorithm", the original message digest obtained by decrypting the digital signature, abbreviated as B". Compare the message digest A and the message digest B; if the two are equal, the digital signature verification is successful, indicating the message and The digital signature comes from the "owner of the public key in the digital certificate", which is the sender.
6、现有USB Key数字证书子系统及其USB Key数字证书6. Existing USB Key digital certificate subsystem and its USB Key digital certificate
1)现有USB Key数字证书子系统,是包括有独立的处理器、存储器及软件系统、及加密解密模块、及密钥生成模块的计算机子系统;其硬件主要是采用经国家第三方认证机构认证的SOC安全芯片。1) The existing USB Key digital certificate subsystem is a computer subsystem including an independent processor, memory and software system, and encryption and decryption module, and a key generation module; the hardware is mainly adopted by a national third-party certification body. Certified SOC security chip.
2)现有USB Key数字证书子系统,都是由签发数字证书的CA及其应用系统特别专管专控的商用密码产品。其在注册建立用户数字证书时无需再进行认证。2) The existing USB Key digital certificate subsystem is a commercial password product specially controlled by the CA that issues the digital certificate and its application system. It does not need to be authenticated when registering to establish a user digital certificate.
3)USB Key数字证书,是CA签发的基于USB Key数字证书子系统的用户数字证书。其用户私钥唯一存储并应用于USB Key数字证书子系统中,不可导出,因此十分安全。其已在银行等领域广泛成熟地应用。3) USB Key digital certificate, which is a user digital certificate issued by CA based on the USB Key digital certificate subsystem. The user's private key is uniquely stored and applied to the USB Key digital certificate subsystem and cannot be exported, so it is very secure. It has been widely used in banking and other fields.
下面是本文中使用的术语、缩略语及定义:The following are terms, abbreviations, and definitions used in this article:
Figure PCTCN2016102781-appb-000001
Figure PCTCN2016102781-appb-000001
Figure PCTCN2016102781-appb-000002
Figure PCTCN2016102781-appb-000002
发明内容Summary of the invention
本发明的基本构思是:改变现有技术中“由单一CA专管专控数字证书子系统”的技术方案,提供一种创新的“由数字证书子系统管理方和CA共同管控数字证书子系统”的技术方案。 The basic idea of the invention is to change the technical scheme of "special control digital certificate subsystem by a single CA special control" in the prior art, and provide an innovative "digital certificate subsystem management unit and CA jointly control digital certificate subsystem "Technical solution."
本发明提供的一种数字证书子系统,在总的构思下,可有多种不同的方案。为完整描述在本发明总的构思下的各种不同的方案,下面按层次化模块化结构,描述本发明的数字证书子系统的各种不同方案。A digital certificate subsystem provided by the present invention can have a variety of different solutions under the general concept. To fully describe the various aspects of the present general inventive concept, various different aspects of the digital certificate subsystem of the present invention are described below in a hierarchical modular structure.
1、本发明提供的一种数字证书子系统,是包括有:处理器、存储器及软件系统、及加密解密模块、及密钥生成模块的计算机子系统,其特征在于:其包括有“数字证书建立管理模块”和“数字证书子系统管理方的认证数据的验证密钥”及“数字证书认证方的认证数据的验证密钥”,用于管理在该数字证书子系统中建立“需有数字证书子系统管理方和数字证书认证方双重认证才能建立的数字证书应用”;若没有“数字证书子系统管理方和数字证书认证方的双重认证”,就不能在该数字证书子系统中建立数字证书应用;A digital certificate subsystem provided by the present invention is a computer subsystem comprising: a processor, a memory and software system, and an encryption and decryption module, and a key generation module, characterized in that it comprises a "digital certificate" Establishing a management module" and a "authentication key for the authentication data of the digital certificate subsystem administrator" and "a verification key for the authentication data of the digital certificate authenticator" for managing the establishment of "required numbers" in the digital certificate subsystem Digital certificate application can be established only by the certificate subsystem administrator and the digital certificate authenticator; if there is no "dual certificate subsystem and digital certificate authenticator's two-factor authentication", the digital certificate subsystem cannot be established in the digital certificate subsystem. Certificate application
其特征是包括下面步骤:It is characterized by the following steps:
(1)该“数字证书子系统”接收到“‘在该数字证书子系统中建立数字证书的请求’、‘按协议要认证的信息数据’及数字证书子系统管理方的认证密钥的认证数据、及数字证书认证方的认证密钥的认证数据”;(1) The "Digital Certificate Subsystem" receives the "Request to establish a digital certificate in the digital certificate subsystem", the "information data to be authenticated by the protocol", and the authentication key of the digital certificate subsystem management party. Data, and authentication data of the authentication key of the digital certificate authenticator";
其中,数字证书认证方或数字证书子系统管理方的认证数据,是指:用数字证书认证方或数字证书子系统管理方的认证密钥,对“‘要认证的信息数据’的Hash摘要”进行加密后的加密数据;The authentication data of the digital certificate authenticator or the digital certificate subsystem management party refers to: the authentication key of the digital certificate authenticator or the digital certificate subsystem administrator, and the "Hash summary of the information data to be authenticated" Encrypted encrypted data;
(2)该数字证书子系统的“数字证书建立管理模块”,按协议,应用存储在该数字证书子系统中的“数字证书子系统管理方的认证数据的验证密钥”对“数字证书子系统管理方的认证密钥的认证数据”进行验证;(2) The "digital certificate establishment management module" of the digital certificate subsystem applies the "authentication key of the authentication data of the digital certificate subsystem management party" stored in the digital certificate subsystem to the "digital certificate" according to the protocol. The authentication data of the authentication key of the system administrator is verified;
其中,“验证密钥”对“认证密钥的认证数据”的验证方法是:The verification method of "authentication key" to "authentication data of authentication key" is:
a)按协议,应用“验证密钥”对“认证密钥的认证数据”进行解密,得到“‘要认证的信息数据’的Hash摘要”,简记用A表示;a) According to the protocol, the "authentication key" is used to decrypt the "authentication data of the authentication key", and the "hash summary of the information data to be authenticated" is obtained, which is denoted by A;
b)按协议,对“接收到的‘按协议要认证的信息数据’”应用Hash算法进行运算,得到该‘按协议要认证的信息数据’的Hash摘要,简记用B表示;b) applying the Hash algorithm to the received "information data to be authenticated by protocol" according to the protocol, and obtaining a Hash summary of the "information data to be authenticated by protocol", which is denoted by B;
c)比较数据A和B;若A等于B,则判定“‘验证密钥’对‘认证密钥的认证数据’的验证”通过;若A不等于B,则判定“‘验证密钥’对‘认证密钥的认证数据’的验证”不通过; c) comparing the data A and B; if A is equal to B, it is determined that "the verification of the 'authentication key' for the authentication data of the authentication key' is passed"; if A is not equal to B, the "authentication key" pair is determined 'Verification of authentication data for authentication key' does not pass;
(3)若上述对“数字证书子系统管理方的认证密钥的认证数据”的验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(3) If the above verification of the "authentication data of the authentication key of the digital certificate subsystem management party" fails, the "digital certificate establishment management module" does not allow establishment in the "digital certificate subsystem". Requested digital certificate";
其中,数字证书认证方,可以是CA,也可以是“与CA具有同等认证效力的CA计算机认证管理系统”;The digital certificate authenticator may be a CA or a CA computer authentication management system having the same certification effect as the CA;
CA是负责认证、签发和管理数字证书的第三方权威机构;CA是通过CA计算机认证管理系统管理签发用户数字证书;CA is the third-party authority responsible for the certification, issuance and management of digital certificates; CA is the management of the issuance of user digital certificates through the CA computer certification management system;
其中,数字证书子系统管理方,可以是数字证书子系统管理机构,也可以是“与‘数字证书子系统管理机构’具有同等管理效力的‘数字证书子系统管理机构’的计算机管理系统”;The digital certificate subsystem management party may be a digital certificate subsystem management organization, or may be a computer management system of a 'digital certificate subsystem management institution' having the same management effect as the 'digital certificate subsystem management institution';
“数字证书子系统管理机构”是管理“在数字证书子系统中建立数字证书应用的管理机构;其可以是CA,也可以不是CA;其特征是:其是和“与其不同的CA”共同管理“在数字证书子系统中建立数字证书应用”的管理机构;The "Digital Certificate Subsystem Authority" is the management organization that manages the establishment of a digital certificate application in the digital certificate subsystem; it may or may not be a CA; it is characterized in that it is managed jointly with "a different CA" The governing body for “establishing a digital certificate application in the digital certificate subsystem”;
“数字证书子系统管理机构”是通过“数字证书子系统管理机构的计算机管理系统”管理“在数字证书子系统中建立数字证书应用”;该“数字证书子系统管理机构的计算机管理系统”,简称为:数字证书子系统管理平台;The “Digital Certificate Subsystem Management Organization” manages “Building a Digital Certificate Application in the Digital Certificate Subsystem” through the “Computer Management System of the Digital Certificate Subsystem Authority”; the “Computer Management System of the Digital Certificate Subsystem Management Organization”, Referred to as: digital certificate subsystem management platform;
其中,数字证书认证方或数字证书子系统管理方的认证密钥和验证密钥,是一对可相互唯一验证的密钥,其可以是对称密钥,也可以是非对称密钥。The authentication key and the verification key of the digital certificate authenticator or the digital certificate subsystem administrator are a pair of mutually uniquely authenticated keys, which may be symmetric keys or asymmetric keys.
2、如上述1所述的数字证书子系统,其包括有“数字证书建立管理模块”和“数字证书子系统管理方的认证数据的验证密钥”及“数字证书认证方的认证数据的验证密钥”,用于管理在该数字证书子系统中建立“需有数字证书子系统管理方和数字证书认证方双重认证才能建立的数字证书应用”;若没有“数字证书子系统管理方和数字证书认证方的双重认证”,就不能在该数字证书子系统中建立数字证书应用;2. The digital certificate subsystem according to the above 1, comprising: a "digital certificate establishment management module" and a "authentication key of the authentication data of the digital certificate subsystem management party" and "authentication of the authentication data of the digital certificate authenticator" "key" for managing the establishment of a digital certificate application that requires dual authentication by a digital certificate subsystem administrator and a digital certificate authenticator in the digital certificate subsystem; if there is no "digital certificate subsystem manager and number" The two-factor authentication of the certificate certifying party cannot establish a digital certificate application in the digital certificate subsystem;
其特征是还包括下面步骤:It is also characterized by the following steps:
(1)该“数字证书子系统”接收到“‘在该数字证书子系统中建立数字证书的请求’、‘按协议要认证的信息数据’及数字证书子系统管理方的认证密钥的认证数据、及数字证书认证方的认证密钥的认证数据’”; (1) The "Digital Certificate Subsystem" receives the "Request to establish a digital certificate in the digital certificate subsystem", the "information data to be authenticated by the protocol", and the authentication key of the digital certificate subsystem management party. Data, and authentication data of the authentication key of the digital certificate authenticator'";
(2)该数字证书子系统的“数字证书建立管理模块”,按协议,应用存储在该数字证书子系统中的“数字证书认证方的认证数据的验证密钥”对“数字证书认证方的认证密钥的认证数据”进行验证;(2) The "digital certificate establishment management module" of the digital certificate subsystem applies the "authentication key of the authentication data of the digital certificate authenticator" stored in the digital certificate subsystem to the "digital certificate authenticator" according to the protocol. Authentication data of the authentication key is verified;
(3)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(3) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
其中,数字证书认证方或数字证书子系统管理方的认证密钥和验证密钥,是一对可相互唯一验证的密钥,其可以是对称密钥,也可以是非对称密钥。The authentication key and the verification key of the digital certificate authenticator or the digital certificate subsystem administrator are a pair of mutually uniquely authenticated keys, which may be symmetric keys or asymmetric keys.
3、如上述2所述的数字证书子系统,其特征还在于:其包括有“数字证书建立管理模块”和“数字证书子系统管理方的数字证书的公钥”及“国家根CA数字证书的公钥”,用于管理在该数字证书子系统中建立“需有数字证书子系统管理方和CA双重认证才能建立的数字证书应用”;若没有“数字证书子系统管理方和CA的双重认证”,就不能在该数字证书子系统中建立数字证书应用;3. The digital certificate subsystem according to 2 above, characterized in that it comprises a "digital certificate establishment management module" and a "public key of a digital certificate of a digital certificate subsystem management party" and a "national root CA digital certificate" Public key" is used to manage the establishment of a digital certificate application that requires the digital certificate subsystem management and CA dual authentication to be established in the digital certificate subsystem; if there is no "digital certificate subsystem management party and CA" "Authentication", it is impossible to establish a digital certificate application in the digital certificate subsystem;
其特征是包括下面步骤:It is characterized by the following steps:
(1)该“数字证书子系统”接收到“‘在该数字证书子系统中建立数字证书的请求’、‘按协议要认证的信息数据’及数字证书子系统管理方的数字签名、及运营CA的数字签名、和运营CA的数字证书”;(1) The "Digital Certificate Subsystem" receives "a request to establish a digital certificate in the digital certificate subsystem", "information data to be authenticated by the protocol", and a digital signature of the digital certificate subsystem management party, and operation CA's digital signature, and the digital certificate of the operating CA";
(2)该数字证书子系统的“数字证书建立管理模块”,按协议,应用存储在该数字证书子系统中的“国家根CA数字证书的公钥”,对接收到的“运营CA的数字证书”进行验证;(2) The "digital certificate establishment management module" of the digital certificate subsystem applies the "public key of the national root CA digital certificate" stored in the digital certificate subsystem according to the protocol, and the received "operating CA number" Certificate" for verification;
其验证方法是:The verification method is:
a)按协议,应用“国家根CA数字证书的公钥”对“‘运营CA的数字证书’中的国家根CA的数字签名”进行解密,得到“‘运营CA的数字证书’中的‘要认证的信息数据’的Hash摘要”,简记用A表示;a) According to the agreement, use the “public key of the national root CA digital certificate” to decrypt the “digital signature of the national root CA in the 'digital certificate of the operating CA'”, and obtain the “in the digital certificate of the operating CA”. The Hash summary of the authenticated information data, abbreviated as A;
b)按协议,对接收到的“‘运营CA的数字证书’中的‘按协议要认证的信息数据’”应用Hash算法进行运算,得到该‘按协议要认证的信息数据’的Hash摘要,简记用B表示;b) Apply the Hash algorithm to the received "information data to be authenticated by the protocol" in the received "digital certificate of the operating CA" according to the protocol, and obtain the Hash summary of the 'information data to be authenticated by protocol'. A shorthand is indicated by B;
c)比较数据A和B;若A等于B,则判定“‘国家根CA数字证书的公钥’ 对该‘运营CA的数字证书’的验证”通过;若A不等于B,则判定“‘国家根CA数字证书的公钥’对该‘运营CA的数字证书’的验证”不通过;c) compare data A and B; if A is equal to B, then determine "the public key of the national root CA digital certificate" The verification of the 'digital certificate of the operating CA' is passed; if A is not equal to B, it is determined that "the public key of the 'national root CA digital certificate' does not pass the verification of the 'digital certificate of the operating CA'";
(3)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(3) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
其中,国家根CA,是向运营CA签发数字证书的国家权威认证机构;国家根CA的数字证书是根数字证书,是国家根CA给自己颁发的数字证书;国家根CA和国家根CA的数字证书,是以数字证书为基础的国家级信任链的起始点;Among them, the national root CA is the national authoritative certification body that issues digital certificates to the operating CA; the digital certificate of the national root CA is the root digital certificate, which is the digital certificate issued by the national root CA to itself; the number of the national root CA and the national root CA Certificate, the starting point of a national trust chain based on digital certificates;
