CN100428261C - Authentic authentication system based on CPK - Google Patents
Authentic authentication system based on CPK Download PDFInfo
- Publication number
- CN100428261C CN100428261C CNB2006100811331A CN200610081133A CN100428261C CN 100428261 C CN100428261 C CN 100428261C CN B2006100811331 A CNB2006100811331 A CN B2006100811331A CN 200610081133 A CN200610081133 A CN 200610081133A CN 100428261 C CN100428261 C CN 100428261C
- Authority
- CN
- China
- Prior art keywords
- label
- cpk
- module
- algorithm
- matrix
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 239000011159 matrix material Substances 0.000 claims abstract description 18
- 238000004422 calculation algorithm Methods 0.000 claims description 30
- 238000013507 mapping Methods 0.000 claims description 5
- 230000007246 mechanism Effects 0.000 claims description 4
- 230000008676 import Effects 0.000 claims description 2
- 238000012795 verification Methods 0.000 abstract description 16
- 238000005516 engineering process Methods 0.000 abstract description 9
- 238000000034 method Methods 0.000 description 13
- 230000009471 action Effects 0.000 description 6
- 230000008901 benefit Effects 0.000 description 4
- 101100244969 Arabidopsis thaliana PRL1 gene Proteins 0.000 description 3
- 102100039558 Galectin-3 Human genes 0.000 description 3
- 101100454448 Homo sapiens LGALS3 gene Proteins 0.000 description 3
- 101150051246 MAC2 gene Proteins 0.000 description 3
- 238000004364 calculation method Methods 0.000 description 3
- TVZRAEYQIKYCPH-UHFFFAOYSA-N 3-(trimethylsilyl)propane-1-sulfonic acid Chemical compound C[Si](C)(C)CCCS(O)(=O)=O TVZRAEYQIKYCPH-UHFFFAOYSA-N 0.000 description 2
- 101100059544 Arabidopsis thaliana CDC5 gene Proteins 0.000 description 2
- 101150115300 MAC1 gene Proteins 0.000 description 2
- 238000004891 communication Methods 0.000 description 2
- 238000009826 distribution Methods 0.000 description 2
- 238000004519 manufacturing process Methods 0.000 description 2
- 230000008569 process Effects 0.000 description 2
- 238000013461 design Methods 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 230000002349 favourable effect Effects 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 230000006855 networking Effects 0.000 description 1
- 230000008520 organization Effects 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 238000004088 simulation Methods 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 238000003860 storage Methods 0.000 description 1
- 230000009466 transformation Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
Abstract
The present invention discloses the authentic authentication technology of CPK, which is composed of a program body label defined by a manufacturer, a label signing module and a label verifying module, wherein the label signing module (LSM) is composed of a CPK functional module, a digital signature protocol packet and a multiple (private key) matrix (r<ij>); the label verifying module (LVM) is composed of a CPK functional module, a signature verification protocol packet and a time point (public key) matrix (R<ij>). As for a computer user, each computer is provided with the verifying module; thus, the generalization of the label verifying module is easy for realizing a label function of software products and the generalization of verification technology, and software label verification technology based on CPK is suitable for being widely used.
Description
Technical field
The present invention relates to signature technology, verification technique, and Trusted Computing relate in particular to a kind of verification technique of the software label based on CPK.
Background technology
Computing environment can be a unit, also can be a plurality of computer networkings.But latter event mixes the technical task of two different field, makes simple problem more complicated.The credible calculating platform (TCP) of research has been selected back a kind of technology path in the world at present.
Solve the Trusted Computing problem, need to solve the scale of key management and, but up till now, also do not solve " smart-tag authentication " this key issue in Software World in the world based on the key distribution two big problems of label.In Verification System, verification technique is more even more important than proof technology.The system that has can provide the proof of label, but fails to provide the checking means of label.Why very complicated the design of the credible platform module of TCP (TPM) is, be because it does not have to solve the gordian technique of " ID authentication ", but think to solve simultaneously the generation of sign, the generation that key is right outputs to system layer software service problems such as (IPSec) with service.But at the common-denominator target that Trusted Computing will reach is one: cause believable computing environment just can within the specific limits.
In present technique; the Trusted Computing problem is based upon on the basis of " smart-tag authentication " of scale; and separately with Trusted Computing problem and trusted communications problem; the effective solution because trusted communications has occurred simple and direct only needs the trusted computation environment of emphasis solution single computer just passable.The core of its technology path is from setting up orderly software market, the loading and the execution of control unauthorized software, particularly Malware.
