WO2021120683A1 - Method and apparatus for secure communication based on identity authentication - Google Patents

Method and apparatus for secure communication based on identity authentication Download PDF

Info

Publication number
WO2021120683A1
WO2021120683A1 PCT/CN2020/111938 CN2020111938W WO2021120683A1 WO 2021120683 A1 WO2021120683 A1 WO 2021120683A1 CN 2020111938 W CN2020111938 W CN 2020111938W WO 2021120683 A1 WO2021120683 A1 WO 2021120683A1
Authority
WO
WIPO (PCT)
Prior art keywords
node
electronic seal
key
fingerprint information
private key
Prior art date
Application number
PCT/CN2020/111938
Other languages
French (fr)
Chinese (zh)
Inventor
马青龙
孙健
张炳康
夏繁
丁健文
Original Assignee
苏宁云计算有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 苏宁云计算有限公司 filed Critical 苏宁云计算有限公司
Priority to CA3164765A priority Critical patent/CA3164765A1/en
Publication of WO2021120683A1 publication Critical patent/WO2021120683A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3231Biological data, e.g. fingerprint, voice or retina
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Definitions

  • the present invention relates to the technical field of communication security, in particular to a method and device for secure communication based on identity authentication.
  • the two nodes of the business system need to carry out security design during data communication to identify and verify the identity of the other party.
  • Traditional security solutions mostly use digital certificates + TLS (Transport Layer Security). Protocol) mechanism to meet the needs of identification and secure communication.
  • identity recognition the existing technology adopts the scheme of adding the initiator’s identity information (such as the identity code) in the message, and the receiver, after obtaining the identity information, verifies the legitimacy of the other party’s identity by checking the database; the existing technology in terms of security
  • the purpose of the present invention is to provide a secure communication method and device based on identity authentication.
  • identity authentication By compulsory authentication of the electronic seals of both parties, it is possible to flexibly and efficiently verify the identity information of the communicating parties without applying for a digital certificate from the CA organization. , And then ensure the security of communication data.
  • one aspect of the present invention provides a secure communication method based on identity authentication, including:
  • the requesting node and the responding node respectively make their own electronic seals, and the electronic seals include a verification area composed of a signature algorithm, signature information, encryption algorithm, fingerprint information, digest algorithm, public key, and encrypted private key;
  • the requesting node and the responding node report each other's fingerprint information in the electronic seal of the other party, which is used to compare each other's fingerprint information with the reported fingerprint information after the two parties exchange electronic seals to verify their identity;
  • the requesting node After the two nodes pass the identity verification, the requesting node encrypts the plaintext data with a random factor to generate ciphertext data, and encrypts the random factor with the public key of the electronic seal of the responding node to obtain the communication key. Then, the ciphertext data, The communication key and the fingerprint information in the electronic seal of the requesting node are packaged and sent to the responding node;
  • the responding node compares the fingerprint information in the file package with the reported fingerprint information, and after the comparison is successful, decrypts the encrypted private key of the electronic seal to which the responding node belongs, and decrypts the communication key in the file package with the private key to restore the random factor, The random factor is then used to parse the ciphertext data to obtain plaintext data.
  • the method of making respective electronic seals by the requesting node and the responding node respectively includes:
  • Design the partition of the electronic seal which includes a header area, a seal information area, and a tail area in addition to the verification area;
  • the request node and the response node are based on the partition structure of the electronic seal, and the start tag, identification code and version number are filled into the header area correspondingly, and the chapter holder number, chapter holder name, issuing organization number, issuing organization name, and validity period are correspondingly filled. Fill in the seal information area, fill the description information and the end marker into the tail area correspondingly, and fill the signature algorithm, signature information, encryption algorithm, fingerprint information, digest algorithm, public key, and encryption private key into the verification area correspondingly.
  • the method for generating the public key and the encrypted private key includes:
  • the method for generating fingerprint information includes:
  • the digest string is signed by the private key corresponding to the signature algorithm to obtain the fingerprint information of the electronic seal.
  • the method for generating the signature information includes:
  • the key domain character string is signed by the private key corresponding to the signature algorithm to form the signature information of the electronic seal.
  • the method for comparing each other's fingerprint information with the reported fingerprint information to verify identity includes:
  • the requesting node sends the electronic seal to the responding node, so that the responding node can read the signature algorithm, public key, digest algorithm, and signature information of the electronic seal of the requesting node;
  • the response node reads the key field bytes in the electronic seal to which the requesting node belongs, performs a digest based on the digest algorithm to obtain a digest string, and uses the public key of the signature algorithm to perform verification on the key field bytes;
  • the responding node compares the fingerprint information of the electronic seal of the requesting node with the fingerprint information reported by the requesting node, and authorizes the requesting node to access when the comparison results are consistent;
  • the responding node sends the electronic seal to the requesting node so that the requesting node can read the signature algorithm, public key, digest algorithm, and signature information of the electronic seal to which the responding node belongs;
  • the requesting node reads the key field bytes in the electronic seal to which the responding node belongs, performs a digest based on the digest algorithm to obtain a digest string, and uses the public key of the signature algorithm to perform verification on the key field bytes;
  • the requesting node compares the fingerprint information of the electronic seal to which the responding node belongs with the fingerprint information reported by the responding node, and authorizes the responding node to access when the comparison results are consistent.
  • the requesting node uses a random factor to encrypt the plaintext data to generate the ciphertext data
  • the public key of the electronic seal of the responding node is used to encrypt the random factor to obtain the communication key, and then the ciphertext data and the communication encryption
  • the method of packaging the key and the fingerprint information in the electronic seal of the requesting node and sending it to the responding node includes:
  • the requesting node uses the public key of the electronic seal to which the responding node belongs to encrypt the random factor to generate a communication key;
  • the requesting node packs and sends the communication key, the ciphertext data and the fingerprint information of the electronic seal to the responding node.
  • the responding node compares the fingerprint information in the file package with the reported fingerprint information, and after the comparison is successful, decrypts the encrypted private key of the electronic seal to which the responding node belongs, and decrypts the communication key in the file package with the private key to restore the Random factor, and then using the random factor to parse the ciphertext data to obtain plaintext data includes:
  • the responding node reads the fingerprint information in the file package and compares it with the fingerprint information reported by the requesting node;
  • the responding node reads the encryption algorithm, signature algorithm, encryption private key and the preset seal password PIN of the electronic seal to which the responding node belongs, and decrypts the private key of the electronic seal to which the responding node belongs;
  • the random factor is restored by parsing the communication key by the private key, and finally the ciphertext data is parsed by the random factor to obtain plaintext data.
  • the secure communication method based on identity authentication provided by the present invention has the following beneficial effects:
  • the request node and the response section first make their own electronic seal in advance.
  • the electronic seal includes signature algorithm, signature information, encryption algorithm, fingerprint information, digest algorithm, and publicity.
  • the requesting node and the responding node report each other’s fingerprint information in the other’s electronic seal, which is used for identity verification during the exchange of electronic seals. Only those who have passed both nodes Only by identity verification can data communication be carried out securely.
  • the specific process is as follows: the requesting node uses a random factor to encrypt the plaintext data to generate ciphertext data, and then uses the public key of the responding node’s electronic seal to encrypt the random factor to obtain the communication key.
  • the ciphertext data, the communication key and the fingerprint information used to identify the requesting node are packaged and sent to the responding node.
  • the responding node After receiving the file package, the responding node reads the fingerprint information and compares it with the fingerprint information reported by the requesting node , Only after the comparison is passed, can the requesting node be authorized to access the responding node, and then the responding node will call the corresponding encrypted private key, decrypt the encrypted private key and use the plaintext private key to decrypt the communication key to restore the random factor, and finally use Random factors analyze the ciphertext data to obtain plaintext data, and complete the ciphertext transmission of the requesting node to the responding node.
  • the present invention is compared with the solutions in the prior art.
  • the two parties negotiate to make an electronic seal, no need to apply for a digital certificate from the CA, which increases the flexibility of application, and can ensure communication through a compulsory electronic seal exchange authentication strategy.
  • the ciphertext will not be stolen by a third person, which improves the security of the communication between the two parties.
  • the negotiation process of the two parties' keys is cancelled before the data is sent, which increases the convenience of the application.
  • Another aspect of the present invention provides a secure communication device based on identity authentication, which applies the secure communication method based on identity authentication mentioned in the above technical solution, and the device includes:
  • the seal making unit is used for making respective electronic seals by the requesting node and the responding node.
  • the electronic seal includes a signature algorithm, signature information, encryption algorithm, fingerprint information, digest algorithm, public key, and encrypted private key. Inspection area
  • the fingerprint registration unit is used for requesting nodes and responding nodes to report each other's fingerprint information in the electronic seal of the other party, and for comparing each other's fingerprint information with the reported fingerprint information after the two parties exchange electronic seals to verify identity;
  • the file encryption unit is configured to store the compressed logistics box code message in a storage system, and complete the archiving of the original logistics box code message;
  • the file decryption unit is used for the responding node to compare the fingerprint information in the file package with the reported fingerprint information, decrypt the encrypted private key of the electronic seal to which the responding node belongs after the comparison is successful, and decrypt the communication key in the file package with the private key Restore the random factor, and then use the random factor to parse the ciphertext data to obtain plaintext data.
  • the beneficial effects of the security communication device based on identity authentication provided by the present invention are the same as the beneficial effects of the security communication method based on identity authentication provided by the above technical solutions, and will not be repeated here.
  • a third aspect of the present invention provides a computer-readable storage medium on which a computer program is stored, and the computer program executes the steps of the above-mentioned identity authentication-based secure communication method when the computer program is run by a processor.
  • the beneficial effects of the computer-readable storage medium provided by the present invention are the same as those of the secure communication method based on identity authentication provided by the above technical solutions, and will not be repeated here.
  • Fig. 1 is a schematic flow chart of a secure communication method based on identity authentication in the first embodiment
  • FIG. 2 is a schematic diagram of the interaction process of the secure communication method based on identity authentication in the first embodiment
  • Fig. 3 is a diagram showing an example of the structure of an electronic seal in the first embodiment.
  • this embodiment provides a secure communication method based on identity authentication, including:
  • the requesting node and the responding node respectively make their own electronic seals.
  • the electronic seal includes a verification area composed of signature algorithm, signature information, encryption algorithm, fingerprint information, digest algorithm, public key and encrypted private key; request node and response node
  • the fingerprint information in the electronic seal of the other party is reported to each other. After the two parties exchange the electronic seal, the fingerprint information of the other party is extracted and compared with the fingerprint information reported to verify the identity; the node of both parties will be used by the requesting node after the identity verification is passed.
  • the random factor encrypts the plaintext data to generate ciphertext data, and uses the public key of the electronic seal of the responding node to encrypt the random factor to obtain the communication key, and then package the ciphertext data, the communication key and the fingerprint information in the electronic seal of the requesting node to the response Node; the responding node compares the fingerprint information in the file package with the reported fingerprint information, and after the comparison is successful, decrypts the encrypted private key of the electronic seal to which the responding node belongs, and uses the private key to decrypt the communication key in the file package to restore the random factor. Then use random factors to parse the ciphertext data to obtain plaintext data.
  • the requesting node and the response section first make their own electronic seal in advance, and the electronic seal includes signature algorithm, signature information, encryption algorithm, fingerprint information, digest algorithm, The verification area composed of the public key and the encrypted private key.
  • the requesting node and the responding node report each other's fingerprint information in the other's electronic seal, which is used for identity verification during the exchange of electronic seals. Only when the two nodes pass Data communication can be carried out safely.
  • the specific process is as follows: the requesting node uses the random factor to encrypt the plaintext data to generate ciphertext data, and then uses the public key of the responding node’s electronic seal to encrypt the random factor to obtain the communication key.
  • the ciphertext data, communication key, and fingerprint information used to identify the requesting node are packaged and sent to the responding node.
  • the responding node After receiving the file package, the responding node reads the fingerprint information and compares it with the fingerprint information reported by the requesting node Yes, the requesting node can be authorized to access the responding node only after the comparison is passed, and then the responding node will call the corresponding encrypted private key, decrypt the encrypted private key and use the plaintext private key to decrypt the communication key to restore the random factor.
  • this embodiment is compared with the solution in the prior art.