其中,运营CA,是由国家根CA认证、可向CA外的具体个人及法人签发并管理数字证书的第三方权威认证机构。Among them, the operation CA is a third-party authoritative certification body that is certified by the national root CA and can issue and manage digital certificates to specific individuals and legal persons outside the CA.
4、如上述2所述的数字证书子系统,其特征还在于:其包括有“数字证书建立管理模块”和“数字证书子系统管理方的数字证书的公钥”及“国家根CA数字证书的公钥”,用于管理在该数字证书子系统中建立“需有数字证书子系统管理方和CA双重认证才能建立的数字证书应用”;若没有“数字证书子系统管理方和CA的双重认证”,就不能在该数字证书子系统中建立数字证书应用;4. The digital certificate subsystem according to 2 above, characterized in that it comprises a "digital certificate establishment management module" and a "public key of a digital certificate of the digital certificate subsystem management party" and a "national root CA digital certificate" Public key" is used to manage the establishment of a digital certificate application that requires the digital certificate subsystem management and CA dual authentication to be established in the digital certificate subsystem; if there is no "digital certificate subsystem management party and CA" "Authentication", it is impossible to establish a digital certificate application in the digital certificate subsystem;
其特征是包括下面步骤:It is characterized by the following steps:
(1)该“数字证书子系统”接收到“‘在该数字证书子系统中建立数字证书的请求’、‘按协议要认证的信息数据’及数字证书子系统管理方的数字签名、及运营CA的数字签名、和运营CA的数字证书”;(1) The "Digital Certificate Subsystem" receives "a request to establish a digital certificate in the digital certificate subsystem", "information data to be authenticated by the protocol", and a digital signature of the digital certificate subsystem management party, and operation CA's digital signature, and the digital certificate of the operating CA";
(2)该数字证书子系统的“数字证书建立管理模块”,按协议,应用存储在该数字证书子系统中的“国家根CA数字证书的公钥”,对接收到的“运营CA的数字证书”进行验证;(2) The "digital certificate establishment management module" of the digital certificate subsystem applies the "public key of the national root CA digital certificate" stored in the digital certificate subsystem according to the protocol, and the received "operating CA number" Certificate" for verification;
其验证方法是:The verification method is:
a)按协议,应用“国家根CA数字证书的公钥”对“‘运营CA的数字证书’中的国家根CA的数字签名”进行解密,得到“‘运营CA的数字证书’中的‘要认证的信息数据’的Hash摘要”,简记用A表示;a) According to the agreement, use the “public key of the national root CA digital certificate” to decrypt the “digital signature of the national root CA in the 'digital certificate of the operating CA'”, and obtain the “in the digital certificate of the operating CA”. The Hash summary of the authenticated information data, abbreviated as A;
b)按协议,对接收到的“‘运营CA的数字证书’中的‘按协议要认证的信息数据’”应用Hash算法进行运算,得到该‘按协议要认证的信息数据’的 Hash摘要,简记用B表示;b) applying the Hash algorithm to the received "information data to be authenticated by the protocol" in the received "digital certificate of the operating CA" according to the protocol, and obtaining the information data to be authenticated by the protocol. Hash summary, shorthand with B;
c)比较数据A和B;若A等于B,则判定“‘国家根CA数字证书的公钥’对该‘运营CA的数字证书’的验证”通过;若A不等于B,则判定“‘国家根CA数字证书的公钥’对该‘运营CA的数字证书’的验证”不通过;c) Comparing data A and B; if A is equal to B, it is determined that "the public key of the 'national root CA digital certificate' passes the verification of the 'digital certificate of the operating CA'"; if A is not equal to B, the decision is made " The public key of the national root CA digital certificate 'verification of the 'digital certificate' of the operating CA is not passed;
(3)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(3) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
(4)若验证通过,则该“数字证书建立管理模块”,按协议,再应用该“运营CA的数字证书的公钥”对接收到的“运营CA的数字签名”进行验证;(4) If the verification is passed, the "digital certificate establishment management module", according to the protocol, applies the "public key of the digital certificate of the operating CA" to verify the received "digital signature of the operating CA";
(5)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(5) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
其中,国家根CA,是向运营CA签发数字证书的国家权威认证机构;国家根CA的数字证书是根数字证书,是国家根CA给自己颁发的数字证书;国家根CA和国家根CA的数字证书,是以数字证书为基础的国家级信任链的起始点;Among them, the national root CA is the national authoritative certification body that issues digital certificates to the operating CA; the digital certificate of the national root CA is the root digital certificate, which is the digital certificate issued by the national root CA to itself; the number of the national root CA and the national root CA Certificate, the starting point of a national trust chain based on digital certificates;
其中,运营CA,是由国家根CA认证、可向CA外的具体个人及法人签发并管理数字证书的第三方权威认证机构。Among them, the operation CA is a third-party authoritative certification body that is certified by the national root CA and can issue and manage digital certificates to specific individuals and legal persons outside the CA.
5、如上述2所述的数字证书子系统,其特征还在于:其包括有“数字证书建立管理模块”和“数字证书子系统管理方的数字证书的公钥”及多个不同的“运营CA的数字证书的公钥”;其中,每个“运营CA的数字证书的公钥”按其唯一ID数据被检索调用;5. The digital certificate subsystem of the above 2, further characterized in that it comprises a "digital certificate establishment management module" and a "public key of a digital certificate subsystem digital certificate" and a plurality of different "operations" The public key of the digital certificate of the CA"; wherein each "public key of the digital certificate of the operating CA" is retrieved and called according to its unique ID data;
其特征是包括下面步骤:It is characterized by the following steps:
(1)该“数字证书子系统”接收到“‘在该数字证书子系统中建立数字证书的请求’、‘按协议要认证的信息数据’及数字证书子系统管理方的数字签名、及运营CA的数字签名、及该运营CA在该数字证书子系统中的唯一ID数据”;(1) The "Digital Certificate Subsystem" receives "a request to establish a digital certificate in the digital certificate subsystem", "information data to be authenticated by the protocol", and a digital signature of the digital certificate subsystem management party, and operation The digital signature of the CA and the unique ID data of the operational CA in the digital certificate subsystem";
(2)该数字证书子系统的“数字证书建立管理模块”,按协议,按接收到的“该运营CA在该数字证书子系统中的唯一ID数据”,在该数字证书子系统中检索调用该“运营CA数字证书中的公钥”;并应用该“运营CA数字证书中的公钥”,对接收到的“运营CA的数字签名”进行验证; (2) The "digital certificate establishment management module" of the digital certificate subsystem retrieves the call in the digital certificate subsystem according to the received "unique ID data of the operating CA in the digital certificate subsystem" according to the protocol. The "public key in the operation CA digital certificate"; and applying the "public key in the operation CA digital certificate" to verify the received "digital signature of the operating CA";
(3)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”。(3) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem".
6、如上述2所述的数字证书子系统,其特征还在于:其包括有“数字证书建立管理模块”和“数字证书子系统管理方的数字证书的公钥”及“运营CA数字证书的公钥”,用于管理在该数字证书子系统中建立“需有数字证书子系统管理方和运营CA双重认证才能建立的数字证书应用”;若没有“数字证书子系统管理方和运营CA的双重认证”,就不能在该数字证书子系统中建立数字证书应用;6. The digital certificate subsystem according to 2 above, characterized in that it comprises a "digital certificate establishment management module" and a "public key of a digital certificate of a digital certificate subsystem management party" and "operating a CA digital certificate" Public key" is used to manage the establishment of a digital certificate application that can be established by the digital certificate subsystem management and the operational CA dual authentication in the digital certificate subsystem; if there is no "digital certificate subsystem management party and operational CA" Double authentication, it is impossible to establish a digital certificate application in the digital certificate subsystem;
其中,运营CA是通过“该运营CA的注册中心(RA)”,办理在“该数字证书子系统中建立用户数字证书”的注册认证业务;The operating CA is a registered authentication service that establishes a user digital certificate in the digital certificate subsystem through the "Registration Center (RA) of the operating CA";
其特征是包括下面步骤:It is characterized by the following steps:
(1)该“数字证书子系统”接收到“‘在该数字证书子系统中建立数字证书的请求’、‘按协议要认证的信息数据’及数字证书子系统管理方的数字签名、及‘运营CA的RA的数字签名’、和‘该运营CA签发的该RA的数字证书’”;(1) The "Digital Certificate Subsystem" receives "a request to establish a digital certificate in the digital certificate subsystem", "information data to be authenticated by the protocol", and a digital signature of the digital certificate subsystem management party, and ' The digital signature 'of the RA of the operating CA', and 'the digital certificate of the RA issued by the operational CA'";
(2)该数字证书子系统的“数字证书建立管理模块”,按协议,应用存储在该数字证书子系统中的“运营CA数字证书的公钥”,对接收到的“该运营CA签发的RA数字证书”进行验证;(2) The "digital certificate establishment management module" of the digital certificate subsystem, according to the protocol, applies the "public key of the operating CA digital certificate" stored in the digital certificate subsystem, and the received "issued by the operational CA" RA digital certificate" for verification;
其验证方法是:The verification method is:
a)按协议,应用“运营CA数字证书的公钥”对“‘RA数字证书’中的运营CA的数字签名”进行解密,得到“‘RA数字证书’中的‘要认证的信息数据’的Hash摘要”,简记用A表示;a) Decrypt the "digital signature of the operating CA in the 'RA digital certificate" by applying the "public key of the operating CA digital certificate" according to the agreement, and obtain the "information data to be authenticated" in the 'RA digital certificate'. Hash summary", abbreviated as A;
b)按协议,对接收到的“‘RA数字证书’中的‘要认证的信息数据’”应用Hash算法进行运算,得到该‘要认证的信息数据’的Hash摘要,简记用B表示;b) applying a Hash algorithm to the received "information data to be authenticated" in the "RA digital certificate" according to the protocol, and obtaining a Hash summary of the information data to be authenticated, which is denoted by B;
c)比较数据A和B;若A等于B,则判定“‘运营CA数字证书的公钥’对该‘RA数字证书’的验证”通过;若A不等于B,则判定“‘运营CA数字证书的公钥’对该‘RA数字证书’的验证”不通过; c) comparing data A and B; if A is equal to B, it is determined that "the public key of the operational CA digital certificate 'passes the verification of the 'RA digital certificate'"; if A is not equal to B, then the judgment "the operational CA number The public key of the certificate 'verification of the 'RA digital certificate' does not pass;
(3)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(3) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
(4)若验证通过,则该“数字证书建立管理模块”,按协议,再应用该“RA数字证书中的公钥”对接收到的“RA数字签名”进行验证;(4) If the verification is passed, the "digital certificate establishment management module", according to the protocol, applies the "public key in the RA digital certificate" to verify the received "RA digital signature";
(5)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(5) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
其中,RA是Registration Authority的缩写,是运营CA的注册服务中心(机构),是CA总体系统的一部分;其用于办理在“该数字证书子系统中建立用户数字证书”的注册认证业务;The RA is an abbreviation of the Registration Authority, is a registered service center (institution) of the operating CA, and is a part of the overall system of the CA; it is used to handle the registration authentication service in the "establishing a digital certificate of the user in the digital certificate subsystem";
运营CA的RA的数字证书,由该运营CA签发认证和管理。The digital certificate of the RA that operates the CA is issued and certified by the operating CA.
7、如上述2、3、4、5、6之一的所述数字证书子系统,其包括有“数字证书建立管理模块”和“数字证书子系统管理方的数字证书的公钥”及“CA数字证书的公钥”,用于管理在该数字证书子系统中建立“需有数字证书子系统管理方和CA双重认证才能建立的数字证书应用”;若没有“数字证书子系统管理方和CA的双重认证”,就不能在该数字证书子系统中建立数字证书应用;7. The digital certificate subsystem of one of the above 2, 3, 4, 5, 6 comprising a "digital certificate establishment management module" and a "public key of a digital certificate subsystem digital certificate" and " The public key of the CA digital certificate is used to manage the establishment of a digital certificate application that requires the digital certificate subsystem management and CA dual authentication to be established in the digital certificate subsystem; if there is no "digital certificate subsystem management party and The CA's dual authentication" cannot establish a digital certificate application in the digital certificate subsystem;
其特征是包括下面步骤:It is characterized by the following steps:
(1)该“数字证书子系统”接收到“‘在该数字证书子系统中建立数字证书的请求’、‘按协议要认证的信息数据’及数字证书子系统管理方的数字签名、及CA的数字签名”;(1) The "Digital Certificate Subsystem" receives "a request to establish a digital certificate in the digital certificate subsystem", "information data to be authenticated by the protocol", and a digital signature of the digital certificate subsystem management party, and CA Digital signature";
(2)该数字证书子系统的“数字证书建立管理模块”,按协议,应用存储在该数字证书子系统中的“数字证书子系统管理方的数字证书的公钥”,对接收到的“数字证书子系统管理方的数字签名”进行验证;(2) The "digital certificate establishment management module" of the digital certificate subsystem, according to the protocol, applies the "public key of the digital certificate subsystem management party's digital certificate" stored in the digital certificate subsystem, to the received " The digital signature of the digital certificate subsystem management party is verified;
(3)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”。(3) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem".
8、如上述2、3、4、5、6之一的所述数字证书子系统,其特征还在于:其包括有“数字证书建立管理模块”和“数字证书子系统管理方的数字证书的公 钥”及“CA数字证书的公钥”,用于管理在该数字证书子系统中建立“需有数字证书子系统管理方和CA双重认证才能建立的数字证书应用”;若没有“数字证书子系统管理方和CA的双重认证”,就不能在该数字证书子系统中建立数字证书应用;8. The digital certificate subsystem of one of the above 2, 3, 4, 5, 6 further characterized in that it comprises a "digital certificate establishment management module" and a digital certificate of the digital certificate subsystem management party. Public "key" and "public key of CA digital certificate" are used to manage the establishment of a digital certificate application that can be established by the digital certificate subsystem management and CA dual authentication in the digital certificate subsystem; if there is no "digital certificate" The system administrator and the CA's two-factor authentication cannot establish a digital certificate application in the digital certificate subsystem;
其中,“数字证书子系统管理方”是通过“该数字证书子系统管理方的注册中心(RA)”,办理在“该数字证书子系统中建立用户数字证书”的注册认证业务;The “digital certificate subsystem management party” is a registration authentication service for “establishing a user digital certificate in the digital certificate subsystem” through “the registration center (RA) of the digital certificate subsystem management party”;
其特征是包括下面步骤:It is characterized by the following steps:
(1)该“数字证书子系统”接收到“‘在该数字证书子系统中建立数字证书的请求’、‘按协议要认证的信息数据’及运营CA的数字签名、及数字证书子系统管理方的RA的数字签名、及‘数字证书子系统管理方的RA的数字证书和其数字证书子系统管理方的数字签名’”;(1) The "Digital Certificate Subsystem" receives the "Request to establish a digital certificate in the digital certificate subsystem", the "information data to be authenticated by the protocol" and the digital signature of the operating CA, and the management of the digital certificate subsystem. The digital signature of the party's RA, and the digital certificate of the RA of the digital certificate subsystem management party and the digital signature of its digital certificate subsystem administrator's;