In real world, any commodity all have trade mark, and " three do not have " product is fake products often, upsets social economic order.Same reason realizes the label management of software in the software product world, effectively prevent the interference of Malware, helps the improvement of computing environment, improves the confidence level of calculating.
The appearance of CPK algorithm and CPK chip makes software product labelization, verification technique universalization become possibility, can reach labelization and unitized purpose easily.
Summary of the invention
In view of this, in order to address the above problem, the present invention proposes the authentic authentication system based on CPK, three parts of program body label, label signature blocks, label authentication module that defined by businessman constitute.Thereby realize software product labelization, verification technique universalization, the also feasible credible verification technique of software label based on CPK is applicable to widely to be used.
Fundamental purpose of the present invention is to provide a kind of authentic authentication system based on Conbined public or double key CPK, comprising:
Program body label by businessman's definition;
The label signature blocks is by CPK functional module I, signature agreement module, multiple private key matrix r
IjConstitute,, and export signatures tab as long as the tag name of loading routine body just generates the private key of this label; With
The label authentication module, is furnished with and doubly puts PKI matrix R at embedded CPK functional module II, indentification protocol module
Ij, import any label, just export the PKI of this label, therefore can check any signatures tab, judge its legitimacy at once;
Multiple private key matrix r in the wherein said label signature blocks
IjBe secret variable, be stored in the SAM card and protect;
Wherein said label signature blocks is configured in unique tag control mechanism;
Wherein said CPK functional module I and CPK functional module II support CPK algorithm and HASH algorithm.
According to a preferred embodiment of the invention, wherein said CPK algorithm comprises combinational algorithm, mapping algorithm, cryptographic algorithm, replacement algorithm.
Other advantages of the present invention, target, to set forth in the following description to a certain extent with feature, and to a certain extent,, perhaps can obtain instruction from the practice of the present invention based on being conspicuous to those skilled in the art to investigating hereinafter.Target of the present invention and other advantages can be passed through following instructions, claims, and the specifically noted structure realizes and obtains in the accompanying drawing.
Description of drawings
In order to make the purpose, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below in conjunction with accompanying drawing, wherein:
Fig. 1 shows according to authentication module workflow of the present invention;
Fig. 2 shows according to signature blocks of the present invention and authentication module model.
Embodiment
Hereinafter with reference to accompanying drawing, the preferred embodiments of the present invention are described in detail.
CPK is writing a Chinese character in simplified form of Conbined public or double key (Combined Public Key).CPK key management system is that the key based on sign (identity) of discrete logarithm difficult problem type generates and the system of managing.It makes up public-key cryptography and private cipher key matrix according to the mathematical principle of a discrete logarithm difficult problem, adopt hash function and cryptographic transformation the sign of entity to be mapped as the row-coordinate and the row coordinate sequence of matrix, in order to matrix element is chosen and is made up, it is right to generate quantity huge public affairs, the private key be made up of public-key cryptography and private cipher key, thereby realizes ultra-large key production and distribution based on sign.
The CPK key algorithm utilizes discrete logarithm, elliptic curve cipher theory, and structure is public, private key is right, with mapping algorithm public affairs, private key variable and user ID is bound, thereby solves based on the key management that identifies.The key centralized production is adopted in the key management of CPK, plans as a whole the Centralized Mode of allocation, has may command, manageable advantage, is convenient to make up network trust system from top to bottom.The key management of CPK has adopted key to disperse the operational mode of storage, static call, thereby can realize non-third party's proof and non-on-line authentication.
According to the present invention, CPK Conbined public or double key algorithm utilizes limited public affairs/private factor structure public affairs/private factor matrix, it is right to derive from the extremely huge public affairs/private key of quantity on these public affairs/private key matrix basis, and by the new technology of mapping algorithm with the sign of participant and its key (public affairs/private key) binding.
Verification System based on the CPK algorithm is a kind of ultra-large key management system based on sign, can be used on specific authentication and the public's authenticating network, provide credible proof for including, but is not limited to Email, electronic bill, electronic logistics sign, teleworking etc. in interior trusted application effectively.
According to the present invention, based on the software tag system of CPK, three parts of program body label, label signature blocks, label authentication module that defined by businessman constitute.
(1) label definition is called as software package or program: label by the definition of software businessman.
(2) label signature blocks (LSM) is by CPK functional module, signature agreement module, multiple (private key) matrix (r
Ij) constitute, its function is: as long as the tag name of loading routine body just generates the private key of this label, and export signatures tab (certificate).Multiple matrix in the label signature blocks is secret variable, is stored in the SAM card and protects.The label signature blocks is configured in unique tag control mechanism.