  • the two parties negotiate to make an electronic seal, and there is no need to apply for a digital certificate from the CA, which increases the flexibility of application.
  • the mandatory electronic seal exchange authentication strategy can ensure The communication ciphertext will not be stolen by a third party, which improves the security of the communication between the two parties.
  • the negotiation process of the two parties' keys is cancelled before the data is sent, which improves the convenience of the application.
  • the methods for requesting and responding nodes to make their own electronic seals include:
  • the partition In addition to the verification area, the partition also includes the head area, the seal information area and the tail area; the request node and the response node are based on the partition structure of the electronic seal, and the start tag, identification code and version number are filled correspondingly Enter the header area, fill in the seal information area with the chapter holder number, chapter holder name, issuing organization number, issuing organization name, and validity period correspondingly, fill in the description information and ending tag in the tail area, and fill in the signature algorithm and signature
  • the information, encryption algorithm, fingerprint information, digest algorithm, public key and encryption private key are filled in the verification area correspondingly.
  • the start tag of the header area is 2 bytes
  • the identification code is 3 bytes
  • the version number is 1 byte
  • the signature algorithm of the verification area is 8 bytes
  • the signature information is 32 bytes.
  • the encryption algorithm is 8 bytes
  • the fingerprint information is 32 bytes
  • the digest algorithm is 8 bytes
  • the public key is 32 bytes
  • the encryption private key is 32 bytes
  • the holder number in the seal information area is 32 bytes
  • the name of the holder is 32 bytes
  • the number of the issuing authority is 32 bytes
  • the name of the issuing authority is 32 bytes
  • the validity period information is 16 bytes
  • the description information in the tail area is 62 bytes
  • the end tag is 2 bytes .
  • the signature algorithm is an asymmetric algorithm for signing or verifying information, such as RSA, SM1
  • the encryption algorithm is a symmetric algorithm for encrypting or decrypting information, such as AES, SM2
  • the digest algorithm is for information Algorithm for digesting, such as MD5, SM3.
  • the encrypted private key is stored in the electronic seal, which can properly store and manage the private key, and reduces the management risk caused by the persistent storage of the private key in the systems of both parties.
  • the method for generating a public key and an encrypted private key in the foregoing embodiment includes: randomly generating a pair of public key and private key according to the signature algorithm in the electronic seal; and encrypting the private key to generate the requesting node based on the seal password PIN preset by the requesting node The encrypted private key of the electronic seal; and, based on the seal password PIN preset by the responding node, encrypt the private key to generate the encrypted private key of the electronic seal of the responding node.
  • the electronic seal of the requesting node is A
  • the signature algorithm of the corresponding electronic seal A is SA
  • the electronic seal of the responding node is B
  • the signature algorithm of the corresponding electronic seal B is SB
  • the requesting node generates according to the signature algorithm SA
  • the public key SA.PublicKey and the private key SA.PrivateKey the responding node generates the public key SB.PublicKey and the private key SB.PrivateKey according to the signature algorithm SB, and then fills the public key SA.PublicKey into the public key area of the electronic seal A.
  • the public key SB.PublicKey is correspondingly filled into the public key area of the electronic seal B, and then the private key SA.PrivateKey and the private key SB.PrivateKey are encrypted.
  • the private key SA.PrivateKey is encrypted with the seal password PIN preset by the requesting node Obtain the encrypted private key of electronic seal A, and use the seal password PIN preset by the responding node to encrypt the private key SB.PrivateKey to obtain the encrypted private key of electronic seal B.
  • the method for generating fingerprint information in the foregoing embodiment includes: string splicing the seal holder number and the seal holder name in the electronic seal, and encrypting the splicing result of the string using the corresponding seal password PIN to form a secret Text; Digest the ciphertext using the digest algorithm to obtain the digest string; use the private key corresponding to the signature algorithm to sign the digest string to obtain the fingerprint information of the electronic seal.
  • the above formula can be understood as:
  • the serial number of the holder and the name of the holder in the electronic seal are spliced, and then the seal password PIN is used as the key of the encryption algorithm (symmetric algorithm) to encrypt the splicing result of the string to form a cipher text, and then pass the abstract
  • the algorithm digests the ciphertext to obtain the digest string, and finally signs the digest string with the private key of the signature algorithm (asymmetric algorithm) to form fingerprint information.
  • the generation of fingerprint information in the electronic seal B is the same as that in the electronic seal A, which is not repeated in this embodiment.
  • the chapter holder number may be an ID card number, a social credit uniform identification number, or an organization number.
  • the method for generating signature information in the foregoing embodiment includes: defining key field bytes in the electronic seal, where the key field bytes are characteristic bytes of the electronic seal; and digesting the key field bytes through a digest algorithm to obtain the key field String:
  • the key field string is signed by the private key corresponding to the signature algorithm to form the signature information of the electronic seal.
  • signature information SA.Sign(DA(content), SA.PrivateKey), where content represents the key field byte, as shown in Figure 3.
  • signature information SA.Sign(DA(content), SA.PrivateKey)
  • content represents the key field byte, as shown in Figure 3.
  • the key field bytes are summarized by the abstract algorithm to obtain the key field
  • the generation of the signature information in the electronic seal B is the same as that of the electronic seal A, which is not repeated in this embodiment.
  • the method of mutually extracting each other's fingerprint information and comparing the reported fingerprint information to verify identity includes:
  • the requesting node sends the electronic seal to the responding node, so that the responding node can read the signature algorithm, public key, digest algorithm, and signature information of the electronic seal of the requesting node; the responding node reads the key domain words in the electronic seal of the requesting node Section, digest the digest string based on the digest algorithm, and use the public key of the signature algorithm to verify the key field bytes; after the verification is passed, the responding node will send the fingerprint information of the electronic seal of the requesting node to the information reported by the requesting node.
  • Fingerprint information comparison when the comparison results are consistent, the requesting node is authorized to access; the responding node sends the electronic seal to the requesting node, so that the requesting node can read the signature algorithm, public key, digest algorithm and signature information of the electronic seal of the responding node ;
  • the requesting node reads the key field bytes in the electronic seal to which the responding node belongs, digests the digest string based on the digest algorithm, and uses the public key of the signature algorithm to perform verification on the key field bytes; after the verification is passed, the request
  • the node compares the fingerprint information of the electronic seal to which the responding node belongs with the fingerprint information reported by the responding node, and authorizes the responding node to access when the comparison results are consistent.
  • the above embodiment can be understood as the process of exchanging electronic seals and identity verification between the two nodes.
  • the requesting node sends the electronic seal A to the responding node, and the responding node performs the verification operation on the electronic seal A after receiving it.
  • the fingerprint information in the electronic seal A reads the fingerprint information in the electronic seal A and compare it with the fingerprint information reported by the electronic seal A in the response node.
  • the identity of the electronic seal A is considered legal, and the requesting node is authorized to access the response node.
  • the requesting node After the responding node has verified the identity of the requesting node, the requesting node must continue to verify the identity of the responding node, that is, the responding node sends the electronic seal B to the requesting node, and the requesting node performs the verification operation after receiving the electronic seal B. Then read the fingerprint information in the electronic seal B and compare it with the fingerprint information reported by the electronic seal B in the requesting node. When the comparison results are consistent, the identity of the electronic seal B is considered legal, and the responding node is authorized to access the requesting node. .
  • verification SA.Verify(DA(content),SA.PublicKey,SI), where SI represents the signature information in the electronic seal A
  • SI the signature information in the electronic seal A
  • the signature verification operation is performed through the public key of the signature algorithm (asymmetric algorithm) and the signature information (SI) of the electronic seal A signature file structure. If the verification is successful, it means that the signature file has not been tampered with. Unsuccessful signing means that the signature file has been tampered with.
  • identity If(Equal(A.DS. fingerprint information, registered electronic seal A. fingerprint information)), the above formula is understood as: Take out the signature file of electronic seal A, and compare the fingerprint information with the fingerprint information reported in the responding node. If the comparison result is consistent, the requesting node is authorized to access.
  • the signature verification operation and the identity legality verification operation of the requesting node on the electronic seal B are the same as the above-mentioned response node verification operation and the identity legality verification operation on the electronic seal A, which will not be repeated in this embodiment.
  • the requesting node uses the random factor to encrypt the plaintext data to generate the ciphertext data
  • the public key of the responding node’s electronic seal is used to encrypt the random factor to obtain the communication key, and then the ciphertext data, the communication key and the requesting node’s electronic seal
  • the method of packaging and sending the fingerprint information to the responding node includes:
  • the requesting node generates a random factor, which is used to encrypt the plaintext data to obtain the ciphertext data; the requesting node uses the public key of the electronic seal to which the responding node belongs to encrypt the random factor to generate a communication key; the requesting node encrypts the communication key, ciphertext data, and belonging
  • the fingerprint information of the electronic seal is packaged and sent to the responding node.
  • the above formula can be understood as using the encryption factor Key as the key of the encryption algorithm (symmetric algorithm) and using the signature of the other party
  • the required encryption algorithm (symmetric algorithm) encrypts plaintext data (plainText) to generate ciphertext data.
  • the responding node compares the fingerprint information in the file package with the reported fingerprint information, and after the comparison is successful, decrypts the encrypted private key of the electronic seal to which the responding node belongs, and decrypts the communication secret in the file package through the private key.
  • the key to restore the random factor, and then use the random factor to parse the ciphertext data to obtain the plaintext data includes:
  • the responding node reads the fingerprint information in the file package and compares it with the fingerprint information reported by the requesting node; after the comparison is passed, the responding node reads the encryption algorithm, signature algorithm, encryption private key and preset of the electronic seal.
  • the seal password PIN decrypts the private key of the electronic seal to which the responding node belongs; analyzes the communication key through the private key to restore the random factor, and finally uses the random factor to parse the ciphertext data to obtain the plaintext data.
  • the responding node after receiving the file package, the responding node first reads the fingerprint information in the file package, and compares it with the fingerprint information reported by the requesting node, so that one school at a time ensures the security of data transmission. After passing, read the encrypted private key (SB.PrivateKey) from the electronic seal B.
  • SB.PrivateKey the encrypted private key
  • B.SA.PrivateKey B.EA.Decrypt(B.SecureKey, PIN), that is, it is preferred to read the encryption algorithm in the signature, and Use PIN as the key of the encryption algorithm (symmetric algorithm) to decrypt the encrypted private key, and the decrypted plaintext is the plaintext private key.
  • A.Key B.SA.Decrypt (communication key, B.SA.PrivateKey), that is, first read out the signature algorithm in the signature , And use the plaintext private key of the solved signature algorithm (asymmetric algorithm) to decrypt the communication key in the file package, and obtain the random factor (Key) of the requesting node after decryption.
  • the responding node has completed the data encryption communication of the requesting node.
  • the requesting node's data encryption communication to the requesting node is the inverse process of the above implementation process. Please refer to Figure 2.
  • the responding node sends ciphertext data to the requesting node
  • the corresponding node is responsible for generating the encryption factor, and uses the electronic seal A of the requesting node to generate the communication key and ciphertext data.
  • the requesting node After the requesting node receives the ciphertext data, the communication key and the fingerprint information of the electronic seal B, it uses its own The electronic seal A is decrypted to obtain plaintext data.
  • this embodiment provides a secure communication solution at the service data (non-protocol) level to realize independent and controllable data security for both parties in communication.
  • This embodiment provides a secure communication device based on identity authentication, including:
  • the seal making unit is used for making respective electronic seals by the requesting node and the responding node.
  • the electronic seal includes a signature algorithm, signature information, encryption algorithm, fingerprint information, digest algorithm, public key, and encrypted private key. Inspection area
  • the fingerprint registration unit is used for requesting nodes and responding nodes to report each other's fingerprint information in the electronic seal of the other party, and for comparing each other's fingerprint information with the reported fingerprint information after the two parties exchange electronic seals to verify identity;
  • the file encryption unit is configured to store the compressed logistics box code message in a storage system, and complete the archiving of the original logistics box code message;
  • the file decryption unit is used for the responding node to compare the fingerprint information in the file package with the reported fingerprint information, decrypt the encrypted private key of the electronic seal to which the responding node belongs after the comparison is successful, and decrypt the communication key in the file package with the private key Restore the random factor, and then use the random factor to parse the ciphertext data to obtain plaintext data.
  • the beneficial effects of the secure communication device based on identity authentication provided in this embodiment are the same as those of the secure communication method based on identity authentication provided in the foregoing embodiments, and will not be repeated here.
  • This embodiment provides a computer-readable storage medium on which a computer program is stored.
  • the steps of the above-mentioned identity authentication-based secure communication method are executed.
  • the above-mentioned program can be stored in a computer readable storage medium.
  • the program When executed, it includes
  • the foregoing storage medium may be: ROM/RAM, magnetic disk, optical disk, memory card, and so on.