(2)该数字证书子系统的“数字证书建立管理模块”,按协议,应用存储在该数字证书子系统中的“数字证书子系统管理方数字证书的公钥”,对接收到的“数字证书子系统管理方的数字签名”进行验证;(2) The "digital certificate establishment management module" of the digital certificate subsystem applies the "public key of the digital certificate subsystem management party digital certificate" stored in the digital certificate subsystem according to the protocol, and the received "digital" The digital signature of the certificate subsystem administrator is verified;
(3)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(3) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
(4)若验证通过,则该“数字证书建立管理模块”,按协议,再应用该“数字证书子系统管理方的RA的数字证书中的公钥”对接收到的“数字证书子系统管理方的RA的数字签名”进行验证;(4) If the verification is passed, the "digital certificate establishment management module", according to the agreement, applies the "public key in the digital certificate of the RA of the digital certificate subsystem management party" to the received "digital certificate subsystem management". The digital signature of the party RA is verified;
(5)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(5) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
其中,RA是Registration Authority的缩写,是“数字证书子系统管理方”的注册服务中心,是“数字证书子系统管理方”总体系统的一部分;其用于办理在“该数字证书子系统中建立用户数字证书”的注册认证业务;Among them, RA is the abbreviation of Registration Authority, is the registration service center of “digital certificate subsystem management party”, and is part of the overall system of “digital certificate subsystem management party”; it is used to establish in the “digital certificate subsystem” User digital certificate" registration certification business;
“数字证书子系统管理方的RA的数字证书”,需经“数字证书子系统管理方的签名认证,才能应用于“在该数字证书子系统中建立用户数字证书”的注册认证业务。 The digital certificate of the RA of the digital certificate subsystem management party needs to be signed and authenticated by the digital certificate subsystem management party before it can be applied to the registration authentication service of “establishing a user digital certificate in the digital certificate subsystem”.
9、如上述2所述的数字证书子系统,其特征还在于:其包括有“数字证书建立管理模块”和“数字证书子系统管理方的数字证书的公钥”及国家根CA数字证书的公钥,用于管理在该数字证书子系统中建立“需有数字证书子系统管理方和运营CA双重认证才能建立的数字证书”;若没有“数字证书子系统管理方和运营CA的双重认证”,就不能在该数字证书子系统中建立数字证书;9. The digital certificate subsystem according to 2 above, characterized in that it comprises a "digital certificate establishment management module" and a "public key of a digital certificate of a digital certificate subsystem management party" and a national root CA digital certificate. The public key is used to manage the establishment of a digital certificate that can be established by the digital certificate subsystem management and the operational CA dual authentication in the digital certificate subsystem; if there is no "digital certificate subsystem management party and the operation CA's two-factor authentication" ", you cannot establish a digital certificate in the digital certificate subsystem;
其中,运营CA是通过“该运营CA的注册中心(RA)”,办理在“该数字证书子系统中建立用户数字证书”的注册认证业务;为区别,下面将“该运营CA的注册中心(RA)”,简称为CRA;Among them, the operation CA is through the "Registration Center (RA) of the operation CA", and the registration authentication service of "establishing the user digital certificate in the digital certificate subsystem" is handled; for the difference, the following is the registration center of the operation CA ( RA)", abbreviated as CRA;
其中,“数字证书子系统管理方”是通过“该数字证书子系统管理方的注册中心(RA)”,办理在“该数字证书子系统中建立用户数字证书”的注册认证业务;为区别,下面将“该数字证书子系统管理方的注册中心(RA)”,简称为MRA;Among them, the "digital certificate subsystem management party" is through the "registration center (RA) of the digital certificate subsystem management party", and the registration authentication service of "establishing a user digital certificate in the digital certificate subsystem" is handled; The following is the "Registration Center (RA) of the digital certificate subsystem management party", referred to as MRA;
其特征是包括下面步骤:It is characterized by the following steps:
(1)该“数字证书子系统”接收到“‘在该数字证书子系统中建立数字证书的请求’、‘按协议要认证的信息数据’及‘运营CA的CRA的数字签名’、及‘运营CA的数字证书’、及‘该运营CA签发的该CRA的数字证书’、及‘数字证书子系统管理方的MRA的数字签名’、及‘该MRA的数字证书和其数字证书子系统管理方的数字签名’”;(1) The "Digital Certificate Subsystem" receives "a request to establish a digital certificate in the digital certificate subsystem", "information data to be authenticated by the protocol", and a "digital signature of the CRA of the operating CA", and ' The digital certificate of the operating CA', and the digital certificate of the CRA issued by the operating CA, and the digital signature of the MRA of the digital certificate subsystem management, and the digital certificate of the MRA and its digital certificate subsystem management Party digital signature '";
(2)该数字证书子系统的“数字证书建立管理模块”,按协议,应用存储在该数字证书子系统中的“数字证书子系统管理方的数字证书的公钥”对接收到的“该MRA数字证书的数字证书子系统管理方的数字签名”进行验证;(2) The "digital certificate establishment management module" of the digital certificate subsystem, according to the protocol, applies the "public key of the digital certificate subsystem management party's digital certificate" stored in the digital certificate subsystem to the received The digital signature of the digital certificate subsystem management party of the MRA digital certificate is verified;
(3)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(3) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
(4)若验证通过,则该“数字证书建立管理模块”,按协议,应用“该MRA的数字证书”中的公钥,对接收到的“该MRA的数字签名”进行验证;(4) If the verification is passed, the "digital certificate establishment management module", according to the protocol, applies the public key in the "digital certificate of the MRA" to verify the received "digital signature of the MRA";
(5)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(5) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
(6)若验证通过,则该“数字证书建立管理模块”,按协议,继续应用存储在该数字证书子系统中的“国家根CA数字证书的公钥”,对接收到的“运营 CA的数字证书”进行验证;(6) If the verification is passed, the "digital certificate establishment management module" continues to apply the "public key of the national root CA digital certificate" stored in the digital certificate subsystem according to the protocol, and the received "operation" CA's digital certificate" is verified;
(7)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(7) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
(8)若验证通过,则该“数字证书建立管理模块”,按协议,应用“该接收到的运营CA数字证书中的公钥”,对接收到的“该运营CA签发的CRA数字证书”进行验证;(8) If the verification is passed, the "digital certificate establishment management module" applies the "public key in the received operational CA digital certificate" according to the protocol, and receives the received "CRA digital certificate issued by the operational CA". authenticating;
(9)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(9) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
(10)若验证通过,则该“数字证书建立管理模块”,按协议,应用“该运营CA签发的CRA数字证书”中的公钥,对接收到的“该CRA的数字签名”进行验证;(10) If the verification is passed, the "digital certificate establishment management module", according to the protocol, applies the public key in the "CRA digital certificate issued by the operation CA" to verify the received "digital signature of the CRA";
(11)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(11) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
(12)若验证通过,则该“数字证书建立管理模块”,按协议,启动在该数字证书子系统中建立数字证书的流程;该流程包括:(12) If the verification is passed, the “digital certificate establishment management module” starts a process of establishing a digital certificate in the digital certificate subsystem according to the protocol; the process includes:
a)该“数字证书建立管理模块”,启动该数字证书子系统中的“非对称密钥生成模块”,生成该数字证书子系统的非对称密钥对(公钥和私钥);a) the "digital certificate establishment management module", starting the "asymmetric key generation module" in the digital certificate subsystem, generating an asymmetric key pair (public key and private key) of the digital certificate subsystem;
b)该“数字证书建立管理模块”,按协议,在该数字证书子系统中保存该密钥对的私钥;b) the "digital certificate establishment management module", in which the private key of the key pair is stored in the digital certificate subsystem;
c)该“数字证书建立管理模块”,按协议,将该密钥对的公钥输出给CA,用于CA签发基于该公钥的数字证书。c) The "digital certificate establishment management module" outputs the public key of the key pair to the CA according to the protocol for the CA to issue a digital certificate based on the public key.
10、如上述2所述的数字证书子系统,其特征还在于:其包括有“数字证书建立管理模块”和“数字证书子系统管理方的数字证书的公钥”及国家根CA数字证书的公钥、及“运营CA数字证书的公钥”,用于管理在该数字证书子系统中建立“需有数字证书子系统管理方和运营CA双重认证才能下载建立的数字证书”;若没有“数字证书子系统管理方和运营CA的双重认证”,就不能在该数字证书子系统中建立数字证书; 10. The digital certificate subsystem as described in 2 above, characterized in that it comprises a "digital certificate establishment management module" and a "public certificate of a digital certificate of a digital certificate subsystem management party" and a national root CA digital certificate. The public key and the “public key of the operational CA digital certificate” are used to manage the establishment of a digital certificate in the digital certificate subsystem that requires the digital certificate subsystem management and the operational CA to be dual-certified to be downloaded and established; The digital certificate subsystem and the operating CA's two-factor authentication cannot establish a digital certificate in the digital certificate subsystem;
其中,运营CA是通过“该运营CA的注册中心(RA)”,办理在“该数字证书子系统中建立用户数字证书”的注册认证业务;为区别,下面将“该运营CA的注册中心(RA)”,简称为CRA;Among them, the operation CA is through the "Registration Center (RA) of the operation CA", and the registration authentication service of "establishing the user digital certificate in the digital certificate subsystem" is handled; for the difference, the following is the registration center of the operation CA ( RA)", abbreviated as CRA;
其中,“数字证书子系统管理方”是通过“该数字证书子系统管理方的注册中心(RA)”,办理在“该数字证书子系统中建立用户数字证书”的注册认证业务;为区别,下面将“该数字证书子系统管理方的注册中心(RA)”,简称为MRA;Among them, the "digital certificate subsystem management party" is through the "registration center (RA) of the digital certificate subsystem management party", and the registration authentication service of "establishing a user digital certificate in the digital certificate subsystem" is handled; The following is the "Registration Center (RA) of the digital certificate subsystem management party", referred to as MRA;
其特征是包括下面步骤:It is characterized by the following steps:
(1)该“数字证书子系统”接收到“‘在该数字证书子系统中建立数字证书的请求’、‘按协议要认证的信息数据’及‘运营CA的CRA的数字签名’、及‘该运营CA签发的该CRA的数字证书’、及‘数字证书子系统管理方的MRA的数字签名’、及‘该MRA的数字证书和其数字证书子系统管理方的数字签名’”;(1) The "Digital Certificate Subsystem" receives "a request to establish a digital certificate in the digital certificate subsystem", "information data to be authenticated by the protocol", and a "digital signature of the CRA of the operating CA", and ' The digital certificate of the CRA issued by the operating CA, and the digital signature of the MRA of the digital certificate subsystem manager, and the digital certificate of the MRA and the digital signature of its digital certificate subsystem management party";
(2)该数字证书子系统的“数字证书建立管理模块”,按协议,应用存储在该数字证书子系统中的“数字证书子系统管理方的数字证书的公钥”对接收到的“该MRA数字证书的数字证书子系统管理方的数字签名”进行验证;(2) The "digital certificate establishment management module" of the digital certificate subsystem, according to the protocol, applies the "public key of the digital certificate subsystem management party's digital certificate" stored in the digital certificate subsystem to the received The digital signature of the digital certificate subsystem management party of the MRA digital certificate is verified;
(3)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(3) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
(4)若验证通过,则该“数字证书建立管理模块”,按协议,应用“该MRA的数字证书”中的公钥,对接收到的“该MRA的数字签名”进行验证;(4) If the verification is passed, the "digital certificate establishment management module", according to the protocol, applies the public key in the "digital certificate of the MRA" to verify the received "digital signature of the MRA";
(5)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(5) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
(6)若验证通过,则该“数字证书建立管理模块”,按协议,继续应用存储在该数字证书子系统中的“运营CA数字证书中的公钥”,对接收到的“该运营CA签发的CRA数字证书”进行验证;(6) If the verification is passed, the "digital certificate establishment management module" continues to apply the "public key in the operational CA digital certificate" stored in the digital certificate subsystem according to the protocol, and the received "the operation CA" The issued CRA digital certificate is verified;
(7)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(7) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
(8)若验证通过,则该“数字证书建立管理模块”,按协议,应用“该运营CA签发的CRA数字证书”中的公钥,对接收到的“该CRA的数字签名”进行验证; (8) If the verification is passed, the "digital certificate establishment management module", according to the protocol, applies the public key in the "CRA digital certificate issued by the operating CA" to verify the received "digital signature of the CRA";
(9)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(9) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
(10)若验证通过,则该“数字证书建立管理模块”,按协议,启动在该数字证书子系统中建立数字证书的流程;该流程包括:(10) If the verification is passed, the “digital certificate establishment management module” initiates a process of establishing a digital certificate in the digital certificate subsystem according to the protocol; the process includes:
a)该“数字证书建立管理模块”,启动该数字证书子系统中的“非对称密钥生成模块”,生成该数字证书子系统的非对称密钥对(公钥和私钥);a) the "digital certificate establishment management module", starting the "asymmetric key generation module" in the digital certificate subsystem, generating an asymmetric key pair (public key and private key) of the digital certificate subsystem;
b)该“数字证书建立管理模块”,按协议,在该数字证书子系统中保存该密钥对的私钥;b) the "digital certificate establishment management module", in which the private key of the key pair is stored in the digital certificate subsystem;
c)该“数字证书建立管理模块”,按协议,将该密钥对的公钥输出给CA,用于CA签发基于该公钥的数字证书。c) The "digital certificate establishment management module" outputs the public key of the key pair to the CA according to the protocol for the CA to issue a digital certificate based on the public key.
有益效果:Beneficial effects:
本发明提供的一种数字证书子系统,解决了现有数字证书技术中存在的问题,使数字证书子系统可集成于手机中低成本广泛应用;并兼容“各CA签发的数字证书的应用”;并更可靠更安全;同时,手机厂商也可利用手机数字证书子系统及其应用的功能亮点,充分增进扩大手机市场。The invention provides a digital certificate subsystem, which solves the problems existing in the existing digital certificate technology, enables the digital certificate subsystem to be integrated into a mobile phone and is widely used at low cost; and is compatible with "application of digital certificates issued by each CA" And more reliable and safer; at the same time, mobile phone manufacturers can also use the mobile phone digital certificate subsystem and its application features highlights to fully expand the mobile phone market.
附图说明DRAWINGS
图1是现有数字证书子系统的结构示意图。FIG. 1 is a schematic structural diagram of a conventional digital certificate subsystem.
图2是本发明数字证书子系统的结构示意图。。2 is a schematic structural view of a digital certificate subsystem of the present invention. .
图3是本发明实施例1的数字证书子系统的结构示意图。3 is a schematic structural diagram of a digital certificate subsystem according to Embodiment 1 of the present invention.
图4是本发明实施例2的数字证书子系统的结构示意图。4 is a schematic structural diagram of a digital certificate subsystem according to Embodiment 2 of the present invention.