The course of work of label signature blocks is in two steps, and is as follows:
If: program tag (name): label;
Program body: procedureA;
The label signature blocks produces private key: SKlabel according to program name label;
The first step to the proof of label, is signed to the label integrity code with the label private key, as:
Label integrity code: HASH (label)=MAC1;
Signature to integrity code: SIG
SKlabel(MAC1)=sign1;
Second step, the integrity code of calculation procedure body, to integrity code label private key signature, as:
The integrity code of label signature blocks calculation procedure body: HASH (procedureA)=MAC2;
The label signature blocks is made signatures tab with private key signature: SIG
SKlabel(MAC2)=sign2;
Tag control mechanism is presented to software businessman with signatures tab sign1 and sign2 (certificate); Software businessman is trade mark (program name label), program body (procedureA), and signatures tab (sign1 and sign2) is together announced, or listing.
(3) label authentication module (LVM):
Label authentication module of every computer configuration, is furnished with times point (PKI) matrix (R at the embedded CPK functional module of label authentication module, indentification protocol module
Ij), its function is any label of input, just exports the PKI of this label, therefore can check any signatures tab, judges its legitimacy at once.
The workflow of authentication module as shown in Figure 1.Authentication module carries out in two steps to the checking of program.The first step when each program body loads, is at first checked sign1, differentiates this program body and wants to download.Sign1 provides the proof of this label true and false, does not download if just be inconsistent, and downloads if just meet.When program is downloaded, label authentication module parallel computation integrity code MAC2, and checking sign2, sign2 provides the integraty of label and program body to prove, if meet, then carry out, if be not inconsistent, then prompting: the xxx program is no name label (certificate) program, continues (y), stop (n), skip (s).
(TPM) compares with creditable calculation modules, and the checking of label among the present invention was divided into for two steps to be carried out, and the key of genuine/counterfeit discriminating is in the first step, and TPM does not then have this step.Authentication module (LVM) is very simple and direct, the main task of label authentication module is the trusted computation environment that just guarantees in this machine, any contact does not take place between the label authentication module, therefore, authentication module just there is no need to be provided with the special tags of oneself, and can universalization, this brings great convenience for the universal use of authentication module; Module does not contain any secret variable, therefore can come into the open; The workflow of module is instantly to declare, and there is no need to keep any historical record, has therefore alleviated the burden of module greatly.
In the present invention, the root of trust is on the label signature blocks.The label signature blocks only is arranged on the management organization of label, can be national trade-mark administration department, software association or software test and appraisal center, also can be coalition of companies.From setting up orderly software market, protect the angle of every computing machine trusted computation environment, manage more favourable by national departments concerned.The each province can set up branches, and is responsible for accepting the business of the signatures tab of each software businessman.Branch offices with the software label Labe1 of businessman definition and through the integrity code MAC of this software of checking as the data central authority of reporting for work, central authority just can generate the signature (certificate) of this label, and signatures tab beamed back branch offices, it is just passable that branch offices issues businessman again.
Hereinafter with reference to accompanying drawing, specific embodiments of the present invention is described in detail.Yet, it should be noted that the present invention can be presented as different forms, and be not appreciated that the embodiment that is limited in this explaination.On the contrary, provide these embodiment be for present disclosure fully and thoroughly, and can fully express scope of the present invention to those skilled in the art.
Fig. 2 shows the synoptic diagram of signature blocks and authentication module.
Label signature blocks (LSM) is by CPK functional module, digital signature protocol bag, multiple (private key) matrix (r
Ij) constitute, and label authentication module (LVM) is by CPK functional module, signature verification protocol package, times point (PKI) matrix (R
Ij) constitute.
The core devices of module is the CPK chip.Comprise functional module and protocol module in the CPK chip.Functional module is supported CPK algorithm (comprising combinational algorithm, mapping algorithm, cryptographic algorithm, replacement algorithm), HASH algorithm etc., and protocol module comprises digital signature or signature verification.
Signature algorithm is realized on Unite States Standard (USS) DSS basis.With the DSS of discrete logarithm with the elliptic curve simulation just can, algorithm is identical.Signature agreement is on PKI standard agreement basis, according to the CPK algorithm characteristic, has simplified the process of calling the other side's certificate in signature verification and the process of checking the certificate legitimacy.
The present invention helps the ordering management of software market, helps the loading and the operation control of various application software, and then helps the foundation of trusted computation environment.Concerning the computer user, every machine configuration verification module just, so universalization of label authentication module is particularly conducive to popularize and uses.