Abstract

Disclosed in the present invention are a method and an apparatus for secure communication based on identity authentication; by means of mandatory authentication of an electronic seal of both parties, the identity information of both communicating parties can be flexibly and efficiently verified without needing to apply for a digital certificate from a CA, ensuring the security of the communication data. The method comprises: a request node and a response node each make a respective electronic seal; the request node and the response node mutually report fingerprint information in the electronic seal of the opposite party; the request node uses a random factor to encrypt plaintext data to generate ciphertext data, uses a public key of the electronic seal of the opposite party to encrypt the random factor to obtain a communication key, and then packages the ciphertext data, the communication key, and the fingerprint information and sends same to the response node; the response node compares the fingerprint information in the file packet with the reported fingerprint information and, once the comparison is successful, decrypts the encrypted private key of the electronic seal belonging to the response node, decrypts the communication key by means of the private key to restore the random factor, and then parses the ciphertext data to obtain the plaintext data.

Description

基于身份认证的安全通讯方法及装置Safety communication method and device based on identity authentication 技术领域Technical field
本发明涉及通信安全技术领域,尤其涉及一种基于身份认证的安全通讯方法及装置。The present invention relates to the technical field of communication security, in particular to a method and device for secure communication based on identity authentication.
背景技术Background technique
为了确保通信安全,业务系统的两个节点在进行数据通讯时需要进行安全性设计,用于识别和验证对方的身份,传统的安全性方案多采用数字证书+TLS(Transport Layer Security,传输层安全协议)机制来满足身份识别和安全通讯的需求。在身份识别方面现有技术采用在报文中增设发起方身份信息(如身份编码),接收方在获得身份信息后,通过查库方式验证对方身份合法性的方案;在安全性方面现有技术通过事先约定好的加解密算法、签名算法、密钥进行交换保存的方案,用以支持报文发送期间的加解密、签名等验签需要。In order to ensure communication security, the two nodes of the business system need to carry out security design during data communication to identify and verify the identity of the other party. Traditional security solutions mostly use digital certificates + TLS (Transport Layer Security). Protocol) mechanism to meet the needs of identification and secure communication. In the aspect of identity recognition, the existing technology adopts the scheme of adding the initiator’s identity information (such as the identity code) in the message, and the receiver, after obtaining the identity information, verifies the legitimacy of the other party’s identity by checking the database; the existing technology in terms of security A scheme for exchanging and storing pre-appointed encryption and decryption algorithms, signature algorithms, and keys to support the encryption, decryption, and signature verification needs during message transmission.
此外,采用数字证书+TLS机制时需向CA机构(Certificate Authority,证书颁发机构)申请数字证书,这给构建快速应用场景的安全数据通讯带来极大的不便,缺乏应用的灵活性,而采用TLS通讯协议,在组织密文发送之前需经过多步骤协商,在一般应用场景下过于繁琐,不具有适用性,而将加解密算法、签名算法、密钥等重要信息交换且持久化的存储在双方系统中,具有一定程度的管理风险。In addition, when the digital certificate + TLS mechanism is adopted, it is necessary to apply for a digital certificate from a CA (Certificate Authority), which brings great inconvenience to the construction of secure data communication in fast application scenarios, and lacks application flexibility. The TLS communication protocol requires multi-step negotiation before sending the ciphertext. It is too cumbersome and unsuitable in general application scenarios. Instead, the encryption and decryption algorithms, signature algorithms, keys and other important information are exchanged and stored persistently. In both systems, there is a certain degree of management risk.
发明内容Summary of the invention
本发明的目的在于提供一种基于身份认证的安全通讯方法及装置,通过强制认证双方的电子印章,可以在无需向CA机构申请数字证书的情况下灵活、高效的对通信双方身份的信息进行验证,进而确保通信数据的安全性。The purpose of the present invention is to provide a secure communication method and device based on identity authentication. By compulsory authentication of the electronic seals of both parties, it is possible to flexibly and efficiently verify the identity information of the communicating parties without applying for a digital certificate from the CA organization. , And then ensure the security of communication data.
为了实现上述目的,本发明的一方面提供一种基于身份认证的安全通讯 方法,包括:In order to achieve the above objective, one aspect of the present invention provides a secure communication method based on identity authentication, including:
由请求节点和响应节点分别制作各自的电子印章,所述电子印章中包括由签名算法、签名信息、加密算法、指纹信息、摘要算法、公钥和加密私钥组成的校验区;The requesting node and the responding node respectively make their own electronic seals, and the electronic seals include a verification area composed of a signature algorithm, signature information, encryption algorithm, fingerprint information, digest algorithm, public key, and encrypted private key;
请求节点和响应节点互相报备对方电子印章中的指纹信息,用于在双方交换电子印章后,互相提取对方的指纹信息与报备的指纹信息比对以验证身份;The requesting node and the responding node report each other's fingerprint information in the electronic seal of the other party, which is used to compare each other's fingerprint information with the reported fingerprint information after the two parties exchange electronic seals to verify their identity;
双方节点在身份验证通过后,由请求节点使用随机因子对明文数据加密生成密文数据,以及使用响应节点电子印章的公钥加密所述随机因子得到通讯密钥,之后将所述密文数据、所述通讯密钥和请求节点电子印章中的指纹信息打包发送至响应节点;After the two nodes pass the identity verification, the requesting node encrypts the plaintext data with a random factor to generate ciphertext data, and encrypts the random factor with the public key of the electronic seal of the responding node to obtain the communication key. Then, the ciphertext data, The communication key and the fingerprint information in the electronic seal of the requesting node are packaged and sent to the responding node;
响应节点将文件包中的指纹信息与报备的指纹信息比对,比对成功后解密响应节点所属电子印章的加密私钥,通过私钥解密文件包中的通讯密钥还原所述随机因子,进而使用所述随机因子解析所述密文数据得到明文数据。The responding node compares the fingerprint information in the file package with the reported fingerprint information, and after the comparison is successful, decrypts the encrypted private key of the electronic seal to which the responding node belongs, and decrypts the communication key in the file package with the private key to restore the random factor, The random factor is then used to parse the ciphertext data to obtain plaintext data.
优选地,由请求节点和响应节点分别制作各自的电子印章的方法包括:Preferably, the method of making respective electronic seals by the requesting node and the responding node respectively includes:
设计电子印章的分区,所述分区除校验区之外还包括头部区、印章信息区和尾部区;Design the partition of the electronic seal, which includes a header area, a seal information area, and a tail area in addition to the verification area;
请求节点和响应节点基于电子印章的分区结构,将开始标记符、识别码和版本号对应填充入头部区,将持章人编号、持章人名称、颁发机构编号、颁发机构名称和有效期对应填充入印章信息区、将描述信息和结束标记符对应填充入尾部区,将签名算法、签名信息、加密算法、指纹信息、摘要算法、公钥和加密私钥对应填充入校验区。The request node and the response node are based on the partition structure of the electronic seal, and the start tag, identification code and version number are filled into the header area correspondingly, and the chapter holder number, chapter holder name, issuing organization number, issuing organization name, and validity period are correspondingly filled. Fill in the seal information area, fill the description information and the end marker into the tail area correspondingly, and fill the signature algorithm, signature information, encryption algorithm, fingerprint information, digest algorithm, public key, and encryption private key into the verification area correspondingly.
较佳地,所述公钥和所述加密私钥的生成方法包括:Preferably, the method for generating the public key and the encrypted private key includes:
根据电子印章中的签名算法随机生成一对公钥和私钥;Randomly generate a pair of public key and private key according to the signature algorithm in the electronic seal;
基于请求节点预设的印章密码PIN,加密所属私钥生成请求节点电子印章的加密私钥;以及,Based on the seal password PIN preset by the requesting node, encrypt the private key to generate the encrypted private key of the electronic seal of the requesting node; and,
基于响应节点预设的印章密码PIN,加密所属私钥生成响应节点电子印章 的加密私钥。Based on the seal password PIN preset by the responding node, encrypt the private key to generate the encrypted private key of the electronic seal of the responding node.
可选地,所述指纹信息的生成方法包括:Optionally, the method for generating fingerprint information includes:
将电子印章中的持章人编号和持章人名称进行字符串拼接,并使用对应的印章密码PIN对字符串的拼接结果加密形成密文;Perform string splicing on the number of the holder and the name of the holder in the electronic seal, and use the corresponding seal password PIN to encrypt the splicing result of the string to form a cipher text;
采用摘要算法对所述密文进行摘要,得到摘要字符串;Digest the ciphertext using a digest algorithm to obtain a digest string;
通过签名算法对应的私钥对所述摘要字符串签名,得到电子印章的指纹信息。The digest string is signed by the private key corresponding to the signature algorithm to obtain the fingerprint information of the electronic seal.
可选地,所述签名信息的生成方法包括:Optionally, the method for generating the signature information includes:
定义电子印章中的关键域字节,所述关键域字节为电子印章的特征字节;Define the key field bytes in the electronic seal, where the key field bytes are characteristic bytes of the electronic seal;
将所述关键域字节通过摘要算法进行摘要,得到关键域字符串;Digest the key field bytes through a digest algorithm to obtain a key field string;
通过签名算法对应的私钥对所述关键域字符串签名,形成电子印章的签名信息。The key domain character string is signed by the private key corresponding to the signature algorithm to form the signature information of the electronic seal.
优选地,双方交换电子印章后,互相提取对方的指纹信息与报备的指纹信息比对以验证身份的方法包括:Preferably, after the two parties exchange electronic seals, the method for comparing each other's fingerprint information with the reported fingerprint information to verify identity includes:
请求节点将所属电子印章发送至响应节点,以使响应节点读取请求节点所属电子印章的签名算法、公钥、摘要算法和签名信息;The requesting node sends the electronic seal to the responding node, so that the responding node can read the signature algorithm, public key, digest algorithm, and signature information of the electronic seal of the requesting node;
由响应节点读取请求节点所属电子印章中的关键域字节,基于所述摘要算法进行摘要得到摘要字符串,并使用所述签名算法的公钥对所述关键域字节执行验签;The response node reads the key field bytes in the electronic seal to which the requesting node belongs, performs a digest based on the digest algorithm to obtain a digest string, and uses the public key of the signature algorithm to perform verification on the key field bytes;
验签通过后,响应节点将请求节点所属电子印章的指纹信息与请求节点报备的指纹信息比对,比对结果一致时授权请求节点接入;After the verification is passed, the responding node compares the fingerprint information of the electronic seal of the requesting node with the fingerprint information reported by the requesting node, and authorizes the requesting node to access when the comparison results are consistent;
响应节点将所属电子印章发送至请求节点,以使请求节点读取响应节点所属电子印章的签名算法、公钥、摘要算法和签名信息;The responding node sends the electronic seal to the requesting node so that the requesting node can read the signature algorithm, public key, digest algorithm, and signature information of the electronic seal to which the responding node belongs;
由请求节点读取响应节点所属电子印章中的关键域字节,基于所述摘要算法进行摘要得到摘要字符串,并使用所述签名算法的公钥对所述关键域字节执行验签;The requesting node reads the key field bytes in the electronic seal to which the responding node belongs, performs a digest based on the digest algorithm to obtain a digest string, and uses the public key of the signature algorithm to perform verification on the key field bytes;
验签通过后,请求节点将响应节点所属电子印章的指纹信息与响应节点报 备的指纹信息比对,比对结果一致时授权响应节点接入。After the verification is passed, the requesting node compares the fingerprint information of the electronic seal to which the responding node belongs with the fingerprint information reported by the responding node, and authorizes the responding node to access when the comparison results are consistent.
较佳地,由请求节点使用随机因子对明文数据加密生成密文数据,以及使用响应节点电子印章的公钥加密所述随机因子得到通讯密钥,之后将所述密文数据、所述通讯密钥和请求节点电子印章中的指纹信息打包发送至响应节点的方法包括:Preferably, the requesting node uses a random factor to encrypt the plaintext data to generate the ciphertext data, and the public key of the electronic seal of the responding node is used to encrypt the random factor to obtain the communication key, and then the ciphertext data and the communication encryption The method of packaging the key and the fingerprint information in the electronic seal of the requesting node and sending it to the responding node includes:
请求节点生成随机因子,用于对所述明文数据加密得到密文数据;Request the node to generate a random factor for encrypting the plaintext data to obtain ciphertext data;
请求节点使用响应节点所属电子印章的公钥对所述随机因子加密,生成通讯密钥;The requesting node uses the public key of the electronic seal to which the responding node belongs to encrypt the random factor to generate a communication key;
请求节点将所述通讯密钥、所述密文数据和所属电子印章的指纹信息打包发送至响应节点。The requesting node packs and sends the communication key, the ciphertext data and the fingerprint information of the electronic seal to the responding node.
进一步地,响应节点将文件包中的指纹信息与报备的指纹信息比对,比对成功后解密响应节点所属电子印章的加密私钥,通过私钥解密文件包中的通讯密钥还原所述随机因子,进而使用所述随机因子解析所述密文数据得到明文数据的方法包括:Further, the responding node compares the fingerprint information in the file package with the reported fingerprint information, and after the comparison is successful, decrypts the encrypted private key of the electronic seal to which the responding node belongs, and decrypts the communication key in the file package with the private key to restore the Random factor, and then using the random factor to parse the ciphertext data to obtain plaintext data includes:
响应节点读取文件包中的指纹信息,并与请求节点报备的指纹信息比对;The responding node reads the fingerprint information in the file package and compares it with the fingerprint information reported by the requesting node;