图5是基于本发明书数字证书子系统的用户数字证书的注册认证系统的结构示意图。FIG. 5 is a schematic structural diagram of a registration and authentication system for a user digital certificate based on the digital certificate subsystem of the present invention.
具体实施方式detailed description
下面结合附图给出几个具体实施例,对本发明的总体构思和具体技术方案作进一步的详细描述: Several specific embodiments are given below in conjunction with the accompanying drawings, and the present general inventive concept and specific technical solutions are further described in detail:
实施例1:Example 1:
本发明实施例1的数字证书子系统是一种手机数字证书子系统,其由手机厂商设计集成于匹配的手机系统中;同时,该手机厂商是该数字证书子系统的管理方,并与CA一起管理在该数字证书子系统建立数字证书及其应用;The digital certificate subsystem of the first embodiment of the present invention is a mobile phone digital certificate subsystem designed and integrated by a mobile phone manufacturer into a matched mobile phone system; meanwhile, the mobile phone manufacturer is a management party of the digital certificate subsystem, and is associated with the CA. Working together to establish a digital certificate and its application in the digital certificate subsystem;
参考附图3,本发明实施例1的数字证书子系统,其特征是:其包括有“数字证书建立管理模块”和“数字证书子系统管理方的数字证书的公钥”及国家根CA数字证书的公钥,用于管理在该数字证书子系统中建立“需有数字证书子系统管理方和运营CA双重认证才能建立的数字证书”;若没有“数字证书子系统管理方和运营CA的双重认证”,就不能在该数字证书子系统中建立数字证书;Referring to FIG. 3, a digital certificate subsystem according to Embodiment 1 of the present invention is characterized in that it includes a "digital certificate establishment management module" and a "public key of a digital certificate of a digital certificate subsystem management party" and a national root CA number. The public key of the certificate is used to manage the establishment of a digital certificate in the digital certificate subsystem that requires dual authentication of the digital certificate subsystem and the operating CA. If there is no "digital certificate subsystem management party and operating CA" Double authentication, it is impossible to establish a digital certificate in the digital certificate subsystem;
其中,运营CA是通过“该运营CA的注册中心(RA)”,办理在“该数字证书子系统中建立用户数字证书”的注册认证业务;为区别,下面将“该运营CA的注册中心(RA)”,简称为CRA;Among them, the operation CA is through the "Registration Center (RA) of the operation CA", and the registration authentication service of "establishing the user digital certificate in the digital certificate subsystem" is handled; for the difference, the following is the registration center of the operation CA ( RA)", abbreviated as CRA;
其中,“数字证书子系统管理方(即:手机厂商)”是通过“该数字证书子系统管理方的注册中心(RA)”,办理在“该数字证书子系统中建立用户数字证书”的注册认证业务;为区别,下面将“该数字证书子系统管理方的注册中心(RA)”,简称为MRA;Among them, the "digital certificate subsystem management party (ie: mobile phone manufacturer)" is through the "registration center (RA) of the digital certificate subsystem management party", the registration of "establishing a user digital certificate in the digital certificate subsystem" Authentication service; for the difference, the following is the "Registration Center (RA) of the digital certificate subsystem management party", referred to as MRA;
其特征是包括下面步骤:It is characterized by the following steps:
(1)该“数字证书子系统”接收到“‘在该数字证书子系统中建立数字证书的请求’、‘按协议要认证的信息数据’及‘运营CA的CRA的数字签名’、及‘运营CA的数字证书’、及‘该运营CA签发的该CRA的数字证书’、及‘数字证书子系统管理方的MRA的数字签名’、及‘该MRA的数字证书和其数字证书子系统管理方的数字签名’”;(1) The "Digital Certificate Subsystem" receives "a request to establish a digital certificate in the digital certificate subsystem", "information data to be authenticated by the protocol", and a "digital signature of the CRA of the operating CA", and ' The digital certificate of the operating CA', and the digital certificate of the CRA issued by the operating CA, and the digital signature of the MRA of the digital certificate subsystem management, and the digital certificate of the MRA and its digital certificate subsystem management Party digital signature '";
(2)该数字证书子系统的“数字证书建立管理模块”,按协议,应用存储在该数字证书子系统中的“数字证书子系统管理方的数字证书的公钥”对接收到的“该MRA数字证书的数字证书子系统管理方的数字签名”进行验证;(2) The "digital certificate establishment management module" of the digital certificate subsystem, according to the protocol, applies the "public key of the digital certificate subsystem management party's digital certificate" stored in the digital certificate subsystem to the received The digital signature of the digital certificate subsystem management party of the MRA digital certificate is verified;
(3)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(3) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
(4)若验证通过,则该“数字证书建立管理模块”,按协议,应用“该MRA的数字证书”中的公钥,对接收到的“该MRA的数字签名”进行验证; (4) If the verification is passed, the "digital certificate establishment management module", according to the protocol, applies the public key in the "digital certificate of the MRA" to verify the received "digital signature of the MRA";
(5)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(5) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
(6)若验证通过,则该“数字证书建立管理模块”,按协议,继续应用存储在该数字证书子系统中的“国家根CA数字证书的公钥”,对接收到的“运营CA的数字证书”进行验证;(6) If the verification is passed, the "digital certificate establishment management module" continues to apply the "public key of the national root CA digital certificate" stored in the digital certificate subsystem according to the protocol, and the received "operating CA" Digital certificate" for verification;
(7)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(7) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
(8)若验证通过,则该“数字证书建立管理模块”,按协议,应用“该接收到的运营CA数字证书中的公钥”,对接收到的“该运营CA签发的CRA数字证书”进行验证;(8) If the verification is passed, the "digital certificate establishment management module" applies the "public key in the received operational CA digital certificate" according to the protocol, and receives the received "CRA digital certificate issued by the operational CA". authenticating;
(9)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(9) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
(10)若验证通过,则该“数字证书建立管理模块”,按协议,应用“该运营CA签发的CRA数字证书”中的公钥,对接收到的“该CRA的数字签名”进行验证;(10) If the verification is passed, the "digital certificate establishment management module", according to the protocol, applies the public key in the "CRA digital certificate issued by the operation CA" to verify the received "digital signature of the CRA";
(11)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(11) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
(12)若验证通过,则该“数字证书建立管理模块”,按协议,启动在该数字证书子系统中建立数字证书的流程;该流程包括:(12) If the verification is passed, the “digital certificate establishment management module” starts a process of establishing a digital certificate in the digital certificate subsystem according to the protocol; the process includes:
a)该“数字证书建立管理模块”,启动该数字证书子系统中的“非对称密钥生成模块”,生成该数字证书子系统的非对称密钥对(公钥和私钥);a) the "digital certificate establishment management module", starting the "asymmetric key generation module" in the digital certificate subsystem, generating an asymmetric key pair (public key and private key) of the digital certificate subsystem;
b)该“数字证书建立管理模块”,按协议,在该数字证书子系统中保存该密钥对的私钥;b) the "digital certificate establishment management module", in which the private key of the key pair is stored in the digital certificate subsystem;
c)该“数字证书建立管理模块”,按协议,将该密钥对的公钥输出给CA,用于CA签发基于该公钥的数字证书。c) The "digital certificate establishment management module" outputs the public key of the key pair to the CA according to the protocol for the CA to issue a digital certificate based on the public key.
实施例2:Example 2:
本发明实施例2的数字证书子系统是一种手机数字证书子系统,其由手机 厂商设计集成于匹配的手机系统中;同时,该手机厂商是该数字证书子系统的管理方,并与CA一起管理在该数字证书子系统建立数字证书及其应用;The digital certificate subsystem of Embodiment 2 of the present invention is a mobile phone digital certificate subsystem, which is composed of a mobile phone. The manufacturer design is integrated in the matching mobile phone system; at the same time, the mobile phone manufacturer is the management party of the digital certificate subsystem, and manages to establish a digital certificate and its application in the digital certificate subsystem together with the CA;
参考附图4,本发明实施例2的数字证书子系统,其特征在于:其包括有“数字证书建立管理模块”和“数字证书子系统管理方的数字证书的公钥”及多个不同的“运营CA的数字证书的公钥”,用于管理在该数字证书子系统中建立“需有数字证书子系统管理方和运营CA双重认证才能下载建立的数字证书”;若没有“数字证书子系统管理方和运营CA的双重认证”,就不能在该数字证书子系统中建立数字证书;Referring to FIG. 4, a digital certificate subsystem according to Embodiment 2 of the present invention is characterized in that it includes a "digital certificate establishment management module" and a "public key of a digital certificate of a digital certificate subsystem management party" and a plurality of different "The public key of the digital certificate of the operating CA" is used to manage the establishment of a digital certificate in the digital certificate subsystem that requires both the digital certificate subsystem management and the operational CA to be downloaded and created; if there is no "digital certificate" The two-factor authentication of the system administrator and the operating CA cannot establish a digital certificate in the digital certificate subsystem;
其中,每个“运营CA的数字证书的公钥”按其唯一ID数据被检索调用;Wherein, each "public key of the digital certificate of the operating CA" is retrieved and called according to its unique ID data;
其中,运营CA是通过“该运营CA的注册中心(RA)”,办理在“该数字证书子系统中建立用户数字证书”的注册认证业务;为区别,下面将“该运营CA的注册中心(RA)”,简称为CRA;Among them, the operation CA is through the "Registration Center (RA) of the operation CA", and the registration authentication service of "establishing the user digital certificate in the digital certificate subsystem" is handled; for the difference, the following is the registration center of the operation CA ( RA)", abbreviated as CRA;
其中,“数字证书子系统管理方”是通过“该数字证书子系统管理方的注册中心(RA)”,办理在“该数字证书子系统中建立用户数字证书”的注册认证业务;为区别,下面将“该数字证书子系统管理方的注册中心(RA)”,简称为MRA;Among them, the "digital certificate subsystem management party" is through the "registration center (RA) of the digital certificate subsystem management party", and the registration authentication service of "establishing a user digital certificate in the digital certificate subsystem" is handled; The following is the "Registration Center (RA) of the digital certificate subsystem management party", referred to as MRA;
其特征是包括下面步骤:It is characterized by the following steps:
(1)该“数字证书子系统”接收到“‘在该数字证书子系统中建立数字证书的请求’、‘按协议要认证的信息数据’及‘运营CA的CRA的数字签名’、该运营CA在该数字证书子系统中的唯一ID数据、及‘该运营CA签发的该CRA的数字证书’、及‘数字证书子系统管理方的MRA的数字签名’、及‘该MRA的数字证书和其数字证书子系统管理方的数字签名’”;(1) The "Digital Certificate Subsystem" receives "a request to establish a digital certificate in the digital certificate subsystem", "information data to be authenticated by the protocol", and a "digital signature of the CRA of the operating CA", the operation The unique ID data of the CA in the digital certificate subsystem, and the 'digital certificate of the CRA issued by the operating CA', and the digital signature of the MRA of the digital certificate subsystem administrator, and the digital certificate of the MRA The digital signature of the administrator of its digital certificate subsystem'";
(2)该数字证书子系统的“数字证书建立管理模块”,按协议,应用存储在该数字证书子系统中的“数字证书子系统管理方的数字证书的公钥”对接收到的“该MRA数字证书的数字证书子系统管理方的数字签名”进行验证;(2) The "digital certificate establishment management module" of the digital certificate subsystem, according to the protocol, applies the "public key of the digital certificate subsystem management party's digital certificate" stored in the digital certificate subsystem to the received The digital signature of the digital certificate subsystem management party of the MRA digital certificate is verified;
(3)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(3) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
(4)若验证通过,则该“数字证书建立管理模块”,按协议,应用“该MRA的数字证书”中的公钥,对接收到的“该MRA的数字签名”进行验证; (4) If the verification is passed, the "digital certificate establishment management module", according to the protocol, applies the public key in the "digital certificate of the MRA" to verify the received "digital signature of the MRA";
(5)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(5) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
(6)若验证通过,则该“数字证书建立管理模块”,按协议,按接收到的“该运营CA在该数字证书子系统中的唯一ID数据”,在该数字证书子系统中检索调用该“运营CA数字证书中的公钥”;并应用该“运营CA数字证书中的公钥”,对接收到的“该运营CA签发的CRA数字证书”进行验证;(6) If the verification is passed, the "digital certificate establishment management module" retrieves the call in the digital certificate subsystem according to the received "unique ID data of the operation CA in the digital certificate subsystem" according to the protocol. The "public key in the operation of the CA digital certificate"; and applying the "public key in the operational CA digital certificate" to verify the received "CRA digital certificate issued by the operational CA";
(7)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(7) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
(8)若验证通过,则该“数字证书建立管理模块”,按协议,应用“该运营CA签发的CRA数字证书”中的公钥,对接收到的“该CRA的数字签名”进行验证;(8) If the verification is passed, the "digital certificate establishment management module", according to the protocol, applies the public key in the "CRA digital certificate issued by the operating CA" to verify the received "digital signature of the CRA";
(9)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(9) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
(10)若验证通过,则该“数字证书建立管理模块”,按协议,启动在该数字证书子系统中建立数字证书的流程;该流程包括:(10) If the verification is passed, the “digital certificate establishment management module” initiates a process of establishing a digital certificate in the digital certificate subsystem according to the protocol; the process includes:
a)该“数字证书建立管理模块”,启动该数字证书子系统中的“非对称密钥生成模块”,生成该数字证书子系统的非对称密钥对(公钥和私钥);a) the "digital certificate establishment management module", starting the "asymmetric key generation module" in the digital certificate subsystem, generating an asymmetric key pair (public key and private key) of the digital certificate subsystem;
b)该“数字证书建立管理模块”,按协议,在该数字证书子系统中保存该密钥对的私钥;b) the "digital certificate establishment management module", in which the private key of the key pair is stored in the digital certificate subsystem;
c)该“数字证书建立管理模块”,按协议,将该密钥对的公钥输出给CA,用于CA签发基于该公钥的数字证书。c) The "digital certificate establishment management module" outputs the public key of the key pair to the CA according to the protocol for the CA to issue a digital certificate based on the public key.
综上所述,本发明提供的数字证书子系统的技术方案,可解决了现有数字证书技术中存在的问题,使数字证书子系统可集成于手机中低成本广泛应用;并兼容“各CA签发的数字证书的应用”;并更可靠更安全;同时,手机厂商也可利用手机数字证书子系统及其应用的功能亮点,充分增进扩大手机市场。In summary, the technical solution of the digital certificate subsystem provided by the present invention can solve the problems existing in the existing digital certificate technology, so that the digital certificate subsystem can be integrated into a mobile phone and widely used at low cost; and is compatible with "CA" The application of issued digital certificates is more reliable and safer; at the same time, mobile phone manufacturers can also take advantage of the functional highlights of the mobile digital certificate subsystem and its applications to fully expand the mobile phone market.
需说明的是:本发明提供的数字证书子系统的技术方案,不仅适用于手机,同样也适用于电脑笔记本、服务器等各类计算机系统的数字证书技术的应用。 It should be noted that the technical solution of the digital certificate subsystem provided by the present invention is applicable not only to mobile phones, but also to the application of digital certificate technology of various computer systems such as computer notebooks and servers.