Although by reference some preferred embodiment of the present invention, the present invention is illustrated and describes, but those of ordinary skill in the art is to be understood that, can make various changes to it in the form and details, and the spirit and scope of the present invention that do not depart from appended claims and limited.
Implementation method
According to the CPK algorithm characteristic, this software proof can be provided with different action scopes with verification system, as general action scope or special-purpose action scope.General action scope works in general context, and special-purpose action scope works at this reserve.How to work, then by the definition of separately security strategy.Different security strategies is only relevant with the signature machine, and irrelevant with proof machine, proof machine is not limited by action scope.
Claims (2)
1. authentic authentication system based on Conbined public or double key CPK comprises:
Program body label by businessman's definition;
The label signature blocks is by CPK functional module I, signature agreement module, multiple private key matrix r
IjConstitute,, and export signatures tab as long as the tag name of loading routine body just generates the private key of this label; With
The label authentication module, is furnished with and doubly puts PKI matrix R at embedded CPK functional module II, indentification protocol module
Ij, import any label, just export the PKI of this label, therefore can check any signatures tab, judge its legitimacy at once;
Multiple private key matrix r in the wherein said label signature blocks
IjBe secret variable, be stored in the SAM card and protect;
Wherein said label signature blocks is configured in unique tag control mechanism;
Wherein said CPK functional module I and CPK functional module II support CPK algorithm and HASH algorithm.
2. the authentic authentication system based on Conbined public or double key CPK according to claim 1, wherein said CPK algorithm comprises combinational algorithm, mapping algorithm, cryptographic algorithm, replacement algorithm.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2006100811331A CN100428261C (en) | 2006-05-22 | 2006-05-22 | Authentic authentication system based on CPK |
| PCT/CN2007/001625 WO2007134532A1 (en) | 2006-05-22 | 2007-05-18 | A creditable authentication system based on the cpk |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2006100811331A CN100428261C (en) | 2006-05-22 | 2006-05-22 | Authentic authentication system based on CPK |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1845121A CN1845121A (en) | 2006-10-11 |
| CN100428261C true CN100428261C (en) | 2008-10-22 |
Family
ID=37064049
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNB2006100811331A Active CN100428261C (en) | 2006-05-22 | 2006-05-22 | Authentic authentication system based on CPK |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN100428261C (en) |
| WO (1) | WO2007134532A1 (en) |
Families Citing this family (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101340282B (en) * | 2008-05-28 | 2011-05-11 | 北京易恒信认证科技有限公司 | Generation method of composite public key |
| CN101442522B (en) * | 2008-12-25 | 2011-08-10 | 中国电子科技集团公司第五十四研究所 | Identification authentication method for communication entity based on combined public key |
| CN110830237B (en) * | 2019-11-29 | 2023-05-12 | 晋商博创(北京)科技有限公司 | CPK key generation method, device, entity and key center based on time |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1584911A (en) * | 2004-05-31 | 2005-02-23 | 上海复旦微电子股份有限公司 | Antifogery method by mobile communicating apparatus and electronic label |
| WO2005024697A2 (en) * | 2003-08-26 | 2005-03-17 | Motorola, Inc. | Method, apparatus, and system for determining a fraudulent item |
| CN1881229A (en) * | 2006-03-23 | 2006-12-20 | 南相浩 | Anti-counterfeit method and apparatus based on CPK electronic label |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7103779B2 (en) * | 2003-09-18 | 2006-09-05 | Apple Computer, Inc. | Method and apparatus for incremental code signing |
| CN1262087C (en) * | 2005-01-14 | 2006-06-28 | 南相浩 | Method and apparatus for cipher key generation based on identification |
-
2006
- 2006-05-22 CN CNB2006100811331A patent/CN100428261C/en active Active
-
2007
- 2007-05-18 WO PCT/CN2007/001625 patent/WO2007134532A1/en active Application Filing
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2005024697A2 (en) * | 2003-08-26 | 2005-03-17 | Motorola, Inc. | Method, apparatus, and system for determining a fraudulent item |
| CN1584911A (en) * | 2004-05-31 | 2005-02-23 | 上海复旦微电子股份有限公司 | Antifogery method by mobile communicating apparatus and electronic label |
| CN1881229A (en) * | 2006-03-23 | 2006-12-20 | 南相浩 | Anti-counterfeit method and apparatus based on CPK electronic label |