比对通过后,由响应节点读取所属电子印章的加密算法、签名算法、加密私钥以及预设的印章密码PIN,解密出响应节点所属电子印章的私钥;After the comparison is passed, the responding node reads the encryption algorithm, signature algorithm, encryption private key and the preset seal password PIN of the electronic seal to which the responding node belongs, and decrypts the private key of the electronic seal to which the responding node belongs;
通过所述私钥解析所述通讯密钥还原所述随机因子,最终利用所述随机因子解析所述密文数据得到明文数据。The random factor is restored by parsing the communication key by the private key, and finally the ciphertext data is parsed by the random factor to obtain plaintext data.
与现有技术相比,本发明提供的基于身份认证的安全通讯方法具有以下有益效果:Compared with the prior art, the secure communication method based on identity authentication provided by the present invention has the following beneficial effects:
本发明提供的基于身份认证的安全通讯方法中,首先由请求节点和响应节预先制作属于自己的电子印章,该电子印章中包括由签名算法、签名信息、加密算法、指纹信息、摘要算法、公钥和加密私钥组成的校验区,电子印章制作完成之后,请求节点和响应节点互相报备对方电子印章中的指纹信息,用于电子印章交换过程中的身份验证,只有通过了双方节点的身份验证,才可安全的进行数据通讯,具体过程如下:由请求节点使用随机因子对明文数 据进行加密生成密文数据,接着使用响应节点电子印章的公钥加密随机因子得到通讯密钥,至此将密文数据、通讯密钥和用于识别请求节点身份的指纹信息打包发送至响应节点,响应节点在接收到文件包后,读取其中的指纹信息并与请求节点报备的指纹信息进行比对,仅在比对通过后方可授权请求节点接入响应节点,之后由响应节点调用所属的加密私钥,对加密私钥解密后使用明文私钥对通讯密钥进行解密从而还原随机因子,最终使用随机因子解析密文数据得到明文数据,完成请求节点对响应节点的密文传输。In the secure communication method based on identity authentication provided by the present invention, the request node and the response section first make their own electronic seal in advance. The electronic seal includes signature algorithm, signature information, encryption algorithm, fingerprint information, digest algorithm, and publicity. After the electronic seal is made, the requesting node and the responding node report each other’s fingerprint information in the other’s electronic seal, which is used for identity verification during the exchange of electronic seals. Only those who have passed both nodes Only by identity verification can data communication be carried out securely. The specific process is as follows: the requesting node uses a random factor to encrypt the plaintext data to generate ciphertext data, and then uses the public key of the responding node’s electronic seal to encrypt the random factor to obtain the communication key. The ciphertext data, the communication key and the fingerprint information used to identify the requesting node are packaged and sent to the responding node. After receiving the file package, the responding node reads the fingerprint information and compares it with the fingerprint information reported by the requesting node , Only after the comparison is passed, can the requesting node be authorized to access the responding node, and then the responding node will call the corresponding encrypted private key, decrypt the encrypted private key and use the plaintext private key to decrypt the communication key to restore the random factor, and finally use Random factors analyze the ciphertext data to obtain plaintext data, and complete the ciphertext transmission of the requesting node to the responding node.
综上,本发明相比较于现有技术中的方案,由双方协商自制电子印章,无需再向CA机构申请数字证书,增加了应用的灵活性,通过强制的电子印章交换认证策略,可以保证通信密文不会被第三人窃取,提升双方通信的安全性,另外,在数据发送之前取消了双方的密钥的协商过程,增加了应用的便捷性。In summary, the present invention is compared with the solutions in the prior art. The two parties negotiate to make an electronic seal, no need to apply for a digital certificate from the CA, which increases the flexibility of application, and can ensure communication through a compulsory electronic seal exchange authentication strategy. The ciphertext will not be stolen by a third person, which improves the security of the communication between the two parties. In addition, the negotiation process of the two parties' keys is cancelled before the data is sent, which increases the convenience of the application.
本发明的另一方面提供一种基于身份认证的安全通讯装置,应用有上述技术方案提到的基于身份认证的安全通讯方法,该装置包括:Another aspect of the present invention provides a secure communication device based on identity authentication, which applies the secure communication method based on identity authentication mentioned in the above technical solution, and the device includes:
印章制作单元,用于由请求节点和响应节点分别制作各自的电子印章,所述电子印章中包括由签名算法、签名信息、加密算法、指纹信息、摘要算法、公钥和加密私钥组成的校验区;The seal making unit is used for making respective electronic seals by the requesting node and the responding node. The electronic seal includes a signature algorithm, signature information, encryption algorithm, fingerprint information, digest algorithm, public key, and encrypted private key. Inspection area
指纹登记单元,用于请求节点和响应节点互相报备对方电子印章中的指纹信息,用于在双方交换电子印章后,互相提取对方的指纹信息与报备的指纹信息比对以验证身份;The fingerprint registration unit is used for requesting nodes and responding nodes to report each other's fingerprint information in the electronic seal of the other party, and for comparing each other's fingerprint information with the reported fingerprint information after the two parties exchange electronic seals to verify identity;
文件加密单元,用于将所述压缩物流箱码报文保存于存储系统中,完成对所述原始物流箱码报文的归档;The file encryption unit is configured to store the compressed logistics box code message in a storage system, and complete the archiving of the original logistics box code message;
文件解密单元,用于响应节点将文件包中的指纹信息与报备的指纹信息比对,比对成功后解密响应节点所属电子印章的加密私钥,通过私钥解密文件包中的通讯密钥还原所述随机因子,进而使用所述随机因子解析所述密文数据得到明文数据。The file decryption unit is used for the responding node to compare the fingerprint information in the file package with the reported fingerprint information, decrypt the encrypted private key of the electronic seal to which the responding node belongs after the comparison is successful, and decrypt the communication key in the file package with the private key Restore the random factor, and then use the random factor to parse the ciphertext data to obtain plaintext data.
与现有技术相比,本发明提供的基于身份认证的安全通讯装置的有益效 果与上述技术方案提供的基于身份认证的安全通讯方法的有益效果相同,在此不做赘述。Compared with the prior art, the beneficial effects of the security communication device based on identity authentication provided by the present invention are the same as the beneficial effects of the security communication method based on identity authentication provided by the above technical solutions, and will not be repeated here.
本发明的第三方面提供一种计算机可读存储介质,计算机可读存储介质上存储有计算机程序,计算机程序被处理器运行时执行上述基于身份认证的安全通讯方法的步骤。A third aspect of the present invention provides a computer-readable storage medium on which a computer program is stored, and the computer program executes the steps of the above-mentioned identity authentication-based secure communication method when the computer program is run by a processor.
与现有技术相比,本发明提供的计算机可读存储介质的有益效果与上述技术方案提供的基于身份认证的安全通讯方法的有益效果相同,在此不做赘述。Compared with the prior art, the beneficial effects of the computer-readable storage medium provided by the present invention are the same as those of the secure communication method based on identity authentication provided by the above technical solutions, and will not be repeated here.
附图说明Description of the drawings
此处所说明的附图用来提供对本发明的进一步理解,构成本发明的一部分,本发明的示意性实施例及其说明用于解释本发明,并不构成对本发明的不当限定。在附图中:The drawings described here are used to provide a further understanding of the present invention and constitute a part of the present invention. The exemplary embodiments of the present invention and the description thereof are used to explain the present invention, and do not constitute an improper limitation of the present invention. In the attached picture:
图1为实施例一中基于身份认证的安全通讯方法的流程示意图;Fig. 1 is a schematic flow chart of a secure communication method based on identity authentication in the first embodiment;
图2为实施例一中基于身份认证的安全通讯方法的交互流程示意图;2 is a schematic diagram of the interaction process of the secure communication method based on identity authentication in the first embodiment;
图3为实施例一中电子印章的结构示例图。Fig. 3 is a diagram showing an example of the structure of an electronic seal in the first embodiment.
具体实施方式Detailed ways
为使本发明的上述目的、特征和优点能够更加明显易懂,下面将结合本发明实施例中的附图,对本发明实施例中的技术方案进行清楚、完整地描述。显然,所描述的实施例仅仅是本发明一部分实施例,而不是全部的实施例。基于本发明中的实施例,本领域普通技术人员在没有作出创造性劳动的前提下所获得的所有其它实施例,均属于本发明保护的范围。In order to make the above objectives, features, and advantages of the present invention more obvious and understandable, the technical solutions in the embodiments of the present invention will be described clearly and completely in conjunction with the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are only a part of the embodiments of the present invention, rather than all the embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative work shall fall within the protection scope of the present invention.
实施例一Example one
请参阅图1-图3,本实施例提供一种基于身份认证的安全通讯方法,包括:Referring to Figures 1 to 3, this embodiment provides a secure communication method based on identity authentication, including:
由请求节点和响应节点分别制作各自的电子印章,电子印章中包括由签名算法、签名信息、加密算法、指纹信息、摘要算法、公钥和加密私钥组成 的校验区;请求节点和响应节点互相报备对方电子印章中的指纹信息,用于在双方交换电子印章后,互相提取对方的指纹信息与报备的指纹信息比对以验证身份;双方节点在身份验证通过后,由请求节点使用随机因子对明文数据加密生成密文数据,以及使用响应节点电子印章的公钥加密随机因子得到通讯密钥,之后将密文数据、通讯密钥和请求节点电子印章中的指纹信息打包发送至响应节点;响应节点将文件包中的指纹信息与报备的指纹信息比对,比对成功后解密响应节点所属电子印章的加密私钥,通过私钥解密文件包中的通讯密钥还原随机因子,进而使用随机因子解析密文数据得到明文数据。The requesting node and the responding node respectively make their own electronic seals. The electronic seal includes a verification area composed of signature algorithm, signature information, encryption algorithm, fingerprint information, digest algorithm, public key and encrypted private key; request node and response node The fingerprint information in the electronic seal of the other party is reported to each other. After the two parties exchange the electronic seal, the fingerprint information of the other party is extracted and compared with the fingerprint information reported to verify the identity; the node of both parties will be used by the requesting node after the identity verification is passed. The random factor encrypts the plaintext data to generate ciphertext data, and uses the public key of the electronic seal of the responding node to encrypt the random factor to obtain the communication key, and then package the ciphertext data, the communication key and the fingerprint information in the electronic seal of the requesting node to the response Node; the responding node compares the fingerprint information in the file package with the reported fingerprint information, and after the comparison is successful, decrypts the encrypted private key of the electronic seal to which the responding node belongs, and uses the private key to decrypt the communication key in the file package to restore the random factor. Then use random factors to parse the ciphertext data to obtain plaintext data.
本实施例提供的基于身份认证的安全通讯方法中,首先由请求节点和响应节预先制作属于自己的电子印章,该电子印章中包括由签名算法、签名信息、加密算法、指纹信息、摘要算法、公钥和加密私钥组成的校验区,电子印章制作完成之后,请求节点和响应节点互相报备对方电子印章中的指纹信息,用于电子印章交换过程中的身份验证,只有通过了双方节点的身份验证,才可安全的进行数据通讯,具体过程如下:由请求节点使用随机因子对明文数据进行加密生成密文数据,接着使用响应节点电子印章的公钥加密随机因子得到通讯密钥,至此将密文数据、通讯密钥和用于识别请求节点身份的指纹信息打包发送至响应节点,响应节点在接收到文件包后,读取其中的指纹信息并与请求节点报备的指纹信息进行比对,仅在比对通过后方可授权请求节点接入响应节点,之后由响应节点调用所属的加密私钥,对加密私钥解密后使用明文私钥对通讯密钥进行解密从而还原随机因子,最终使用随机因子解析密文数据得到明文数据,完成请求节点对响应节点的密文传输。In the secure communication method based on identity authentication provided in this embodiment, the requesting node and the response section first make their own electronic seal in advance, and the electronic seal includes signature algorithm, signature information, encryption algorithm, fingerprint information, digest algorithm, The verification area composed of the public key and the encrypted private key. After the electronic seal is made, the requesting node and the responding node report each other's fingerprint information in the other's electronic seal, which is used for identity verification during the exchange of electronic seals. Only when the two nodes pass Data communication can be carried out safely. The specific process is as follows: the requesting node uses the random factor to encrypt the plaintext data to generate ciphertext data, and then uses the public key of the responding node’s electronic seal to encrypt the random factor to obtain the communication key. The ciphertext data, communication key, and fingerprint information used to identify the requesting node are packaged and sent to the responding node. After receiving the file package, the responding node reads the fingerprint information and compares it with the fingerprint information reported by the requesting node Yes, the requesting node can be authorized to access the responding node only after the comparison is passed, and then the responding node will call the corresponding encrypted private key, decrypt the encrypted private key and use the plaintext private key to decrypt the communication key to restore the random factor. Use random factors to parse the ciphertext data to obtain plaintext data, and complete the ciphertext transmission of the requesting node to the responding node.
综上,本实施例相比较于现有技术中的方案,由双方协商自制电子印章,无需再向CA机构申请数字证书,增加了应用的灵活性,通过强制的电子印章交换认证策略,可以保证通信密文不会被第三人窃取,提升双方通信的安全性,另外,在数据发送之前取消了双方的密钥的协商过程,提升了应用的便捷性。In summary, this embodiment is compared with the solution in the prior art. The two parties negotiate to make an electronic seal, and there is no need to apply for a digital certificate from the CA, which increases the flexibility of application. The mandatory electronic seal exchange authentication strategy can ensure The communication ciphertext will not be stolen by a third party, which improves the security of the communication between the two parties. In addition, the negotiation process of the two parties' keys is cancelled before the data is sent, which improves the convenience of the application.
请参阅图3,请求节点和响应节点分别制作各自的电子印章的方法包括:Please refer to Figure 3. The methods for requesting and responding nodes to make their own electronic seals include:
设计电子印章的分区,分区除校验区之外还包括头部区、印章信息区和尾部区;请求节点和响应节点基于电子印章的分区结构,将开始标记符、识别码和版本号对应填充入头部区,将持章人编号、持章人名称、颁发机构编号、颁发机构名称和有效期对应填充入印章信息区、将描述信息和结束标记符对应填充入尾部区,将签名算法、签名信息、加密算法、指纹信息、摘要算法、公钥和加密私钥对应填充入校验区。Design the partition of the electronic seal. In addition to the verification area, the partition also includes the head area, the seal information area and the tail area; the request node and the response node are based on the partition structure of the electronic seal, and the start tag, identification code and version number are filled correspondingly Enter the header area, fill in the seal information area with the chapter holder number, chapter holder name, issuing organization number, issuing organization name, and validity period correspondingly, fill in the description information and ending tag in the tail area, and fill in the signature algorithm and signature The information, encryption algorithm, fingerprint information, digest algorithm, public key and encryption private key are filled in the verification area correspondingly.
如图3所示,头部区的开始标记符为2字节、识别码为3字节、版本号为1字节,校验区的签名算法为8字节、签名信息为32字节、加密算法为8字节、指纹信息为32字节、摘要算法为8字节、公钥为32字节,加密私钥为32字节,印章信息区中的持章人编号为32字节、持章人名称为32字节、颁发机构编号为32字节、颁发机构名称为32字节、有效期信息为16字节,尾部区中的描述信息为62字节、结束标记符为2字节。可以理解的是,签名算法为对信息进行签名或验签的非对称性算法,如RSA、SM1,加密算法为对信息进行加密或解密的对称性算法,如AES、SM2,摘要算法为对信息进行摘要的算法,如MD5、SM3。As shown in Figure 3, the start tag of the header area is 2 bytes, the identification code is 3 bytes, the version number is 1 byte, the signature algorithm of the verification area is 8 bytes, and the signature information is 32 bytes. The encryption algorithm is 8 bytes, the fingerprint information is 32 bytes, the digest algorithm is 8 bytes, the public key is 32 bytes, the encryption private key is 32 bytes, and the holder number in the seal information area is 32 bytes, The name of the holder is 32 bytes, the number of the issuing authority is 32 bytes, the name of the issuing authority is 32 bytes, the validity period information is 16 bytes, the description information in the tail area is 62 bytes, and the end tag is 2 bytes . It is understandable that the signature algorithm is an asymmetric algorithm for signing or verifying information, such as RSA, SM1, the encryption algorithm is a symmetric algorithm for encrypting or decrypting information, such as AES, SM2, and the digest algorithm is for information Algorithm for digesting, such as MD5, SM3.
另外,本实施例将加密私钥放入电子印章中存储,能够妥善对私钥进行存储管理,降低了私钥持久化放在双方系统存储带来的管理风险。In addition, in this embodiment, the encrypted private key is stored in the electronic seal, which can properly store and manage the private key, and reduces the management risk caused by the persistent storage of the private key in the systems of both parties.
上述实施例中的公钥和加密私钥的生成方法包括:根据电子印章中的签名算法随机生成一对公钥和私钥;基于请求节点预设的印章密码PIN,加密所属私钥生成请求节点电子印章的加密私钥;以及,基于响应节点预设的印章密码PIN,加密所属私钥生成响应节点电子印章的加密私钥。The method for generating a public key and an encrypted private key in the foregoing embodiment includes: randomly generating a pair of public key and private key according to the signature algorithm in the electronic seal; and encrypting the private key to generate the requesting node based on the seal password PIN preset by the requesting node The encrypted private key of the electronic seal; and, based on the seal password PIN preset by the responding node, encrypt the private key to generate the encrypted private key of the electronic seal of the responding node.
具体实施时,假设请求节点的电子印章为A,对应的电子印章A的签名算法为SA,响应节点的电子印章为B,对应的电子印章B的签名算法为SB,请求节点根据签名算法SA生成公钥SA.PublicKey和私钥SA.PrivateKey,响应节点根据签名算法SB生成公钥SB.PublicKey和私钥SB.PrivateKey,之后将公钥SA.PublicKey对应填充入电子印章A的公钥区,将公钥SB.PublicKey对应填充入电子印章B的公钥区,紧接着对私钥SA.PrivateKey和私钥 SB.PrivateKey加密,具体为采用请求节点预设的印章密码PIN对私钥SA.PrivateKey加密得到电子印章A的加密私钥,采用响应节点预设的印章密码PIN对私钥SB.PrivateKey加密得到电子印章B的加密私钥,可用公式表达为:私钥=EA.Encrypt(SA.PrivateKey,PIN),进而将SA.PrivateKey填充入电子印章A的私钥区,以及SB.PrivateKey对应填充入电子印章B的私钥区,完成对电子印章A和电子印章B校验区的填充。In specific implementation, suppose that the electronic seal of the requesting node is A, the signature algorithm of the corresponding electronic seal A is SA, the electronic seal of the responding node is B, the signature algorithm of the corresponding electronic seal B is SB, and the requesting node generates according to the signature algorithm SA The public key SA.PublicKey and the private key SA.PrivateKey, the responding node generates the public key SB.PublicKey and the private key SB.PrivateKey according to the signature algorithm SB, and then fills the public key SA.PublicKey into the public key area of the electronic seal A. The public key SB.PublicKey is correspondingly filled into the public key area of the electronic seal B, and then the private key SA.PrivateKey and the private key SB.PrivateKey are encrypted. Specifically, the private key SA.PrivateKey is encrypted with the seal password PIN preset by the requesting node Obtain the encrypted private key of electronic seal A, and use the seal password PIN preset by the responding node to encrypt the private key SB.PrivateKey to obtain the encrypted private key of electronic seal B. The formula can be expressed as: private key=EA.Encrypt(SA.PrivateKey, PIN), then SA.PrivateKey is filled into the private key area of electronic seal A, and SB.PrivateKey is filled into the private key area of electronic seal B correspondingly, to complete the filling of the verification area of electronic seal A and electronic seal B.
进一步地,上述实施例中的指纹信息的生成方法包括:将电子印章中的持章人编号和持章人名称进行字符串拼接,并使用对应的印章密码PIN对字符串的拼接结果加密形成密文;采用摘要算法对密文进行摘要,得到摘要字符串;通过签名算法对应的私钥对摘要字符串签名,得到电子印章的指纹信息。Further, the method for generating fingerprint information in the foregoing embodiment includes: string splicing the seal holder number and the seal holder name in the electronic seal, and encrypting the splicing result of the string using the corresponding seal password PIN to form a secret Text; Digest the ciphertext using the digest algorithm to obtain the digest string; use the private key corresponding to the signature algorithm to sign the digest string to obtain the fingerprint information of the electronic seal.
具体实施时,以电子印章A中指纹信息的生成为例,其可通过公式表达为:指纹信息=SA.Sign(DA(EA(ID+Name,PIN)),SA.PrivateKey),其中,ID表示持章人编号编号、Name表示持章人名称、EA表示加密算法、DA表示摘要算法,指纹信息是指对电子印章内关键域信息进行签名后得到的结果表示,上述公式可以理解为,将电子印章中的持章人编号和持章人名称进行字符串拼接,然后使用印章密码PIN作为加密算法(对称性算法)的密钥对字符串的拼接结果进行加密,形成密文,接着通过摘要算法对密文进行摘要得到摘要字符串,最后通过签名算法(非对称性算法)的私钥对摘要字符串进行签名,形成指纹信息。同理,电子印章B中指纹信息的生成与电子印章A相同,本实施例对此不做赘述。示例性地,持章人编号可以是身份证号、社会信用统一识别编号或组织机构编号。In specific implementation, take the generation of fingerprint information in electronic seal A as an example, which can be expressed by the formula: fingerprint information=SA.Sign(DA(EA(ID+Name,PIN)),SA.PrivateKey), where ID It means the number of the holder of the seal, Name means the name of the holder, EA means the encryption algorithm, DA means the digest algorithm, fingerprint information refers to the result obtained after signing the key domain information in the electronic seal. The above formula can be understood as: The serial number of the holder and the name of the holder in the electronic seal are spliced, and then the seal password PIN is used as the key of the encryption algorithm (symmetric algorithm) to encrypt the splicing result of the string to form a cipher text, and then pass the abstract The algorithm digests the ciphertext to obtain the digest string, and finally signs the digest string with the private key of the signature algorithm (asymmetric algorithm) to form fingerprint information. In the same way, the generation of fingerprint information in the electronic seal B is the same as that in the electronic seal A, which is not repeated in this embodiment. Exemplarily, the chapter holder number may be an ID card number, a social credit uniform identification number, or an organization number.
进一步地,上述实施例中签名信息的生成方法包括:定义电子印章中的关键域字节,关键域字节为电子印章的特征字节;将关键域字节通过摘要算法进行摘要,得到关键域字符串;通过签名算法对应的私钥对关键域字符串签名,形成电子印章的签名信息。Further, the method for generating signature information in the foregoing embodiment includes: defining key field bytes in the electronic seal, where the key field bytes are characteristic bytes of the electronic seal; and digesting the key field bytes through a digest algorithm to obtain the key field String: The key field string is signed by the private key corresponding to the signature algorithm to form the signature information of the electronic seal.
具体实施时,以电子印章A中签名信息的生成为例,通过公式表达为: 签名信息=SA.Sign(DA(content),SA.PrivateKey),其中,content表示关键域字节,如图3所示,也即电子印章中“加密算法”区域至“结束标记符”区域中的所有字段(电子印章中46字节后续的内容),将关键域字节通过摘要算法进行摘要,得到关键域字符串,然后通过签名算法对应的私钥对关键域字符串进行签名,形成电子印章A的签名信息。同理,电子印章B中签名信息的生成与电子印章A相同,本实施例对此不做赘述。In specific implementation, take the generation of signature information in electronic seal A as an example, expressed by the formula: signature information=SA.Sign(DA(content), SA.PrivateKey), where content represents the key field byte, as shown in Figure 3. As shown, that is, all fields from the "encryption algorithm" area to the "end tag" area in the electronic seal (the content after the 46 bytes in the electronic seal), the key field bytes are summarized by the abstract algorithm to obtain the key field Then use the private key corresponding to the signature algorithm to sign the key domain string to form the signature information of the electronic seal A. In the same way, the generation of the signature information in the electronic seal B is the same as that of the electronic seal A, which is not repeated in this embodiment.
至此,签章构建阶段完成,生成了一个可用于身份识别、安全数据通讯的电子印章A和电子印章B,接下来开始签章的校验阶段。At this point, the signature construction phase is completed, and an electronic seal A and electronic seal B that can be used for identification and secure data communication are generated, and then the verification phase of the signature begins.
具体地,上述实施例中双方交换电子印章后,互相提取对方的指纹信息与报备的指纹信息比对以验证身份的方法包括:Specifically, in the above-mentioned embodiment, after the two parties exchange electronic seals, the method of mutually extracting each other's fingerprint information and comparing the reported fingerprint information to verify identity includes:
请求节点将所属电子印章发送至响应节点,以使响应节点读取请求节点所属电子印章的签名算法、公钥、摘要算法和签名信息;由响应节点读取请求节点所属电子印章中的关键域字节,基于摘要算法进行摘要得到摘要字符串,并使用签名算法的公钥对关键域字节执行验签;验签通过后,响应节点将请求节点所属电子印章的指纹信息与请求节点报备的指纹信息比对,比对结果一致时授权请求节点接入;响应节点将所属电子印章发送至请求节点,以使请求节点读取响应节点所属电子印章的签名算法、公钥、摘要算法和签名信息;由请求节点读取响应节点所属电子印章中的关键域字节,基于摘要算法进行摘要得到摘要字符串,并使用签名算法的公钥对关键域字节执行验签;验签通过后,请求节点将响应节点所属电子印章的指纹信息与响应节点报备的指纹信息比对,比对结果一致时授权响应节点接入。The requesting node sends the electronic seal to the responding node, so that the responding node can read the signature algorithm, public key, digest algorithm, and signature information of the electronic seal of the requesting node; the responding node reads the key domain words in the electronic seal of the requesting node Section, digest the digest string based on the digest algorithm, and use the public key of the signature algorithm to verify the key field bytes; after the verification is passed, the responding node will send the fingerprint information of the electronic seal of the requesting node to the information reported by the requesting node. Fingerprint information comparison, when the comparison results are consistent, the requesting node is authorized to access; the responding node sends the electronic seal to the requesting node, so that the requesting node can read the signature algorithm, public key, digest algorithm and signature information of the electronic seal of the responding node ; The requesting node reads the key field bytes in the electronic seal to which the responding node belongs, digests the digest string based on the digest algorithm, and uses the public key of the signature algorithm to perform verification on the key field bytes; after the verification is passed, the request The node compares the fingerprint information of the electronic seal to which the responding node belongs with the fingerprint information reported by the responding node, and authorizes the responding node to access when the comparison results are consistent.
请参阅图3,上述实施例可以理解为双方节点交换电子印章以及身份验证的过程,首先由请求节点将电子印章A发送至响应节点,响应节点接收到电子印章A后对其进行验签操作,之后读取电子印章A中的指纹信息并与电子印章A在响应节点中报备的指纹信息比对,当比对结果一致时认为电子印章A的身份合法,此时授权请求节点接入响应节点,响应节点验证完请求节点的身份之后,请求节点还得继续验证响应节点的身份,也即响应节点将电子 印章B发送至请求节点,请求节点接收到电子印章B后对其进行验签操作,之后读取电子印章B中的指纹信息并与电子印章B在请求节点中报备的指纹信息比对,当比对结果一致时认为电子印章B的身份合法,此时授权响应节点接入请求节点。Referring to Figure 3, the above embodiment can be understood as the process of exchanging electronic seals and identity verification between the two nodes. First, the requesting node sends the electronic seal A to the responding node, and the responding node performs the verification operation on the electronic seal A after receiving it. Then read the fingerprint information in the electronic seal A and compare it with the fingerprint information reported by the electronic seal A in the response node. When the comparison results are consistent, the identity of the electronic seal A is considered legal, and the requesting node is authorized to access the response node. After the responding node has verified the identity of the requesting node, the requesting node must continue to verify the identity of the responding node, that is, the responding node sends the electronic seal B to the requesting node, and the requesting node performs the verification operation after receiving the electronic seal B. Then read the fingerprint information in the electronic seal B and compare it with the fingerprint information reported by the electronic seal B in the requesting node. When the comparison results are consistent, the identity of the electronic seal B is considered legal, and the responding node is authorized to access the requesting node. .