Claims (10)

  1. 本发明提供的一种数字证书子系统,是包括有:处理器、存储器及软件系统、及加密解密模块、及密钥生成模块的计算机子系统,其特征在于:其包括有“数字证书建立管理模块”和“数字证书子系统管理方的认证数据的验证密钥”及“数字证书认证方的认证数据的验证密钥”,用于管理在该数字证书子系统中建立“需有数字证书子系统管理方和数字证书认证方双重认证才能建立的数字证书应用”;若没有“数字证书子系统管理方和数字证书认证方的双重认证”,就不能在该数字证书子系统中建立数字证书应用;A digital certificate subsystem provided by the present invention includes a processor, a memory and software system, and an encryption and decryption module, and a computer subsystem of a key generation module, which is characterized in that it includes "digital certificate establishment management". "module" and "authentication key of the authentication data of the digital certificate subsystem management party" and "authentication key of the authentication data of the digital certificate authenticator" for managing the establishment of the "digital certificate required" in the digital certificate subsystem Digital certificate application can be established only by system administrator and digital certificate authenticator; if there is no "dual certificate subsystem management and digital certificate authenticator's two-factor authentication", digital certificate application cannot be established in the digital certificate subsystem. ;
    其特征是包括下面步骤:It is characterized by the following steps:
    (1)该“数字证书子系统”接收到“‘在该数字证书子系统中建立数字证书的请求’、‘按协议要认证的信息数据’及数字证书子系统管理方的认证密钥的认证数据、及数字证书认证方的认证密钥的认证数据”;(1) The "Digital Certificate Subsystem" receives the "Request to establish a digital certificate in the digital certificate subsystem", the "information data to be authenticated by the protocol", and the authentication key of the digital certificate subsystem management party. Data, and authentication data of the authentication key of the digital certificate authenticator";
    其中,数字证书认证方或数字证书子系统管理方的认证数据,是指:用数字证书认证方或数字证书子系统管理方的认证密钥,对“‘要认证的信息数据’的Hash摘要”进行加密后的加密数据;The authentication data of the digital certificate authenticator or the digital certificate subsystem management party refers to: the authentication key of the digital certificate authenticator or the digital certificate subsystem administrator, and the "Hash summary of the information data to be authenticated" Encrypted encrypted data;
    (2)该数字证书子系统的“数字证书建立管理模块”,按协议,应用存储在该数字证书子系统中的“数字证书子系统管理方的认证数据的验证密钥”对“数字证书子系统管理方的认证密钥的认证数据”进行验证;(2) The "digital certificate establishment management module" of the digital certificate subsystem applies the "authentication key of the authentication data of the digital certificate subsystem management party" stored in the digital certificate subsystem to the "digital certificate" according to the protocol. The authentication data of the authentication key of the system administrator is verified;
    其中,“验证密钥”对“认证密钥的认证数据”的验证方法是:The verification method of "authentication key" to "authentication data of authentication key" is:
    a)按协议,应用“验证密钥”对“认证密钥的认证数据”进行解密,得到“‘要认证的信息数据’的Hash摘要”,简记用A表示;a) According to the protocol, the "authentication key" is used to decrypt the "authentication data of the authentication key", and the "hash summary of the information data to be authenticated" is obtained, which is denoted by A;
    b)按协议,对“接收到的‘按协议要认证的信息数据’”应用Hash算法进行运算,得到该‘按协议要认证的信息数据’的Hash摘要,简记用B表示;b) applying the Hash algorithm to the received "information data to be authenticated by protocol" according to the protocol, and obtaining a Hash summary of the "information data to be authenticated by protocol", which is denoted by B;
    c)比较数据A和B;若A等于B,则判定“‘验证密钥’对‘认证密钥的认证数据’的验证”通过;若A不等于B,则判定“‘验证密钥’对‘认证密钥的认证数据’的验证”不通过;c) comparing the data A and B; if A is equal to B, it is determined that "the verification of the 'authentication key' for the authentication data of the authentication key' is passed"; if A is not equal to B, the "authentication key" pair is determined 'Verification of authentication data for authentication key' does not pass;
    (3)若上述对“数字证书子系统管理方的认证密钥的认证数据”的验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”; (3) If the above verification of the "authentication data of the authentication key of the digital certificate subsystem management party" fails, the "digital certificate establishment management module" does not allow establishment in the "digital certificate subsystem". Requested digital certificate";
    其中,数字证书认证方,可以是CA,也可以是“与CA具有同等认证效力的CA计算机认证管理系统”;The digital certificate authenticator may be a CA or a CA computer authentication management system having the same certification effect as the CA;
    CA是负责认证、签发和管理数字证书的第三方权威机构;CA是通过CA计算机认证管理系统管理签发用户数字证书;CA is the third-party authority responsible for the certification, issuance and management of digital certificates; CA is the management of the issuance of user digital certificates through the CA computer certification management system;
    其中,数字证书子系统管理方,可以是数字证书子系统管理机构,也可以是“与‘数字证书子系统管理机构’具有同等管理效力的‘数字证书子系统管理机构’的计算机管理系统”;The digital certificate subsystem management party may be a digital certificate subsystem management organization, or may be a computer management system of a 'digital certificate subsystem management institution' having the same management effect as the 'digital certificate subsystem management institution';
    “数字证书子系统管理机构”是管理“在数字证书子系统中建立数字证书应用的管理机构;其可以是CA,也可以不是CA;其特征是:其是和“与其不同的CA”共同管理“在数字证书子系统中建立数字证书应用”的管理机构;The "Digital Certificate Subsystem Authority" is the management organization that manages the establishment of a digital certificate application in the digital certificate subsystem; it may or may not be a CA; it is characterized in that it is managed jointly with "a different CA" The governing body for “establishing a digital certificate application in the digital certificate subsystem”;
    “数字证书子系统管理机构”是通过“数字证书子系统管理机构的计算机管理系统”管理“在数字证书子系统中建立数字证书应用”;该“数字证书子系统管理机构的计算机管理系统”,简称为:数字证书子系统管理平台;The “Digital Certificate Subsystem Management Organization” manages “Building a Digital Certificate Application in the Digital Certificate Subsystem” through the “Computer Management System of the Digital Certificate Subsystem Authority”; the “Computer Management System of the Digital Certificate Subsystem Management Organization”, Referred to as: digital certificate subsystem management platform;
    其中,数字证书认证方或数字证书子系统管理方的认证密钥和验证密钥,是一对可相互唯一验证的密钥,其可以是对称密钥,也可以是非对称密钥。The authentication key and the verification key of the digital certificate authenticator or the digital certificate subsystem administrator are a pair of mutually uniquely authenticated keys, which may be symmetric keys or asymmetric keys.
  2. 如权利要求1所述的数字证书子系统,其包括有“数字证书建立管理模块”和“数字证书子系统管理方的认证数据的验证密钥”及“数字证书认证方的认证数据的验证密钥”,用于管理在该数字证书子系统中建立“需有数字证书子系统管理方和数字证书认证方双重认证才能建立的数字证书应用”;若没有“数字证书子系统管理方和数字证书认证方的双重认证”,就不能在该数字证书子系统中建立数字证书应用;The digital certificate subsystem according to claim 1, comprising: a "digital certificate establishment management module" and a "authentication key of the authentication data of the digital certificate subsystem management party" and a verification key of the authentication data of the digital certificate authenticator Key" is used to manage the establishment of a digital certificate application that can be established by dual authentication of the digital certificate subsystem administrator and the digital certificate authenticator in the digital certificate subsystem; if there is no "digital certificate subsystem administrator and digital certificate" The two-factor authentication of the authenticator cannot establish a digital certificate application in the digital certificate subsystem;
    其特征是还包括下面步骤:It is also characterized by the following steps:
    (1)该“数字证书子系统”接收到“‘在该数字证书子系统中建立数字证书的请求’、‘按协议要认证的信息数据’及数字证书子系统管理方的认证密钥的认证数据、及数字证书认证方的认证密钥的认证数据’”;(1) The "Digital Certificate Subsystem" receives the "Request to establish a digital certificate in the digital certificate subsystem", the "information data to be authenticated by the protocol", and the authentication key of the digital certificate subsystem management party. Data, and authentication data of the authentication key of the digital certificate authenticator'";
    (2)该数字证书子系统的“数字证书建立管理模块”,按协议,应用存储在该数字证书子系统中的“数字证书认证方的认证数据的验证密钥”对“数字 证书认证方的认证密钥的认证数据”进行验证;(2) The "digital certificate establishment management module" of the digital certificate subsystem applies the "authentication key of the authentication data of the digital certificate authenticator" stored in the digital certificate subsystem to the "digital" according to the protocol. The authentication data of the certificate authenticator's authentication key is verified;
    (3)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(3) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
    其中,数字证书认证方或数字证书子系统管理方的认证密钥和验证密钥,是一对可相互唯一验证的密钥,其可以是对称密钥,也可以是非对称密钥。The authentication key and the verification key of the digital certificate authenticator or the digital certificate subsystem administrator are a pair of mutually uniquely authenticated keys, which may be symmetric keys or asymmetric keys.
  3. 如权利要求2所述的数字证书子系统,其特征还在于:其包括有“数字证书建立管理模块”和“数字证书子系统管理方的数字证书的公钥”及“国家根CA数字证书的公钥”,用于管理在该数字证书子系统中建立“需有数字证书子系统管理方和CA双重认证才能建立的数字证书应用”;若没有“数字证书子系统管理方和CA的双重认证”,就不能在该数字证书子系统中建立数字证书应用;The digital certificate subsystem of claim 2, further comprising: a "digital certificate establishment management module" and a "public key of a digital certificate subsystem digital certificate" and a "national root CA digital certificate" Public key" is used to manage the establishment of a digital certificate application that requires the digital certificate subsystem management and CA dual authentication to be established in the digital certificate subsystem; if there is no "digital certificate subsystem management party and CA's dual authentication" ", you cannot establish a digital certificate application in the digital certificate subsystem;
    其特征是包括下面步骤:It is characterized by the following steps:
    (1)该“数字证书子系统”接收到“‘在该数字证书子系统中建立数字证书的请求’、‘按协议要认证的信息数据’及数字证书子系统管理方的数字签名、及运营CA的数字签名、和运营CA的数字证书”;(1) The "Digital Certificate Subsystem" receives "a request to establish a digital certificate in the digital certificate subsystem", "information data to be authenticated by the protocol", and a digital signature of the digital certificate subsystem management party, and operation CA's digital signature, and the digital certificate of the operating CA";
    (2)该数字证书子系统的“数字证书建立管理模块”,按协议,应用存储在该数字证书子系统中的“国家根CA数字证书的公钥”,对接收到的“运营CA的数字证书”进行验证;(2) The "digital certificate establishment management module" of the digital certificate subsystem applies the "public key of the national root CA digital certificate" stored in the digital certificate subsystem according to the protocol, and the received "operating CA number" Certificate" for verification;
    其验证方法是:The verification method is:
    a)按协议,应用“国家根CA数字证书的公钥”对“‘运营CA的数字证书’中的国家根CA的数字签名”进行解密,得到“‘运营CA的数字证书’中的‘要认证的信息数据’的Hash摘要”,简记用A表示;a) According to the agreement, use the “public key of the national root CA digital certificate” to decrypt the “digital signature of the national root CA in the 'digital certificate of the operating CA'”, and obtain the “in the digital certificate of the operating CA”. The Hash summary of the authenticated information data, abbreviated as A;
    b)按协议,对接收到的“‘运营CA的数字证书’中的‘按协议要认证的信息数据’”应用Hash算法进行运算,得到该‘按协议要认证的信息数据’的Hash摘要,简记用B表示;b) Apply the Hash algorithm to the received "information data to be authenticated by the protocol" in the received "digital certificate of the operating CA" according to the protocol, and obtain the Hash summary of the 'information data to be authenticated by protocol'. A shorthand is indicated by B;
    c)比较数据A和B;若A等于B,则判定“‘国家根CA数字证书的公钥’对该‘运营CA的数字证书’的验证”通过;若A不等于B,则判定“‘国家根 CA数字证书的公钥’对该‘运营CA的数字证书’的验证”不通过;c) Comparing data A and B; if A is equal to B, it is determined that "the public key of the 'national root CA digital certificate' passes the verification of the 'digital certificate of the operating CA'"; if A is not equal to B, the decision is made " National root The public key of the CA digital certificate 'verification of the 'digital certificate of the operating CA' does not pass;
    (3)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(3) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
    其中,国家根CA,是向运营CA签发数字证书的国家权威认证机构;国家根CA的数字证书是根数字证书,是国家根CA给自己颁发的数字证书;国家根CA和国家根CA的数字证书,是以数字证书为基础的国家级信任链的起始点;Among them, the national root CA is the national authoritative certification body that issues digital certificates to the operating CA; the digital certificate of the national root CA is the root digital certificate, which is the digital certificate issued by the national root CA to itself; the number of the national root CA and the national root CA Certificate, the starting point of a national trust chain based on digital certificates;
    其中,运营CA,是由国家根CA认证、可向CA外的具体个人及法人签发并管理数字证书的第三方权威认证机构。Among them, the operation CA is a third-party authoritative certification body that is certified by the national root CA and can issue and manage digital certificates to specific individuals and legal persons outside the CA.
  4. 如权利要求2所述的数字证书子系统,其特征还在于:其包括有“数字证书建立管理模块”和“数字证书子系统管理方的数字证书的公钥”及“国家根CA数字证书的公钥”,用于管理在该数字证书子系统中建立“需有数字证书子系统管理方和CA双重认证才能建立的数字证书应用”;若没有“数字证书子系统管理方和CA的双重认证”,就不能在该数字证书子系统中建立数字证书应用;The digital certificate subsystem of claim 2, further comprising: a "digital certificate establishment management module" and a "public key of a digital certificate subsystem digital certificate" and a "national root CA digital certificate" Public key" is used to manage the establishment of a digital certificate application that requires the digital certificate subsystem management and CA dual authentication to be established in the digital certificate subsystem; if there is no "digital certificate subsystem management party and CA's dual authentication" ", you cannot establish a digital certificate application in the digital certificate subsystem;
    其特征是包括下面步骤:It is characterized by the following steps:
    (1)该“数字证书子系统”接收到“‘在该数字证书子系统中建立数字证书的请求’、‘按协议要认证的信息数据’及数字证书子系统管理方的数字签名、及运营CA的数字签名、和运营CA的数字证书”;(1) The "Digital Certificate Subsystem" receives "a request to establish a digital certificate in the digital certificate subsystem", "information data to be authenticated by the protocol", and a digital signature of the digital certificate subsystem management party, and operation CA's digital signature, and the digital certificate of the operating CA";
    (2)该数字证书子系统的“数字证书建立管理模块”,按协议,应用存储在该数字证书子系统中的“国家根CA数字证书的公钥”,对接收到的“运营CA的数字证书”进行验证;(2) The "digital certificate establishment management module" of the digital certificate subsystem applies the "public key of the national root CA digital certificate" stored in the digital certificate subsystem according to the protocol, and the received "operating CA number" Certificate" for verification;
    其验证方法是:The verification method is:
    a)按协议,应用“国家根CA数字证书的公钥”对“‘运营CA的数字证书’中的国家根CA的数字签名”进行解密,得到“‘运营CA的数字证书’中的‘要认证的信息数据’的Hash摘要”,简记用A表示;a) According to the agreement, use the “public key of the national root CA digital certificate” to decrypt the “digital signature of the national root CA in the 'digital certificate of the operating CA'”, and obtain the “in the digital certificate of the operating CA”. The Hash summary of the authenticated information data, abbreviated as A;
    b)按协议,对接收到的“‘运营CA的数字证书’中的‘按协议要认证的信息数据’”应用Hash算法进行运算,得到该‘按协议要认证的信息数据’的 Hash摘要,简记用B表示;b) applying the Hash algorithm to the received "information data to be authenticated by the protocol" in the received "digital certificate of the operating CA" according to the protocol, and obtaining the information data to be authenticated by the protocol. Hash summary, shorthand with B;
    c)比较数据A和B;若A等于B,则判定“‘国家根CA数字证书的公钥’对该‘运营CA的数字证书’的验证”通过;若A不等于B,则判定“‘国家根CA数字证书的公钥’对该‘运营CA的数字证书’的验证”不通过;c) Comparing data A and B; if A is equal to B, it is determined that "the public key of the 'national root CA digital certificate' passes the verification of the 'digital certificate of the operating CA'"; if A is not equal to B, the decision is made " The public key of the national root CA digital certificate 'verification of the 'digital certificate' of the operating CA is not passed;
    (3)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(3) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
    (4)若验证通过,则该“数字证书建立管理模块”,按协议,再应用该“运营CA的数字证书的公钥”对接收到的“运营CA的数字签名”进行验证;(4) If the verification is passed, the "digital certificate establishment management module", according to the protocol, applies the "public key of the digital certificate of the operating CA" to verify the received "digital signature of the operating CA";
    (5)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(5) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
    其中,国家根CA,是向运营CA签发数字证书的国家权威认证机构;国家根CA的数字证书是根数字证书,是国家根CA给自己颁发的数字证书;国家根CA和国家根CA的数字证书,是以数字证书为基础的国家级信任链的起始点;Among them, the national root CA is the national authoritative certification body that issues digital certificates to the operating CA; the digital certificate of the national root CA is the root digital certificate, which is the digital certificate issued by the national root CA to itself; the number of the national root CA and the national root CA Certificate, the starting point of a national trust chain based on digital certificates;
    其中,运营CA,是由国家根CA认证、可向CA外的具体个人及法人签发并管理数字证书的第三方权威认证机构。Among them, the operation CA is a third-party authoritative certification body that is certified by the national root CA and can issue and manage digital certificates to specific individuals and legal persons outside the CA.
  5. 如权利要求2所述的数字证书子系统,其特征还在于:其包括有“数字证书建立管理模块”和“数字证书子系统管理方的数字证书的公钥”及多个不同的“运营CA的数字证书的公钥”;其中,每个“运营CA的数字证书的公钥”按其唯一ID数据被检索调用;The digital certificate subsystem of claim 2, further comprising: a "digital certificate establishment management module" and a "public key of a digital certificate subsystem digital certificate" and a plurality of different "operational CAs" Public key of the digital certificate"; wherein each "public key of the digital certificate of the operating CA" is retrieved and retrieved according to its unique ID data;
    其特征是包括下面步骤:It is characterized by the following steps:
    (1)该“数字证书子系统”接收到“‘在该数字证书子系统中建立数字证书的请求’、‘按协议要认证的信息数据’及数字证书子系统管理方的数字签名、及运营CA的数字签名、及该运营CA在该数字证书子系统中的唯一ID数据”;(1) The "Digital Certificate Subsystem" receives "a request to establish a digital certificate in the digital certificate subsystem", "information data to be authenticated by the protocol", and a digital signature of the digital certificate subsystem management party, and operation The digital signature of the CA and the unique ID data of the operational CA in the digital certificate subsystem";
    (2)该数字证书子系统的“数字证书建立管理模块”,按协议,按接收到的“该运营CA在该数字证书子系统中的唯一ID数据”,在该数字证书子系统中检索调用该“运营CA数字证书中的公钥”;并应用该“运营CA数字证书中的公钥”,对接收到的“运营CA的数字签名”进行验证; (2) The "digital certificate establishment management module" of the digital certificate subsystem retrieves the call in the digital certificate subsystem according to the received "unique ID data of the operating CA in the digital certificate subsystem" according to the protocol. The "public key in the operation CA digital certificate"; and applying the "public key in the operation CA digital certificate" to verify the received "digital signature of the operating CA";
    (3)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”。(3) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem".
  6. 如权利要求2所述的数字证书子系统,其特征还在于:其包括有“数字证书建立管理模块”和“数字证书子系统管理方的数字证书的公钥”及“运营CA数字证书的公钥”,用于管理在该数字证书子系统中建立“需有数字证书子系统管理方和运营CA双重认证才能建立的数字证书应用”;若没有“数字证书子系统管理方和运营CA的双重认证”,就不能在该数字证书子系统中建立数字证书应用;The digital certificate subsystem according to claim 2, further comprising: a "digital certificate establishment management module" and a "public key of a digital certificate of the digital certificate subsystem management party" and "a public operation of the digital certificate of the CA" Key" is used to manage the establishment of a digital certificate application that can be established by the digital certificate subsystem management and the operational CA dual authentication in the digital certificate subsystem; if there is no "digital certificate subsystem management party and operation CA" "Authentication", it is impossible to establish a digital certificate application in the digital certificate subsystem;
    其中,运营CA是通过“该运营CA的注册中心(RA)”,办理在“该数字证书子系统中建立用户数字证书”的注册认证业务;The operating CA is a registered authentication service that establishes a user digital certificate in the digital certificate subsystem through the "Registration Center (RA) of the operating CA";
    其特征是包括下面步骤:It is characterized by the following steps:
    (1)该“数字证书子系统”接收到“‘在该数字证书子系统中建立数字证书的请求’、‘按协议要认证的信息数据’及数字证书子系统管理方的数字签名、及‘运营CA的RA的数字签名’、和‘该运营CA签发的该RA的数字证书’”;(1) The "Digital Certificate Subsystem" receives "a request to establish a digital certificate in the digital certificate subsystem", "information data to be authenticated by the protocol", and a digital signature of the digital certificate subsystem management party, and ' The digital signature 'of the RA of the operating CA', and 'the digital certificate of the RA issued by the operational CA'";
    (2)该数字证书子系统的“数字证书建立管理模块”,按协议,应用存储在该数字证书子系统中的“运营CA数字证书的公钥”,对接收到的“该运营CA签发的RA数字证书”进行验证;(2) The "digital certificate establishment management module" of the digital certificate subsystem, according to the protocol, applies the "public key of the operating CA digital certificate" stored in the digital certificate subsystem, and the received "issued by the operational CA" RA digital certificate" for verification;
    其验证方法是:The verification method is:
    a)按协议,应用“运营CA数字证书的公钥”对“‘RA数字证书’中的运营CA的数字签名”进行解密,得到“‘RA数字证书’中的‘要认证的信息数据’的Hash摘要”,简记用A表示;a) Decrypt the "digital signature of the operating CA in the 'RA digital certificate" by applying the "public key of the operating CA digital certificate" according to the agreement, and obtain the "information data to be authenticated" in the 'RA digital certificate'. Hash summary", abbreviated as A;
    b)按协议,对接收到的“‘RA数字证书’中的‘要认证的信息数据’”应用Hash算法进行运算,得到该‘要认证的信息数据’的Hash摘要,简记用B表示;b) applying a Hash algorithm to the received "information data to be authenticated" in the "RA digital certificate" according to the protocol, and obtaining a Hash summary of the information data to be authenticated, which is denoted by B;
    c)比较数据A和B;若A等于B,则判定“‘运营CA数字证书的公钥’对该‘RA数字证书’的验证”通过;若A不等于B,则判定“‘运营CA数字证书的公钥’对该‘RA数字证书’的验证”不通过; c) comparing data A and B; if A is equal to B, it is determined that "the public key of the operational CA digital certificate 'passes the verification of the 'RA digital certificate'"; if A is not equal to B, then the judgment "the operational CA number The public key of the certificate 'verification of the 'RA digital certificate' does not pass;
    (3)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(3) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
    (4)若验证通过,则该“数字证书建立管理模块”,按协议,再应用该“RA数字证书中的公钥”对接收到的“RA数字签名”进行验证;(4) If the verification is passed, the "digital certificate establishment management module", according to the protocol, applies the "public key in the RA digital certificate" to verify the received "RA digital signature";
    (5)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(5) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
    其中,RA是Registration Authority的缩写,是运营CA的注册服务中心(机构),是CA总体系统的一部分;其用于办理在“该数字证书子系统中建立用户数字证书”的注册认证业务;The RA is an abbreviation of the Registration Authority, is a registered service center (institution) of the operating CA, and is a part of the overall system of the CA; it is used to handle the registration authentication service in the "establishing a digital certificate of the user in the digital certificate subsystem";
    运营CA的RA的数字证书,由该运营CA签发认证和管理。The digital certificate of the RA that operates the CA is issued and certified by the operating CA.
  7. 如权利要求2、3、4、5、6之一的所述数字证书子系统,其包括有“数字证书建立管理模块”和“数字证书子系统管理方的数字证书的公钥”及“CA数字证书的公钥”,用于管理在该数字证书子系统中建立“需有数字证书子系统管理方和CA双重认证才能建立的数字证书应用”;若没有“数字证书子系统管理方和CA的双重认证”,就不能在该数字证书子系统中建立数字证书应用;A digital certificate subsystem according to any one of claims 2, 3, 4, 5, 6 including a "digital certificate establishment management module" and a "public key of a digital certificate subsystem digital certificate" and "CA" The public key of the digital certificate is used to manage the establishment of a digital certificate application that requires the digital certificate subsystem management and CA dual authentication to be established in the digital certificate subsystem; if there is no "digital certificate subsystem administrator and CA" Double authentication", it is impossible to establish a digital certificate application in the digital certificate subsystem;
    其特征是包括下面步骤:It is characterized by the following steps:
    (1)该“数字证书子系统”接收到“‘在该数字证书子系统中建立数字证书的请求’、‘按协议要认证的信息数据’及数字证书子系统管理方的数字签名、及CA的数字签名”;(1) The "Digital Certificate Subsystem" receives "a request to establish a digital certificate in the digital certificate subsystem", "information data to be authenticated by the protocol", and a digital signature of the digital certificate subsystem management party, and CA Digital signature";
    (2)该数字证书子系统的“数字证书建立管理模块”,按协议,应用存储在该数字证书子系统中的“数字证书子系统管理方的数字证书的公钥”,对接收到的“数字证书子系统管理方的数字签名”进行验证;(2) The "digital certificate establishment management module" of the digital certificate subsystem, according to the protocol, applies the "public key of the digital certificate subsystem management party's digital certificate" stored in the digital certificate subsystem, to the received " The digital signature of the digital certificate subsystem management party is verified;
    (3)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”。(3) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem".
  8. 如权利要求2、3、4、5、6之一的所述数字证书子系统,其特征还在于:其包括有“数字证书建立管理模块”和“数字证书子系统管理方的数字证书的公钥”及“CA数字证书的公钥”,用于管理在该数字证书子系统中建立“需有 数字证书子系统管理方和CA双重认证才能建立的数字证书应用”;若没有“数字证书子系统管理方和CA的双重认证”,就不能在该数字证书子系统中建立数字证书应用;The digital certificate subsystem of any one of claims 2, 3, 4, 5, 6 further characterized in that it comprises a "digital certificate establishment management module" and a "digital certificate subsystem management party digital certificate" "key" and "public key of CA digital certificate" for managing the establishment of "required" in the digital certificate subsystem Digital certificate application can be established by the digital certificate subsystem management and CA dual authentication; if there is no "dual certificate subsystem management and CA dual authentication", digital certificate application cannot be established in the digital certificate subsystem;
    其中,“数字证书子系统管理方”是通过“该数字证书子系统管理方的注册中心(RA)”,办理在“该数字证书子系统中建立用户数字证书”的注册认证业务;The “digital certificate subsystem management party” is a registration authentication service for “establishing a user digital certificate in the digital certificate subsystem” through “the registration center (RA) of the digital certificate subsystem management party”;
    其特征是包括下面步骤:It is characterized by the following steps:
    (1)该“数字证书子系统”接收到“‘在该数字证书子系统中建立数字证书的请求’、‘按协议要认证的信息数据’及运营CA的数字签名、及数字证书子系统管理方的RA的数字签名、及‘数字证书子系统管理方的RA的数字证书和其数字证书子系统管理方的数字签名’”;(1) The "Digital Certificate Subsystem" receives the "Request to establish a digital certificate in the digital certificate subsystem", the "information data to be authenticated by the protocol" and the digital signature of the operating CA, and the management of the digital certificate subsystem. The digital signature of the party's RA, and the digital certificate of the RA of the digital certificate subsystem management party and the digital signature of its digital certificate subsystem administrator's;
    (2)该数字证书子系统的“数字证书建立管理模块”,按协议,应用存储在该数字证书子系统中的“数字证书子系统管理方数字证书的公钥”,对接收到的“数字证书子系统管理方的数字签名”进行验证;(2) The "digital certificate establishment management module" of the digital certificate subsystem applies the "public key of the digital certificate subsystem management party digital certificate" stored in the digital certificate subsystem according to the protocol, and the received "digital" The digital signature of the certificate subsystem administrator is verified;
