WO2021120683A1 - Secure communication method and apparatus based on identity authentication - Google Patents

Secure communication method and apparatus based on identity authentication

Info

Publication number
WO2021120683A1
Authority
WO
WIPO (PCT)
Prior art keywords
node
electronic seal
key
fingerprint information
private key
Prior art date
Application number
PCT/CN2020/111938
Other languages
English (en)
Chinese (zh)
Inventor
马青龙
孙健
张炳康
夏繁
丁健文
Original Assignee
苏宁云计算有限公司
Priority date
Filing date
Publication date
Application filed by 苏宁云计算有限公司
Priority to CA3164765A (CA3164765A1)
Publication of WO2021120683A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3231 Biological data, e.g. fingerprint, voice or retina
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Definitions

  • The present invention relates to the technical field of communication security, in particular to a method and device for secure communication based on identity authentication.
  • The two nodes of a business system need a security design for data communication in order to identify and verify the identity of the other party.
  • Traditional security solutions mostly use a digital certificate + TLS (Transport Layer Security protocol) mechanism to meet the needs of identification and secure communication.
  • In terms of identity recognition, the existing technology adds the initiator's identity information (such as an identity code) to the message, and the receiver, after obtaining the identity information, verifies the legitimacy of the other party's identity by checking a database; the existing technology in terms of security
  • The purpose of the present invention is to provide a secure communication method and device based on identity authentication.
  • By compulsory authentication of the electronic seals of both parties, it is possible to flexibly and efficiently verify the identity information of the communicating parties without applying for a digital certificate from a CA organization, and thereby ensure the security of the communication data.
  • one aspect of the present invention provides a secure communication method based on identity authentication, including:
  • the requesting node and the responding node respectively make their own electronic seals, and the electronic seals include a verification area composed of a signature algorithm, signature information, encryption algorithm, fingerprint information, digest algorithm, public key, and encrypted private key;
  • the requesting node and the responding node report to each other the fingerprint information in their respective electronic seals, so that after the two parties exchange electronic seals each can compare the other party's fingerprint information with the reported fingerprint information to verify identity;
  • after the two nodes pass identity verification, the requesting node encrypts the plaintext data with a random factor to generate ciphertext data, and encrypts the random factor with the public key of the electronic seal of the responding node to obtain the communication key; the ciphertext data, the communication key and the fingerprint information in the electronic seal of the requesting node are then packaged and sent to the responding node;
  • the responding node compares the fingerprint information in the file package with the reported fingerprint information, and after the comparison is successful, decrypts the encrypted private key of the electronic seal to which the responding node belongs, decrypts the communication key in the file package with the private key to restore the random factor, and then uses the random factor to parse the ciphertext data to obtain plaintext data.
  • The method by which the requesting node and the responding node make their respective electronic seals includes:
  • designing the partitions of the electronic seal, which include a header area, a seal information area, and a tail area in addition to the verification area;
  • based on the partition structure of the electronic seal, the requesting node and the responding node fill the start tag, identification code and version number into the header area; fill the seal holder number, seal holder name, issuing organization number, issuing organization name, and validity period into the seal information area; fill the description information and the end tag into the tail area; and fill the signature algorithm, signature information, encryption algorithm, fingerprint information, digest algorithm, public key, and encrypted private key into the verification area.
  • the method for generating the public key and the encrypted private key includes:
  • the method for generating fingerprint information includes:
  • the digest string is signed by the private key corresponding to the signature algorithm to obtain the fingerprint information of the electronic seal.
  • the method for generating the signature information includes:
  • the key domain character string is signed by the private key corresponding to the signature algorithm to form the signature information of the electronic seal.
  • the method for comparing each other's fingerprint information with the reported fingerprint information to verify identity includes:
  • the requesting node sends the electronic seal to the responding node, so that the responding node can read the signature algorithm, public key, digest algorithm, and signature information of the electronic seal of the requesting node;
  • the responding node reads the key field bytes in the electronic seal to which the requesting node belongs, performs a digest based on the digest algorithm to obtain a digest string, and uses the public key of the signature algorithm to perform verification on the key field bytes;
  • the responding node compares the fingerprint information of the electronic seal of the requesting node with the fingerprint information reported by the requesting node, and authorizes the requesting node to access when the comparison results are consistent;
  • the responding node sends the electronic seal to the requesting node so that the requesting node can read the signature algorithm, public key, digest algorithm, and signature information of the electronic seal to which the responding node belongs;
  • the requesting node reads the key field bytes in the electronic seal to which the responding node belongs, performs a digest based on the digest algorithm to obtain a digest string, and uses the public key of the signature algorithm to perform verification on the key field bytes;
  • the requesting node compares the fingerprint information of the electronic seal to which the responding node belongs with the fingerprint information reported by the responding node, and authorizes the responding node to access when the comparison results are consistent.
  • The method in which the requesting node uses a random factor to encrypt the plaintext data to generate the ciphertext data, uses the public key of the electronic seal of the responding node to encrypt the random factor to obtain the communication key, and then packages the ciphertext data, the communication key and the fingerprint information in the electronic seal of the requesting node and sends them to the responding node includes:
  • the requesting node uses the public key of the electronic seal to which the responding node belongs to encrypt the random factor to generate a communication key;
  • the requesting node packs and sends the communication key, the ciphertext data and the fingerprint information of the electronic seal to the responding node.
  • The method in which the responding node compares the fingerprint information in the file package with the reported fingerprint information, and after the comparison is successful, decrypts the encrypted private key of the electronic seal to which the responding node belongs, decrypts the communication key in the file package with the private key to restore the random factor, and then uses the random factor to parse the ciphertext data to obtain plaintext data includes:
  • the responding node reads the fingerprint information in the file package and compares it with the fingerprint information reported by the requesting node;
  • the responding node reads the encryption algorithm, signature algorithm, encrypted private key and the preset seal password PIN of the electronic seal to which the responding node belongs, and decrypts the private key of the electronic seal to which the responding node belongs;
  • the random factor is restored by parsing the communication key by the private key, and finally the ciphertext data is parsed by the random factor to obtain plaintext data.
  • The secure communication method based on identity authentication provided by the present invention has the following beneficial effects:
  • The requesting node and the responding node first make their own electronic seals in advance.
  • The electronic seal includes a verification area composed of a signature algorithm, signature information, encryption algorithm, fingerprint information, digest algorithm, public key and encrypted private key.
  • The requesting node and the responding node report to each other the fingerprint information in their electronic seals, which is used for identity verification during the exchange of electronic seals. Only when both nodes have passed identity verification can data communication be carried out securely.
  • The specific process is as follows: the requesting node uses a random factor to encrypt the plaintext data to generate ciphertext data, and then uses the public key of the responding node's electronic seal to encrypt the random factor to obtain the communication key.
  • The ciphertext data, the communication key and the fingerprint information used to identify the requesting node are packaged and sent to the responding node.
  • After receiving the file package, the responding node reads the fingerprint information and compares it with the fingerprint information reported by the requesting node. Only after the comparison is passed can the requesting node be authorized to access the responding node; the responding node then calls the corresponding encrypted private key, decrypts it, uses the plaintext private key to decrypt the communication key to restore the random factor, and finally uses the random factor to parse the ciphertext data to obtain plaintext data, completing the ciphertext transmission from the requesting node to the responding node.
  • Compared with the solutions in the prior art, in the present invention the two parties negotiate to make electronic seals, with no need to apply for a digital certificate from a CA, which increases the flexibility of application; the compulsory electronic seal exchange authentication strategy ensures that the communication ciphertext will not be stolen by a third party, which improves the security of the communication between the two parties.
  • The key negotiation process between the two parties before the data is sent is eliminated, which increases the convenience of the application.
  • Another aspect of the present invention provides a secure communication device based on identity authentication, which applies the secure communication method based on identity authentication mentioned in the above technical solution, and the device includes:
  • the seal making unit is used by the requesting node and the responding node to make their respective electronic seals; the electronic seal includes a verification area composed of a signature algorithm, signature information, encryption algorithm, fingerprint information, digest algorithm, public key, and encrypted private key;
  • the fingerprint registration unit is used by the requesting node and the responding node to report to each other the fingerprint information in their electronic seals, and to compare the other party's fingerprint information with the reported fingerprint information after the two parties exchange electronic seals to verify identity;
  • the file encryption unit is configured to store the compressed logistics box code message in a storage system, and complete the archiving of the original logistics box code message;
  • the file decryption unit is used for the responding node to compare the fingerprint information in the file package with the reported fingerprint information, decrypt the encrypted private key of the electronic seal to which the responding node belongs after the comparison is successful, and decrypt the communication key in the file package with the private key Restore the random factor, and then use the random factor to parse the ciphertext data to obtain plaintext data.
  • the beneficial effects of the security communication device based on identity authentication provided by the present invention are the same as the beneficial effects of the security communication method based on identity authentication provided by the above technical solutions, and will not be repeated here.
  • a third aspect of the present invention provides a computer-readable storage medium on which a computer program is stored, and the computer program executes the steps of the above-mentioned identity authentication-based secure communication method when the computer program is run by a processor.
  • the beneficial effects of the computer-readable storage medium provided by the present invention are the same as those of the secure communication method based on identity authentication provided by the above technical solutions, and will not be repeated here.
  • Fig. 1 is a schematic flow chart of a secure communication method based on identity authentication in the first embodiment
  • FIG. 2 is a schematic diagram of the interaction process of the secure communication method based on identity authentication in the first embodiment
  • Fig. 3 is a diagram showing an example of the structure of an electronic seal in the first embodiment.
  • This embodiment provides a secure communication method based on identity authentication, including:
  • the requesting node and the responding node respectively make their own electronic seals, and the electronic seal includes a verification area composed of a signature algorithm, signature information, encryption algorithm, fingerprint information, digest algorithm, public key and encrypted private key; the requesting node and the responding node report to each other the fingerprint information in their electronic seals, and after the two parties exchange electronic seals, each extracts the other party's fingerprint information and compares it with the reported fingerprint information to verify identity; after the nodes of both parties pass identity verification, the requesting node uses a random factor to encrypt the plaintext data to generate ciphertext data, uses the public key of the electronic seal of the responding node to encrypt the random factor to obtain the communication key, and then packages the ciphertext data, the communication key and the fingerprint information in the electronic seal of the requesting node and sends them to the responding node; the responding node compares the fingerprint information in the file package with the reported fingerprint information, and after the comparison is successful, decrypts the encrypted private key of the electronic seal to which the responding node belongs, uses the private key to decrypt the communication key in the file package to restore the random factor, and then uses the random factor to parse the ciphertext data to obtain plaintext data.
  • The requesting node and the responding node first make their own electronic seals in advance, and the electronic seal includes a verification area composed of a signature algorithm, signature information, encryption algorithm, fingerprint information, digest algorithm, public key and encrypted private key.
  • The requesting node and the responding node report to each other the fingerprint information in their electronic seals, which is used for identity verification during the exchange of electronic seals. Only when both nodes pass can data communication be carried out safely.
  • The specific process is as follows: the requesting node uses the random factor to encrypt the plaintext data to generate ciphertext data, and then uses the public key of the responding node's electronic seal to encrypt the random factor to obtain the communication key.
  • The ciphertext data, communication key, and fingerprint information used to identify the requesting node are packaged and sent to the responding node.
  • After receiving the file package, the responding node reads the fingerprint information and compares it with the fingerprint information reported by the requesting node. The requesting node can be authorized to access the responding node only after the comparison is passed; the responding node then calls the corresponding encrypted private key, decrypts it, and uses the plaintext private key to decrypt the communication key to restore the random factor.
  • Compared with the solution in the prior art, in this embodiment the two parties negotiate to make electronic seals, and there is no need to apply for a digital certificate from a CA, which increases the flexibility of application.
  • The mandatory electronic seal exchange authentication strategy ensures that the communication ciphertext will not be stolen by a third party, which improves the security of the communication between the two parties.
  • The key negotiation process between the two parties before the data is sent is eliminated, which improves the convenience of the application.
  • The method by which the requesting node and the responding node make their own electronic seals includes:
  • in addition to the verification area, the partitions of the electronic seal also include the header area, the seal information area and the tail area; based on the partition structure of the electronic seal, the requesting node and the responding node fill the start tag, identification code and version number into the header area; fill the seal holder number, seal holder name, issuing organization number, issuing organization name, and validity period into the seal information area; fill the description information and end tag into the tail area; and fill the signature algorithm, signature information, encryption algorithm, fingerprint information, digest algorithm, public key and encrypted private key into the verification area.
  • the start tag of the header area is 2 bytes
  • the identification code is 3 bytes
  • the version number is 1 byte
  • the signature algorithm of the verification area is 8 bytes
  • the signature information is 32 bytes
  • the encryption algorithm is 8 bytes
  • the fingerprint information is 32 bytes
  • the digest algorithm is 8 bytes
  • the public key is 32 bytes
  • the encrypted private key is 32 bytes
  • the holder number in the seal information area is 32 bytes
  • the name of the holder is 32 bytes
  • the number of the issuing authority is 32 bytes
  • the name of the issuing authority is 32 bytes
  • the validity period information is 16 bytes
  • the description information in the tail area is 62 bytes
  • the end tag is 2 bytes.
  • the signature algorithm is an asymmetric algorithm for signing or verifying information, such as RSA, SM1;
  • the encryption algorithm is a symmetric algorithm for encrypting or decrypting information, such as AES, SM2;
  • the digest algorithm is an algorithm for digesting information, such as MD5, SM3.
  • the encrypted private key is stored in the electronic seal, which can properly store and manage the private key, and reduces the management risk caused by the persistent storage of the private key in the systems of both parties.
  • The method for generating a public key and an encrypted private key in the foregoing embodiment includes: randomly generating a pair of public key and private key according to the signature algorithm in the electronic seal; based on the seal password PIN preset by the requesting node, encrypting the private key to generate the encrypted private key of the electronic seal of the requesting node; and, based on the seal password PIN preset by the responding node, encrypting the private key to generate the encrypted private key of the electronic seal of the responding node.
  • The electronic seal of the requesting node is A, and the signature algorithm of electronic seal A is SA; the electronic seal of the responding node is B, and the signature algorithm of electronic seal B is SB.
  • The requesting node generates the public key SA.PublicKey and the private key SA.PrivateKey according to the signature algorithm SA, and the responding node generates the public key SB.PublicKey and the private key SB.PrivateKey according to the signature algorithm SB. The public key SA.PublicKey is then filled into the public key area of electronic seal A, and the public key SB.PublicKey is correspondingly filled into the public key area of electronic seal B.
  • The private key SA.PrivateKey and the private key SB.PrivateKey are then encrypted: the private key SA.PrivateKey is encrypted with the seal password PIN preset by the requesting node to obtain the encrypted private key of electronic seal A, and the private key SB.PrivateKey is encrypted with the seal password PIN preset by the responding node to obtain the encrypted private key of electronic seal B.
  • The method for generating fingerprint information in the foregoing embodiment includes: concatenating the seal holder number and the seal holder name in the electronic seal into one string, and encrypting the concatenated string using the corresponding seal password PIN to form a ciphertext; digesting the ciphertext using the digest algorithm to obtain the digest string; and using the private key corresponding to the signature algorithm to sign the digest string to obtain the fingerprint information of the electronic seal.
  • the above formula can be understood as:
  • the holder number and the holder name in the electronic seal are concatenated, the seal password PIN is then used as the key of the encryption algorithm (symmetric algorithm) to encrypt the concatenated string to form a ciphertext, the digest algorithm then digests the ciphertext to obtain the digest string, and finally the digest string is signed with the private key of the signature algorithm (asymmetric algorithm) to form the fingerprint information.
  • The generation of fingerprint information in the electronic seal B is the same as that in the electronic seal A, which is not repeated in this embodiment.
  • The seal holder number may be an ID card number, a social credit uniform identification number, or an organization number.
  • The method for generating signature information in the foregoing embodiment includes: defining key field bytes in the electronic seal, where the key field bytes are characteristic bytes of the electronic seal; digesting the key field bytes through the digest algorithm to obtain the key field string; and signing the key field string with the private key corresponding to the signature algorithm to form the signature information of the electronic seal.
  • signature information = SA.Sign(DA(content), SA.PrivateKey), where content represents the key field bytes, as shown in Figure 3.
  • the key field bytes are digested by the digest algorithm to obtain the key field
  • The generation of the signature information in the electronic seal B is the same as that of the electronic seal A, which is not repeated in this embodiment.
  • The method of mutually extracting each other's fingerprint information and comparing it with the reported fingerprint information to verify identity includes:
  • the requesting node sends the electronic seal to the responding node, so that the responding node can read the signature algorithm, public key, digest algorithm, and signature information of the electronic seal of the requesting node; the responding node reads the key field bytes in the electronic seal of the requesting node, performs a digest based on the digest algorithm to obtain a digest string, and uses the public key of the signature algorithm to verify the key field bytes; after the verification is passed, the responding node compares the fingerprint information of the electronic seal of the requesting node with the fingerprint information reported by the requesting node, and when the comparison results are consistent, the requesting node is authorized to access;
  • the responding node sends the electronic seal to the requesting node, so that the requesting node can read the signature algorithm, public key, digest algorithm and signature information of the electronic seal of the responding node; the requesting node reads the key field bytes in the electronic seal to which the responding node belongs, performs a digest based on the digest algorithm to obtain a digest string, and uses the public key of the signature algorithm to perform verification on the key field bytes; after the verification is passed, the requesting node compares the fingerprint information of the electronic seal to which the responding node belongs with the fingerprint information reported by the responding node, and authorizes the responding node to access when the comparison results are consistent.
  • the above embodiment can be understood as the process of exchanging electronic seals and identity verification between the two nodes.
  • the requesting node sends the electronic seal A to the responding node, and the responding node performs the verification operation on the electronic seal A after receiving it.
  • the responding node then reads the fingerprint information in the electronic seal A and compares it with the fingerprint information reported by the electronic seal A in the responding node.
  • when the comparison results are consistent, the identity of the electronic seal A is considered legal, and the requesting node is authorized to access the responding node.
  • after the responding node has verified the identity of the requesting node, the requesting node must continue to verify the identity of the responding node, that is, the responding node sends the electronic seal B to the requesting node, and the requesting node performs the verification operation after receiving the electronic seal B. It then reads the fingerprint information in the electronic seal B and compares it with the fingerprint information reported by the electronic seal B in the requesting node. When the comparison results are consistent, the identity of the electronic seal B is considered legal, and the responding node is authorized to access the requesting node.
  • verification = SA.Verify(DA(content), SA.PublicKey, SI), where SI represents the signature information in the electronic seal A
  • the signature verification operation is performed with the public key of the signature algorithm (asymmetric algorithm) and the signature information (SI) in the signature file structure of the electronic seal A. If the verification succeeds, the signature file has not been tampered with; if the verification fails, the signature file has been tampered with.
  • identity = If(Equal(A.DS.fingerprint information, registered electronic seal A.fingerprint information)); the above formula is understood as: take out the signature file of electronic seal A, and compare its fingerprint information with the fingerprint information reported in the responding node. If the comparison result is consistent, the requesting node is authorized to access.
  • the signature verification operation and the identity legality verification operation of the requesting node on the electronic seal B are the same as the responding node's signature verification operation and identity legality verification operation on the electronic seal A described above, and are not repeated in this embodiment.
  • the method by which the requesting node uses the random factor to encrypt the plaintext data to generate the ciphertext data, uses the public key of the responding node's electronic seal to encrypt the random factor to obtain the communication key, and then packages the ciphertext data, the communication key and the fingerprint information of the requesting node's electronic seal and sends them to the responding node includes:
  • the requesting node generates a random factor, which is used to encrypt the plaintext data to obtain the ciphertext data; the requesting node uses the public key of the electronic seal to which the responding node belongs to encrypt the random factor to generate a communication key; the requesting node packages the communication key, the ciphertext data, and the fingerprint information of its own electronic seal and sends them to the responding node.
  • the above formula can be understood as using the encryption factor Key as the key of the encryption algorithm (symmetric algorithm), and using the encryption algorithm (symmetric algorithm) required by the signature of the other party to encrypt the plaintext data (plainText) to generate ciphertext data.
  • the method by which the responding node compares the fingerprint information in the file package with the reported fingerprint information, after the comparison is successful decrypts the encrypted private key of the electronic seal to which the responding node belongs, decrypts the communication key in the file package with the private key to restore the random factor, and then uses the random factor to parse the ciphertext data to obtain the plaintext data includes:
  • the responding node reads the fingerprint information in the file package and compares it with the fingerprint information reported by the requesting node; after the comparison passes, the responding node reads the encryption algorithm, signature algorithm, encrypted private key and preset seal password PIN of its electronic seal to decrypt the private key of the electronic seal to which the responding node belongs; it then decrypts the communication key with the private key to restore the random factor, and finally uses the random factor to parse the ciphertext data to obtain the plaintext data.
  • after receiving the file package, the responding node first reads the fingerprint information in the file package and compares it with the fingerprint information reported by the requesting node; checking on every transmission in this way ensures the security of data transmission. After the comparison passes, the responding node reads the encrypted private key (SB.PrivateKey) from the electronic seal B.
  • B.SA.PrivateKey = B.EA.Decrypt(B.SecureKey, PIN), that is, first read the encryption algorithm in the signature, and use the PIN as the key of the encryption algorithm (symmetric algorithm) to decrypt the encrypted private key; the decrypted plaintext is the plaintext private key.
  • A.Key = B.SA.Decrypt(communication key, B.SA.PrivateKey), that is, first read the signature algorithm in the signature, and use the decrypted plaintext private key of the signature algorithm (asymmetric algorithm) to decrypt the communication key in the file package; the result of the decryption is the random factor (Key) of the requesting node.
  • the responding node has completed the data encryption communication of the requesting node.
  • the responding node's data encryption communication to the requesting node is the inverse of the above implementation process; please refer to Figure 2.
  • when the responding node sends ciphertext data to the requesting node, the responding node is responsible for generating the encryption factor, and uses the electronic seal A of the requesting node to generate the communication key and ciphertext data.
  • after the requesting node receives the ciphertext data, the communication key and the fingerprint information of the electronic seal B, it uses its own electronic seal A to decrypt them and obtain the plaintext data.
  • this embodiment provides a secure communication solution at the service data (non-protocol) level to realize independent and controllable data security for both parties in communication.
  • This embodiment provides a secure communication device based on identity authentication, including:
  • the seal making unit is used for making respective electronic seals by the requesting node and the responding node.
  • the electronic seal includes a signature algorithm, signature information, encryption algorithm, fingerprint information, digest algorithm, public key, and encrypted private key. Inspection area
  • the fingerprint registration unit is used for requesting nodes and responding nodes to report each other's fingerprint information in the electronic seal of the other party, and for comparing each other's fingerprint information with the reported fingerprint information after the two parties exchange electronic seals to verify identity;
  • the file encryption unit is configured to store the compressed logistics box code message in a storage system, and complete the archiving of the original logistics box code message;
  • the file decryption unit is used for the responding node to compare the fingerprint information in the file package with the reported fingerprint information, decrypt the encrypted private key of the electronic seal to which the responding node belongs after the comparison is successful, and decrypt the communication key in the file package with the private key Restore the random factor, and then use the random factor to parse the ciphertext data to obtain plaintext data.
  • the beneficial effects of the secure communication device based on identity authentication provided in this embodiment are the same as those of the secure communication method based on identity authentication provided in the foregoing embodiments, and will not be repeated here.
  • This embodiment provides a computer-readable storage medium on which a computer program is stored.
  • the steps of the above-mentioned identity authentication-based secure communication method are executed.
  • the above-mentioned program can be stored in a computer readable storage medium.
  • when the program is executed, it includes
  • the foregoing storage medium may be: ROM/RAM, magnetic disk, optical disk, memory card, and so on.
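
The seal check and fingerprint comparison described above (SA.Verify over DA(content), then the comparison with the reported fingerprint), as an added Go example that is not code from the patent. RSA-PSS as the signature algorithm, SHA-256 as the digest algorithm, the DER-encoded public key as the only key field, and all type and function names are assumptions of this sketch.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Seal is a reduced electronic seal: the public key and the signature information SI.
type Seal struct {
	Pub *rsa.PublicKey
	SI  []byte
}

var ErrTampered = errors.New("seal signature check failed")
var ErrUnregistered = errors.New("seal does not match the reported fingerprint")

// Fingerprint is DA(content): SHA-256 over the key field bytes, which in this
// sketch are just the DER-encoded public key (assumed layout).
func Fingerprint(pub *rsa.PublicKey) []byte {
	d := sha256.Sum256(x509.MarshalPKCS1PublicKey(pub))
	return d[:]
}

// MakeSeal creates a key pair and self-signs the digest with RSA-PSS (assumed SA).
// The private key is dropped here because only verification is shown.
func MakeSeal() (*Seal, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	si, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, Fingerprint(&priv.PublicKey), nil)
	if err != nil {
		return nil, err
	}
	return &Seal{Pub: &priv.PublicKey, SI: si}, nil
}

// VerifySeal runs SA.Verify(DA(content), SA.PublicKey, SI) and then compares
// the fingerprint with the one the peer reported beforehand.
func VerifySeal(s *Seal, reported []byte) error {
	if rsa.VerifyPSS(s.Pub, crypto.SHA256, Fingerprint(s.Pub), s.SI, nil) != nil {
		return ErrTampered
	}
	// The signature is checked with the seal's own public key, so it only shows
	// internal consistency; the reported fingerprint ties the key to a known node.
	if !bytes.Equal(Fingerprint(s.Pub), reported) {
		return ErrUnregistered
	}
	return nil
}

func main() {
	sealA, err := MakeSeal()
	if err == nil {
		err = VerifySeal(sealA, Fingerprint(sealA.Pub))
	}
	fmt.Println("seal A accepted:", err == nil)
}
```

A seal generated from a different key pair passes the signature step and is rejected only by the fingerprint comparison, which is why the fingerprints have to be reported before the seals are exchanged.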

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Power Engineering (AREA)
  • Health & Medical Sciences (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Biodiversity & Conservation Biology (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Collating Specific Patterns (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to a secure communication method and apparatus based on identity authentication; by means of mandatory authentication of the electronic seals of both parties, the identity information of the two communicating parties can be verified flexibly and efficiently without requiring a digital certificate to be applied for from a CA (certificate authority), which ensures the security of the communication data. The method comprises the following steps: a requesting node and a responding node each produce a respective electronic seal; the requesting node and the responding node mutually report the fingerprint information contained in the electronic seal of the opposite party; the requesting node uses a random factor to encrypt plaintext data to generate ciphertext data, uses a public key of the electronic seal of the opposite party to encrypt the random factor to obtain a communication key, and then packages the ciphertext data, the communication key and the fingerprint information and sends the package to the responding node; the responding node compares the fingerprint information in the file package with the reported fingerprint information and, when the comparison succeeds, decrypts the encrypted private key of the electronic seal belonging to the responding node, decrypts the communication key by means of the private key to restore the random factor, and then parses the ciphertext data to obtain the plaintext data.
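
The packaging and unpacking steps of the abstract above, as an added Go example that is not code from the patent. AES-256-GCM as the symmetric algorithm, RSA-OAEP for wrapping the random factor, the extra nonce field and all names are assumptions; the PIN-based decryption of the stored private key is left out, so the private key is passed in already decrypted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

type FilePackage struct{ Nonce, Ciphertext, CommKey, Fingerprint []byte } // Nonce is added for GCM

func NewNodeKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func newGCM(factor []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(factor)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// Pack encrypts plain under a fresh random factor and wraps the factor with the responder's public key.
func Pack(plain []byte, responder *rsa.PublicKey, ownFP []byte) (*FilePackage, error) {
	buf := make([]byte, 32+12) // 32-byte random factor, 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	factor, nonce := buf[:32], buf[32:]
	commKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, responder, factor, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(factor)
	if err != nil {
		return nil, err
	}
	return &FilePackage{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plain, nil), CommKey: commKey, Fingerprint: ownFP}, nil
}

// Unpack compares the fingerprint with the reported one before the private key is used at all.
func Unpack(p *FilePackage, reportedFP []byte, priv *rsa.PrivateKey) ([]byte, error) {
	if !bytes.Equal(p.Fingerprint, reportedFP) {
		return nil, fmt.Errorf("fingerprint %x was not reported by the peer", p.Fingerprint)
	}
	factor, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, p.CommKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(factor)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, p.Nonce, p.Ciphertext, nil)
}

func main() {
	priv, _ := NewNodeKey() // errors are ignored only in this demo main
	pkg, _ := Pack([]byte("constructed sample"), &priv.PublicKey, []byte("fp-A"))
	plain, err := Unpack(pkg, []byte("fp-A"), priv)
	fmt.Printf("%q %v\n", plain, err)
}
```
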
PCT/CN2020/111938 2019-12-16 2020-08-28 Secure communication method and apparatus based on identity authentication WO2021120683A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CA3164765A CA3164765A1 (fr) 2019-12-16 2020-08-28 Secure communication method and apparatus based on identity authentication

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201911292428.7A CN110881048B (zh) 2019-12-16 2019-12-16 Secure communication method and apparatus based on identity authentication
CN201911292428.7 2019-12-16

Publications (1)

Publication Number Publication Date
WO2021120683A1 true WO2021120683A1 (fr) 2021-06-24

Family

ID=69730928

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/111938 WO2021120683A1 (fr) 2019-12-16 2020-08-28 Secure communication method and apparatus based on identity authentication

Country Status (3)

Country Link
CN (1) CN110881048B (fr)
CA (1) CA3164765A1 (fr)
WO (1) WO2021120683A1 (fr)

Also Published As

Publication number Publication date
CA3164765A1 (fr) 2021-06-24
CN110881048B (zh) 2021-11-09
CN110881048A (zh) 2020-03-13

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20901898

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 3164765

Country of ref document: CA

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20901898

Country of ref document: EP

Kind code of ref document: A1