以响应节点对电子印章A验签操作为例说明,其可通过公式表达为:验签=SA.Verify(DA(content),SA.PublicKey,SI),SI表示电子印章A中的签名信息,上述公式理解为:通过签名算法(非对称性算法)的公钥和电子印章A签章文件结构的签名信息(SI)进行验签操作,如果验签成功代表签章文件未被篡改,如果验签不成功则代表签章文件被篡改。Taking the verification operation of the electronic seal A by the response node as an example, it can be expressed by the formula: verification=SA.Verify(DA(content),SA.PublicKey,SI), where SI represents the signature information in the electronic seal A, The above formula is understood as: the signature verification operation is performed through the public key of the signature algorithm (asymmetric algorithm) and the signature information (SI) of the electronic seal A signature file structure. If the verification is successful, it means that the signature file has not been tampered with. Unsuccessful signing means that the signature file has been tampered with.
以响应节点对电子印章A身份合法性验证为例说明,其可通过公式表达为:身份=If(Equal(A.DS.指纹信息,登记电子印章A.指纹信息)),上述公式理解为:从电子印章A的签章文件内取出,指纹信息并与响应节点中报备的指纹信息进行比对,比对结果一致则授权请求节点的接入。Taking the verification of the identity legality of electronic seal A by the responding node as an example, it can be expressed by the formula: identity=If(Equal(A.DS. fingerprint information, registered electronic seal A. fingerprint information)), the above formula is understood as: Take out the signature file of electronic seal A, and compare the fingerprint information with the fingerprint information reported in the responding node. If the comparison result is consistent, the requesting node is authorized to access.
另外,请求节点对电子印章B的验签操作和身份合法性验证操作,与上述响应节点对电子印章A的验签操作和身份合法性验证操作相同,本实施例对此不做赘述。In addition, the signature verification operation and the identity legality verification operation of the requesting node on the electronic seal B are the same as the above-mentioned response node verification operation and the identity legality verification operation on the electronic seal A, which will not be repeated in this embodiment.
至此,双方的签章校验阶段完成,接下来开始双方的加解密通讯阶段。At this point, the signature verification phase of both parties is completed, and then the encryption and decryption communication phase of both parties begins.
上述实施例中由请求节点使用随机因子对明文数据加密生成密文数据,以及使用响应节点电子印章的公钥加密随机因子得到通讯密钥,之后将密文数据、通讯密钥和请求节点电子印章中的指纹信息打包发送至响应节点的方法包括:In the above embodiment, the requesting node uses the random factor to encrypt the plaintext data to generate the ciphertext data, and the public key of the responding node’s electronic seal is used to encrypt the random factor to obtain the communication key, and then the ciphertext data, the communication key and the requesting node’s electronic seal The method of packaging and sending the fingerprint information to the responding node includes:
请求节点生成随机因子,用于对明文数据加密得到密文数据;请求节点使用响应节点所属电子印章的公钥对随机因子加密,生成通讯密钥;请求节点将通讯密钥、密文数据和所属电子印章的指纹信息打包发送至响应节点。The requesting node generates a random factor, which is used to encrypt the plaintext data to obtain the ciphertext data; the requesting node uses the public key of the electronic seal to which the responding node belongs to encrypt the random factor to generate a communication key; the requesting node encrypts the communication key, ciphertext data, and belonging The fingerprint information of the electronic seal is packaged and sent to the responding node.
具体实施时,请求节点加密明文数据得到密文数据的方案可通过公式表达为:密文数据=B.EA(A.plainText,Key),其中,plainText为明文数据,Key为随机生成的加密因子,且Key既可以选用固定的字符串,也可以为每次加 密时生成的随机数,上述公式可以理解为使用加密因子Key作为加密算法(对称性算法)的密钥,并使用对方签章内所要求的加密算法(对称性算法)对明文数据(plainText)进行加密,生成密文数据。请求节点加密随机因子生成通讯密钥的方案可通过公式表达为:通讯密钥=B.SA.Encrypt(Key,B.SA.PublicKey),可以理解为通过对方签章内所要求的签名算法(非对称性算法)的公钥对我方生成的加密因子(Key)进行加密,形成通讯密钥。In specific implementation, the scheme for requesting nodes to encrypt plaintext data to obtain ciphertext data can be expressed by the formula: ciphertext data=B.EA(A.plainText, Key), where plainText is plaintext data, and Key is a randomly generated encryption factor , And the Key can be either a fixed string or a random number generated during each encryption. The above formula can be understood as using the encryption factor Key as the key of the encryption algorithm (symmetric algorithm) and using the signature of the other party The required encryption algorithm (symmetric algorithm) encrypts plaintext data (plainText) to generate ciphertext data. The scheme of requesting the node to encrypt the random factor to generate the communication key can be expressed by the formula: communication key=B.SA.Encrypt(Key, B.SA.PublicKey), which can be understood as the signature algorithm required by the other party's signature ( The public key of the asymmetric algorithm encrypts the encryption factor (Key) generated by our party to form the communication key.
进一步地,上述实施例中响应节点将文件包中的指纹信息与报备的指纹信息比对,比对成功后解密响应节点所属电子印章的加密私钥,通过私钥解密文件包中的通讯密钥还原随机因子,进而使用随机因子解析密文数据得到明文数据的方法包括:Further, in the above-mentioned embodiment, the responding node compares the fingerprint information in the file package with the reported fingerprint information, and after the comparison is successful, decrypts the encrypted private key of the electronic seal to which the responding node belongs, and decrypts the communication secret in the file package through the private key. The key to restore the random factor, and then use the random factor to parse the ciphertext data to obtain the plaintext data includes:
响应节点读取文件包中的指纹信息,并与请求节点报备的指纹信息比对;比对通过后,由响应节点读取所属电子印章的加密算法、签名算法、加密私钥以及预设的印章密码PIN,解密出响应节点所属电子印章的私钥;通过私钥解析通讯密钥还原随机因子,最终利用随机因子解析密文数据得到明文数据。The responding node reads the fingerprint information in the file package and compares it with the fingerprint information reported by the requesting node; after the comparison is passed, the responding node reads the encryption algorithm, signature algorithm, encryption private key and preset of the electronic seal. The seal password PIN decrypts the private key of the electronic seal to which the responding node belongs; analyzes the communication key through the private key to restore the random factor, and finally uses the random factor to parse the ciphertext data to obtain the plaintext data.
具体实施时,响应节点在接收到文件包之后,首先读取文件包中的指纹信息,并与请求节点报备的指纹信息比对,做到一次一校保证确保数据传输的安全性,比对通过后,从电子印章B中读取加密私钥(SB.PrivateKey)。In specific implementation, after receiving the file package, the responding node first reads the fingerprint information in the file package, and compares it with the fingerprint information reported by the requesting node, so that one school at a time ensures the security of data transmission. After passing, read the encrypted private key (SB.PrivateKey) from the electronic seal B.
若要使用明文私钥还需对加密私钥解密,解密公式为:B.SA.PrivateKey=B.EA.Decrypt(B.SecureKey,PIN),也即首选读出签章内的加密算法,并使用PIN作为加密算法(对称性算法)的密钥对加密私钥进行解密,解密后的明文即是明文私钥。If you want to use the plaintext private key, you need to decrypt the encrypted private key. The decryption formula is: B.SA.PrivateKey=B.EA.Decrypt(B.SecureKey, PIN), that is, it is preferred to read the encryption algorithm in the signature, and Use PIN as the key of the encryption algorithm (symmetric algorithm) to decrypt the encrypted private key, and the decrypted plaintext is the plaintext private key.
若要得到随机因子还需继续对通讯密钥解密,解密公式为:A.Key=B.SA.Decrypt(通讯密钥,B.SA.PrivateKey),也即首先读出签章内的签名算法,并使用已解出的签名算法(非对称性算法)的明文私钥对文件包中的通讯密钥进行解密,解密后得到请求节点的随机因子(Key)。If you want to get the random factor, you need to continue to decrypt the communication key. The decryption formula is: A.Key=B.SA.Decrypt (communication key, B.SA.PrivateKey), that is, first read out the signature algorithm in the signature , And use the plaintext private key of the solved signature algorithm (asymmetric algorithm) to decrypt the communication key in the file package, and obtain the random factor (Key) of the requesting node after decryption.
若要得到明文数据还需对密文数据解密,解密公式为:A.plainText=B.EA.Decrypt(密文,A.Key),也即首选读出签章内的加密算法,并使用已 解出的随机因子作为加密算法(对称性算法)的密钥对密文数据进行解密,解密后明文数据。If you want to get the plaintext data, you need to decrypt the ciphertext data. The decryption formula is: A.plainText=B.EA.Decrypt (ciphertext, A.Key), that is, it is preferred to read out the encryption algorithm in the signature and use the The solved random factor is used as the key of the encryption algorithm (symmetric algorithm) to decrypt the ciphertext data, and the plaintext data is decrypted.
至此,响应节点完成了对请求节点的数据加密通信,同理,请求节点对请求节点的数据加密通信为上述实施过程的逆过程,请参阅图2,当响应节点向请求节点发送密文数据时,相应节点负责生成加密因子,并使用请求节点的电子印章A进行通讯密钥和密文数据的生成,请求节点接收到密文数据、通讯密钥和电子印章B的指纹信息后,用自己的电子印章A进行解密获得明文数据。So far, the responding node has completed the data encryption communication of the requesting node. Similarly, the requesting node's data encryption communication to the requesting node is the inverse process of the above implementation process. Please refer to Figure 2. When the responding node sends ciphertext data to the requesting node , The corresponding node is responsible for generating the encryption factor, and uses the electronic seal A of the requesting node to generate the communication key and ciphertext data. After the requesting node receives the ciphertext data, the communication key and the fingerprint information of the electronic seal B, it uses its own The electronic seal A is decrypted to obtain plaintext data.
需要说明的是,本实施例设计了电子印章的校验区,持章者通过制定对称性和非对称性的加密算法,可尽量降低已知算法的安全缺陷并提高总体的算法强度。同时,本实施例提供的是业务数据(非协议)层面安全通讯方案,实现通讯双方数据安全的自主可控。It should be noted that the verification area of the electronic seal is designed in this embodiment, and the seal holder can reduce the security defects of known algorithms as much as possible and improve the overall algorithm strength by formulating symmetric and asymmetric encryption algorithms. At the same time, this embodiment provides a secure communication solution at the service data (non-protocol) level to realize independent and controllable data security for both parties in communication.
实施例二Example two
本实施例提供一种基于身份认证的安全通讯装置,包括:This embodiment provides a secure communication device based on identity authentication, including:
印章制作单元,用于由请求节点和响应节点分别制作各自的电子印章,所述电子印章中包括由签名算法、签名信息、加密算法、指纹信息、摘要算法、公钥和加密私钥组成的校验区;The seal making unit is used for making respective electronic seals by the requesting node and the responding node. The electronic seal includes a signature algorithm, signature information, encryption algorithm, fingerprint information, digest algorithm, public key, and encrypted private key. Inspection area
指纹登记单元,用于请求节点和响应节点互相报备对方电子印章中的指纹信息,用于在双方交换电子印章后,互相提取对方的指纹信息与报备的指纹信息比对以验证身份;The fingerprint registration unit is used for requesting nodes and responding nodes to report each other's fingerprint information in the electronic seal of the other party, and for comparing each other's fingerprint information with the reported fingerprint information after the two parties exchange electronic seals to verify identity;
文件加密单元,用于将所述压缩物流箱码报文保存于存储系统中,完成对所述原始物流箱码报文的归档;The file encryption unit is configured to store the compressed logistics box code message in a storage system, and complete the archiving of the original logistics box code message;
文件解密单元,用于响应节点将文件包中的指纹信息与报备的指纹信息比对,比对成功后解密响应节点所属电子印章的加密私钥,通过私钥解密文件包中的通讯密钥还原所述随机因子,进而使用所述随机因子解析所述密文数据得到明文数据。The file decryption unit is used for the responding node to compare the fingerprint information in the file package with the reported fingerprint information, decrypt the encrypted private key of the electronic seal to which the responding node belongs after the comparison is successful, and decrypt the communication key in the file package with the private key Restore the random factor, and then use the random factor to parse the ciphertext data to obtain plaintext data.
与现有技术相比,本实施例提供的基于身份认证的安全通讯装置的有益效果与上述实施例提供的基于身份认证的安全通讯方法的有益效果相同,在此不做赘述。Compared with the prior art, the beneficial effects of the secure communication device based on identity authentication provided in this embodiment are the same as those of the secure communication method based on identity authentication provided in the foregoing embodiments, and will not be repeated here.
实施例三Example three
本实施例提供一种计算机可读存储介质,计算机可读存储介质上存储有计算机程序,计算机程序被处理器运行时执行上述基于身份认证的安全通讯方法的步骤。This embodiment provides a computer-readable storage medium on which a computer program is stored. When the computer program is run by a processor, the steps of the above-mentioned identity authentication-based secure communication method are executed.
与现有技术相比,本实施例提供的计算机可读存储介质的有益效果与上述技术方案提供的基于身份认证的安全通讯方法的有益效果相同,在此不做赘述。Compared with the prior art, the beneficial effects of the computer-readable storage medium provided in this embodiment are the same as those of the secure communication method based on identity authentication provided by the above technical solutions, and will not be repeated here.
本领域普通技术人员可以理解,实现上述发明方法中的全部或部分步骤是可以通过程序来指令相关的硬件来完成,上述程序可以存储于计算机可读取存储介质中,该程序在执行时,包括上述实施例方法的各步骤,上述的存储介质可以是:ROM/RAM、磁碟、光盘、存储卡等。A person of ordinary skill in the art can understand that all or part of the steps in the above-mentioned inventive method can be implemented by a program instructing relevant hardware. The above-mentioned program can be stored in a computer readable storage medium. When the program is executed, it includes For each step of the method in the foregoing embodiment, the foregoing storage medium may be: ROM/RAM, magnetic disk, optical disk, memory card, and so on.
以上,仅为本发明的具体实施方式,但本发明的保护范围并不局限于此,任何熟悉本技术领域的技术人员在本发明揭露的技术范围内,可轻易想到变化或替换,都应涵盖在本发明的保护范围之内。因此,本发明的保护范围应以所述权利要求的保护范围为准。The above are only specific implementations of the present invention, but the protection scope of the present invention is not limited to this. Any person skilled in the art can easily think of changes or substitutions within the technical scope disclosed by the present invention, and they should all be covered. Within the protection scope of the present invention. Therefore, the protection scope of the present invention should be subject to the protection scope of the claims.