    (3)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(3) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
    (4)若验证通过,则该“数字证书建立管理模块”,按协议,再应用该“数字证书子系统管理方的RA的数字证书中的公钥”对接收到的“数字证书子系统管理方的RA的数字签名”进行验证;(4) If the verification is passed, the "digital certificate establishment management module", according to the agreement, applies the "public key in the digital certificate of the RA of the digital certificate subsystem management party" to the received "digital certificate subsystem management". The digital signature of the party RA is verified;
    (5)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(5) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
    其中,RA是Registration Authority的缩写,是“数字证书子系统管理方”的注册服务中心,是“数字证书子系统管理方”总体系统的一部分;其用于办理在“该数字证书子系统中建立用户数字证书”的注册认证业务;Among them, RA is the abbreviation of Registration Authority, is the registration service center of “digital certificate subsystem management party”, and is part of the overall system of “digital certificate subsystem management party”; it is used to establish in the “digital certificate subsystem” User digital certificate" registration certification business;
    “数字证书子系统管理方的RA的数字证书”,需经“数字证书子系统管理方的签名认证,才能应用于“在该数字证书子系统中建立用户数字证书”的注册认证业务。The digital certificate of the RA of the digital certificate subsystem management party needs to be signed and authenticated by the digital certificate subsystem management party before it can be applied to the registration authentication service of “establishing a user digital certificate in the digital certificate subsystem”.
  9. 如权利要求2所述的数字证书子系统,其特征还在于:其包括有“数字 证书建立管理模块”和“数字证书子系统管理方的数字证书的公钥”及国家根CA数字证书的公钥,用于管理在该数字证书子系统中建立“需有数字证书子系统管理方和运营CA双重认证才能建立的数字证书”;若没有“数字证书子系统管理方和运营CA的双重认证”,就不能在该数字证书子系统中建立数字证书;The digital certificate subsystem of claim 2 further characterized in that it comprises "digital The certificate establishment management module and the public key of the digital certificate subsystem management digital certificate and the public key of the national root CA digital certificate are used to manage the establishment of the digital certificate subsystem management party in the digital certificate subsystem. A digital certificate that can be established by operating a CA with dual authentication"; if there is no "dual certification of the digital certificate subsystem management party and the operational CA", a digital certificate cannot be established in the digital certificate subsystem;
    其中,运营CA是通过“该运营CA的注册中心(RA)”,办理在“该数字证书子系统中建立用户数字证书”的注册认证业务;为区别,下面将“该运营CA的注册中心(RA)”,简称为CRA;Among them, the operation CA is through the "Registration Center (RA) of the operation CA", and the registration authentication service of "establishing the user digital certificate in the digital certificate subsystem" is handled; for the difference, the following is the registration center of the operation CA ( RA)", abbreviated as CRA;
    其中,“数字证书子系统管理方”是通过“该数字证书子系统管理方的注册中心(RA)”,办理在“该数字证书子系统中建立用户数字证书”的注册认证业务;为区别,下面将“该数字证书子系统管理方的注册中心(RA)”,简称为MRA;Among them, the "digital certificate subsystem management party" is through the "registration center (RA) of the digital certificate subsystem management party", and the registration authentication service of "establishing a user digital certificate in the digital certificate subsystem" is handled; The following is the "Registration Center (RA) of the digital certificate subsystem management party", referred to as MRA;
    其特征是包括下面步骤:It is characterized by the following steps:
    (1)该“数字证书子系统”接收到“‘在该数字证书子系统中建立数字证书的请求’、‘按协议要认证的信息数据’及‘运营CA的CRA的数字签名’、及‘运营CA的数字证书’、及‘该运营CA签发的该CRA的数字证书’、及‘数字证书子系统管理方的MRA的数字签名’、及‘该MRA的数字证书和其数字证书子系统管理方的数字签名’”;(1) The "Digital Certificate Subsystem" receives "a request to establish a digital certificate in the digital certificate subsystem", "information data to be authenticated by the protocol", and a "digital signature of the CRA of the operating CA", and ' The digital certificate of the operating CA', and the digital certificate of the CRA issued by the operating CA, and the digital signature of the MRA of the digital certificate subsystem management, and the digital certificate of the MRA and its digital certificate subsystem management Party digital signature '";
    (2)该数字证书子系统的“数字证书建立管理模块”,按协议,应用存储在该数字证书子系统中的“数字证书子系统管理方的数字证书的公钥”对接收到的“该MRA数字证书的数字证书子系统管理方的数字签名”进行验证;(2) The "digital certificate establishment management module" of the digital certificate subsystem, according to the protocol, applies the "public key of the digital certificate subsystem management party's digital certificate" stored in the digital certificate subsystem to the received The digital signature of the digital certificate subsystem management party of the MRA digital certificate is verified;
    (3)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(3) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
    (4)若验证通过,则该“数字证书建立管理模块”,按协议,应用“该MRA的数字证书”中的公钥,对接收到的“该MRA的数字签名”进行验证;(4) If the verification is passed, the "digital certificate establishment management module", according to the protocol, applies the public key in the "digital certificate of the MRA" to verify the received "digital signature of the MRA";
    (5)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(5) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
    (6)若验证通过,则该“数字证书建立管理模块”,按协议,继续应用存储在该数字证书子系统中的“国家根CA数字证书的公钥”,对接收到的“运营CA的数字证书”进行验证; (6) If the verification is passed, the "digital certificate establishment management module" continues to apply the "public key of the national root CA digital certificate" stored in the digital certificate subsystem according to the protocol, and the received "operating CA" Digital certificate" for verification;
    (7)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(7) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
    (8)若验证通过,则该“数字证书建立管理模块”,按协议,应用“该接收到的运营CA数字证书中的公钥”,对接收到的“该运营CA签发的CRA数字证书”进行验证;(8) If the verification is passed, the "digital certificate establishment management module" applies the "public key in the received operational CA digital certificate" according to the protocol, and receives the received "CRA digital certificate issued by the operational CA". authenticating;
    (9)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(9) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
    (10)若验证通过,则该“数字证书建立管理模块”,按协议,应用“该运营CA签发的CRA数字证书”中的公钥,对接收到的“该CRA的数字签名”进行验证;(10) If the verification is passed, the "digital certificate establishment management module", according to the protocol, applies the public key in the "CRA digital certificate issued by the operation CA" to verify the received "digital signature of the CRA";
    (11)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(11) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
    (12)若验证通过,则该“数字证书建立管理模块”,按协议,启动在该数字证书子系统中建立数字证书的流程;该流程包括:(12) If the verification is passed, the “digital certificate establishment management module” starts a process of establishing a digital certificate in the digital certificate subsystem according to the protocol; the process includes:
    a)该“数字证书建立管理模块”,启动该数字证书子系统中的“非对称密钥生成模块”,生成该数字证书子系统的非对称密钥对(公钥和私钥);a) the "digital certificate establishment management module", starting the "asymmetric key generation module" in the digital certificate subsystem, generating an asymmetric key pair (public key and private key) of the digital certificate subsystem;
    b)该“数字证书建立管理模块”,按协议,在该数字证书子系统中保存该密钥对的私钥;b) the "digital certificate establishment management module", in which the private key of the key pair is stored in the digital certificate subsystem;
    c)该“数字证书建立管理模块”,按协议,将该密钥对的公钥输出给CA,用于CA签发基于该公钥的数字证书。c) The "digital certificate establishment management module" outputs the public key of the key pair to the CA according to the protocol for the CA to issue a digital certificate based on the public key.
  10. 如权利要求2所述的数字证书子系统,其特征还在于:其包括有“数字证书建立管理模块”和“数字证书子系统管理方的数字证书的公钥”及国家根CA数字证书的公钥、及“运营CA数字证书的公钥”,用于管理在该数字证书子系统中建立“需有数字证书子系统管理方和运营CA双重认证才能下载建立的数字证书”;若没有“数字证书子系统管理方和运营CA的双重认证”,就不能在该数字证书子系统中建立数字证书;The digital certificate subsystem of claim 2, further comprising: a "digital certificate establishment management module" and a "public key of a digital certificate subsystem digital certificate" and a national root CA digital certificate The key, and the “public key of the operation CA digital certificate”, are used to manage the establishment of a digital certificate in the digital certificate subsystem that requires the digital certificate subsystem management and the operational CA to be dual-certified to be downloaded and established; The certificate system subsystem and the operating CA's two-factor authentication cannot establish a digital certificate in the digital certificate subsystem;
    其中,运营CA是通过“该运营CA的注册中心(RA)”,办理在“该数字证书子系统中建立用户数字证书”的注册认证业务;为区别,下面将“该运营 CA的注册中心(RA)”,简称为CRA;Among them, the operating CA is through the "Registration Center (RA) of the operating CA", and the registration authentication service of "establishing a user digital certificate in the digital certificate subsystem" is handled; for the difference, the following will be "the operation" CA's Registration Center (RA), referred to as CRA;
    其中,“数字证书子系统管理方”是通过“该数字证书子系统管理方的注册中心(RA)”,办理在“该数字证书子系统中建立用户数字证书”的注册认证业务;为区别,下面将“该数字证书子系统管理方的注册中心(RA)”,简称为MRA;Among them, the "digital certificate subsystem management party" is through the "registration center (RA) of the digital certificate subsystem management party", and the registration authentication service of "establishing a user digital certificate in the digital certificate subsystem" is handled; The following is the "Registration Center (RA) of the digital certificate subsystem management party", referred to as MRA;
    其特征是包括下面步骤:It is characterized by the following steps:
    (1)该“数字证书子系统”接收到“‘在该数字证书子系统中建立数字证书的请求’、‘按协议要认证的信息数据’及‘运营CA的CRA的数字签名’、及‘该运营CA签发的该CRA的数字证书’、及‘数字证书子系统管理方的MRA的数字签名’、及‘该MRA的数字证书和其数字证书子系统管理方的数字签名’”;(1) The "Digital Certificate Subsystem" receives "a request to establish a digital certificate in the digital certificate subsystem", "information data to be authenticated by the protocol", and a "digital signature of the CRA of the operating CA", and ' The digital certificate of the CRA issued by the operating CA, and the digital signature of the MRA of the digital certificate subsystem manager, and the digital certificate of the MRA and the digital signature of its digital certificate subsystem management party";
    (2)该数字证书子系统的“数字证书建立管理模块”,按协议,应用存储在该数字证书子系统中的“数字证书子系统管理方的数字证书的公钥”对接收到的“该MRA数字证书的数字证书子系统管理方的数字签名”进行验证;(2) The "digital certificate establishment management module" of the digital certificate subsystem, according to the protocol, applies the "public key of the digital certificate subsystem management party's digital certificate" stored in the digital certificate subsystem to the received The digital signature of the digital certificate subsystem management party of the MRA digital certificate is verified;
    (3)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(3) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
    (4)若验证通过,则该“数字证书建立管理模块”,按协议,应用“该MRA的数字证书”中的公钥,对接收到的“该MRA的数字签名”进行验证;(4) If the verification is passed, the "digital certificate establishment management module", according to the protocol, applies the public key in the "digital certificate of the MRA" to verify the received "digital signature of the MRA";
    (5)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(5) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
    (6)若验证通过,则该“数字证书建立管理模块”,按协议,继续应用存储在该数字证书子系统中的“运营CA数字证书中的公钥”,对接收到的“该运营CA签发的CRA数字证书”进行验证;(6) If the verification is passed, the "digital certificate establishment management module" continues to apply the "public key in the operational CA digital certificate" stored in the digital certificate subsystem according to the protocol, and the received "the operation CA" The issued CRA digital certificate is verified;
    (7)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”;(7) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
    (8)若验证通过,则该“数字证书建立管理模块”,按协议,应用“该运营CA签发的CRA数字证书”中的公钥,对接收到的“该CRA的数字签名”进行验证;(8) If the verification is passed, the "digital certificate establishment management module", according to the protocol, applies the public key in the "CRA digital certificate issued by the operating CA" to verify the received "digital signature of the CRA";
    (9)若验证不通过,则该“数字证书建立管理模块”,不允许在该“数字证书子系统”中建立“该请求的数字证书”; (9) If the verification fails, the "digital certificate establishment management module" does not allow the establishment of "the requested digital certificate" in the "digital certificate subsystem";
    (10)若验证通过,则该“数字证书建立管理模块”,按协议,启动在该数字证书子系统中建立数字证书的流程;该流程包括:(10) If the verification is passed, the “digital certificate establishment management module” initiates a process of establishing a digital certificate in the digital certificate subsystem according to the protocol; the process includes:
    a)该“数字证书建立管理模块”,启动该数字证书子系统中的“非对称密钥生成模块”,生成该数字证书子系统的非对称密钥对(公钥和私钥);a) the "digital certificate establishment management module", starting the "asymmetric key generation module" in the digital certificate subsystem, generating an asymmetric key pair (public key and private key) of the digital certificate subsystem;
    b)该“数字证书建立管理模块”,按协议,在该数字证书子系统中保存该密钥对的私钥;b) the "digital certificate establishment management module", in which the private key of the key pair is stored in the digital certificate subsystem;
    c)该“数字证书建立管理模块”,按协议,将该密钥对的公钥输出给CA,用于CA签发基于该公钥的数字证书。 c) The "digital certificate establishment management module" outputs the public key of the key pair to the CA according to the protocol for the CA to issue a digital certificate based on the public key.
PCT/CN2016/102781 2015-10-22 2016-10-20 Digital certificate subsystem WO2017067490A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201520818176 2015-10-22
CN201520818176.8 2015-10-22