Also Published As
| Publication number | Publication date |
|---|---|
| CN1845121A (en) | 2006-10-11 |
| WO2007134532A1 (en) | 2007-11-29 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101340282A (en) | Generation method of composite public key | |
| CN106339939B (en) | Non-tamper-able distributed bill system based on secure hardware and transaction processing method | |
| US9614847B2 (en) | User authentication | |
| US20180260821A1 (en) | Digitally secured electronic titles for products in supply chains | |
| CN101414909A (en) | System, method and mobile communication terminal for verifying network application user identification | |
| CN108365950A (en) | The generation method and device of financial self-service equipment key | |
| CN101674181A (en) | User certification system using biological characteristic token | |
| CN113438088A (en) | Social network credit monitoring method and device based on block chain distributed identity | |
| CN108011719A (en) | A kind of endorsement method, device and digital signature system | |
| CN101527634A (en) | System and method for binding account information with certificates | |
| CN110210863A (en) | Block chain method for secure transactions, device, electronic equipment and storage medium | |
| CN115840787B (en) | Block chain-based supply chain data sharing method, device, equipment and medium | |
| CN113112252A (en) | Resource transfer method and device based on block chain, electronic equipment and storage medium | |
| Cui et al. | Protecting vaccine safety: An improved, blockchain-based, storage-efficient scheme | |
| CN100428261C (en) | Authentic authentication system based on CPK | |
| CN111818186A (en) | Information sharing method and system | |
| CN114418570A (en) | Block chain-based non-homogeneous evidence-based processing method and device | |
| CN110224985A (en) | The method and relevant apparatus of data processing | |
| CN109962785A (en) | A kind of system and its electric signing system including TEE | |
| CN108965315A (en) | A kind of authentic authentication method of terminal device, device and terminal device | |
| CN102831517A (en) | Electronic consumption card system based on mobile terminal | |
| CN102609842A (en) | Payment cipher device based on hardware signature equipment, and application method of payment cipher device | |
| Zou et al. | Application of blockchain digital identity technology in healthcare consumer finance system | |
| CN109741050A (en) | Extend method of financial IC card service life and associated method and device | |
| CN111814193B (en) | Information sharing method, device and equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| ASS | Succession or assignment of patent right |
Owner name: BEIJING YIHENGXIN TECHNOLOGY CERTIFICATION CO.,LT Free format text: FORMER OWNER: NAN XIANGHAO; APPLICANT Effective date: 20080613 |
|
| C41 | Transfer of patent application or patent right or utility model | ||
| TA01 | Transfer of patent application right |
Effective date of registration: 20080613 Address after: Beijing City, Shijingshan District Shijingshan Road No. 40 building three layer E-G principal zone encoding: 100042 Applicant after: Nan Xianghao Address before: Beijing City, Shijingshan District Shijingshan Road No. 40 building three layer E-G principal zone encoding: 100042 Applicant before: Nan Xiang Hao Co-applicant before: Zhao Jianguo |
|
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CI01 | Correction of invention patent gazette |
Correction item: Patentee Correct: Yihengxin Verification Science and Technology Co., Ltd., Beijing False: Nan Xianghao Number: 43 Page: 1192 Volume: 24 |
|
| CI03 | Correction of invention patent |
Correction item: Patentee Correct: Yihengxin Verification Science and Technology Co., Ltd., Beijing False: Nan Xianghao Number: 43 Page: The title page Volume: 24 |
|
| COR | Change of bibliographic data |
Free format text: CORRECT: PATENTEE; FROM: BEIJING YIHENGXIN TECHNOLOGY CERTIFICATION CO.,LTD. TO: BEIJING YIHENXIN AUTHORIZATION SCIENCE + TECHNOLOGY CO., LTD. |
|
| ERR | Gazette correction |
Free format text: CORRECT: PATENTEE; FROM: BEIJING YIHENGXIN TECHNOLOGY CERTIFICATION CO.,LTD. TO: BEIJING YIHENXIN AUTHORIZATION SCIENCE + TECHNOLOGY CO., LTD. |
|
| DD01 | Delivery of document by public notice | ||
| DD01 | Delivery of document by public notice |
Addressee: Beijing Hengxin Technology Co., Ltd Document name: Notification to Pay the Fees |
|
| DD01 | Delivery of document by public notice | ||
| DD01 | Delivery of document by public notice |
Addressee: Zhao Rongzhi Document name: Notice of termination of patent |
|
| DD01 | Delivery of document by public notice | ||
| DD01 | Delivery of document by public notice |
Addressee: Beijing yihengxin Certification Technology Co.,Ltd. The person in charge Document name: payment instructions |