Claims (10)

  1. 一种基于身份认证的安全通讯方法,其特征在于,包括:A secure communication method based on identity authentication, which is characterized in that it includes:
    由请求节点和响应节点分别制作各自的电子印章,所述电子印章中包括由签名算法、签名信息、加密算法、指纹信息、摘要算法、公钥和加密私钥组成的校验区;The requesting node and the responding node respectively make their own electronic seals, and the electronic seals include a verification area composed of a signature algorithm, signature information, encryption algorithm, fingerprint information, digest algorithm, public key, and encrypted private key;
    请求节点和响应节点互相报备对方电子印章中的指纹信息,用于在双方交换电子印章后,互相提取对方的指纹信息与报备的指纹信息比对以验证身份;The requesting node and the responding node report each other's fingerprint information in the electronic seal of the other party, which is used to compare each other's fingerprint information with the reported fingerprint information after the two parties exchange electronic seals to verify their identity;
    双方节点在身份验证通过后,由请求节点使用随机因子对明文数据加密生成密文数据,以及使用响应节点电子印章的公钥加密所述随机因子得到通讯密钥,之后将所述密文数据、所述通讯密钥和请求节点电子印章中的指纹信息打包发送至响应节点;After the two nodes pass the identity verification, the requesting node encrypts the plaintext data with a random factor to generate ciphertext data, and encrypts the random factor with the public key of the electronic seal of the responding node to obtain the communication key. Then, the ciphertext data, The communication key and the fingerprint information in the electronic seal of the requesting node are packaged and sent to the responding node;
    响应节点将文件包中的指纹信息与报备的指纹信息比对,比对成功后解密响应节点所属电子印章的加密私钥,通过私钥解密文件包中的通讯密钥还原所述随机因子,进而使用所述随机因子解析所述密文数据得到明文数据。The responding node compares the fingerprint information in the file package with the reported fingerprint information, and after the comparison is successful, decrypts the encrypted private key of the electronic seal to which the responding node belongs, and decrypts the communication key in the file package with the private key to restore the random factor, The random factor is then used to parse the ciphertext data to obtain plaintext data.
  2. 根据权利要求1所述的方法,其特征在于,请求节点和响应节点分别制作各自的电子印章的方法包括:The method according to claim 1, wherein the method for the requesting node and the responding node to make their own electronic seals respectively comprises:
    设计电子印章的分区,所述分区除校验区之外还包括头部区、印章信息区和尾部区;Design the partition of the electronic seal, which includes a header area, a seal information area, and a tail area in addition to the verification area;
    请求节点和响应节点基于电子印章的分区结构,将开始标记符、识别码和版本号对应填充入头部区,将持章人编号、持章人名称、颁发机构编号、颁发机构名称和有效期对应填充入印章信息区、将描述信息和结束标记符对应填充入尾部区,将签名算法、签名信息、加密算法、指纹信息、摘要算法、公钥和加密私钥对应填充入校验区。The request node and the response node are based on the partition structure of the electronic seal, and the start tag, identification code and version number are filled into the header area correspondingly, and the chapter holder number, chapter holder name, issuing organization number, issuing organization name, and validity period are correspondingly filled. Fill in the seal information area, fill the description information and the end marker into the tail area correspondingly, and fill the signature algorithm, signature information, encryption algorithm, fingerprint information, digest algorithm, public key, and encryption private key into the verification area correspondingly.
  3. 根据权利要求2所述的方法,其特征在于,所述公钥和所述加密私钥的生成方法包括:The method according to claim 2, wherein the method for generating the public key and the encrypted private key comprises:
    根据电子印章中的签名算法随机生成一对公钥和私钥;Randomly generate a pair of public key and private key according to the signature algorithm in the electronic seal;
    基于请求节点预设的印章密码PIN,加密所属私钥生成请求节点电子印章的加密私钥;以及,Based on the seal password PIN preset by the requesting node, encrypt the private key to generate the encrypted private key of the electronic seal of the requesting node; and,
    基于响应节点预设的印章密码PIN,加密所属私钥生成响应节点电子印章的加密私钥。Based on the seal password PIN preset by the responding node, encrypt the private key to generate the encrypted private key of the electronic seal of the responding node.
  4. 根据权利要求3所述的方法,其特征在于,所述指纹信息的生成方法包括:The method according to claim 3, wherein the method for generating fingerprint information comprises:
    将电子印章中的持章人编号和持章人名称进行字符串拼接,并使用对应的印章密码PIN对字符串的拼接结果加密形成密文;Perform string splicing on the number of the holder and the name of the holder in the electronic seal, and use the corresponding seal password PIN to encrypt the splicing result of the string to form a cipher text;
    采用摘要算法对所述密文进行摘要,得到摘要字符串;Digest the ciphertext using a digest algorithm to obtain a digest string;
    通过签名算法对应的私钥对所述摘要字符串签名,得到电子印章的指纹信息。The digest string is signed by the private key corresponding to the signature algorithm to obtain the fingerprint information of the electronic seal.
  5. 根据权利要求3所述的方法,其特征在于,所述签名信息的生成方法包括:The method according to claim 3, wherein the method for generating the signature information comprises:
    定义电子印章中的关键域字节,所述关键域字节为电子印章的特征字节;Define the key field bytes in the electronic seal, where the key field bytes are characteristic bytes of the electronic seal;
    将所述关键域字节通过摘要算法进行摘要,得到关键域字符串;Digest the key field bytes through a digest algorithm to obtain a key field string;
    通过签名算法对应的私钥对所述关键域字符串签名,形成电子印章的签名信息。The key domain character string is signed by the private key corresponding to the signature algorithm to form the signature information of the electronic seal.
  6. 根据权利要求2所述的方法,其特征在于,双方交换电子印章后,互相提取对方的指纹信息与报备的指纹信息比对以验证身份的方法包括:The method according to claim 2, wherein after the two parties exchange electronic seals, the method of extracting each other's fingerprint information and comparing the reported fingerprint information to verify identity comprises:
    请求节点将所属电子印章发送至响应节点,以使响应节点读取请求节点所属电子印章的签名算法、公钥、摘要算法和签名信息;The requesting node sends the electronic seal to the responding node, so that the responding node can read the signature algorithm, public key, digest algorithm, and signature information of the electronic seal of the requesting node;
    由响应节点读取请求节点所属电子印章中的关键域字节,基于所述摘要算法进行摘要得到摘要字符串,并使用所述签名算法的公钥对所述关键域字节 执行验签;The response node reads the key field bytes in the electronic seal to which the requesting node belongs, performs a digest based on the digest algorithm to obtain a digest string, and uses the public key of the signature algorithm to perform verification on the key field bytes;
    验签通过后,响应节点将请求节点所属电子印章的指纹信息与请求节点报备的指纹信息比对,比对结果一致时授权请求节点接入;After the verification is passed, the responding node compares the fingerprint information of the electronic seal of the requesting node with the fingerprint information reported by the requesting node, and authorizes the requesting node to access when the comparison results are consistent;
    响应节点将所属电子印章发送至请求节点,以使请求节点读取响应节点所属电子印章的签名算法、公钥、摘要算法和签名信息;The responding node sends the electronic seal to the requesting node so that the requesting node can read the signature algorithm, public key, digest algorithm, and signature information of the electronic seal to which the responding node belongs;
    由请求节点读取响应节点所属电子印章中的关键域字节,基于所述摘要算法进行摘要得到摘要字符串,并使用所述签名算法的公钥对所述关键域字节执行验签;The requesting node reads the key field bytes in the electronic seal to which the responding node belongs, performs a digest based on the digest algorithm to obtain a digest string, and uses the public key of the signature algorithm to perform verification on the key field bytes;
    验签通过后,请求节点将响应节点所属电子印章的指纹信息与响应节点报备的指纹信息比对,比对结果一致时授权响应节点接入。After the verification is passed, the requesting node compares the fingerprint information of the electronic seal to which the responding node belongs with the fingerprint information reported by the responding node, and authorizes the responding node to access when the comparison results are consistent.
  7. 根据权利要求6所述的方法,其特征在于,由请求节点使用随机因子对明文数据加密生成密文数据,以及使用响应节点电子印章的公钥加密所述随机因子得到通讯密钥,之后将所述密文数据、所述通讯密钥和请求节点电子印章中的指纹信息打包发送至响应节点的方法包括:The method according to claim 6, characterized in that the requesting node uses a random factor to encrypt the plaintext data to generate the ciphertext data, and the public key of the electronic seal of the responding node is used to encrypt the random factor to obtain the communication key, and then the all The method for packaging and sending the ciphertext data, the communication key, and the fingerprint information in the electronic seal of the requesting node to the responding node includes:
    请求节点生成随机因子,用于对所述明文数据加密得到密文数据;Request the node to generate a random factor for encrypting the plaintext data to obtain ciphertext data;
    请求节点使用响应节点所属电子印章的公钥对所述随机因子加密,生成通讯密钥;The requesting node uses the public key of the electronic seal to which the responding node belongs to encrypt the random factor to generate a communication key;
    请求节点将所述通讯密钥、所述密文数据和所属电子印章的指纹信息打包发送至响应节点。The requesting node packs and sends the communication key, the ciphertext data and the fingerprint information of the electronic seal to the responding node.
  8. 根据权利要求7所述的方法,其特征在于,响应节点将文件包中的指纹信息与报备的指纹信息比对,比对成功后解密响应节点所属电子印章的加密私钥,通过私钥解密文件包中的通讯密钥还原所述随机因子,进而使用所述随机因子解析所述密文数据得到明文数据的方法包括:The method according to claim 7, wherein the responding node compares the fingerprint information in the file package with the reported fingerprint information, and after the comparison is successful, the encrypted private key of the electronic seal to which the responding node belongs is decrypted, and the private key is used to decrypt The method of restoring the random factor by the communication key in the file package, and then using the random factor to parse the ciphertext data to obtain plaintext data includes:
    响应节点读取文件包中的指纹信息,并与请求节点报备的指纹信息比对;The responding node reads the fingerprint information in the file package and compares it with the fingerprint information reported by the requesting node;
    比对通过后,由响应节点读取所属电子印章的加密算法、签名算法、加 密私钥以及预设的印章密码PIN,解密出响应节点所属电子印章的私钥;After the comparison is passed, the responding node reads the encryption algorithm, signature algorithm, encryption private key and the preset seal password PIN of the electronic seal to which the responding node belongs, and decrypts the private key of the electronic seal to which the responding node belongs;
    通过所述私钥解析所述通讯密钥还原所述随机因子,最终利用所述随机因子解析所述密文数据得到明文数据。The random factor is restored by parsing the communication key by the private key, and finally the ciphertext data is parsed by the random factor to obtain plaintext data.
  9. 一种基于身份认证的安全通讯装置,其特征在于,包括:A secure communication device based on identity authentication, characterized in that it comprises:
    印章制作单元,用于由请求节点和响应节点分别制作各自的电子印章,所述电子印章中包括由签名算法、签名信息、加密算法、指纹信息、摘要算法、公钥和加密私钥组成的校验区;The seal making unit is used for making respective electronic seals by the requesting node and the responding node. The electronic seal includes a signature algorithm, signature information, encryption algorithm, fingerprint information, digest algorithm, public key, and encrypted private key. Inspection area
    指纹登记单元,用于请求节点和响应节点互相报备对方电子印章中的指纹信息,用于在双方交换电子印章后,互相提取对方的指纹信息与报备的指纹信息比对以验证身份;The fingerprint registration unit is used for requesting nodes and responding nodes to report each other's fingerprint information in the electronic seal of the other party, and for comparing each other's fingerprint information with the reported fingerprint information after the two parties exchange electronic seals to verify identity;
    文件加密单元,用于将所述压缩物流箱码报文保存于存储系统中,完成对所述原始物流箱码报文的归档;The file encryption unit is configured to store the compressed logistics box code message in a storage system, and complete the archiving of the original logistics box code message;
    文件解密单元,用于响应节点将文件包中的指纹信息与报备的指纹信息比对,比对成功后解密响应节点所属电子印章的加密私钥,通过私钥解密文件包中的通讯密钥还原所述随机因子,进而使用所述随机因子解析所述密文数据得到明文数据。The file decryption unit is used for the responding node to compare the fingerprint information in the file package with the reported fingerprint information, decrypt the encrypted private key of the electronic seal to which the responding node belongs after the comparison is successful, and decrypt the communication key in the file package with the private key Restore the random factor, and then use the random factor to parse the ciphertext data to obtain plaintext data.
  10. 一种计算机可读存储介质,计算机可读存储介质上存储有计算机程序,其特征在于,计算机程序被处理器运行时执行上述权利要求1至8任一项所述方法的步骤。A computer-readable storage medium with a computer program stored on the computer-readable storage medium, wherein the computer program executes the steps of the method according to any one of claims 1 to 8 when the computer program is run by a processor.
PCT/CN2020/111938 2019-12-16 2020-08-28 Method and apparatus for secure communication based on identity authentication WO2021120683A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CA3164765A CA3164765A1 (en) 2019-12-16 2020-08-28 Secure communication method and device based on identity authentication