Publications (1)

Publication Number Publication Date
WO2017067490A1 true WO2017067490A1 (en) 2017-04-27

Family

ID=58556715

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/102781 WO2017067490A1 (en) 2015-10-22 2016-10-20 Digital certificate subsystem

Country Status (1)

Country Link
WO (1) WO2017067490A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050149733A1 (en) * 2003-12-31 2005-07-07 International Business Machines Corporation Method for securely creating an endorsement certificate utilizing signing key pairs
CN101521883A (en) * 2009-03-23 2009-09-02 中兴通讯股份有限公司 Method and system for renewing and using digital certificate
CN101651540A (en) * 2008-08-12 2010-02-17 中国移动通信集团公司 Method, device and system for updating digital certificate
CN104462965A (en) * 2014-11-14 2015-03-25 华为技术有限公司 Method for verifying integrity of application program and network device

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050149733A1 (en) * 2003-12-31 2005-07-07 International Business Machines Corporation Method for securely creating an endorsement certificate utilizing signing key pairs
CN101651540A (en) * 2008-08-12 2010-02-17 中国移动通信集团公司 Method, device and system for updating digital certificate
CN101521883A (en) * 2009-03-23 2009-09-02 中兴通讯股份有限公司 Method and system for renewing and using digital certificate
CN104462965A (en) * 2014-11-14 2015-03-25 华为技术有限公司 Method for verifying integrity of application program and network device

Similar Documents

Publication Publication Date Title
WO2020192773A1 (en) Digital identity authentication method, device, apparatus and system, and storage medium
US11496310B2 (en) Methods and systems for universal storage and access to user-owned credentials for trans-institutional digital authentication
CN108292402B (en) Determination of a common secret and hierarchical deterministic keys for the secure exchange of information
US11356280B2 (en) Personal device security using cryptocurrency wallets
US20210367795A1 (en) Identity-Linked Authentication Through A User Certificate System
CN109951489B (en) Digital identity authentication method, equipment, device, system and storage medium
CN110537346B (en) Safe decentralized domain name system
US20190173873A1 (en) Identity verification document request handling utilizing a user certificate system and user identity document repository
US8185938B2 (en) Method and system for network single-sign-on using a public key certificate and an associated attribute certificate
US8438385B2 (en) Method and apparatus for identity verification
US10567370B2 (en) Certificate authority
WO2020073513A1 (en) Blockchain-based user authentication method and terminal device
WO2020062668A1 (en) Identity authentication method, identity authentication device, and computer readable medium
US8397281B2 (en) Service assisted secret provisioning
WO2016054990A1 (en) Security check method, device, terminal and server
WO2016173211A1 (en) Application identifier management method and device
WO2016165662A1 (en) Mobile phone quasi-digital certificate subsystem, and system and method thereof
TW202304172A (en) Location-key encryption system
WO2017067490A1 (en) Digital certificate subsystem
WO2023077280A1 (en) Certificate-less authentication and secure communication
TW201103297A (en) Application and verification method of electronic seal software system
WO2023027730A1 (en) Authentication
GB2621504A (en) Authenticating a device
CN116886357A (en) Distributed digital identity authentication method, device and medium for mobile platform
CN116388979A (en) Key escrow method, device, equipment and storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16856921

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

WPC Withdrawal of priority claims after completion of the technical preparations for international publication

Ref document number: 201520818176.8

Country of ref document: CN

Date of ref document: 20180703

Free format text: WITHDRAWN AFTER TECHNICAL PREPARATION FINISHED

122 Ep: pct application non-entry in european phase

Ref document number: 16856921

Country of ref document: EP

Kind code of ref document: A1