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201911292428.7A CN110881048B (en) 2019-12-16 2019-12-16 Safety communication method and device based on identity authentication
CN201911292428.7 2019-12-16

Publications (1)

Publication Number Publication Date
WO2021120683A1 true WO2021120683A1 (en) 2021-06-24

Family

ID=69730928

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/111938 WO2021120683A1 (en) 2019-12-16 2020-08-28 Method and apparatus for secure communication based on identity authentication

Country Status (3)

Country Link
CN (1) CN110881048B (en)
CA (1) CA3164765A1 (en)
WO (1) WO2021120683A1 (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113708927A (en) * 2021-08-25 2021-11-26 福建师范大学 Universal designated verifier signature certification system based on SM2 digital signature
CN114726552A (en) * 2022-06-07 2022-07-08 杭州天谷信息科技有限公司 Digital signature right transfer method and system
CN114785529A (en) * 2022-06-20 2022-07-22 广东名阳信息科技有限公司 Method and system for establishing trusted communication link based on block chain
CN115022092A (en) * 2022-08-05 2022-09-06 中汽数据(天津)有限公司 Vehicle software upgrading method, device and storage medium
CN115378736A (en) * 2022-10-20 2022-11-22 汉雅星空文化科技有限公司 Data processing system, method and storage medium of digital platform
CN117134904A (en) * 2023-09-01 2023-11-28 嘉兴嘉赛信息技术有限公司 Method based on identity recognition and dynamic encryption and decryption communication
CN117150532A (en) * 2023-10-30 2023-12-01 北京敏行通达信息技术有限公司 Data security guarantee method, device, equipment and readable storage medium

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110881048B (en) * 2019-12-16 2021-11-09 苏宁云计算有限公司 Safety communication method and device based on identity authentication
CN113452660B (en) * 2020-03-27 2023-07-25 瑞昱半导体股份有限公司 Communication method of mesh network and cloud server, mesh network system and node device thereof
WO2021226989A1 (en) * 2020-05-15 2021-11-18 华为技术有限公司 Communication method and communication apparatus
CN111970114B (en) * 2020-08-31 2023-08-18 中移(杭州)信息技术有限公司 File encryption method, system, server and storage medium
CN112751868A (en) * 2020-12-30 2021-05-04 武汉海昌信息技术有限公司 Heterogeneous encryption transmission method, storage medium and system
CN115242392B (en) * 2022-08-01 2024-03-26 北京成鑫盈通科技有限公司 Method and system for realizing industrial information safety transmission based on safety transmission protocol

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101267296A (en) * 2008-04-25 2008-09-17 武汉理工大学 An efficient authorization electronic signature method without authentication center
CN101931535A (en) * 2010-08-31 2010-12-29 武汉理工大学 Method for adaptively performing data encryption and authentication without authentication center
CN101931536A (en) * 2010-08-31 2010-12-29 武汉理工大学 Method for encrypting and authenticating efficient data without authentication center
CN102332980A (en) * 2011-09-14 2012-01-25 福建伊时代信息科技股份有限公司 Method and system for managing electronic file
CN105447407A (en) * 2015-11-11 2016-03-30 中国建设银行股份有限公司 Off-line data encryption method and decryption method and corresponding apparatus and system
US20170338950A1 (en) * 2014-10-21 2017-11-23 Zte Corporation Method, terminal, and network server for information encryption and decryption and key management
CN110881048A (en) * 2019-12-16 2020-03-13 苏宁云计算有限公司 Safety communication method and device based on identity authentication

Family Cites Families (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7178030B2 (en) * 2000-10-25 2007-02-13 Tecsec, Inc. Electronically signing a document
JP4093723B2 (en) * 2001-01-24 2008-06-04 ケープレックス・インク Electronic signature method and apparatus for structured document
FR2844656B1 (en) * 2002-09-18 2005-01-28 France Telecom ELECTRONIC SIGNATURE METHOD, PROGRAM AND SERVER FOR IMPLEMENTING THE METHOD
WO2004068264A2 (en) * 2003-01-31 2004-08-12 Linuxprobe Co. System and method for creating electronic signatures
CN101311950B (en) * 2007-05-25 2012-01-18 北京书生国际信息技术有限公司 Electronic stamp realization method and device
CN101420300B (en) * 2008-05-28 2013-05-29 北京易恒信认证科技有限公司 Double factor combined public key generating and authenticating method
US20110083015A1 (en) * 2009-10-05 2011-04-07 Eidgenossiche Technische Hochschule Zurich System and method for an electronic signature for quick and efficient data authentication
CN101894238B (en) * 2010-08-09 2012-07-04 中国人民解放军海军工程大学 Double authentication-based word document electronic seal system and method
CN103269271B (en) * 2013-05-23 2016-12-07 天地融科技股份有限公司 A kind of back up the method and system of private key in electronic signature token
CN104463554A (en) * 2013-09-25 2015-03-25 天津书生投资有限公司 Electronic seal achieving method and device
CN106603243B (en) * 2016-04-08 2020-06-16 数安时代科技股份有限公司 Private key processing method and device for digital signature
CN107302434B (en) * 2016-04-15 2021-08-24 平安科技(深圳)有限公司 Method and system for checking electronic signature
CN106027482B (en) * 2016-04-18 2019-11-15 李明 A kind of identity card card reading response method and device
CN106022035A (en) * 2016-05-03 2016-10-12 识益生物科技(北京)有限公司 Method and system for electronic signature
CN105933116B (en) * 2016-06-27 2018-01-09 收付宝科技有限公司 The electronic signature generation of SM2 based on segmentation module feature and verification method and device
US10277400B1 (en) * 2016-10-20 2019-04-30 Wells Fargo Bank, N.A. Biometric electronic signature tokens
CN108234125B (en) * 2016-12-21 2020-12-18 金联汇通信息技术有限公司 System and method for identity authentication
CN108229188B (en) * 2017-12-29 2021-06-15 西安慧博习兆信息技术有限公司 Method for signing file and verifying file by using identification key
CN109614802B (en) * 2018-10-31 2020-11-27 如般量子科技有限公司 Anti-quantum-computation signature method and signature system
CN109586917B (en) * 2018-10-31 2021-07-27 如般量子科技有限公司 Anti-quantum-computation signature method and system based on asymmetric key pool
CN109889495B (en) * 2019-01-10 2021-08-10 如般量子科技有限公司 Quantum computation resistant electronic seal method and system based on multiple asymmetric key pools
CN110008679A (en) * 2019-02-21 2019-07-12 云南昆钢电子信息科技有限公司 A kind of electronic seal method and electronic seal system based on digital certificate
CN110309677A (en) * 2019-06-26 2019-10-08 珠海横琴新区润成科技股份有限公司 A kind of secure anti-counterfeiting method and system of electronics license

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101267296A (en) * 2008-04-25 2008-09-17 武汉理工大学 An efficient authorization electronic signature method without authentication center
CN101931535A (en) * 2010-08-31 2010-12-29 武汉理工大学 Method for adaptively performing data encryption and authentication without authentication center
CN101931536A (en) * 2010-08-31 2010-12-29 武汉理工大学 Method for encrypting and authenticating efficient data without authentication center
CN102332980A (en) * 2011-09-14 2012-01-25 福建伊时代信息科技股份有限公司 Method and system for managing electronic file
US20170338950A1 (en) * 2014-10-21 2017-11-23 Zte Corporation Method, terminal, and network server for information encryption and decryption and key management
CN105447407A (en) * 2015-11-11 2016-03-30 中国建设银行股份有限公司 Off-line data encryption method and decryption method and corresponding apparatus and system
CN110881048A (en) * 2019-12-16 2020-03-13 苏宁云计算有限公司 Safety communication method and device based on identity authentication

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113708927A (en) * 2021-08-25 2021-11-26 福建师范大学 Universal designated verifier signature certification system based on SM2 digital signature
CN113708927B (en) * 2021-08-25 2023-05-05 福建师范大学 General assignment verifier signature proving system based on SM2 digital signature
CN114726552A (en) * 2022-06-07 2022-07-08 杭州天谷信息科技有限公司 Digital signature right transfer method and system
CN114785529A (en) * 2022-06-20 2022-07-22 广东名阳信息科技有限公司 Method and system for establishing trusted communication link based on block chain
CN115022092A (en) * 2022-08-05 2022-09-06 中汽数据(天津)有限公司 Vehicle software upgrading method, device and storage medium
CN115378736A (en) * 2022-10-20 2022-11-22 汉雅星空文化科技有限公司 Data processing system, method and storage medium of digital platform
CN115378736B (en) * 2022-10-20 2023-01-06 汉雅星空文化科技有限公司 Data processing system, method and storage medium of digital platform
CN117134904A (en) * 2023-09-01 2023-11-28 嘉兴嘉赛信息技术有限公司 Method based on identity recognition and dynamic encryption and decryption communication
CN117150532A (en) * 2023-10-30 2023-12-01 北京敏行通达信息技术有限公司 Data security guarantee method, device, equipment and readable storage medium
CN117150532B (en) * 2023-10-30 2024-01-26 北京敏行通达信息技术有限公司 Data security guarantee method, device, equipment and readable storage medium

Also Published As

Publication number Publication date
CA3164765A1 (en) 2021-06-24
CN110881048B (en) 2021-11-09
CN110881048A (en) 2020-03-13

Similar Documents

Publication Publication Date Title
WO2021120683A1 (en) Method and apparatus for secure communication based on identity authentication
US10708072B2 (en) Mutual authentication of confidential communication
US7925023B2 (en) Method and apparatus for managing cryptographic keys
CN107888560B (en) Mail safe transmission system and method for mobile intelligent terminal
CN106713279B (en) video terminal identity authentication system
US10044684B2 (en) Server for authenticating smart chip and method thereof
CN110401615A (en) A kind of identity identifying method, device, equipment, system and readable storage medium storing program for executing
CN108809633B (en) Identity authentication method, device and system
CN108199844B (en) Method for supporting off-line SM9 algorithm key first application downloading
CN109905384B (en) Data migration method and system
CN112528250A (en) System and method for realizing data privacy and digital identity through block chain
CN111080299B (en) Anti-repudiation method for transaction information, client and server
CN113382002B (en) Data request method, request response method, data communication system, and storage medium
WO2019153110A1 (en) Method for transmitting key, receiving terminal, and distribution terminal
TW201537937A (en) Unified identity authentication platform and authentication method thereof
CN103684798A (en) Authentication system used in distributed user service
JP2022540653A (en) Data protection and recovery system and method
CN114267100A (en) Unlocking authentication method and device, security chip and electronic key management system
CN110086818B (en) Cloud file secure storage system and access control method
CN111682937B (en) Method and device for applying and distributing key of enhanced CPK
CN106027254A (en) Secret key use method for identity card reading terminal in identity card authentication system
CN113676330B (en) Digital certificate application system and method based on secondary secret key
CN115776675A (en) Data transmission method and device for vehicle-road cooperation
CN114650173A (en) Encryption communication method and system
EP3185504A1 (en) Security management system for securing a communication between a remote server and an electronic device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20901898

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 3164765

Country of ref document: CA

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20901898

Country of ref document: EP

Kind code of ref document: A1